# @(#)/etc/npf.conf
#
# Example host firewall.
#
# 20240427  Kimmo Suominen
#

alg "icmp"

procedure "log" {
    # Send log events to npflog0, see npfd(8)
    log: npflog0
}

group default {

    #
    # Allow DHCP configuration.
    #
    pass in  final family inet4 proto udp from any port bootps to any port bootpc
    pass out final family inet4 proto udp from any port bootpc to any port bootps
    pass in  final family inet6 proto udp from any to any port "dhcpv6-client"
    pass out final family inet6 proto udp from any port "dhcpv6-client" to any

    #
    # Only allow select IPv4 ICMP types.
    #
    pass in  final family inet4 proto icmp icmp-type echo         all
    pass in  final family inet4 proto icmp icmp-type timxceed     all
    pass in  final family inet4 proto icmp icmp-type unreach      all
    pass in  final family inet4 proto icmp icmp-type echoreply    all
    pass in  final family inet4 proto icmp icmp-type sourcequench all
    pass in  final family inet4 proto icmp icmp-type paramprob    all
    pass out final family inet4 proto icmp all

    #
    # Allow IPv6 ICMP.
    #
    # ICMPv6 packets which must not be dropped, see
    # https://tools.ietf.org/html/rfc4890#section-4.4.1
    #
    pass in  final family inet6 proto ipv6-icmp icmp-type unreach         all
    pass in  final family inet6 proto ipv6-icmp icmp-type packet_too_big  all
    pass in  final family inet6 proto ipv6-icmp icmp-type timxceed        all
    pass in  final family inet6 proto ipv6-icmp icmp-type paramprob       all
    pass in  final family inet6 proto ipv6-icmp icmp-type echo            all
    pass in  final family inet6 proto ipv6-icmp icmp-type echoreply       all
    pass in  final family inet6 proto ipv6-icmp icmp-type rtsol           all
    pass in  final family inet6 proto ipv6-icmp icmp-type rtadv           all #
    pass in  final family inet6 proto ipv6-icmp icmp-type neighsol        all #
    pass in  final family inet6 proto ipv6-icmp icmp-type neighadv        all #
    pass in  final family inet6 proto ipv6-icmp icmp-type invneighsol     all
    pass in  final family inet6 proto ipv6-icmp icmp-type invneighrep     all
    pass in  final family inet6 proto ipv6-icmp icmp-type mcastlistenq    from fe80::/10
    pass in  final family inet6 proto ipv6-icmp icmp-type mcastlistenrep  from fe80::/10
    pass in  final family inet6 proto ipv6-icmp icmp-type mcastlistendone from fe80::/10
    pass in  final family inet6 proto ipv6-icmp icmp-type mcastlistenrep2 from fe80::/10
    pass in  final family inet6 proto ipv6-icmp icmp-type cga_sol         all
    pass in  final family inet6 proto ipv6-icmp icmp-type cga_adv         all
    pass in  final family inet6 proto ipv6-icmp icmp-type mcast_rtadv     from fe80::/10
    pass in  final family inet6 proto ipv6-icmp icmp-type mcast_rtsol     from fe80::/10
    pass in  final family inet6 proto ipv6-icmp icmp-type mcast_rtterm    from fe80::/10
    pass out final family inet6 proto ipv6-icmp all

    #
    # Handle traceroute gracefully for up-to 65 hops away.
    #
    pass in final proto udp to any port 33434-33499

    #
    # Block abusers.
    #
    block in final from 203.0.113.0/24

    #
    # Block non-HTTP to HTTP service addresses.
    #
    pass stateful in final proto tcp to 192.0.2.49 port 80
    block  return in final proto tcp to 192.0.2.49
    pass stateful in final proto tcp to 2001:db8::49 port 80
    block  return in final proto tcp to 2001:db8::49

    #
    # Allow everything else on loopback.
    #
    pass final on lo0 all

    #
    # Allow our addresses.
    #
    pass in  final from 10.0.0.0/8
    pass out final to   10.0.0.0/8
    pass in  final from 192.168.0.0/16
    pass out final to   192.168.0.0/16
    pass in  final from 192.0.2.0/24
    pass out final to   192.0.2.0/24
    pass in  final from 2001:db8::/32
    pass out final to   2001:db8::/32

    #
    # Allow service ports.
    #
    pass stateful in final proto tcp to any port 80
    pass stateful in final proto tcp to any port 443

    #
    # Allow all outbound traffic.
    #
    pass stateful out final all

    #
    # Do not log common probe targets.
    #
    block return in final proto tcp to any port 22		# SSH

    #
    # Do not log multicast that we are not processing.
    #
    block in final family inet4 from any to 239.192.52.151	# PVE (XXX: etcd?)
    block in final family inet4 from any to 239.255.250.250	# DDDP
    block in final family inet4 from any to 239.255.255.250	# SSDP
    block in final family inet4 from any to 224.0.0.18		# VRRP
    block in final family inet4 from any to 224.0.0.251		# mDNS
    block in final family inet4 from any to 224.0.0.252		# LLMNR

    #
    # Send back a reset only for new tcp connections.  Do not reset old
    # connections, so outgoing traffic can recreate the firewall state.
    #
    block return in final proto tcp flags S/SA all apply "log"

    # Default deny.
    block final all apply "log"

}