Configure NPF Firewall on NetBSD 10

NPF is NetBSD's stateful packet filter.

Step 1 – Enable NPF at boot

# /etc/rc.conf:
npf=YES
npf_conf=/etc/npf.conf

Step 2 – Basic `/etc/npf.conf`

$ext_if = inet4 addr "wm0"

alg "icmp"

procedure "block-log" {
    log: npflog0;
}

group default {
    # Allow loopback
    pass stateful on lo0 all

    # Allow established sessions
    pass stateful all

    # Allow SSH
    pass stateful in final on wm0 proto tcp to $ext_if port 22

    # Allow HTTP/HTTPS
    pass stateful in final on wm0 proto tcp to $ext_if port 80
    pass stateful in final on wm0 proto tcp to $ext_if port 443

    # Allow ICMP ping
    pass stateful in final on wm0 proto icmp all

    # Block everything else
    block in final on wm0 all
}

Step 3 – Load rules

npfctl reload
npfctl start

Step 4 – Check status

npfctl show
npfctl stats

Configure Firewall on NetBSD 10

Configure NPF Firewall on NetBSD 10

Step 1 – Enable NPF at boot

Step 2 – Basic /etc/npf.conf

Step 3 – Load rules

Step 4 – Check status

Step 2 – Basic `/etc/npf.conf`