A simple npf configuration

With an external interface and native IPv6. NPF evaluates rules in order and the last matching rule wins unless a matching rule is marked final, which stops evaluation at that rule; that is why nearly every pass rule below carries it, and why the fallback block lives at the end of the default group:

$if = "nfe0"
$pub_ports = { http, https, domain, ssh }

procedure "rid" {
	normalise: "random-id"
}

group (name "external", interface $if) {
	# always pass ICMP stateless
	pass out final family inet6 proto ipv6-icmp all
	pass out final family inet proto icmp all
	pass in final family inet6 proto ipv6-icmp all
	pass in final family inet proto icmp all

	# allow outgoing TCP SYN to create state, no state for others
	pass stateful out final proto tcp flags S/SA all apply "rid"
	pass out final proto tcp all apply "rid"

	# allow other outgoing protocols to create state
	pass stateful out final all

	# allow incoming sessions to services
	pass stateful in final to $if port $pub_ports
}

group (default) {
	pass final on lo0 all

	block all
}
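To see how the ruleset above actually decides, here is a small Python model of NPF's evaluation order applied to these exact rules. This is an added example written for this page, not NPF's own code: it assumes NPF's documented "last match wins unless final" rule ordering, that a packet is matched against the group for its interface and only falls through to group (default) when no rule in that group matched, and that a packet matching nothing at all is passed (the reason the config ends with block all). It deliberately has no state table and no address matching beyond "the destination is one of the interface's addresses", and the named ports are expanded by hand; the packet() helper and its field names are this example's own.

```python
"""Model of NPF rule evaluation for the ruleset on this page.

Added example, not NPF code.  Assumptions: last matching rule wins unless a
matching rule is `final`; the interface's group is tried first and the default
group only if nothing in it matched; no match at all passes the packet.
"""

# http, https, domain, ssh expanded by hand (assumption: IANA numbers)
PUB_PORTS = {80, 443, 53, 22}


def rule(action, match, stateful=False, final=False):
    """One npf.conf rule: verdict, match predicate, stateful and final flags."""
    return {"action": action, "match": match, "stateful": stateful, "final": final}


def packet(direction, iface, proto, family="inet", flags="", dport=None, dst_local=True):
    """Minimal packet description used by the predicates below (constructed)."""
    return {"dir": direction, "iface": iface, "proto": proto, "family": family,
            "flags": flags, "dport": dport, "dst_local": dst_local}


def tcp_syn_only(p):
    # flags S/SA: of the SYN and ACK bits, only SYN may be set
    return p["proto"] == "tcp" and "S" in p["flags"] and "A" not in p["flags"]


# group (name "external", interface $if), rule for rule in the page's order
EXTERNAL = [
    rule("pass", lambda p: p["dir"] == "out" and p["family"] == "inet6" and p["proto"] == "ipv6-icmp", final=True),
    rule("pass", lambda p: p["dir"] == "out" and p["family"] == "inet" and p["proto"] == "icmp", final=True),
    rule("pass", lambda p: p["dir"] == "in" and p["family"] == "inet6" and p["proto"] == "ipv6-icmp", final=True),
    rule("pass", lambda p: p["dir"] == "in" and p["family"] == "inet" and p["proto"] == "icmp", final=True),
    rule("pass", lambda p: p["dir"] == "out" and tcp_syn_only(p), stateful=True, final=True),
    rule("pass", lambda p: p["dir"] == "out" and p["proto"] == "tcp", final=True),
    rule("pass", lambda p: p["dir"] == "out", stateful=True, final=True),
    # "to $if port $pub_ports": destination is one of the interface's addresses
    rule("pass", lambda p: p["dir"] == "in" and p["dst_local"] and p["dport"] in PUB_PORTS,
         stateful=True, final=True),
]

# group (default)
DEFAULT = [
    rule("pass", lambda p: p["iface"] == "lo0", final=True),
    rule("block", lambda p: True),
]

GROUPS = {"nfe0": EXTERNAL}


def evaluate_group(rules, p):
    """Return the winning rule of a group, or None if no rule matched.

    NPF semantics: keep the LAST matching rule, but stop at a `final` one.
    """
    winner = None
    for r in rules:
        if r["match"](p):
            winner = r
            if r["final"]:
                break
    return winner


def filter_packet(p):
    """Return (verdict, creates_state) for a packet dict."""
    winner = None
    group = GROUPS.get(p["iface"])
    if group is not None:
        winner = evaluate_group(group, p)
    if winner is None:
        # nothing in the interface group matched: fall through to the default group
        winner = evaluate_group(DEFAULT, p)
    if winner is None:
        return ("pass", False)  # no rule at all matched; NPF's default is pass
    return (winner["action"], winner["stateful"])


if __name__ == "__main__":
    for name, p in [
        ("out SYN to 80", packet("out", "nfe0", "tcp", flags="S", dport=80)),
        ("out ACK", packet("out", "nfe0", "tcp", flags="A", dport=80)),
        ("in SYN to 22", packet("in", "nfe0", "tcp", flags="S", dport=22)),
        ("in SYN to 25", packet("in", "nfe0", "tcp", flags="S", dport=25)),
        ("loopback", packet("in", "lo0", "tcp", flags="S", dport=25)),
    ]:
        print(f"{name:14s} -> {filter_packet(p)}")
```

Two things the model makes visible: the incoming rule has no proto clause, so a packet to port 53 on the interface address matches whether it is TCP or UDP, and removing final from the loopback rule would let the trailing block all win under last-match semantics even for lo0 traffic.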