Default Rules

Default rules apply only when explicit rules exist for the same target (src, dst, port in src section, icmp, etc.). If no explicit rules are defined for a target, the corresponding defaults are considered inactive and no filtering is applied.

If explicit rules exist for a target but no default rule is specified:

block is used for the dst filter
allow is used for all other filters

Entries in the defaults section do not have names, as they apply to all named rule sections that match by target and attributes.

The defaults section uses only replace semantics for all entries. If a rule previously defined in the defaults section is not present in a new configuration, it is considered removed and the default value for that field is applied.

Example:

defaults {
    # Pseudo-syntax:
    # <target> <scope>: <policy>;
    #
    #   <target>  := src | dst | icmp
    #   <scope>   := ip4[.tcp|.udp] | ip6[.tcp|.udp] | <empty>
    #   <policy>  := allow | block | ratelimit=<name>
    #
    src_ip ip4.tcp: allow;
    # Block all incoming IPv4 UDP traffic by default
    src_ip ip4.udp: block;
    # Rate-limit tcp/udp incoming IPv6 traffic using profile "default_ratelimit"
    src_ip ip6: ratelimit = default_ratelimit;

    # Block all incoming IPv4 UDP port traffic by default
    src_port ip4.udp: block;
    # Allow all incoming IPv4 UDP port traffic by default
    src_port ip4.tcp: allow;
    # Allow all incoming IPv6 port traffic by default
    src_port ip6: allow;

    # The dst section can also be expanded similarly to src_ip or src_port:
    # For example, you can specify protocol-specific defaults:
    #
    # dst ip4.tcp: allow;
    # dst ip4.udp: block;
    # dst ip6: ratelimit=default_ratelimit;

    # Block all traffic by default
    dst: block;

    # ICMP traffic can be blocked using the short form: 'icmp block;'
    # Allow all IPv4 traffic by default
    icmp ip4: allow;
    # Block all IPv6 traffic by default
    icmp ip6: block;
}