
pf is the OpenBSD packet filter, aka firewall. Like all of OpenBSD, it is well-known for its security and flexibility. It is also responsible for Network Address Translation. Here is an example pf.conf configuration file for pf, from a fairly typical NAT setup. (Prior to version 3.2, the actual NAT configuration itself was stored in a separate file. This is from a 3.1 box, and as such does not include the NAT directives.)

pass out quick on ne3 all keep state
block in on ne3 all
pass in on rl0 all
pass out on rl0 all
pass in on ne3 proto tcp from any to any port 22
pass in on ne3 proto tcp from any to any port 27960

The first and second lines establish ne3 as the external network interface, allowing packets out but not in. Since pf by default applies the last matching rule (unlike ipchains, which uses the first), the qualifier quick is used to make the first rule supersede other applicable rules. (It is not strictly needed here because there are no other conflicting rules.) keep state is more important; it establishes that packets outgoing on ne3 will be remembered and any related incoming packets will be allowed. Example: if your Web browser sends an HTTP request to everything2's Web server, the corresponding response will be permitted through the firewall, despite the block in on ne3 all rule.

The third and fourth lines establish that all data incoming or outgoing on rl0 (the internal interface) will be allowed through. This is typical of most firewall setups: firewalling is done on the external interface side.

The fifth and sixth lines are examples of how to punch a hole in the firewall: incoming data on TCP ports 22 (SSH) and 27960 (Quake III Arena) will be allowed in. This overrules the earlier block in on ne3 all rule.
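To make the last-match, quick and keep state behaviour described above concrete, here is a small Python model of how those six rules decide a packet's fate. It is an added illustration, not pf's own code, and it simplifies real pf: packets are plain dicts with only direction, interface, protocol, addresses and ports, the state table is a set of 5-tuples with no timeouts, and the pkt() helper and its sample addresses are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    iface: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: dict) -> bool:
        return (self.direction, self.iface) == (p["dir"], p["iface"]) and \
               self.proto in (None, p["proto"]) and self.dport in (None, p["dport"])

# The six rules from the pf.conf above, in file order.
RULES = [
    Rule("pass", "out", "ne3", quick=True, keep_state=True),
    Rule("block", "in", "ne3"),
    Rule("pass", "in", "rl0"),
    Rule("pass", "out", "rl0"),
    Rule("pass", "in", "ne3", proto="tcp", dport=22),
    Rule("pass", "in", "ne3", proto="tcp", dport=27960),
]

def pkt(direction, src, sport, dst, dport, iface="ne3", proto="tcp") -> dict:
    """Constructed packet summary (only the fields the rules look at)."""
    return dict(dir=direction, iface=iface, proto=proto,
                src=src, sport=sport, dst=dst, dport=dport)

def filter_packet(p: dict, state: set, rules=RULES) -> str:
    """Return "pass" or "block" for p.  A packet whose flow (in either
    direction) is already in the state table passes without any rule lookup."""
    flow = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
    back = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
    if flow in state or back in state:
        return "pass"
    winner = None
    for rule in rules:
        if rule.matches(p):
            winner = rule          # last matching rule wins ...
            if rule.quick:         # ... unless it is marked quick
                break
    if winner is None:
        return "pass"              # pf passes traffic that no rule matches
    if winner.action == "pass" and winner.keep_state:
        state.add(flow)            # remember the flow so replies get back in
    return winner.action
```

Running an outgoing web request through it, then the server's reply, shows the reply passing only because of the state entry, while an unsolicited packet to the same client port hits the block rule.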

pf is fairly new to OpenBSD; it was written from scratch for OpenBSD version 3.0. Prior to that, the de facto packet filter on OpenBSD was ipf, the IPFilter. However, in May 2001 Darren Reed, the author of ipf, "clarified" the ipf license to include the phrase "...derivitive [sic] or modified works are not permitted without the author's prior consent." As this runs contrary to Open Source principles, ipf was dropped from OpenBSD and pf was written from scratch.

More information than you would ever want to know about pf can be found through the commands man 4 pf, man 5 pf.conf, and man 8 pfctl on any modern OpenBSD system.
