Guide to Unix/BSD/OpenBSD/As a Firewall

$_

General: Introduction | Explanations | Why Unix-like
Platforms: Linux | BSD
Quick Reference: Commands | Environment Variables | Files | License

General: Introduction | External Links
Distributions: FreeBSD | Mac OS X | NetBSD | OpenBSD | Historical

OpenBSD includes PF ("packet filter") as a firewall.

Getting Started

To turn PF on, on boot up, create the configuration file rc.conf.local.

vi /etc/rc.conf.local

To activate PF on boot up enter the following in the configuration file:

pf=YES

To enable PF manually, enter in the following command:

pfctl -e

To disable PF manually, enter in the following command:

pfctl -d

Congratulation, you are now protected by one of the best firewalls available.

Configuring PF

Pf is a very good firewall by default however it also contains a few options. You can change the configuration of pf by editing the configuration file /etc/pf.conf.

Options

Option	Description	Example	Description of Example
rdr	Redirects traffic	rdr on tl0 proto tcp from any to any port 80 -> 192.168.1.20	Redirects traffic for 192.168.1.20 on the tl0 interface, for any port up to 80.
Block	Blocks traffic	block out on fxp0 from 192.168.0.1 to any	For 192.168.0.1, blocks outgoing traffic on the fxp0 interface for any port.
Pass	Allows traffic to pass through	pass in all	Unless stated otherwise, pf will allow all incoming traffic.
Scrub	Scrubing defragments and in some cases rejects fragmented packets.	scrub in all	scrubs all incoming traffic on all interfaces.
Table	defines groups of IPs.	table <goodguys> { 172.16.0.0/16, 172.16.1.0/24, 172.16.1.100 } block in on dc0 all pass in on dc0 from <goodguys> to any	Allows incoming connections to <goodguys> on the dc0 interface. Blocks all other incoming connections on the dc0 interface.

Wrong information.

Scrubbing

Scrubbing defragments and in some cases rejects fragmented packets. This prevents your computer from becoming fragmented, however it also causes a lot of packets to be lost. To scrub an network interface enter the following in you /etc/pf.conf:

scrub <in/out> <interface>

A simple example of this is scrubbing all of the incoming interfaces.

scrub in all

Authors

If you made a contribution to this article please feel free to add your username.

CFeyecare- Started page.

References

"Faq pf." Pf. OpenBSD. 3 Nov. 2008 <http://www.openbsd.org/faq/pf/>.