User:CFeyecare/sandbox/2
 |
This user's work in progress page may be incomplete, and/or unreliable. The latest revision of this page is or will be located at Guide to Unix/BSD/OpenBSD/As a Firewall. |
| Sandbox 1 | Sandbox 2 | Sandbox 3 | Sandbox 4 | Sandbox 5 |
|
OpenBSD as a Firewall
editOpenBSD includes PF ("packet filter") as a firewall.
Getting Started
editTo turn PF on, on boot up, create the configuration file rc.local.conf.
vi /etc/rc.local.conf
To activate PF on boot up enter the following in the configuration file:
pf=YES
To enable PF manually, enter in the following command:
pfctl -e
To disable PF manually, enter in the following command:
pfctl -d
Congratulation, you are now protected by one of the best firewalls available.
Configuring PF
edit |
This page was last edited 188 months ago, and may be abandoned This page has not been edited since 8 November 2008, but other pages in this book might have been. Check out related changes to see what the state of this book is. You can help by editing and updating this book. Remove {{under construction}} from this page if it is not being actively edited. Ask for help at WB:PROJECTS. |
Pf is a very good firewall by default however it also contains a few options. You can change the configuration of pf by editing the configuration file /etc/pf.conf.
Options
edit| Option | Description | Example | Description of Example |
|---|---|---|---|
| rdr | Redirects traffic | rdr on tl0 proto tcp from any to any port 80 -> 192.168.1.20 | Redirects traffic for 192.168.1.20 on the t10 interface, for any port up to 80. |
| Block | Blocks traffic | block out on fxp0 from 192.168.0.1 to any | For 192.168.0.1, blocks outgoing traffic on the fxp0 interface for any port. |
| Pass | Allows traffic to pass through | pass in all | Unless stated otherwise, pf will allow all incoming traffic. |
| Scrub | Scrubing defragments and in some cases rejects fragmented packets. | scrub in all | scrubs all incoming traffic on all interfaces. |
| Table | defines groups of IPs. | table <goodguys> { 172.16.0.0/16, 172.16.1.0/24, 172.16.1.100 } block in on dc0 all |
Allows incoming connections to <goodguys> on the dc0 interface. Blocks all other incoming connections on the dc0 interface. |
Macros
editMacros are the equivalent of shorthand for rules. Such as you could write:
block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any
as opposed to the long way:
block out on fxp0 from 192.168.0.1 to any block out on fxp0 from 10.5.32.6 to any
Scrubing
editScrubing defragments and in some cases rejects fragmented packets. This prevents your computer from becoming fragmented, however it also causes a lot of packets to be lost. To scrub an network interface enter the following in you /etc/pf.conf:
scrub in <interface>
A simple example of this is scrubing all of the interfaces.
scrub in all
Authors
editIf you made a contribution to this article please feel free to add your username.
- CFeyecare- Started page.
See Also
edit- PF on Wikipedia
References
edit- "Faq pf." Pf. OpenBSD. 3 Nov. 2008 <http://www.openbsd.org/faq/pf/>.