
PF (firewall)



PF (Packet Filter) is OpenBSD's stateful packet filter, written by Daniel Hartmeier. It replaced Darren Reed's IPFilter in OpenBSD, due to problems with its license, specifically that Reed withheld permission from the OpenBSD developers to change his code. As IPFilter was removed, Theo de Raadt stated that "software which OpenBSD uses and redistributes must be free to all ... for any purpose ... including modification, use, peeing on, or even integration into baby mulching machines or atomic bombs to be dropped on Australia." Because of the OpenBSD team's disapproval of Reed's license changes, they opted to replace his software rather than spend any more time negotiating on the issue.

PF has since evolved quickly and now has several advantages over other available firewalls. The filtering syntax is similar to IPFilter's, with some modifications to make it clearer. Network Address Translation (NAT) and Quality of Service (QoS) have been integrated into PF, QoS by importing the ALTQ queuing software and linking it with PF's configuration. Features such as pfsync and CARP for failover and redundancy, authpf for session authentication, and ftp-proxy to ease firewalling the difficult FTP protocol, have also extended PF. It has been ported to NetBSD, is installed by default in FreeBSD starting with version 5.3, and appears in DragonFly BSD version 1.2.

One innovative feature is PF's logging. Logging is configurable per rule within the pf.conf and logs are provided from PF by a pseudo-network interface called pflog. Logs may be monitored using standard utilities such as tcpdump, which in OpenBSD has been extended especially for the purpose, or saved to disk in a modified tcpdump/pcap binary format using the pflogd daemon.

Example pf.conf file

## Macros

# The internal interface (connected to the local network).
int_if="xl0"

## Options

# Set the default policy to return RSTs or ICMPs for blocked traffic.
set block-policy return

# Ignore the loopback interface entirely.
set skip on lo0

## Translation rules

# NAT traffic on the interface in the default egress interface group (to
# which the interface out of which the default route goes is assigned) from the
# local network.
nat on egress from $int_if:network to any -> (egress)

## Filtering rules

# Default deny rule, with all blocked packets logged.
block log all

# Pass all traffic to and from the local network, using quick so that later
# rules are not evaluated if a packet matches this. Some rulesets would restrict
# local traffic much further.
pass quick on $int_if all

# Permit all traffic going out, keep state so that replies are automatically passed;
# many rulesets would have many rules here, restricting traffic in and out on the
# external (egress) interface.
pass out keep state
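The three filtering rules above only make sense once you know how PF picks a verdict: rules are evaluated top to bottom, the last matching rule wins, a matching rule marked quick ends evaluation immediately, and a packet belonging to an existing state entry is passed before any rule is consulted at all. The following Python simulation of that evaluation order is an added teaching example, not PF's code and not part of the original article. It models only interface, direction, quick, log and keep state; NAT and the loopback skip are left out. The egress interface name "fxp0" and all addresses are constructed values, and $int_if:network is not needed because none of the filter rules use it.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values for the simulation: $int_if is "xl0" in the example;
# "fxp0" as the egress interface is an assumption made here.
INT_IF = "xl0"
EGRESS_IF = "fxp0"


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on
    direction: str   # "in" or "out" relative to the firewall
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    text: str                          # the pf.conf line this models
    direction: Optional[str] = None    # None means any direction
    iface: Optional[str] = None        # None means any interface
    quick: bool = False
    log: bool = False
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        return True


# The three filter rules from the example, in pf.conf order.
RULESET = [
    Rule("block", "block log all", log=True),
    Rule("pass", "pass quick on $int_if all", iface=INT_IF, quick=True),
    Rule("pass", "pass out keep state", direction="out", keep_state=True),
]


class PfModel:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # (src, dst) pairs created by 'keep state'

    def filter(self, pkt: Packet) -> dict:
        """Return the verdict, which rule decided it and how many rules were
        evaluated, so the effect of 'quick' and 'keep state' is visible."""
        # State lookup happens before the ruleset: a reply to a tracked
        # connection passes without any rule being consulted.
        if (pkt.dst, pkt.src) in self.states or (pkt.src, pkt.dst) in self.states:
            return {"verdict": "pass", "decided_by": "state", "evaluated": 0, "logged": False}
        winner = None
        evaluated = 0
        for rule in self.rules:
            evaluated += 1
            if rule.matches(pkt):
                winner = rule          # last matching rule wins ...
                if rule.quick:         # ... unless it says 'quick'
                    break
        if winner is None:
            # PF passes a packet that matches no rule at all; the 'block log all'
            # line in the example exists precisely to turn that into a default deny.
            return {"verdict": "pass", "decided_by": "implicit", "evaluated": evaluated, "logged": False}
        if winner.action == "pass" and winner.keep_state:
            self.states.add((pkt.src, pkt.dst))
        return {"verdict": winner.action, "decided_by": winner.text,
                "evaluated": evaluated, "logged": winner.log}


def demo() -> dict:
    fw = PfModel(RULESET)
    results = {}
    # 1. A LAN host talks out through the egress interface: rules 1 and 3 match,
    #    the last one wins, the packet passes and a state entry is created.
    results["outbound"] = fw.filter(Packet(EGRESS_IF, "out", "192.168.1.10", "198.51.100.5"))
    # 2. The reply comes back in: the state entry passes it, no rule is evaluated.
    results["reply"] = fw.filter(Packet(EGRESS_IF, "in", "198.51.100.5", "192.168.1.10"))
    # 3. An unsolicited inbound packet: only 'block log all' matches, so it is
    #    refused (with an RST/ICMP because of block-policy return) and logged.
    results["unsolicited"] = fw.filter(Packet(EGRESS_IF, "in", "203.0.113.9", "192.168.1.10"))
    # 4. Traffic on the internal interface hits the 'quick' rule, so the third
    #    rule is never looked at.
    results["lan"] = fw.filter(Packet(INT_IF, "in", "192.168.1.10", "192.168.1.1"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The "unsolicited" case is the one the logging paragraph above is about: it is the only packet the model marks as logged, because only the block rule carries log, and that is what ends up on the pflog interface. Before loading an edited ruleset on a real system, pfctl -nf /etc/pf.conf parses the file without applying it, which catches syntax errors before they take the firewall down.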

From Wikipedia, the Free Encyclopedia. Original article here. Support Wikipedia by contributing or donating.
All text is available under the terms of the GNU Free Documentation License See Wikipedia Copyrights for details.
