Guide to Unix/BSD/OpenBSD/As a Firewall
OpenBSD includes PF ("packet filter") as a firewall.
Getting Started
To turn PF on at boot, set the pf variable in /etc/rc.conf.local (create the file if it does not exist). Put local settings there rather than in /etc/rc.conf, which is replaced on upgrade. This variable existed in the release this guide was written for; recent OpenBSD releases enable PF by default and no longer have it, so check rc.conf(8) for your release.
vi /etc/rc.conf.local
To activate PF on boot up enter the following in the configuration file:
pf=YES
To enable PF manually, enter the following command:
pfctl -e
To disable PF manually, enter the following command:
pfctl -d
Congratulations, PF is now enabled. Note that pfctl -e only switches filtering on; the rules it enforces are whatever was last loaded from /etc/pf.conf. PF's default when no rule matches a packet is to pass it, so a ruleset that blocks nothing protects nothing.
Configuring PF
PF is configured by the rules in /etc/pf.conf. After editing the file, check its syntax with pfctl -nf /etc/pf.conf and load it with pfctl -f /etc/pf.conf. Rules are evaluated top to bottom and the last matching rule wins, unless a rule is marked quick, in which case evaluation stops there. The examples in the table below are adapted from the OpenBSD PF FAQ listed under References.
Rule directives
Directive | Description | Example | Description of example |
---|---|---|---|
rdr | Redirects (port-forwards) incoming traffic to another address. | rdr on tl0 proto tcp from any to any port 80 -> 192.168.1.20 | Redirects TCP traffic arriving on tl0 for port 80 to 192.168.1.20. OpenBSD 4.7 and later write this as pass in on tl0 proto tcp to port 80 rdr-to 192.168.1.20. |
block | Blocks traffic. | block out on fxp0 from 192.168.0.1 to any | Blocks all outgoing traffic on fxp0 whose source address is 192.168.0.1, whatever the port. |
pass | Allows traffic to pass. | pass in all | Allows all incoming traffic on all interfaces. PF's default when no rule matches is also to pass, so a useful ruleset needs explicit block rules. |
scrub | Normalises packets: reassembles fragments and drops fragments that cannot be reassembled. | scrub in all | Scrubs all incoming traffic on all interfaces. OpenBSD 4.6 and later write this as match in all scrub (reassemble tcp). |
table | Defines a named group of addresses for use in other rules. | table <goodguys> { 172.16.0.0/16, 172.16.1.0/24, 172.16.1.100 } block in on dc0 all pass in on dc0 from <goodguys> | Blocks all incoming connections on dc0 except those from addresses in <goodguys>, which the later pass rule allows because the last matching rule wins. |
Scrubbing
Scrubbing normalises packets before the filter rules see them: fragments are reassembled into whole packets, fragments that can never form a valid packet (for example overlapping ones) are dropped, and options such as no-df and random-id rewrite header fields. This stops an attacker from splitting an attack across fragments so that no single fragment matches a block rule, and it protects the host's IP stack from malformed fragments. Normal traffic is not lost; only unreassemblable fragments are. To scrub an interface, enter the following in your /etc/pf.conf (on OpenBSD 4.6 and later, fragment reassembly is on by default and scrub is instead written as an option on match rules, for example match in on fxp0 scrub (no-df random-id)):
scrub <in|out> on <interface> all
A simple example is scrubbing all incoming traffic on every interface:
scrub in all
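The following is a complete /etc/pf.conf that puts the directives from the table above and the scrubbing section together for a small gateway. It is an added example written for this guide, not a ruleset from the page or from the OpenBSD project. The interface names, addresses and table contents are assumptions, and it uses the syntax of OpenBSD 4.7 and later (scrub as an option on match rules, nat-to and rdr-to) rather than the older scrub and rdr form shown in the table.

```pf
# /etc/pf.conf for a small OpenBSD gateway. Interface names (em0 outside,
# em1 inside), addresses and table contents are assumptions made for this
# example. Syntax is OpenBSD 4.7 or later (match, scrub(), nat-to, rdr-to).
#
# Workflow after editing:  pfctl -nf /etc/pf.conf    # parse only, load nothing
#                          pfctl -f  /etc/pf.conf    # load the ruleset
#                          pfctl -sr                 # show the loaded rules
#                          pfctl -t badguys -T show  # show a table's contents

ext_if   = "em0"
int_if   = "em1"
int_addr = "192.168.1.1"        # the gateway's own LAN address
lan_net  = "192.168.1.0/24"
web_srv  = "192.168.1.20"

# Address groups. "persist" keeps the table even when no rule references
# it, so it can be managed at run time with pfctl -t badguys -T add/delete.
table <badguys> persist { 198.51.100.0/24, 203.0.113.7 }
table <admins>  { 192.168.1.10, 192.168.1.11 }

# Never filter loopback traffic.
set skip on lo0

# Normalise every packet before filtering: reassemble fragments, clear the
# DF bit and randomise the IP ID (the post-4.6 spelling of "scrub in all").
match in all scrub (no-df random-id reassemble tcp)

# Source NAT for the LAN on the outside interface. The parentheses make PF
# re-read the interface address if it changes (for example under DHCP).
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny, logged to pflog0 (read with: tcpdump -n -e -ttt -i pflog0).
# Block rules come first; later pass rules override them because the last
# matching rule wins. "quick" rules are final and cannot be overridden.
block log all
block in quick on $ext_if from <badguys>

# Drop packets arriving on the outside that claim an inside source address.
antispoof quick for { lo0, $int_if }

# Port-forward inbound HTTP on the outside address to the internal web
# server. "pass" keeps state, so the reply path needs no extra rule.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web_srv

# LAN hosts may initiate connections through the gateway, but not to the
# gateway itself; the SSH rule below is the only exception. All outbound
# traffic is allowed. State is kept by default.
pass in on $int_if from $lan_net to ! $int_addr
pass out all

# SSH to the gateway only from the admin hosts, and only from the inside.
pass in on $int_if proto tcp from <admins> to $int_addr port 22
```

Because the default-deny rule is first and the pass rules follow it, anything not explicitly passed is dropped and logged; inspect what you are dropping with tcpdump on pflog0 before tightening further.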
Authors
If you made a contribution to this article, please feel free to add your username.
- CFeyecare: started the page.
See Also
- PF on Wikipedia
References
- "PF FAQ." OpenBSD. Retrieved 3 Nov. 2008. <http://www.openbsd.org/faq/pf/>