PF (firewall)
PF is a BSD licensed stateful packet filter, a central piece of software for firewalling. It is comparable to iptables, ipfw and ipfilter. PF is developed on OpenBSD, but has been ported to many other operating systems including Mac OS X 10.7 'Lion', FreeBSD, NetBSD, DragonFly BSD and Debian GNU/kFreeBSD.

History

PF was written by Daniel Hartmeier. It appeared in OpenBSD 3.0, which was released on 1 December 2001.

PF was originally designed as a replacement for Darren Reed's IPFilter, from which it derives much of its rule syntax. IPFilter was removed from OpenBSD's CVS tree on 30 May 2001 due to OpenBSD developers' concerns with its license.

Features

The filtering syntax is similar to IPFilter, with some modifications to make it clearer. Network Address Translation (NAT) and Quality of Service (QoS) have been integrated into PF, QoS by importing the ALTQ queuing software and linking it with PF's configuration. Features such as pfsync and CARP for failover and redundancy, authpf for session authentication, and ftp-proxy to ease firewalling the difficult FTP protocol, have also extended PF.

PF's logging is configurable per rule within pf.conf. Logged packets are handed from the kernel to user-level programs through a pseudo-network interface called pflog, which is how PF exposes its log data to user space. Logs may be monitored live using standard utilities such as tcpdump, which in OpenBSD has been extended especially for the purpose (for example, tcpdump -n -e -ttt -i pflog0), or saved to disk in a modified tcpdump/pcap binary format by the pflogd daemon and read back later with tcpdump -n -e -ttt -r /var/log/pflog. The -e flag matters here: it prints the pflog header (rule number, interface, action and direction), without which a logged packet cannot be tied back to the rule that blocked it.

Ports

Apart from its home platform OpenBSD, PF is also installed by default in FreeBSD starting with version 5.3, in NetBSD from version 3.0, and appeared in DragonFly BSD from version 1.2. Core Force, a firewalling and security product for Microsoft Windows, is derived from PF. PF is also included in Mac OS X Lion (OS X 10.7), released in July 2011.

Annotated example pf.conf file

    # Macros

    # The internal interface (connected to the local network).
    int_if="xl0"

    # Options

    # Set the default policy to return RSTs or ICMPs for blocked traffic.
    set block-policy return

    # Ignore the loopback interface entirely.
    set skip on lo0

    # Translation rules

    # NAT traffic on the interface in the default egress interface group (to
    # which the interface out of which the default route goes is assigned) from the
    # local network.
    match out on egress from $int_if:network to any nat-to (egress)

    # Filtering rules

    # Default deny rule, with all blocked packets logged.
    block log all

    # Pass all traffic to and from the local network, using quick so that later
    # rules are not evaluated if a packet matches this. Some rulesets would restrict
    # local traffic much further.
    pass quick on $int_if all

    # Permit all traffic going out, keep state so that replies are automatically passed;
    # many rulesets would have many rules here, restricting traffic in and out on the
    # external (egress) interface. (Since OpenBSD 4.1 pass rules keep state by default,
    # so the keep state keyword is redundant on current PF.)
    pass out keep state

Two points a practitioner should check before reusing this file. First, the match ... nat-to form is OpenBSD 4.7 and later syntax; earlier PF releases express NAT as a separate rule such as nat on $ext_if from $int_if:network to any -> ($ext_if), with $ext_if set to the external interface. Second, the ruleset is evaluated last-match-wins, so block log all at the top only takes effect for packets that no later pass rule matches; the quick keyword on the internal-interface rule is what stops evaluation early. Validate the file with pfctl -nf /etc/pf.conf before loading it.
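The three behaviours the comments above rely on, state created by a pass rule letting the replies back in, quick ending rule evaluation, and block-policy return choosing how a blocked packet is answered, can be demonstrated with a small model of PF's rule evaluation. The following is an added example written for this page, not PF's own code, and it is a simplification: NAT, TCP flag matching and address matching are not modelled, states float across interfaces, the external interface name em0 and all addresses and ports are constructed sample data, and the state=True default on rules reflects the OpenBSD 4.1 and later behaviour.

```python
# Toy model of PF rule evaluation; added example, not PF's own code.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on
    direction: str   # "in" or "out" relative to the firewall host
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None      # None matches every interface
    quick: bool = False              # stop evaluating once this rule matches
    state: bool = True               # pass rules keep state by default (OpenBSD 4.1+)
    log: bool = False                # log packets this rule decides

    def matches(self, p: Packet) -> bool:
        return self.direction in (None, p.direction) and self.iface in (None, p.iface)

class PF:
    def __init__(self, rules: List[Rule], block_policy: str = "drop", skip=()):
        self.rules = rules
        self.block_policy = block_policy   # "drop" or "return"
        self.skip = set(skip)              # `set skip on <if>`: not filtered at all
        self.states = set()                # (proto, src, sport, dst, dport) tuples
        self.log = []                      # (action, packet) for rules with `log`

    def filter(self, p: Packet) -> str:
        if p.iface in self.skip:
            return "pass (skip)"
        # 1. State table first: either direction of an existing state passes
        #    without the ruleset being consulted at all.
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.states or (p.proto, p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass (state)"
        # 2. Last matching rule wins, unless a matching rule is `quick`.
        winner = None
        for rule in self.rules:
            if rule.matches(p):
                winner = rule
                if rule.quick:
                    break
        if winner is None:                 # PF's implicit default is pass
            return "pass (default)"
        if winner.log:
            self.log.append((winner.action, p))
        if winner.action == "pass":
            if winner.state:
                self.states.add(key)
            return "pass"
        # 3. Blocked: `block-policy return` answers TCP with a RST and UDP with
        #    an ICMP unreachable; everything else (and policy `drop`) is silent.
        if self.block_policy == "return" and p.proto == "tcp":
            return "block (return-rst)"
        if self.block_policy == "return" and p.proto == "udp":
            return "block (return-icmp-unreach)"
        return "block (drop)"

def example_ruleset(int_if: str = "xl0") -> PF:
    """The filtering part of the annotated pf.conf above, as Rule objects."""
    return PF(
        rules=[
            Rule("block", log=True),                 # block log all
            Rule("pass", iface=int_if, quick=True),  # pass quick on $int_if all
            Rule("pass", direction="out"),           # pass out keep state
        ],
        block_policy="return",                       # set block-policy return
        skip=("lo0",),                               # set skip on lo0
    )

def demo() -> dict:
    """Constructed packets; em0 is an assumed external interface, addresses are documentation ranges."""
    fw, r = example_ruleset(), {}
    # LAN host opens HTTPS to the internet: `pass out` is the last match, state is created.
    r["syn_out"] = fw.filter(Packet("em0", "out", "tcp", "10.0.0.5", 40000, "198.51.100.7", 443))
    # Server's SYN/ACK arrives on em0: no rule passes inbound on em0, but the state entry does.
    r["reply_in"] = fw.filter(Packet("em0", "in", "tcp", "198.51.100.7", 443, "10.0.0.5", 40000))
    # Unsolicited SSH probe: only `block log all` matches, so it is logged and answered with a RST.
    r["probe_in"] = fw.filter(Packet("em0", "in", "tcp", "192.0.2.99", 55555, "10.0.0.5", 22))
    # Unsolicited UDP: blocked with an ICMP unreachable under block-policy return.
    r["udp_in"] = fw.filter(Packet("em0", "in", "udp", "192.0.2.99", 55555, "10.0.0.5", 53))
    # Internal interface: `pass quick` matches after `block log all` did and ends evaluation as winner.
    r["lan_in"] = fw.filter(Packet("xl0", "in", "tcp", "10.0.0.5", 50000, "10.0.0.1", 22))
    r["lo"] = fw.filter(Packet("lo0", "out", "tcp", "127.0.0.1", 5000, "127.0.0.1", 80))
    r["logged"] = len(fw.log)
    # Same ruleset with `pass out no state`: the reply is now blocked, which is what
    # "keep state so that replies are automatically passed" buys you.
    fw2 = example_ruleset()
    fw2.rules[2] = Rule("pass", direction="out", state=False)
    fw2.filter(Packet("em0", "out", "tcp", "10.0.0.5", 40000, "198.51.100.7", 443))
    r["reply_no_state"] = fw2.filter(Packet("em0", "in", "tcp", "198.51.100.7", 443, "10.0.0.5", 40000))
    return r
```

Running demo() shows that the unsolicited inbound packets on em0 are the only ones for which block log all ends up as the winning rule, which is why a default-deny ruleset with state tracking logs exactly the traffic nobody on the inside asked for, and why dropping the state from the pass out rule silently breaks every outbound connection.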


See also

  • Internet protocol suite
  • Network address translation
  • Reverse path forwarding
  • pfSense
  • Core Force

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.