Building a PF firewall walkthrough

Contributed by jose on 2003-09-19 from the help! dept.

Eric Bullen writes: "I get lots of requests for help with building PF firewalls from newbies, and they felt that the current FAQs have more information that they need for a beginner, and no real good walk through. So I felt it was time to scratch this itch, and I am sure others will find this useful. This is geared for beginners, and leaves out some of the more advanced features, but spends alot of time explaining why things are the way they are. I hope this helps more people than I am working with. Here's a direct link:

http://www.thedeepsky.com/howto/newbie_pf_guide.php "

Thanks, Eric!

(Comments are closed)

Comments

By zibi () on 2003-09-20 04:16

You misslead people by notice of /etc/nat.conf
in rc.conf.local and then you don't use that eg.:
---
Listing 1. /etc/rc.conf.local
#!/bin/sh -
pf=YES # Packet filter / NAT
pf_rules=/etc/pf.conf # Packet filter rules file
nat_rules=/etc/nat.conf # NAT rules file
pflogd_flags= # add more flags, ie. "-s 256"
---
You should put the statement that everything is
now in /etc/pf.conf
By Anonymous Coward () on 2003-09-22 06:55

Thanks for a great article. I used it to upgrade my firewall at home, and update the pf.conf at the same time. Whlie it doesn't try to explain everything, it does the basics very well. I'd love to see another.
By byte () on 2003-09-22 14:36

The text looks fine but I noticed a misunderstanding in the UDP section:

"If you have a server hanging on the net, and it receives a UDP packet destined for a port it doesn't listen on, it will drop the packet with no reply [...]"

Packets to closed UDP ports are supposed to trigger ICMP port unreachable error messages.
Comments
1. By Anonymous Coward () on 2003-09-22 17:02
  
  No, it really doesn't. The server when it receives a packet doesn't have to even acknowlege receiving the packet, nor does it have to return anything if it is closed. Returning a icmp port-unreach is completely elective, and not required..
2. By Ryvar () none on 2003-09-23 00:39 mailto:none
  
  I'm surprised you haven't encountered this before, the general consensus of the firewall-wielding Internet seems to be 'to Hell with the RFC, my machine is a blackhole.'
  
  --Ryv
  Comments
  1. By Anonymous Coward () on 2003-09-23 15:01
    
    Which RFC?
By Peter MacFarlane () cpmacfar@isn.net on 2003-09-22 14:38 mailto:cpmacfar@isn.net

The walkthru should be much appreciated since it has taken me several weeks to come up with a basic configuration on oBSD 3.3 that works, contrary to the more basic default deny policy script I used on 2.9. Better syntax examples would help. I finally figured out that the pf.conf man pages did have the best startup examples. The problem I find is mainly how to pass TCP traffic correctly.

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]