Packet Filter (PF) is OpenBSD’s system for filtering TCP/IP traffic and doing Network Address Translation. PF is also capable of normalizing and conditioning TCP/IP traffic and providing bandwidth control and packet prioritization.
To enable PF, we have to edit /etc/rc.conf.
pf=YES
To be able to do NAT, we have to edit /etc/sysctl.conf as well.
net.inet.ip.forwarding=1
The main pf configuration file is /etc/pf.conf. We can use shorthands for interfaces, port numbers and addresses we use in this file, e.g.
internet_if="xl0"
lan_if="rl0"
services_tcp="{ 22, 53, 80 }"
services_udp="{ 53 }"
non_routeable_ips="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255 }"
broadcast_ip="255.255.255.255"
Assume we have two interfaces, one of which is connected to the Internet, the other connected to a LAN. Performing NAT for the machines on the LAN is done like this.
nat on $internet_if from $lan_net to any -> $internet_ip
By default, we can deny all traffic. Specifying more specific rules later in the configuration file gives us the opportunity to allow certain traffic. For example, we may want to allow traffic from and to our LAN.
block all pass in quick on $fixed_if from $fixed_net to any keep state pass out quick on $fixed_if from any to $fixed_net keep state