Packet Filter (PF)


Packet Filter (PF) is OpenBSD’s system for filtering TCP/IP traffic and doing Network Address Translation. PF is also capable of normalizing and conditioning TCP/IP traffic and providing bandwidth control and packet prioritization.

To enable PF, we have to edit /etc/rc.conf.

pf=YES

NAT only makes sense if the kernel forwards packets between interfaces, which is off by default, so we have to enable IP forwarding in /etc/sysctl.conf as well.

net.inet.ip.forwarding=1

The main pf configuration file is /etc/pf.conf. PF lets us define macros as shorthands for the interfaces, port numbers and addresses we use in this file, e.g.

internet_if="xl0"
lan_if="rl0"

services_tcp="{ 22, 53, 80 }"
services_udp="{ 53 }"

non_routeable_ips="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255 }"
broadcast_ip="255.255.255.255"

Assume we have two interfaces, one of which is connected to the Internet, the other connected to a LAN. Performing NAT for the machines on the LAN is done like this.

# $lan_net and $internet_ip are macros for the LAN subnet and the external address, defined like the ones above
nat on $internet_if from $lan_net to any -> $internet_ip

We start by denying all traffic. Since the last matching rule wins unless a rule is marked quick, more specific rules placed later in the configuration file can then allow selected traffic. For example, we may want to allow traffic from and to our LAN.

# default deny: anything not matched by a later rule is dropped
block all

# the LAN interface and subnet; $lan_if is defined above, $lan_net is the LAN subnet macro
# quick stops rule evaluation on a match, keep state lets the replies back through
pass in quick on $lan_if from $lan_net to any keep state
pass out quick on $lan_if from any to $lan_net keep state
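As an added example (not from the original post), here is a complete /etc/pf.conf that ties the fragments above together: the macros, the NAT rule, the default deny and the LAN pass rules, plus two things the post defines but never uses: the non-routable address list is blocked in both directions on the Internet-facing interface, and only $services_tcp and $services_udp are admitted from outside. The value of lan_net and the choice to use every macro are assumptions. It keeps the post's pre-OpenBSD 4.7 syntax (nat on, scrub, explicit keep state); newer releases (4.6 and 4.7 onward) replace the scrub and nat lines with match rules. Check it with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf.

```pf
# Added example: a complete /etc/pf.conf built from the macros in the post.
# lan_net and the use of every macro are assumptions for this example.
internet_if="xl0"
lan_if="rl0"
lan_net="192.168.1.0/24"          # assumed LAN subnet

services_tcp="{ 22, 53, 80 }"
services_udp="{ 53 }"

non_routeable_ips="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255 }"

# Options and normalization come first; pfctl rejects rules out of section order
# (options, normalization, queueing, translation, filtering).
set skip on lo0                  # never filter the loopback interface
scrub in all                     # reassemble fragments, normalize TCP (pre-4.6 form)

# Translation: rewrite LAN sources to whatever address xl0 currently holds.
nat on $internet_if from $lan_net to any -> ($internet_if)

# Filtering: deny everything, then allow specific traffic with quick rules.
block all

# Private, loopback and broadcast addresses have no business on the
# Internet-facing interface in either direction (spoofing protection).
# Drop these two lines if the uplink itself has a private address.
block in  quick on $internet_if from $non_routeable_ips to any
block out quick on $internet_if from any to $non_routeable_ips
antispoof quick for $lan_if inet

# The LAN may talk to anything; state is kept so replies come back.
pass in  quick on $lan_if from $lan_net to any keep state
pass out quick on $lan_if from any to $lan_net keep state

# Let the firewall itself and the NATed LAN reach the Internet.
pass out quick on $internet_if inet from any to any keep state

# Only the listed services are reachable from the Internet; all other
# inbound traffic falls through to "block all". flags S/SA creates state
# only for a proper SYN, not for stray ACK or RST segments.
pass in quick on $internet_if inet proto tcp from any to ($internet_if) \
    port $services_tcp flags S/SA keep state
pass in quick on $internet_if inet proto udp from any to ($internet_if) \
    port $services_udp keep state
```

The ordering matters twice over: pfctl refuses a file whose sections are out of order, and within the filter section the quick rules decide a packet's fate on first match, so the spoofing blocks must sit before the pass rules that would otherwise let a forged LAN source through.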
