User Tools

Site Tools



Using PF for Firewall


Packet Filtering (pf) is one of the many firewalls available with FreeBSD. I believe it originally came from OpenBSD and has been ported to many operating systems since.

To enable pf in FreeBSD, you need to create the file /etc/pf.conf, then add the correct stanzas in /etc/rc.conf.

Setting up


First, a basic pf.conf file. This one is designed to block all IP's outside of my country (US) since this particular machine has a very limited audience

set skip on lo0
# allow all outbound traffic
pass out quick all
# create table us_zones from file containing all us IP's
# use wget -4 --no-proxy --no-cookies --no-cache -O /etc/pf-files/
table <us_zones> persist file "/etc/pf-files/"
# create table tcp_services for the only services we need
tcp_services = "{ 22, 80 }"
# the local networks, just in case
table <local_network> {,, x.x.x.x/26 }
# create a table for fail2ban to use
table <fail2ban> persist
# allow anything from our local network
pass in quick from <local_network>
# block everything by default
block in all
# block anything loaded in fail2ban table immediately
block in quick from <fail2ban>
# allow icmp from anyplace EXCEPT fail2ban
pass in quick inet proto icmp all
pass in quick inet6 proto icmp6 all
# allow our tcp services from US Zones
pass in proto tcp from <us_zones> to any port $tcp_services

Check your configuration file with:

pfctl -vnf /etc/pf.conf

This will process, but not start, the configuration. It does some macro expansion, which can also give you a better idea of what is actually going on.

enable pf service

To enable the service, simply add the correct lines in /etc/rc.conf. The following commands turns on pf and pflogger (/var/log/pflog).

echo '# firewall used is PF' >> /etc/rc.conf
echo 'pf_enable="YES"' >> /etc/rc.conf
echo 'pflog_enable="YES"' >> /etc/rc.conf

Now, you can start the firewall with:

service pf start

Useful Commands

# flush and reload rule set
pfctl -f ALL -f /etc/pf.conf 
# show all rules. May also be nat and/or states
pfctl -s rules
# validate config file (dry run kind of thing)
pfctl -vnf /etc/pf.conf
# display all entries in the fail2ban table
pfctl -t fail2ban -T show
# add an IP to table fail2ban
pfctl -t fail2ban -T add
# remove IP from table fail2ban
pfctl -t fail2ban -T delete


unix/freebsd/packetfilter.txt · Last modified: 2018/07/04 18:39 by rodolico