
Packet Filter

Information

/etc/pf.conf
/etc/examples/pf.conf

pfctl command

pfctl -nf /etc/pf.conf     # parse the rule file without loading it (syntax check)
pfctl -nvf /etc/pf.conf    # same, and print the parsed rules
pfctl -f /etc/pf.conf      # load the rule file
pfctl -F rules             # flush the loaded rules (states are kept)
pfctl -F all               # flush everything: rules, states, tables, counters
pfctl -s rules             # show the loaded rules
pfctl -s info              # show status and counters
pfctl -s all               # show everything
pfctl -s state             # show the state table
pfctl -k host_or_network   # kill the states matching a host or a network
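An added example (not part of the original page) of how the check, load and flush commands above fit together when a ruleset is reloaded on a machine you only reach over SSH: the new file is parsed with pfctl -nf first, the running rules are dumped with pfctl -sr as a backup, and a timed rollback reloads that backup unless the change is confirmed. The function names, the /tmp paths and the 60 second default are this script's own choices.

```shell
#!/bin/sh
# Safe PF rule reload: validate first, keep a copy of the running ruleset,
# and arm a timed rollback so a bad rule cannot lock out a remote admin.
# Added example; pf_check, pf_safe_reload, pf_confirm and the backup paths
# are this script's own names, not part of pfctl.

PF_BACKUP="${PF_BACKUP:-/tmp/pf.rules.bak}"
PF_ROLLBACK_PID="${PF_ROLLBACK_PID:-/tmp/pf.rollback.pid}"

# pf_check FILE: parse FILE without loading it; returns pfctl's exit status.
pf_check() {
    pfctl -nf "$1"
}

# pf_safe_reload FILE [SECONDS]: load FILE only if it parses, after saving the
# current rules. Unless pf_confirm runs within SECONDS (default 60), the saved
# rules are loaded back automatically.
pf_safe_reload() {
    file=$1
    secs=${2:-60}
    if ! pf_check "$file"; then
        echo "syntax error in $file, not loading" >&2
        return 1
    fi
    pfctl -sr > "$PF_BACKUP" || return 1       # backup of the running rules
    pfctl -f "$file" || return 1               # load the new rules
    ( sleep "$secs"; pfctl -f "$PF_BACKUP" ) & # rollback timer
    echo $! > "$PF_ROLLBACK_PID"
    echo "loaded $file; run pf_confirm within ${secs}s to keep it"
}

# pf_confirm: cancel the pending rollback and keep the new rules.
pf_confirm() {
    [ -f "$PF_ROLLBACK_PID" ] || return 1
    kill "$(cat "$PF_ROLLBACK_PID")" 2>/dev/null || true
    rm -f "$PF_ROLLBACK_PID"
}

# When executed directly with a rules file as argument, reload it with a
# rollback window (second argument, seconds).
if [ $# -ge 1 ]; then
    pf_safe_reload "$1" "${2:-60}"
fi
```

The backup made with pfctl -sr contains only the filter rules in their expanded form (macros already substituted, no queue definitions), so it is a last-resort safety net, not a replacement for keeping the previous pf.conf under version control.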

Macros

tcp_services = "{ ssh, domain, www, https }"
pass out proto tcp to any port $tcp_services keep state

Enable PacketFilter at boot

pf=YES	# enable PF
pf_rules=/etc/pf.conf	# path to the rule file to load

Router mode

Enable router mode (temporary)

# sysctl net.inet.ip.forwarding=1
# sysctl net.inet6.ip6.forwarding=1

Enable router mode (permanent)

Edit /etc/sysctl.conf.

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

Examples

NAT (LAN to WAN) and ALLOW ALL

#MACROS
ext_if = "re0"
int_if = "re1"
localnet = $int_if:network

# NAT
match out on $ext_if from $localnet to any nat-to $ext_if

# FILTER RULES
block all
pass from { lo0, $localnet } to any keep state

NAT (LAN to WAN) and Packet Filtering

#MACROS
ext_if = "re0"
int_if = "re1"
client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, https, 446, cvspserver, 2628, 5999, 8000, 8080 }"
udp_services = "{ domain, ntp }"
localnet = $int_if:network

# NAT
match out on $ext_if from $localnet to any nat-to $ext_if
# FILTER RULES
block all
pass inet proto tcp from $localnet to any port $client_out keep state
pass quick inet proto { tcp, udp } from $localnet to any port $udp_services keep state

NAT (LAN to WAN), Redirection (Port Forwarding) and Packet Filtering

We only allow HTTP, HTTPS and DNS out of our 192.168.2.0/24 network, and we allow RDP connections from anywhere to one host inside our network.

#MACROS
ext_if = "em0"
lan_if = "em1"
tcp_allow = "{ domain, http, https }"
udp_allow = "{ domain }"
lan_network = "{ 192.168.2.0/24 }"

set skip on lo

block return    # block stateless traffic
block in all
block out all
pass out on $ext_if             # establish keep-state

# NAT
pass out on $ext_if inet from $lan_if:network to any nat-to $ext_if
# RDR to allow RDP
pass in quick on $ext_if proto tcp from any to any port 3389 rdr-to 192.168.2.200 port 3389

# FILTER RULES
pass quick from self to $lan_if:network
pass in quick on $lan_if inet proto tcp from $lan_if:network to any port $tcp_allow modulate state
pass in quick on $lan_if inet proto udp from $lan_if:network to any port $udp_allow modulate state
pass out quick on $lan_if inet proto tcp from any to 192.168.2.200 port 3389 keep state  # same host as the rdr-to target above

# allow ssh to the OpenBSD host itself
pass quick inet proto tcp from any to self port 22

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
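The rulesets above mix macros, interface-bound rules and rules without an interface, which makes it easy to lose track of what is reachable from the outside. The following added example (not from the original page) is a small review aid: it expands the name = "value" macros of a pf.conf, including the $name:network form, and prints every pass rule that is not "pass out" and that applies to the given external interface (bound to it, bound to a negated interface such as "on ! lo0", or bound to no interface at all). The function name pf_inbound_rules and the sample ruleset in its test are this script's own.

```shell
#!/bin/sh
# Added example: list the rules of a pf.conf that can admit traffic on the
# external interface, with macros expanded, so the exposed services can be
# reviewed before "pfctl -f". Function name and sample values are this
# script's own, not from the original page.

# pf_inbound_rules FILE EXT_IF
# Prints every "pass" rule that is not "pass out" and is either bound to
# EXT_IF, bound to a negated interface ("on ! lo0"), or bound to no
# interface at all. Macros of the form name = "value" are expanded,
# including the "$name:network" form.
pf_inbound_rules() {
    awk -v ext="$2" '
        { sub(/#.*/, "") }                       # drop comments
        NF == 0 { next }                         # skip blank lines
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {       # macro definition
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val)
            gsub(/"/, "", val); sub(/[ \t]+$/, "", val)
            macros[name] = val
            next
        }
        $1 == "pass" && $2 != "out" {
            out = ""
            for (i = 1; i <= NF; i++) {
                t = $i
                if (substr(t, 1, 1) == "$") {    # expand $macro or $macro:suffix
                    base = substr(t, 2); suffix = ""
                    p = index(base, ":")
                    if (p > 0) { suffix = substr(base, p); base = substr(base, 1, p - 1) }
                    if (base in macros) t = macros[base] suffix
                }
                out = out (i > 1 ? " " : "") t
            }
            # keep rules with no interface, a negated interface, or EXT_IF
            if (out !~ /(^| )on / || out ~ /(^| )on ! / || out ~ ("(^| )on " ext "( |$)"))
                print out
        }
    ' "$1"
}
```

Run as pf_inbound_rules /etc/pf.conf em0 against the third example above, it lists the RDP redirection rule and the "from any to self port 22" rule, which is exactly the set of services an outside host can reach; the expansion is textual only (anchors, lists and tables are not resolved), so pfctl -nvf remains the authoritative view of the loaded rules.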

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
