As of July 2003 the OpenBSD firewall software application known as PF was ported to FreeBSD and was made available in the FreeBSD Ports Collection; the first release that contained PF as an integrated part of the base system was FreeBSD 5.3 in November 2004. PF is a complete, fully featured firewall that has optional support for ALTQ (Alternate Queuing). ALTQ provides Quality of Service (QoS) bandwidth shaping that allows guaranteeing bandwidth to different services based on filtering rules. The OpenBSD Project does an outstanding job of maintaining the PF User's Guide, so it will not be made part of this handbook firewall section, as that would just be duplicated effort.
More info can be found at the PF for FreeBSD web site: http://pf4freebsd.love2party.net/.
PF is included in the basic FreeBSD install for versions newer than 5.3 as a separate run time loadable module. The system will dynamically load the PF kernel loadable module when the rc.conf statement pf_enable="YES" is used. The loadable module was created with pflog(4) logging enabled.

The module assumes the presence of options INET and device bpf. Unless NOINET6 (for FreeBSD prior to 6.0-RELEASE) or NO_INET6 (for later releases) was defined during the build, for example in make.conf(5), it also requires options INET6.
Once the kernel module is loaded or the kernel is statically built with PF support, it is possible to enable or disable pf with the pfctl command.

This example demonstrates how to enable pf:

# pfctl -e

The pfctl command provides a way to work with the pf firewall. It is a good idea to check the pfctl(8) manual page to find out more information about using it.
You are not required to enable PF by compiling the following options into the FreeBSD kernel; they are presented here only as background information. Compiling PF into the kernel causes the loadable module to never be used.
Sample kernel config PF option statements are in the /usr/src/sys/conf/NOTES kernel source and are reproduced here:

device pf
device pflog
device pfsync

device pf enables support for the "Packet Filter" firewall.

device pflog enables the optional pflog(4) pseudo network device which can be used to log traffic to a bpf(4) descriptor. The pflogd(8) daemon can be used to store the logging information to disk.

device pfsync enables the optional pfsync(4) pseudo network device that is used to monitor "state changes". As this is not part of the loadable module, one has to build a custom kernel to use it.
These settings will take effect only after you have built and installed a kernel with them set.
You need the following statements in /etc/rc.conf to activate PF at boot time:

pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup
If you have a LAN behind this firewall and have to forward packets for the computers in the LAN or want to do NAT, you have to enable the following option as well:
gateway_enable="YES" # Enable as LAN gateway
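As an added example that is not part of the Handbook, the following sh(1) script checks the rc.conf settings above before a reboot: that PF and pflogd are enabled, that a rules file is named (and parses, if pfctl is available), and, when the machine is to act as a LAN gateway, that gateway_enable is set. The function names rc_get, check_pf_rcconf and write_sample_rcconf are chosen here, and the parser only understands the simple key="value" # comment form shown on this page.

```shell
#!/bin/sh
# Added example, not from the Handbook: sanity-check PF settings in an
# rc.conf(5) file. Assumption: only the simple  key="value"  # comment
# form shown above is understood (rc.conf is really sourced by sh(1)).

# rc_get FILE KEY: print KEY's value, last assignment wins, with the
# trailing comment and surrounding double quotes removed.
rc_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/' |
        tail -n 1
}

# check_pf_rcconf FILE [yes|no]: succeed only when PF and pflogd are
# enabled and a rules file is named; with "yes", also require
# gateway_enable, which is needed to forward packets for a LAN.
check_pf_rcconf() {
    file=$1 need_gateway=${2:-no} rc=0
    [ "$(rc_get "$file" pf_enable)" = "YES" ] ||
        { echo "pf_enable is not YES: PF will not start at boot"; rc=1; }
    rules=$(rc_get "$file" pf_rules)
    if [ -z "$rules" ]; then
        echo "pf_rules is not set"; rc=1
    elif [ ! -f "$rules" ]; then
        echo "warning: rules file $rules does not exist"
    elif command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$rules" || rc=1     # -n: parse only, do not load
    fi
    [ "$(rc_get "$file" pflog_enable)" = "YES" ] ||
        { echo "pflog_enable is not YES: pflogd(8) will not run"; rc=1; }
    if [ "$need_gateway" = yes ] &&
       [ "$(rc_get "$file" gateway_enable)" != "YES" ]; then
        echo "gateway_enable is not YES: LAN packets are not forwarded"
        rc=1
    fi
    return $rc
}

# write_sample_rcconf PATH: write a constructed rc.conf fragment (the
# settings from this page) to PATH so the checks can be tried offline.
write_sample_rcconf() {
    cat > "$1" <<'EOF'
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup
gateway_enable="YES"            # Enable as LAN gateway
EOF
}
```

Run it against the real file with check_pf_rcconf /etc/rc.conf yes; a non-zero exit means one of the listed settings is missing or wrong.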
ALTQ is only available by compiling the options into the FreeBSD kernel. ALTQ is not supported by all of the available network card drivers. Please see the altq(4) manual page for a list of drivers that are supported in your release of FreeBSD. The following options will enable ALTQ and add additional functionality.

options ALTQ
options ALTQ_CBQ    # Class Based Queuing (CBQ)
options ALTQ_RED    # Random Early Detection (RED)
options ALTQ_RIO    # RED In/Out
options ALTQ_HFSC   # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ   # Priority Queuing (PRIQ)
options ALTQ_NOPCC  # Required for SMP build
options ALTQ enables the ALTQ framework.

options ALTQ_CBQ enables Class Based Queuing (CBQ). CBQ allows you to divide a connection's bandwidth into different classes or queues to prioritize traffic based on filter rules.

options ALTQ_RED enables Random Early Detection (RED). RED is used to avoid network congestion. RED does this by measuring the length of the queue and comparing it to the minimum and maximum thresholds for the queue. If the queue is over the maximum, all new packets will be dropped. True to its name, RED drops packets from different connections randomly.

options ALTQ_RIO enables Random Early Detection In and Out.

options ALTQ_HFSC enables the Hierarchical Fair Service Curve Packet Scheduler. For more information about HFSC see: http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html.

options ALTQ_PRIQ enables Priority Queuing (PRIQ). PRIQ will always pass traffic that is in a higher queue first.

options ALTQ_NOPCC enables SMP support for ALTQ. This option is required on SMP systems.
The Packet Filter reads its configuration rules from the pf.conf(5) file and it modifies, drops or passes packets according to the rules or definitions specified there. The FreeBSD installation comes with a default /etc/pf.conf which contains useful examples and explanations.

Although FreeBSD has its own /etc/pf.conf, the syntax is the same as the one used in OpenBSD. A great resource for configuring the pf firewall has been written by the OpenBSD team and is available at http://www.openbsd.org/faq/pf/.
When browsing the pf user's guide, please keep in mind that different versions of FreeBSD contain different versions of pf. The pf firewall in FreeBSD 5.X is at the level of OpenBSD version 3.5 and in FreeBSD 6.X is at the level of OpenBSD version 3.7.
The FreeBSD Packet Filter firewall mailing list is a good place to ask questions about configuring and running the pf firewall. Do not forget to check the mailing list archives before asking questions.
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.