Intro
This guide is my contribution to the enormous number of guides on the pf packet filter. I don't want to write yet another pf guide describing rulesets, just a few words about specific questions.
ipfw uses the first matching rule, BUT ipf and pf use the last one. Keep this in mind.
The exception is the "quick" case: a matching rule marked quick is final and evaluation stops there.
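The difference between first-match and last-match evaluation, and what "quick" changes, is easiest to see on a tiny ruleset. The following is an added illustration, not code from the original guide: a toy model in which rules match only on direction, protocol and destination port (an assumption of this example, not pf's real matching logic), with one evaluator that follows pf's last-match-wins-unless-quick semantics and a contrasting first-match evaluator in the ipfw style.

```python
"""Toy simulation of pf rule evaluation: the LAST matching rule wins, unless a
matching rule carries "quick", which makes it final immediately.

Added illustration, not code from the original guide. The rule and packet
model (direction, protocol, destination port only) is deliberately minimal and
is an assumption of this example, not pf's real matching logic.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    direction: str = "in"          # "in" or "out"
    proto: Optional[str] = None    # None = any protocol
    dport: Optional[int] = None    # None = any destination port
    quick: bool = False            # pf's "quick" keyword


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate_pf(rules, pkt) -> Tuple[str, Optional[int]]:
    """pf semantics: walk every rule, remember the last match, stop on quick.

    Returns (action, index of the deciding rule). A packet matching no rule
    is passed, which is pf's default for unmatched traffic.
    """
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        decision = (rule.action, i)
        if rule.quick:
            break          # quick: this match is final, later rules are ignored
    return decision


def evaluate_first_match(rules, pkt) -> Tuple[str, Optional[int]]:
    """ipfw-style contrast: the FIRST matching rule decides."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "pass", None


# Constructed sample ruleset in the usual pf layout: a catch-all block first,
# then specific passes that win because they come later.
RULESET = [
    Rule("block"),                                      # 0: block in all
    Rule("pass", proto="tcp", dport=22),                # 1: later, so it wins for ssh
    Rule("block", proto="tcp", dport=23, quick=True),   # 2: quick: telnet is final here
    Rule("pass", proto="tcp", dport=23),                # 3: never reached for telnet
]


if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", 22), Packet("in", "tcp", 23),
                Packet("in", "udp", 53), Packet("out", "tcp", 80)):
        print(pkt, "pf:", evaluate_pf(RULESET, pkt),
              "first-match:", evaluate_first_match(RULESET, pkt))
```

Running it shows why the same ruleset behaves differently under the two models: under pf the ssh packet is passed by rule 1, under first-match it is blocked by the catch-all rule 0; the telnet packet is blocked by the quick rule 2 and rule 3 is never consulted.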
Who serves?
pf is represented by the /dev/pf pseudo-device. This device is how pf is controlled from userland.
Manual control:
To disable the packet filter:
# pfctl -d
After changing the rules it is not necessary to disable pf before enabling it again with the new rules; pf re-reads the configuration file:
# pfctl -e
or
# pfctl -ef /etc/pf.local.conf
To enable rules just for a particular interface:
# pfctl -e -i lnc0
A trick: "Try the -o option!":
# pfctl -o -ef /etc/pf.local.conf
This option tries to optimize the ruleset. The main optimizations are removing duplicate rules (even partial duplicates) and re-ordering rules to improve overall performance.
pfctl can also load specific parts of a ruleset; the selectors are capital letters:
# pfctl -A -f /etc/pf.local.conf
# pfctl -N -f /etc/pf.local.conf
# pfctl -O -f /etc/pf.local.conf
# pfctl -R -f /etc/pf.local.conf
-A loads only queue rules, -N only NAT rules, -O only the rulesets of the specified file, -R only filter rules.
To flush rules, use the -F option with a modifier selecting the required type:
# pfctl -F nat
# pfctl -F queue
# pfctl -F rules
# pfctl -F state
# pfctl -F Source
# pfctl -F info
# pfctl -F Tables
# pfctl -F osfp
# pfctl -F all
Hopefully everything is clear.
For those interested in keep state rules, there is a -k host option that kills all of the state entries for that host:
# pfctl -k host
# pfctl -k host -k host2
To clear per-rule statistics:
# pfctl -z
To list the filter parameters (all means everything):
# pfctl -s all
There are also narrower modifiers like nat, queue, rules, Anchors, state, etc.
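One thing the reload commands above do not protect against is a typo in the new file: loading a ruleset that fails to parse is the classic way to lose the rules you had. The following is an added example, not code from the original guide, that runs the parse-only check (pfctl -n, documented in pfctl(8)) before the real load and refuses to touch the running ruleset if the check fails. It assumes pfctl is on PATH and that the caller has the privileges pfctl needs; the run parameter is an injection point so the control flow can be exercised without root or a real /dev/pf.

```python
"""Reload a pf ruleset only after it passes a parse-only check.

Added example, not part of the original guide. Assumes pfctl(8) on PATH, that
"-n" means "parse the file but do not load it" (as documented in pfctl(8)),
and that the caller has the privileges pfctl needs. The ``run`` parameter is
an injection point so the control flow can be tested without root.
"""
import subprocess
import sys
from typing import Callable, List, Tuple

PFCTL = "pfctl"
Runner = Callable[[List[str]], Tuple[int, str]]


def run_pfctl(argv: List[str]) -> Tuple[int, str]:
    """Execute pfctl and return (exit status, combined stdout+stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def reload_ruleset(conf: str, optimize: bool = False,
                   run: Runner = run_pfctl) -> Tuple[bool, List[List[str]], str]:
    """Check ``conf`` with ``pfctl -nf``; load it with ``pfctl -f`` only if that passes.

    Returns (success, commands that were run, last pfctl output). Stopping on a
    parse error means a typo never replaces the running ruleset.
    """
    ran: List[List[str]] = []
    check = [PFCTL, "-nf", conf]
    ran.append(check)
    status, out = run(check)
    if status != 0:
        return False, ran, out          # keep the current ruleset untouched
    # -o asks pfctl to optimize the ruleset while loading (see the trick above)
    load = [PFCTL] + (["-o"] if optimize else []) + ["-f", conf]
    ran.append(load)
    status, out = run(load)
    return status == 0, ran, out


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pf.local.conf"
    ok, cmds, output = reload_ruleset(path, optimize="-o" in sys.argv[2:])
    for cmd in cmds:
        print("ran:", " ".join(cmd))
    print("ok" if ok else "failed:\n" + output)
```

Usage: `python3 reload.py /etc/pf.local.conf -o` as root. The same check-then-load sequence is what you would put in a cron job or deployment script; the only design decision of note is that the function reports what it ran rather than raising, so a caller can log the exact pfctl invocation that failed.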
Logging
Realtime logging using tcpdump:
# tcpdump -n -e -ttt -i pflog0
# tcpdump -nettti pflog0
pflogd is pf's dedicated logging daemon. Its log is binary and can be reviewed with tcpdump:
# tcpdump -n -e -ttt -r /var/log/pflog
# tcpdump -netttr /var/log/pflog
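Reading the tcpdump output by eye works for a handful of lines; for a day of pflog it helps to aggregate. The following is an added example, not code from the original guide: it parses the text that tcpdump prints for pflog records (the line layout, including both the older "rule N/N(match):" and the newer "rule N/(match)" forms, is assumed from typical tcpdump output and the sample lines are constructed), then summarises blocked packets per source and flags sources that hit several distinct ports. It handles IPv4 only; IPv6 endpoints contain colons and would need a different split.

```python
"""Summarise blocked traffic from tcpdump's rendering of pflog records.

Added example, not code from the original guide. The line format is assumed
from typical ``tcpdump -n -e -ttt -i pflog0`` / ``-r /var/log/pflog`` output
and the sample lines below are constructed. IPv4 only.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Matches both "rule 0/0(match): block in on em0:" and "rule 0/(match) block in on em0:".
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\S*\(match\):?\s+(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"\s+on\s+(?P<ifn>[^:\s]+):\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):"
)

# Constructed sample output (documentation addresses from RFC 5737).
SAMPLE = """\
00:00:00.000000 rule 0/(match) block in on em0: 198.51.100.7.40213 > 203.0.113.10.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000412 rule 0/(match) block in on em0: 198.51.100.7.40214 > 203.0.113.10.23: Flags [S], seq 1, win 65535, length 0
00:00:00.000390 rule 0/(match) block in on em0: 198.51.100.7.40215 > 203.0.113.10.3389: Flags [S], seq 1, win 65535, length 0
00:00:00.001200 rule 3/(match) pass in on em0: 192.0.2.44.51001 > 203.0.113.10.22: Flags [S], seq 7, win 65535, length 0
00:00:00.002000 rule 0/0(match): block in on em0: 192.0.2.99.5353 > 203.0.113.10.53: UDP, length 40
00:00:00.002500 rule 0/(match) block in on em0: 192.0.2.99 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
"""


def split_host_port(endpoint: str) -> Tuple[str, Optional[int]]:
    """'a.b.c.d.port' -> ('a.b.c.d', port); a bare IPv4 address (ICMP) has no port."""
    if endpoint.count(".") == 4:
        host, _, port = endpoint.rpartition(".")
        return host, int(port)
    return endpoint, None


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one pflog line, or None if it is not a pflog record."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    src_ip, src_port = split_host_port(m["src"])
    dst_ip, dst_port = split_host_port(m["dst"])
    return {"rule": int(m["rule"]), "action": m["action"], "dir": m["dir"],
            "ifn": m["ifn"], "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port}


def blocked_by_source(lines: Iterable[str]) -> Dict[str, Tuple[int, List[int]]]:
    """Map source IP -> (number of blocked packets, sorted distinct destination ports)."""
    counts: Dict[str, int] = defaultdict(int)
    ports: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "block":
            continue
        counts[rec["src_ip"]] += 1
        if rec["dst_port"] is not None:
            ports[rec["src_ip"]].add(rec["dst_port"])
    return {ip: (counts[ip], sorted(ports[ip])) for ip in counts}


def likely_scanners(summary: Dict[str, Tuple[int, List[int]]], min_ports: int = 3) -> List[str]:
    """Sources whose blocked packets touched at least ``min_ports`` distinct ports."""
    return sorted(ip for ip, (_, dports) in summary.items() if len(dports) >= min_ports)


if __name__ == "__main__":
    summary = blocked_by_source(SAMPLE.splitlines())
    for ip, (n, dports) in sorted(summary.items()):
        print(f"{ip}: {n} blocked, ports {dports}")
    print("likely scanners:", likely_scanners(summary))
```

To run it over a real log, replace SAMPLE with the output of `tcpdump -n -e -ttt -r /var/log/pflog`, for example via `subprocess` or by piping into a script that reads stdin; the three-port threshold in likely_scanners is a starting point to tune, not a rule.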
OS specifications
Do not ignore passive OS fingerprinting with pf.os(5). To list all known operating systems:
# pfctl -so
There is a risk, since any OS's behaviour can be easily crafted, but fingerprinting is still usually useful and undeservedly forgotten.
Do you know much about authpf?
I won't copy authpf(8) here. Just a few facts:
- authpf is a user shell for authenticating gateways (c) authpf(8)
- authpf is only for ssh users
- authpf uses the client's IP (from the SSH_CLIENT environment variable) and a template file to determine which additional filter and translation rules to load. The end of the ssh session removes these rules
- The typical use is a gateway with authentication
pf bugs and issues
- user and group rules, which apply to packets of sockets owned by a particular user or group, can result in a deadlock
- those who don't read pf(4), pfctl(8), pflog(4), pflogd(8), pf.conf(5), authpf(8), pfsync(4), pf.os(5), tcpdump(1), etc(n)
Feel free to contact, e-mail <keyhell@keyhell.org>