User:CFeyecare/sandbox/2

From Wikibooks, open books for an open world
Jump to navigation Jump to search
This user's work in progress page may be incomplete, and/or unreliable. The latest revision of this page is or will be located at Guide to Unix/BSD/OpenBSD/As a Firewall.

[edit | edit source]

Sandbox 1   Sandbox 2   Sandbox 3   Sandbox 4   Sandbox 5  



 

OpenBSD as a Firewall[edit | edit source]

OpenBSD includes PF ("packet filter") as a firewall.

Getting Started[edit | edit source]

To turn PF on, on boot up, create the configuration file rc.local.conf.

vi /etc/rc.local.conf

To activate PF on boot up enter the following in the configuration file:

pf=YES

To enable PF manually, enter in the following command:

pfctl -e

To disable PF manually, enter in the following command:

pfctl -d

Congratulation, you are now protected by one of the best firewalls available.

Configuring PF[edit | edit source]


Pf is a very good firewall by default however it also contains a few options. You can change the configuration of pf by editing the configuration file /etc/pf.conf.

Options[edit | edit source]

Option Description Example Description of Example
rdr Redirects traffic rdr on tl0 proto tcp from any to any port 80 -> 192.168.1.20 Redirects traffic for 192.168.1.20 on the t10 interface, for any port up to 80.
Block Blocks traffic block out on fxp0 from 192.168.0.1 to any For 192.168.0.1, blocks outgoing traffic on the fxp0 interface for any port.
Pass Allows traffic to pass through pass in all Unless stated otherwise, pf will allow all incoming traffic.
Scrub Scrubing defragments and in some cases rejects fragmented packets. scrub in all scrubs all incoming traffic on all interfaces.
Table defines groups of IPs. table <goodguys> { 172.16.0.0/16, 172.16.1.0/24, 172.16.1.100 }

block in on dc0 all
pass in on dc0 from <goodguys> to any

Allows incoming connections to <goodguys> on the dc0 interface. Blocks all other incoming connections on the dc0 interface.

Macros[edit | edit source]

Macros are the equivalent of shorthand for rules. Such as you could write:

block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any

as opposed to the long way:

block out on fxp0 from 192.168.0.1 to any
block out on fxp0 from 10.5.32.6 to any 

Scrubing[edit | edit source]

Scrubing defragments and in some cases rejects fragmented packets. This prevents your computer from becoming fragmented, however it also causes a lot of packets to be lost. To scrub an network interface enter the following in you /etc/pf.conf:

scrub in <interface>

A simple example of this is scrubing all of the interfaces.

scrub in all

Authors[edit | edit source]

If you made a contribution to this article please feel free to add your username.

See Also[edit | edit source]

  • PF on Wikipedia

References[edit | edit source]