User:CFeyecare/sandbox/2
OpenBSD as a Firewall
OpenBSD includes PF ("packet filter") as a firewall.
Getting Started
To turn PF on at boot, create the configuration file /etc/rc.conf.local:
vi /etc/rc.conf.local
To activate PF at boot, put the following line in that file:
pf=YES
To enable PF manually, run the following command:
pfctl -e
To disable PF manually, run the following command:
pfctl -d
Congratulations, you are now protected by one of the best firewalls available.
Configuring PF
PF ships with a sensible default ruleset, but it also offers a number of options. You change the configuration of PF by editing the configuration file /etc/pf.conf.
Options
Option | Description | Example | Description of Example |
---|---|---|---|
rdr | Redirects traffic | rdr on tl0 proto tcp from any to any port 80 -> 192.168.1.20 | Redirects TCP traffic arriving on the tl0 interface for port 80 to 192.168.1.20. |
block | Blocks traffic | block out on fxp0 from 192.168.0.1 to any | Blocks all outgoing traffic from 192.168.0.1 on the fxp0 interface, whatever the port. |
pass | Allows traffic to pass through | pass in all | Allows all incoming traffic on every interface (a later, more specific rule can still block some of it). |
scrub | Normalizes packets: reassembles fragments and in some cases drops fragmented packets that cannot be reassembled. | scrub in all | Scrubs all incoming traffic on all interfaces. |
table | Defines a named group of IP addresses that rules can refer to. | table <goodguys> { 172.16.0.0/16, 172.16.1.0/24, 172.16.1.100 } followed by block in on dc0 all | Defines the <goodguys> table and blocks all incoming connections on the dc0 interface; a pass rule that references <goodguys> (not shown) would then admit only those addresses. |
Macros
Macros (and the lists written in braces, shown here) are shorthand for rules. For example, you could write:
block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any
as opposed to the long way:
block out on fxp0 from 192.168.0.1 to any
block out on fxp0 from 10.5.32.6 to any
Scrubbing
Scrubbing normalizes incoming packets: fragments are reassembled, and in some cases fragmented packets that cannot be reassembled are dropped. This removes the ambiguities that fragmented traffic can create for the hosts behind the firewall, but the trade-off is that some fragmented packets may be dropped. To scrub a network interface, add the following to your /etc/pf.conf:
scrub in <interface>
A simple example of this is scrubbing all of the interfaces:
scrub in all
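Putting the options, macros, table and scrub rules above together, here is a complete /etc/pf.conf as an added example (not taken from the page or from the OpenBSD FAQ). It uses the rule syntax the page documents, where scrub and rdr are separate directives (OpenBSD releases before 4.7; later releases write these as match ... scrub and rdr-to). The interface names and addresses are assumed for illustration.

```pf
# Added example: a complete /etc/pf.conf combining the constructs described above.
# Old-style syntax (OpenBSD before 4.7). Interfaces and addresses are assumed.

# Macros: named values substituted into rules
ext_if = "fxp0"
int_if = "dc0"
web_server = "192.168.1.20"

# Table: a named set of addresses that rules can match against
table <goodguys> { 172.16.0.0/16, 172.16.1.0/24, 172.16.1.100 }

# Normalize all incoming packets (reassemble fragments, drop what cannot be reassembled)
scrub in all

# Translation: redirect inbound web traffic on the external interface to the internal server
rdr on $ext_if proto tcp from any to any port 80 -> $web_server

# Default deny. PF evaluates rules in order and the LAST matching rule wins
# (unless "quick" stops evaluation), so the specific pass rules below override this.
block all

# Allow everything on the loopback interface
pass quick on lo0 all

# Let the firewall (and hosts behind it) initiate outbound connections
pass out on $ext_if all keep state

# Block and log two specific outbound sources; placed after the pass so it wins
block out log on $ext_if from { 192.168.0.1, 10.5.32.6 } to any

# Admit only the addresses in <goodguys> on the internal interface
pass in on $int_if from <goodguys> to any keep state

# Allow the redirected web traffic. With the old syntax, rdr rewrites the
# destination before filtering, so the pass rule matches the translated address.
pass in on $ext_if proto tcp from any to $web_server port 80 flags S/SA keep state
```

Check the file for syntax errors without loading it with pfctl -nf /etc/pf.conf, then load it with pfctl -f /etc/pf.conf.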
Authors
If you made a contribution to this article, please feel free to add your username.
- CFeyecare: started the page.
See Also
- PF on Wikipedia