Pf
From wikinotes
pf is the BSD packet filter (firewall), originally written for OpenBSD. It exists in various implementations across the BSDs.
NOTE:
In pf, unlike nftables, the last matching rule is applied (unless the quick keyword is used, which stops evaluation at that rule).
Documentation
openbsd-pf documentation: http://www.openbsd.org/faq/pf/
freebsd-pf documentation: https://www.freebsd.org/doc/handbook/firewalls-pf.html
pf tutorial (from freebsd-manual): https://home.nuug.no/~peter/pf/
Tutorials
beginner's guide to pf: http://srobb.net/pf.html
NAT gateway using pf: http://draft.scyphus.co.jp/freebsd/nat.html
Locations
/etc/rc.conf     configure services
/etc/pf.conf     ruleset
/etc/services    named services/port mapping
Quickstart
config
# /etc/pf.conf
ext_if="vtnet0"
ext_ports="{ 22 80 443 }"

# sudo tcpdump -n -e -ttt -i pflog0           # watch log
# sudo tcpdump -n -e -ttt -r /var/log/pflog   # show logged

block log all
pass out all
pass in on $ext_if \
    proto tcp \
    to 192.168.1.111 port $ext_ports

commands
sudo tcpdump -n -e -ttt -i pflog0        # watch log
pfctl -nf /etc/pf.conf                   # validate pf.conf
pfctl -F all -f /etc/pf.conf             # flush/reload from pf.conf
pfctl -P -sn                             # show only nat rules
pfctl -P -sr                             # show only firewall rules
pfctl -P -s states                       # show states table
pfctl -t fail2ban -T show                # show table contents
pfctl -e                                 # enable pf
pfctl -d                                 # disable pf
pfctl -k 0.0.0.0/0 -k 192.168.1.111      # kill all states destined to 192.168.1.111
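A fuller gateway ruleset, added here as an example (not from the original notes or from any of the linked tutorials), showing the last-match and quick behaviour from the NOTE above together with a persistent table and NAT, so that the pfctl -sn / -sr / -t ... -T show commands above each have something to display. It uses FreeBSD pf syntax (scrub/nat before filter rules); the interface names, the 10.0.0.0/24 LAN range and the badhosts table name are assumptions.

```pf
# /etc/pf.conf  (added example; interface names, LAN range and table name are assumed)
ext_if="vtnet0"
int_if="vtnet1"
lan_net="10.0.0.0/24"           # constructed LAN range behind the gateway
ext_ports="{ 22 80 443 }"

# Persistent table of banned addresses, managed at runtime with e.g.
#   pfctl -t badhosts -T add 203.0.113.5
#   pfctl -t badhosts -T show
table <badhosts> persist

# Options and normalisation must precede translation and filter rules
set skip on lo0
scrub in all

# Translation: NAT the LAN out through the external interface (listed by pfctl -sn)
nat on $ext_if from $lan_net to any -> ($ext_if)

# Filter rules (listed by pfctl -sr). Evaluation order matters:
# without "quick", the LAST matching rule decides.

# Drop spoofed source addresses on the external interface; "quick" stops
# evaluation so no later "pass" can override this.
antispoof quick for $ext_if

# Same idea for the ban table: a quick block cannot be undone by later passes.
block quick from <badhosts>

# Default policy, logged to pflog0. Every "pass" below is later in the file,
# so it overrides this block for exactly the traffic it matches.
block log all

pass out all keep state
pass in on $int_if from $lan_net to any
pass in on $ext_if proto tcp to 192.168.1.111 port $ext_ports
pass in on $ext_if inet proto icmp icmp-type echoreq
```

Validate before loading (pfctl -nf /etc/pf.conf); if the two quick rules were moved below "block log all" without quick, the pass rules that follow would win for any traffic they also match, which is the reordering mistake the NOTE warns about.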
Notes
pf usage
pf configuration
pf syntax
pf examples
pf debugging