Pf configuration

From wikinotes

Documentation

(FreeBSD) pf intro https://www.freebsd.org/doc/handbook/firewalls-pf.html
(FreeBSD) man pf.conf https://www.freebsd.org/cgi/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html

Locations

/etc/rc.conf enable, and service configuration
/etc/pf.conf ruleset

Service

# /etc/rc.conf
pf_enable="YES"       # enable the pf service (the rc variable is pf_enable, not pf_enabled)
gateway_enable="YES"  # set if this host will NAT or forward packets for other hosts

pflog_enable="YES"              # enable pf logging (pflogd)
pflog_logfile="/var/log/pflog"  # (optional) change location of pflog

# start the services now (as root) instead of waiting for a reboot
service pf start
service pflog start

Ruleset

pf.conf has its own rule language with macros (variables), lists and tables, so addresses and interface names are written once and reused throughout the ruleset.

# /etc/pf.conf

# Macros (variables)
WAN_ipaddr = "192.168.1.1"      # your external ip
ext_if   = "vtnet0"             # interface carrying external traffic
jail_if  = "lo1"                # interface carrying internal (jail) traffic
jail_net = $jail_if:network     # the network configured on lo1

# Rules
nat on $ext_if from $jail_net to any -> $WAN_ipaddr # NAT traffic from the jail network to the external ip

# Controlling the firewall with pfctl (run as root)
pfctl -e                      # enable firewall
pfctl -d                      # disable firewall
pfctl -vnf /etc/pf.conf       # parse pf.conf and print the rules without loading them (check for errors first)
pfctl -f /etc/pf.conf         # reload the ruleset, keeping existing states
pfctl -F all -f /etc/pf.conf  # flush everything (rules, states, tables), then reload; drops established connections
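A fuller ruleset built around the NAT rule above, as an added example rather than part of these notes: it keeps the macros from the notes and adds a default-deny policy, logging of dropped packets to pflog, and a table that collects hosts exceeding an ssh connection rate. The admin_net and services macros and the <bruteforce> table name are assumptions; adjust them to your host.

```pf
# /etc/pf.conf (added example; interface names and addresses taken from the notes above)

# Macros
WAN_ipaddr = "192.168.1.1"
ext_if     = "vtnet0"
jail_if    = "lo1"
jail_net   = $jail_if:network
admin_net  = "192.168.1.0/24"          # hosts allowed to reach sshd (assumed value)
services   = "{ 80, 443 }"             # ports published to the world (assumed value)

# Tables persist across rule reloads and are cheap to update with pfctl -t
table <bruteforce> persist

# Options
set skip on lo0                        # never filter the loopback itself
set loginterface $ext_if               # pfctl -si reports counters for this interface

# Normalisation
scrub in on $ext_if all

# Translation: jails share the host's external address
nat on $ext_if from $jail_net to any -> $WAN_ipaddr

# Filtering: default deny, everything dropped is logged to pflog
block log all
antispoof quick for { lo0 $ext_if }

# Hosts that tripped the rate limit below are dropped before any pass rule
block in quick on $ext_if from <bruteforce>

# ssh only from the management network; more than 5 new connections in 30 s
# adds the source to <bruteforce> and kills its existing states
pass in on $ext_if proto tcp from $admin_net to $WAN_ipaddr port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Public services
pass in on $ext_if proto tcp from any to $WAN_ipaddr port $services keep state

# Host and jails may go out; replies return through the state table
pass out on $ext_if keep state
pass on $jail_if
```

Check it with pfctl -vnf /etc/pf.conf before loading; tcpdump -n -e -ttt -i pflog0 then shows what the block rule is dropping.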

See pf syntax for much more detail.
See pftop for an interactive tool to monitor traffic.