Pf configuration
From wikinotes

Documentation

Locations

  /etc/rc.conf    enable, and service configuration
  /etc/pf.conf    ruleset

Service
  # /etc/rc.conf
  pf_enable="YES"                 # enable service (the rc.conf variable is pf_enable, not pf_enabled)
  gateway_enable="YES"            # set if you will be doing NAT, or forwarding packets to other servers
  pflog_enable="YES"              # enable pf logging
  pflog_logfile="/var/log/pflog"  # (optional) change location of the pflog file

  service pf start
  service pflog start
Ruleset

pf.conf is written in its own rule language. You can define macros (variables), lists and so on, and reuse them in rules.
  # /etc/pf.conf
  # Variables
  WAN_ipaddr = "192.168.1.1"   # your external ip
  ext_if = "vtnet0"            # a variable for the interface carrying external traffic
  jail_if = "lo1"              # a variable for the interface carrying internal traffic
  jail_net = $jail_if:network  # the network attached to lo1

  # Rules
  nat on $ext_if from $jail_net to any -> $WAN_ipaddr  # NAT traffic from the jail network out through the external address

  pfctl -e                       # enable firewall
  pfctl -d                       # disable firewall
  pfctl -F all -f /etc/pf.conf   # flush all rules, reload from file
  pfctl -vnf /etc/pf.conf        # check pf.conf for errors without loading it

See pf syntax for much more detail.
See pftop for an interactive tool to monitor traffic.
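The ruleset above only translates addresses; it does not filter anything, so every port on the host and in the jails stays reachable. The following is an added example (not from the original page) that wraps the same nat rule in a default-deny policy with logging to pflog; the interface names, the external address, the jail address $jail_web and the admin port list are assumptions to adapt, and the file should be checked with pfctl -vnf before loading.

```pf
# /etc/pf.conf (added example: the page's NAT rule inside a default-deny policy)
ext_if     = "vtnet0"      # assumed external interface
jail_if    = "lo1"         # assumed jail interface
WAN_ipaddr = "192.168.1.1" # assumed external address
jail_net   = $jail_if:network
jail_web   = "10.0.0.10"   # assumed jail hosting a web service
admin_tcp  = "{ 22 }"      # assumed ports exposed on the host itself

set skip on lo0            # never filter loopback
set block-policy drop      # drop silently, send no RST / ICMP unreachable

# Reassemble fragments before any rule is evaluated.
scrub in all

# Translation: NAT the jail network outward, forward port 80 to one jail.
nat on $ext_if from $jail_net to any -> $WAN_ipaddr
rdr on $ext_if proto tcp from any to $WAN_ipaddr port 80 -> $jail_web port 80

# Drop packets on other interfaces that claim a source address from $ext_if's network.
antispoof quick for $ext_if

# Default deny in both directions; every dropped packet is logged to pflog0.
block log all

# Host management and the forwarded web service (rdr already rewrote the
# destination, so the pass rule matches the jail address), stateful.
pass in on $ext_if proto tcp from any to $WAN_ipaddr port $admin_tcp keep state
pass in on $ext_if proto tcp from any to $jail_web port 80 keep state

# Jails and the host may open connections outward.
pass in on $jail_if from $jail_net to any keep state
pass out on $ext_if from { $WAN_ipaddr $jail_net } to any keep state
```

Blocked packets can then be inspected with tcpdump on pflog0 or in /var/log/pflog, which is what pflog_enable in rc.conf sets up.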