Questions tagged [pf]

pf is the OpenBSD Packet Filter, a feature-rich IP-layer firewall used on FreeBSD, NetBSD, and Mac OS X, as well as in the pfSense open-source firewall appliance software.

pf is a Packet Filtering firewall originally developed by the OpenBSD project, and since adopted by FreeBSD, NetBSD and Mac OS X (10.7 Lion & up). pf is also used in the pfSense project's firewall code.

pf features include:

  • Packet Filtering
  • Network Address Translation (NAT)
  • Port Redirection
  • Packet Queueing / QoS
  • Load Balancing
  • "Policy Filtering" (packet tagging)

More information on the pf firewall can be found in the OpenBSD FAQ, including some examples.

141 questions
8 votes, 4 answers

OpenBSD/FreeBSD Firewall w/ GUI that is compatible with Intel 82574L Gigabit LAN NICs

I recently purchased a server to run m0n0wall or pfSense but I've learned since then that both of these firewall products are based on versions of FreeBSD which weren't yet compatible with the NICs in my new server. The SuperMicro server that I…
Zen Master
7 votes, 2 answers

Can I create a pf rule involving MAC address instead of IP?

The title is self-explanatory. I want to create rules in pf running on OpenBSD 4.9 for a particular MAC address, something like: pass in on eth0 from mac 00:04:34:5f:34:33 to mac 34:32:34:06:5e:22. I have read this, but it doesn't help!!
Vineet Menon
6 votes, 0 answers

pfSense Internal Traffic Policy Based Routing

What is the current and correct way to apply policy based routing to pfSense internal traffic (originating from the firewall itself)? Creating a floating rule with the WAN interfaces selected, direction OUT and a gateway defined does not work…
Monstieur
6 votes, 1 answer

pf slows traffic extremely down

I am running a web and mail server on FreeBSD 9.1. The system is installed on a KVM vServer. Everything works fine - until I enable pf(4). My weblog becomes unconscionably slow. So does all the other traffic, but this is not that annoying. So it…
Steffen
5 votes, 1 answer

pf (Mac OS X) rule to redirect all traffic to a specific ip/port

I'm trying to recreate this iptables setup (from https://github.com/darkk/redsocks) with pf:

    iptables -t nat -A REDSOCKS -p tcp -d 10.0.0.0/8 -j REDIRECT --to-ports 12345
    iptables -t nat -A OUTPUT -p tcp -j REDSOCKS

I want to redirect all…
bkolobara
5 votes, 1 answer

Block Google requests to 16k using pf firewall

I'd like to block access to Google search using PF after the threshold of 17500 requests (connection established) in 24h, from a host running FreeBSD 9. What I came up with, after reading pf-faq is this rule: pass out on $net proto tcp from any to…
atmosx
5 votes, 1 answer

OS X 10.8: redirecting locally initiated ssh connections to localhost:22

I need to hack the OS X pf to redirect all ssh connections from a user to this machine. I want, when doing $ ssh google.com, to get the same results as with $ ssh localhost, i.e. a connection to my locally running sshd. Under a recent Linux, this…
foxx1337
5 votes, 1 answer

How to check pf's queues?

I use FreeBSD and am working with pf+ALTQ now. Something doesn't work and I need a tool to view what requests are marked and moved to a queue "queue_name". Need something like pftop but showing queues. Can anyone help?
Sergey
4 votes, 1 answer

Changing PF rules on the fly to mitigate damage of DDoS (OpenBSD 6.4)

This is a two part question, really. Keep in mind that I am a developer not a system admin, but being the only employee in the company, I wear ALL the hats. I have deployed my server with two firewalls running on CARP for load balancing/redundancy…
Miguel
4 votes, 1 answer

PF vs -m of iptables

As you know, iptables has -m (match), such as: -m string, -m state, -m -iplimit and so on... My question: Does PF have features similar to -m of iptables?
PersianGulf
4 votes, 3 answers

How can one redirect to a new host all traffic destined for an old host?

We're moving a bunch of services, say from 1.2.3.4 to 5.6.7.8. In order to test that the new services are correctly configured, we'd like to redirect (to the new host) all traffic destined for the original host that originates from our testing…
eggyal
4 votes, 1 answer

PF Firewall on OSX with IceFloor

I have set up pf using IceFloor on my OSX 10.9 system running Server 3.0.2. Everything seems to be fine except that I cannot connect to the system using the DNS name or the public IP from localhost. E.g. I can connect to http/port 80 from the…
lluuaapp
4 votes, 1 answer

routing table vs PF precedence

I am wondering when a packet reaches an interface and I have some PF rules, which gets checked first, the routing table or the ruleset?

    ext_if = "em0"
    int_if = "em1"
    localnet = $int_if:network
    VPN_if = 172.16.0.110
    nat log on $ext_if from any to…
nawar
4 votes, 1 answer

pfctl in OpenBSD and FreeBSD

I've noticed that both FreeBSD and NetBSD have extra pfctl options: pfctl [-AdeghmNnOPqRrvz] But OpenBSD doesn't, it's missing around five of the extra options: pfctl [-deghnPqrvz] I would have thought that as pf is from OpenBSD that it would have…
Jak
4 votes, 2 answers

Create a rule using shell in fresh pfSense installation to open up WAN access to WebConfigurator

I am in a situation where I require WAN access to be opened up to the WebConfigurator through pfSense because I do not have another node connected to the same network to access WebConfigurator from the inside. Ideally I would like to just do this in…
tacos_tacos_tacos