
PF (Packet Filter) firewall package based on dynamic configuration (stateful rules)


PF (Packet Filter) is the stateful packet filter, or firewall, written for OpenBSD. It replaced Darren Reed's IPFilter in OpenBSD because of problems with the license, namely that Reed had to give the OpenBSD developers permission to change the code.

Theo de Raadt said when IPFilter was removed: "the software that OpenBSD uses and shares should be free for all (both users and companies), for any purpose you want to be given, including their modification, use, piss on it or even join babies in crushing machines or atomic bombs to drop in Australia." Because of the OpenBSD team's discomfort with Reed's license, it was decided to replace the entire package rather than lose more time trying to negotiate the issue.

PF has since developed very rapidly, and as of OpenBSD 3.8 it has many advantages over other firewall options. Its filtering syntax is very similar to IPFilter's, but was modified to make it clearer. Network address translation (NAT) and Quality of Service (QoS) were integrated seamlessly into PF to allow greater flexibility. QoS was achieved by integrating Alternate Queueing (ALTQ) into PF.

PF can be used to build flexible firewall devices. Related features include pfsync and the Common Address Redundancy Protocol (CARP), authpf (session ID), an FTP proxy, and others.

PF was ported to NetBSD 3.0 by itojun, has been installed in the default configuration of FreeBSD since version 5.3, and has appeared in DragonFly since version 1.2.

Commands and Options - PF (Packet Filter) Firewall

pfctl -e -> enables PF
pfctl -d -> disables PF
pfctl -f /etc/pf.conf -> if there are no syntax errors, the new rules are loaded into PF

Example pf.conf file - PF (Packet Filter) Firewall

## Macros
# Internal interface (connected to the LAN).
int_if = "xl0"
## Options
# Set the default policy to return RSTs or ICMPs for blocked traffic.
set block-policy return
# Ignore the loopback interface completely.
set skip on lo0
## Redirection rules
# NAT traffic on the interface in the default egress interface group
# (the group assigned to the interface that holds the default route)
# from the local network.
nat on egress from $int_if:network to any -> (egress)
## Filter rules
# Default deny rule; all blocked packets are logged.
block log all
# Pass all traffic to and from the local network, using quick so that
# later rules are not evaluated for this case. Some rulesets restrict
# local traffic further.
pass quick on $int_if all
# Allow all outbound traffic, keeping state so that replies are passed
# automatically. Many rulesets have many rules here, restricting inbound
# and outbound traffic on the external (egress) interface.
pass out keep state
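
How the filter rules above are evaluated, as an added Python sketch (not part of the original page or of PF): the state table is checked first, then the rules are walked with the last match winning unless a rule is marked quick. The names Rule, Packet and evaluate are hypothetical, the egress interface is assumed to be "em0", and matching is simplified to direction and interface only.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out", or None for both
    iface: Optional[str] = None      # None matches any interface
    quick: bool = False
    log: bool = False
    keep_state: bool = False

@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    src: str
    dst: str

# The three filter rules of the example pf.conf (egress assumed to be "em0").
RULES = [
    Rule("block", log=True),                         # block log all
    Rule("pass", iface="xl0", quick=True),           # pass quick on $int_if all
    Rule("pass", direction="out", keep_state=True),  # pass out keep state
]
SKIP = {"lo0"}                                       # set skip on lo0

def evaluate(pkt, rules, states):
    """Return (action, logged) for pkt; states is a mutable set of flows."""
    if pkt.iface in SKIP:
        return "pass", False          # filtering is skipped on this interface
    if (pkt.iface, pkt.src, pkt.dst) in states:
        return "pass", False          # matches a state; the rules are not consulted
    verdict = Rule("pass")            # implicit pass when no rule matches
    for rule in rules:
        if rule.direction not in (None, pkt.direction):
            continue
        if rule.iface not in (None, pkt.iface):
            continue
        verdict = rule                # the last matching rule wins ...
        if rule.quick:
            break                     # ... unless it is marked quick
    if verdict.action == "pass" and verdict.keep_state:
        # Simplified state key (real PF also keys on protocol and ports);
        # both directions are recorded so the reply passes automatically.
        states.add((pkt.iface, pkt.src, pkt.dst))
        states.add((pkt.iface, pkt.dst, pkt.src))
    return verdict.action, verdict.log
```

With this ruleset an unsolicited inbound packet on the external interface is blocked and logged, while the same packet passes once an outbound packet has created the matching state.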

Logging - PF (Packet Filter) Firewall

PF logging is configured by rules in pf.conf. The logs are kept in the binary tcpdump/pcap format.

You can access the logs through the pseudo network interface called 'pflog' using a utility such as tcpdump. Alternatively, the 'pflogd' utility can collect the logs and write them to the binary log file /var/log/pflog, which can also be read with tcpdump, Ethereal and other similar applications.
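
What a reader of that binary log has to decode, as an added Python sketch (not from the original page): it walks the pcap container and extracts the leading fields of each pflog record. The link type 117 and the header field order are assumptions about the pflog record format that should be checked against your system's headers; the sample capture is constructed and the function names are hypothetical.

```python
import struct

DLT_PFLOG = 117                      # assumed pcap link type for PF log records
ACTIONS = {0: "pass", 1: "block"}    # assumed values of PF_PASS and PF_DROP

def parse_pflog(data):
    """Yield (timestamp, action, interface, rule number) per logged packet."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"                    # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        end = ">"                    # file written on a big-endian host
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != DLT_PFLOG:
        raise ValueError("link type %d is not pflog" % linktype)
    off = 24                         # records follow the 24-byte file header
    while off + 16 <= len(data):
        ts, _usec, caplen, _origlen = struct.unpack(end + "IIII", data[off:off + 16])
        rec = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(rec) < 40:
            continue                 # truncated pflog header, skip the record
        # length, af, action, reason, ifname[16], ruleset[16], rulenr (network order)
        _len, _af, action, _reason, ifname, _ruleset, rulenr = struct.unpack(
            "!BBBB16s16sI", rec[:40])
        name = ifname.split(b"\0")[0].decode("ascii", "replace")
        yield ts, ACTIONS.get(action, "other(%d)" % action), name, rulenr

def build_sample():
    """Constructed capture: one packet blocked on em0 by rule 0."""
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 160, DLT_PFLOG)
    pflog_hdr = struct.pack("!BBBB16s16sI", 61, 2, 1, 0, b"em0", b"", 0)
    rec = pflog_hdr + b"\0" * 24     # remaining header fields, zeroed; no payload
    rec_hdr = struct.pack("<IIII", 1250000000, 0, len(rec), len(rec))
    return file_hdr + rec_hdr + rec
```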

Other definitions - PF (Packet Filter) Firewall

Packet Filter (hereinafter referred to as PF) is OpenBSD's system for filtering TCP/IP traffic and doing Network Address Translation. PF is also capable of normalizing and conditioning TCP/IP traffic and of providing bandwidth control and packet prioritization. PF has been part of the generic OpenBSD kernel since OpenBSD 3.0. Earlier OpenBSD versions used a different firewall/NAT package that is no longer supported.
PF was originally developed by Daniel Hartmeier and is now maintained and developed by the OpenBSD team.

This set of documents, also available in PDF format, is designed as a general introduction to the PF system as run on OpenBSD. Even though it covers all the main characteristics of PF, it is only intended to be used as a supplement to the manual pages, and not as a substitute for them.

For a complete and detailed view of what PF can do, please start by reading the pf(4) manual page.

As with the rest of the FAQ, this set of documents focuses on users of OpenBSD 4.6. As PF is always growing and developing, there are changes and improvements between the 4.6 version and the version in OpenBSD-current, as well as differences between 4.6 and earlier versions. The reader is advised to consult the man pages for the version of OpenBSD they are currently working with.

What is OpenBSD-Firewall? - PF (Packet Filter) Firewall

OpenBSD-Firewall (the PF packet filter) is a BSD-licensed stateful packet filter, a central piece of software for firewalls. A firewall can commonly be defined as a dedicated device, or software running on another computer, that inspects network traffic passing through it and denies or permits passage based on a set of rules. More specifically, a firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks (defined as attempts to gain unauthorized access to our network, disruption of services, eavesdropping on or altering communications, and theft or corruption of data or software) from the outside and from within.
