PF (Packet Filter), a stateful, rule-based firewall
ABOUT THE CONFIGURATION-BASED FIREWALL
Basic Definition
PF (Packet Filter) is the packet filter, or stateful rule-based firewall, written for OpenBSD. It replaced Darren Reed's IPFilter in OpenBSD because of licensing problems: Reed's license did not allow the OpenBSD developers to modify the code without his permission.
Theo de Raadt said IPFilter was removed because "the software that OpenBSD uses and redistributes must be free to all (both users and companies), for any purpose they wish, including modification, use, peeing on it or even integrating it into baby-crushing machines or atomic bombs to be dropped on Australia". Because of the OpenBSD team's discomfort with Reed's license, it was decided to replace the whole package rather than waste time trying to negotiate the issue.
PF has since developed very quickly, and by OpenBSD 3.8 it had clear advantages over other firewall options. The filtering syntax is similar to IPFilter's, although modified to make it clearer. Network Address Translation (NAT) and quality of service (QoS) were integrated seamlessly into PF, allowing greater flexibility; the Alternate Queueing (ALTQ) QoS framework was integrated into PF itself.
PF can be used to build flexible firewall appliances, since it includes features such as pfsync and the Common Address Redundancy Protocol (CARP) for failover, authpf (per-session user authentication), an FTP proxy and other PF-related extras.
PF was ported to NetBSD 3.0 by itojun, has been part of the default FreeBSD installation since version 5.3, and has been in DragonFly BSD since version 1.2.
- pfctl -e -> enables PF
- pfctl -d -> disables PF (all traffic then passes unfiltered)
- pfctl -f /etc/pf.conf -> loads the ruleset from the file; if it contains syntax errors nothing is loaded and the previous rules stay active
- pfctl -nf /etc/pf.conf -> parses the file without loading it (syntax check only)
pf.conf file example
## Macros
# Internal interface (connected to the local network).
int_if = "xl0"

## Options
# Set the default policy to return RSTs or ICMP unreachables for blocked traffic.
set block-policy return
# Ignore the loopback interface completely.
set skip on lo0

## Translation rules
# NAT traffic from the local network on the "egress" interface group
# (the interface that carries the default route).
nat on egress from $int_if:network to any -> (egress)

## Filter rules
# Default deny rule; log all blocked packets.
block log all
# Pass all traffic to and from the local network, using quick so that
# later rules are not evaluated for it. Some setups restrict local
# traffic further.
pass quick on $int_if all
# Allow all outgoing traffic, keeping state so that replies pass
# automatically. Many setups add further rules here restricting
# incoming and outgoing traffic on the external interface (egress).
pass out keep state
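The following script is an added example, not code from the page or from the OpenBSD FAQ. It ties the pfctl commands above to the example pf.conf: it writes a ruleset that tightens that example (packet normalization, antispoof on the internal interface, only ssh exposed on the external side with a rate limit feeding a block table), checks it with pfctl -n, and loads it only if the check passes, with an optional timed rollback for remote editing. It assumes OpenBSD 4.6-era syntax (nat ... -> (egress)) and pfctl(8) in PATH; the PFCTL variable, the function names and the interface name em1 used in the usage comment are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the page or the OpenBSD FAQ): generate a ruleset that
# tightens the example pf.conf above, check it with "pfctl -n", and only then
# load it with "pfctl -f". Assumes OpenBSD 4.6-era syntax (nat ... -> (egress))
# and pfctl(8) in PATH. PFCTL can be overridden (e.g. with a stub function) to
# exercise the logic on a machine without PF or root.
PFCTL="${PFCTL:-pfctl}"

# pf_write_ruleset INT_IF OUTFILE
# Compared with "pass quick on $int_if all" / "pass out keep state", this ruleset
# also normalizes packets, drops spoofed sources on the internal interface, and
# exposes only ssh on the external side, with a rate limit feeding a block table.
pf_write_ruleset() {
    int_if="$1"; out="$2"
    cat > "$out" <<EOF
## Macros
int_if = "$int_if"
tcp_services = "{ ssh }"
table <bruteforce> persist

## Options
set block-policy return
set skip on lo0

## Normalization: reassemble fragments and drop packets with illegal flag combinations
scrub in all

## Translation rules
nat on egress from \$int_if:network to any -> (egress)

## Filter rules
block log all
antispoof quick for \$int_if
block quick from <bruteforce>
pass quick on \$int_if all
pass out on egress keep state
pass in on egress proto tcp to (egress) port \$tcp_services flags S/SA keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
EOF
}

# pf_check FILE: parse FILE without loading it (pfctl -n). Exit status is pfctl's.
pf_check() {
    "$PFCTL" -nf "$1"
}

# pf_load FILE: load FILE only after pf_check succeeds, so an edit with a typo
# is reported before anything touches the live ruleset. Returns 1 on a bad file.
pf_load() {
    if ! pf_check "$1" >/dev/null 2>&1; then
        echo "pf_load: $1 has syntax errors, live ruleset left untouched" >&2
        return 1
    fi
    "$PFCTL" -f "$1"
}

# pf_load_with_rollback NEW OLD SECONDS
# Load NEW, then reload OLD after SECONDS unless the printed PID is killed.
# Guards against locking yourself out of a remote box with a bad "block" rule:
#   pid=$(pf_load_with_rollback /etc/pf.conf.new /etc/pf.conf 60); kill "$pid"
pf_load_with_rollback() {
    pf_load "$1" || return 1
    ( sleep "$3"; "$PFCTL" -f "$2" ) &
    echo $!
}

# Typical use on the firewall itself (em1 is an assumed internal interface):
#   pf_write_ruleset em1 /etc/pf.conf.new && pf_load /etc/pf.conf.new
```

The rollback helper is the usual remote-editing safeguard: if the new ruleset cuts your ssh session, the old one comes back by itself; if the session survives, kill the printed PID to keep the new rules.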
PF logging is configured per rule in pf.conf (the 'log' keyword, as in 'block log all' above). The logs are written in the binary tcpdump/pcap format.
You can read the logs live from the network pseudo-device called 'pflog' using a utility such as tcpdump. Alternatively, the 'pflogd' daemon collects the logs into the binary file /var/log/pflog, which can also be read with tcpdump, Ethereal (now Wireshark) and similar tools.
The tcpdump/pcap format has been slightly extended to record firewall information (the matching rule number, the pass/block action and the interface); this information is only shown by utilities that understand this encoding, including recent versions of tcpdump and Ethereal.
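The script below is an added example, not part of the page: it reads the text that tcpdump prints for pflog records (from 'tcpdump -n -e -ttt -i pflog0' live, or '-r /var/log/pflog' for the archive) and counts blocked packets per source address and interface, which is the first thing a practitioner wants from the pflog data. The "rule N/(match) block in on IF: SRC.PORT > DST.PORT" layout it parses is the shape of tcpdump's pflog output; the sample lines used to exercise it are constructed, not captured, and the function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the page): summarise blocked traffic from pflog output.
# Live:    tcpdump -n -e -ttt -i pflog0 | pflog_blocked_by_src
# Archive: tcpdump -n -e -ttt -r /var/log/pflog | pflog_blocked_by_src

# pflog_blocked_by_src: reads tcpdump pflog lines on stdin and prints
# "<count> <src-ip> <iface>" for packets PF blocked, most frequent first.
# Assumed record layout (what tcpdump -e prints for pflog):
#   ... rule N/(match) block in on IF: SRC.PORT > DST.PORT: ...
# Passed packets and lines that do not carry a rule header are ignored.
pflog_blocked_by_src() {
    awk '
        # match the "rule N/... block in|out on IF:" header
        match($0, /rule [0-9]+\/[^ ]* block (in|out) on [A-Za-z0-9]+:/) {
            hdr = substr($0, RSTART, RLENGTH)
            n = split(hdr, h, " ")
            iface = h[n]; sub(/:$/, "", iface)
            rest = substr($0, RSTART + RLENGTH)
            split(rest, f, " ")            # f[1] is "SRC.PORT" or "SRC" (icmp)
            src = f[1]
            # strip a trailing ".PORT": an IPv4 address has exactly three dots
            if (split(src, o, ".") == 5) sub(/\.[0-9]+$/, "", src)
            count[src " " iface]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}
```

Sources that show up at the top of this list are candidates for a PF table fed by a 'block quick from <table>' rule; the awk keeps only the source and interface, so the same function works on both the live device and archived files.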
Packet Filter (from here on referred to as PF) is OpenBSD's system for filtering TCP/IP traffic and doing Network Address Translation. PF is also capable of normalizing and conditioning TCP/IP traffic and provides bandwidth control and packet prioritization. PF has been part of the OpenBSD kernel since OpenBSD 3.0. Earlier versions of OpenBSD used a different firewall/NAT package which is no longer supported.
PF was originally developed by Daniel Hartmeier and is now maintained and developed by the entire OpenBSD team.
This set of documents, also available in PDF format, is intended as a general introduction to the PF system as run on OpenBSD. Although it covers all the main features of PF, it is only intended as a supplement to the manual pages, not a substitute for them.
For a complete and detailed view of what PF can do, please start by reading the pf(4) man page.
As with the rest of the FAQ, this set of documents is aimed at users of OpenBSD 4.6. As PF is always growing and developing, there are changes and enhancements between the 4.6 version and the version in OpenBSD-current, as well as differences between 4.6 and previous versions. The reader is advised to consult the man pages for the version of OpenBSD they are currently working with.
OpenBSD's PF (packet filter) is a BSD-licensed stateful packet filter and the central piece of the OpenBSD firewall. In general, a firewall is a dedicated device, or software running on a computer, that inspects the network traffic passing through it and permits or denies it according to a set of rules. More specifically, a firewall is a means of protecting hosts and networks connected to other hosts and networks against attacks (attempts to gain unauthorized access to our network, disrupt listening services, alter communications, steal data or software, or corrupt data or software), whether they come from outside or from within.