Quick introduction to Packet Filter
Packet Filter (pf) is the OpenBSD subsystem that controls the flow of network packets; read more about it in the OpenBSD FAQ and its man page.
As a service it can be enabled or disabled with rcctl, or directly with the pfctl program. PF uses /etc/pf.conf as its main configuration file; after boot, further rules can be loaded from other files if needed.
To set up a simple firewall, edit /etc/pf.conf. The default file comes with very simple rules:
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
This configuration allows all incoming and outgoing connections, except for what the comments call out: remote connections to X11, and network access for the _pbuild user that the ports system builds under.
After boot, PF operation can be managed with pfctl:
pfctl -f /etc/pf.conf     Load the pf.conf file
pfctl -nf /etc/pf.conf    Parse the file, but don't load it
pfctl -sr                 Show the current ruleset
pfctl -ss                 Show the current state table
pfctl -si                 Show filter stats and counters
pfctl -sa                 Show EVERYTHING it can show
The documentation states that when a packet is logged, a copy of its header is sent to the pflog interface together with additional data such as the interface, the action pf took, and so on.
The pflog interface allows user-space applications to receive this data from the kernel. At boot, when pf is enabled, pflogd is also started; by default it listens on pflog0 and writes to the file /var/log/pflog.
To read the log file:
# tcpdump -n -e -ttt -r /var/log/pflog
To read the log in real time:
# tcpdump -n -e -ttt -i pflog0
The simplified syntax for filter rules is:
action [direction] [log] [quick] [on interface] [af] [proto protocol] [from src_addr [port src_port]] [to dst_addr [port dst_port]] [flags tcp_flags] [state]
Start changing the default configuration by setting the default policy to deny and logging all packets. Change the configuration file so that the block-all rule is the first filter rule:
int_if = "re0"
lan_net = "10.0.0.0/24"

set skip on lo

# scrub incoming packets
match in all scrub (no-df)

set block-policy drop    # block silently

block drop log all       # block and log everything

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# allow out dns
pass out on $int_if proto udp to 10.0.0.254 port domain
# allow out ntp
pass out on $int_if proto udp to any port ntp
# allow out https
pass out on $int_if proto tcp to any port 443
# allow out ssh
pass out on $int_if proto tcp to any port { 22, 2222 }

# allow in ssh
pass in log on $int_if proto tcp from any to 10.0.0.10 port 22

# do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

# port build user does not need network
block out log proto {tcp udp} user _pbuild
To reload the configuration file:
# pfctl -f /etc/pf.conf
To see which ports are listening:
# netstat -na -f inet | grep LISTEN
To check the loaded rules:
# pfctl -sr
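As an added example (not from this page or from OpenBSD), a small Python checker that parses rules written in the simplified syntax above, expands $macros, and reports two things worth settling before pfctl -f: that a "block ... all" default-deny rule precedes the first pass rule, and that every inbound pass rule carries log. The sample ruleset is constructed from the configuration above; the script is a review aid and does not replace pfctl -nf.

```python
import re

# Constructed sample ruleset, trimmed from the default-deny pf.conf above.
SAMPLE_PF_CONF = """\
int_if = "re0"
set skip on lo
match in all scrub (no-df)
set block-policy drop
block drop log all
block in quick from urpf-failed
pass out on $int_if proto udp to 10.0.0.254 port domain
pass out on $int_if proto tcp to any port { 22, 2222 }
pass in log on $int_if proto tcp from any to 10.0.0.10 port 22
"""

def parse_rules(text):
    """Parse pass/block/match rules into dicts; comments and 'set' lines are skipped."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', line):   # macro, e.g. int_if = "re0"
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        toks = line.split()
        if not toks or toks[0] not in ("pass", "block", "match"):
            continue
        rule = {"action": toks[0], "log": "log" in toks, "quick": "quick" in toks,
                "direction": next((t for t in toks if t in ("in", "out")), None),
                "text": line, "port": None}
        for key in ("on", "proto", "from", "to"):
            if key in toks:
                rule[key] = toks[toks.index(key) + 1]
        pm = re.search(r"port\s+(\{[^}]*\}|\S+)", line)   # single port or { a, b } list
        if pm:
            rule["port"] = sorted(p.strip() for p in pm.group(1).strip("{}").split(","))
        rules.append(rule)
    return rules

def audit(rules):
    """Findings to settle before pfctl -f: default deny comes first, inbound passes are logged."""
    findings = []
    first_pass = next((i for i, r in enumerate(rules) if r["action"] == "pass"), len(rules))
    if not any(r["action"] == "block" and "all" in r["text"].split() for r in rules[:first_pass]):
        findings.append("no 'block ... all' default-deny rule ahead of the first pass rule")
    for r in rules:
        if r["action"] == "pass" and r["direction"] == "in" and not r["log"]:
            findings.append("unlogged inbound pass rule: " + r["text"])
    return findings
```

Run audit(parse_rules(open("/etc/pf.conf").read())) against a real file; an empty list means both checks passed.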
This is part of the LeetIO System Documentation. Copyright (C) 2021 LeetIO Team. See the file Gnu Free Documentation License for copying conditions.