pf (packet filter)

From Wikipedia, the free encyclopedia

pf (short for packet filter) is firewall software that was originally written for the OpenBSD operating system.

Besides packet filtering, pf also provides NAT, i.e. the translation of the addresses of a private network into Internet addresses, and can regulate the data rate of the filtered or translated traffic (see QoS). Furthermore, pf offers filtering based on the sender's operating system, extended packet handling (reassembly of fragmented packets) and an authentication mode called authpf.

History

pf was created when the OpenBSD project removed the previously included packet filter IPFilter because of licensing problems and needed a replacement. It was started in June 2001 by Daniel Hartmeier and has been part of OpenBSD since OpenBSD 3.0 (released December 1, 2001). pf has since been ported to FreeBSD, NetBSD, DragonFly BSD and Mac OS X as well.

Example

pf can be configured with rules that are easy to read (compared to iptables) and that roughly follow the syntax below. Round brackets (…|…) denote required elements, square brackets […|…] optional ones:

 (pass|block [drop|return|return-icmp|return-icmp6|return-rst]|match) [in|out] [log] [quick]
 [on <interface>] [on rdomain <number>] [inet|inet6] [proto (tcp|udp|icmp|icmp6)]
 ([from <src> [port <src>][os <src>]|to <dest> [port <dest>]]|all) [flags <a>/<b>]
 [icmp-type <type> code <code>|icmp6-type <type> code <code>] [probability <number>]
 [user <user>] [nat-to <src>|rdr-to <dst>]

The following rules block all packets from hosts that are not allowed to deliver mail ($blocked_hosts) and allow delivery from all others:

 blocked_hosts = { 223.33.14.23, 34.12.34.0/24, 17.0.0.0/8 }

 pass in on em0 inet proto tcp from any to self port { 25, 587 }
 block in on em0 inet proto tcp from $blocked_hosts to self port { 25, 587 }

Here em0 is the network interface on which the filtering takes place, in is the direction (incoming), inet stands for IPv4 packets, proto tcp restricts the rule to TCP packets, the symbolic constant any matches all hosts (0.0.0.0 in IP notation), and self is the interface's own IP address. Lists such as the two ports are written in braces.

A special feature of pf is that the last matching rule always wins, so the most specific rules usually sit at the bottom and the most general ones at the top (blacklisting). Whitelisting is implemented with a rule at the beginning that forbids everything, followed by rules that permit specific traffic.

Reversing the order of the rules shown here would therefore let everyone deliver mail, since the hosts blocked by the first rule would be allowed through by the second.
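To make the ordering rule concrete, here is an added example that is not pf's own code and not part of the article: a small Python model of pf's evaluation over the subset of pf.conf syntax used above. It parses macros, brace lists and the keywords pass/block/match, in/out, quick, on, proto, from, to and port, then applies last-matching-rule semantics; a rule marked quick (from the syntax summary above) ends evaluation at that rule, and match rules never decide. A packet that matches no rule at all is passed, which is pf's default. The em0 address 203.0.113.10 and the unlisted source hosts used in the checks are constructed values; self is resolved against that constructed interface table.

```python
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed (RFC 5737 documentation) address for em0; `self` expands to it.
IFACE_ADDRS = {"em0": "203.0.113.10"}

# The article's mail rules, in the order given there (blocking rule last).
MAIL_RULES = """
blocked_hosts = { 223.33.14.23, 34.12.34.0/24, 17.0.0.0/8 }
pass in on em0 inet proto tcp from any to self port { 25, 587 }
block in on em0 inet proto tcp from $blocked_hosts to self port { 25, 587 }
"""
# The same rules reversed (the article's warning case), and reversed with `quick`.
MAIL_RULES_REVERSED = "\n".join(reversed(MAIL_RULES.strip().splitlines()))
MAIL_RULES_QUICK = MAIL_RULES_REVERSED.replace("block in", "block in quick")

# A packet as the filter sees it: interface, in/out, protocol, addresses, dst port.
Packet = namedtuple("Packet", "iface direction proto src dst dport")

@dataclass
class Rule:
    action: str  # pass, block or match
    quick: bool = False
    direction: Optional[str] = None
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[list] = None  # list of networks; None means "any"
    dst: Optional[list] = None
    ports: Optional[set] = None

    def matches(self, pkt: Packet) -> bool:
        def in_nets(addr, nets):
            return nets is None or any(ipaddress.ip_address(addr) in n for n in nets)
        return (self.direction in (None, pkt.direction) and self.iface in (None, pkt.iface)
                and self.proto in (None, pkt.proto) and in_nets(pkt.src, self.src)
                and in_nets(pkt.dst, self.dst)
                and (self.ports is None or pkt.dport in self.ports))

def _hosts(items):
    """any -> wildcard (None); self -> the firewall's own addresses; else CIDR."""
    if "any" in items:
        return None
    own = [ipaddress.ip_network(a) for a in IFACE_ADDRS.values()]
    return [n for item in items
            for n in (own if item == "self" else [ipaddress.ip_network(item, strict=False)])]

def _take_list(toks, i):
    """(items, next index) for a single token or a { ... } list starting at toks[i]."""
    if toks[i] != "{":
        return [toks[i]], i + 1
    j = toks.index("}", i)
    return toks[i + 1:j], j + 1

def parse_ruleset(text: str) -> list:
    """Parse the pf.conf subset used on this page: macros, lists and the keywords
    pass/block/match, in/out, quick, on, proto, from, to, port."""
    macros, rules = dict(re.findall(r"^\s*(\w+)\s*=\s*(.+?)\s*$", text, re.M)), []
    for line in text.splitlines():
        if not line.strip() or "=" in line:  # blank line or macro definition
            continue
        line = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line)
        toks = re.findall(r"\{|\}|[^\s{},]+", line)  # braces are tokens of their own
        rule, i = Rule(action=toks[0]), 1
        while i < len(toks):
            t = toks[i]
            if t in ("in", "out"):
                rule.direction = t
            elif t == "quick":
                rule.quick = True
            elif t in ("on", "proto"):
                i += 1
                setattr(rule, "iface" if t == "on" else "proto", toks[i])
            elif t in ("from", "to", "port"):
                items, i = _take_list(toks, i + 1)
                if t == "port":
                    rule.ports = {int(p) for p in items}
                else:
                    setattr(rule, "src" if t == "from" else "dst", _hosts(items))
                continue
            i += 1  # inet, log, all, nat-to and its target: no effect on this model
        rules.append(rule)
    return rules

def decide(rules, pkt: Packet) -> str:
    """Last matching pass/block wins; `quick` stops at once; `match` never decides."""
    verdict = "pass"  # pf's default when no rule matches
    for rule in rules:
        if rule.matches(pkt):
            if rule.action in ("pass", "block"):
                verdict = rule.action
            if rule.quick:
                break
    return verdict

def mail_verdict(ruleset: str, src: str) -> str:
    """Verdict for a TCP packet from `src` arriving on em0 for port 25."""
    return decide(parse_ruleset(ruleset), Packet("em0", "in", "tcp", src, IFACE_ADDRS["em0"], 25))
```

With the article's order, mail_verdict(MAIL_RULES, "34.12.34.7") is "block" while an unlisted host passes; with MAIL_RULES_REVERSED the blocked host passes as well, because the later, more general pass rule is the last match; adding quick to the block rule (MAIL_RULES_QUICK) restores the block even in reversed order. A match rule, as used for NAT below, parses but never changes the verdict.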

The next example shows a NAT configuration such as might run on a router:

 ext_schnittstelle = em0
 intern_netz = 192.168.0.0/16

 match out on $ext_schnittstelle inet from $intern_netz to any nat-to $ext_schnittstelle

match applies to packets but does not decide whether to pass or block them. All IPv4 (inet) packets that leave the firewall via the interface $ext_schnittstelle and originate from the internal network $intern_netz are given the address of $ext_schnittstelle as their source address. No further rules are necessary for a working NAT firewall.

In addition, pf can act as a TCP proxy: it completes incoming TCP handshakes itself and only then forwards the connections to the applications. This protects against SYN floods.

See also

  • ipfw , iptables (packet filters of other operating systems)
  • pfSense - a firewall / router distribution with pf and a web GUI
  • OPNsense - stateful firewall distribution with pf and web GUI, based on FreeBSD 10.1-RELEASE

Literature

  • Peter N. M. Hansteen: The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall. 3rd edition. No Starch Press, 2014, ISBN 978-1-59327-589-1.

Web links