Questions tagged [pf]

pf is the OpenBSD Packet Filter, a feature-rich IP-layer firewall used on FreeBSD, NetBSD, and Mac OS X, as well as in the pfSense open-source firewall appliance software.

pf is a stateful packet-filtering firewall originally developed by the OpenBSD project and since adopted by FreeBSD, NetBSD and Mac OS X (10.7 Lion and later). pf also provides the firewall code of the pfSense project.

pf features include:

  • Packet Filtering
  • Network Address Translation (NAT)
  • Port Redirection
  • Packet Queueing / QoS
  • Load Balancing
  • "Policy Filtering" (packet tagging)

More information on the pf firewall can be found in the OpenBSD FAQ, including some examples.
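The features listed above in a single ruleset, as an added example that is not taken from the OpenBSD FAQ, from pfSense, or from any of the questions on this page. It is written in the FreeBSD/pfSense dialect of pf.conf (`nat on` / `rdr on`; OpenBSD 4.7 and later express the same translations with `match ... nat-to` and `pass ... rdr-to`). The interface names, the LAN prefix, the web-server pool, the bandwidth figure and the state limits are assumptions chosen for illustration.

```pf
# Added example pf.conf (FreeBSD-style syntax); every name and address here is assumed.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
web_servers = "{ 192.168.1.10, 192.168.1.11 }"   # assumed internal pool behind the rdr

# Drop silently rather than answering with RST/ICMP; never filter loopback.
set block-policy drop
set skip on lo0
# Global state-table ceiling (see pfctl -si); individual rules can be capped with keep state (max N).
set limit states 100000

# Normalise fragments and odd packets before the filter sees them.
scrub in all

# Packet queueing / QoS: two priority queues on the uplink.
# Needs ALTQ compiled into the kernel (options ALTQ, ALTQ_PRIQ); otherwise pfctl
# reports "No ALTQ support in kernel" and these lines cannot be used.
altq on $ext_if priq bandwidth 20Mb queue { q_hi, q_lo }
queue q_hi priority 7
queue q_lo priority 1 priq(default)

# NAT: masquerade the LAN behind whatever address the uplink currently holds.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Port redirection + load balancing: inbound HTTP is spread over the pool,
# and a given client keeps hitting the same backend (sticky-address).
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_servers round-robin sticky-address

# Default deny; log everything that is dropped so it shows up on pflog0.
block log all

# "Policy filtering" with tags: mark LAN traffic as it enters on the inside,
# then decide on the outside solely by the tag (tags survive NAT).
pass in quick on $int_if from $lan_net to any tag LAN_OUT keep state
pass out quick on $ext_if tagged LAN_OUT keep state queue (q_lo, q_hi)

# Let redirected HTTP reach the pool (filter rules match the post-rdr address),
# and cap the number of state entries this one rule may create.
pass in on $ext_if proto tcp from any to $web_servers port 80 flags S/SA keep state (max 5000)

# Management SSH: more than 10 new connections in 5 seconds from one source
# puts that source into <bruteforce>, flushes its states, and it is blocked first.
table <bruteforce> persist
block in quick from <bruteforce>
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state \
    (max-src-conn-rate 10/5, overload <bruteforce> flush global)
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only) before `pfctl -f /etc/pf.conf`; `pfctl -vvsr` prints each rule with its options and current state count, so the `(max 5000)` cap and the per-rule usage can be compared directly, and `pfctl -si` shows the global state table against `set limit states`. On a FreeBSD kernel built without ALTQ, either add the ALTQ options to the kernel or remove the `altq`/`queue` definitions and the `queue (q_lo, q_hi)` assignment; the rest of the ruleset does not depend on them.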

143 questions
0 votes, 1 answer

PF firewall how to increase `max states per rule`

My firewall is hitting a problem related to max states per rule. # pfctl -vvsi Status: Enabled for 0 days 13:05:38 Debug: Urgent Hostid: 0x6556c6a9 Checksum: 0xe80368af9b3c0a876218cd2af59fbed5 State Table …
asked by Luman75
0 votes, 1 answer

FreeBSD: How can I tune the lifetime for TCP/UDP for in-kernel NAT?

There used to be these sysctls in older versions of FreeBSD, viz: net.inet.ip.fw.dyn_ack_lifetime=3600 net.inet.ip.fw.dyn_udp_lifetime=15. Now on FreeBSD 12 sysctl reports that these don't exist. How can I tune the lifetime for TCP/UDP for in-kernel…
asked by pnadeau
0 votes, 0 answers

PF NAT over OpenVPN client

I have a FreeBSD 12.1-RELEASE router with 3 interfaces: LAN HOME (192.168.22.), LAN WORK (192.168.11.), WAN (1.2.3.4). My router connects to NordVPN over OpenVPN as a client (creates a new tun0 with address 10.8.0.3). I now want to NAT only one host from…
asked by cr4shydlo
0 votes, 1 answer

How to specify an IP range representing "any IP" within a pfSense alias?

I've restricted the source IP of many rules to some alias, say Trusted_Sources. Now, for some reason, I want to open all these rules to the world without manually modifying each individual rule. How can I modify the Trusted_Sources alias to include…
asked by user2798081
0 votes, 1 answer

FreeBSD packet filter: match last digit of IP address

On my FreeBSD system I want to use port forwarding to distribute incoming traffic based on the last digit of the source IP. The following works on Linux with iptables: iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0.0.0.7 -d w.x.y.z --dport 443…
asked by memyself
0 votes, 0 answers

How come that with these packet filter rules, this rule triggers?

I have (amongst others) these rules in my pf setup:
block drop in log (user) proto udp from any to any port = 137
block drop in log (user) proto udp from any to any port = 138
block drop in log (user) proto udp from any to any port = 139
block drop…
asked by gctwnl
-1 votes, 1 answer

pf firewall server configuration

I am trying to configure a firewall for a server that hosts http, smtp and ssh on a custom port. When I initialize pf, I get an error at the command line: No ALTQ support in kernel, and my ssh connection freezes. config: [\u@vader:/root] # cat…
asked by NIX
-1 votes, 7 answers

Reroute DDoS to FBI: illegal?

Okay, I know this might sound silly or dumb, but I would like to know (if anyone knows) if it would be illegal to reroute DDoS traffic to fbi.gov... I just thought it might be a good idea if you wanted to get your DDoS traffic investigated, and I…
asked by kernelPanic