Questions tagged [pf]

pf is the OpenBSD Packet Filter, a feature-rich IP-layer firewall used on FreeBSD, NetBSD, and Mac OS X, as well as in the pfSense open-source firewall appliance software.

pf is a packet-filtering firewall originally developed by the OpenBSD project and since adopted by FreeBSD, NetBSD and Mac OS X (10.7 Lion and later). pf is also used in the pfSense project's firewall code.

pf features include:

  • Packet Filtering
  • Network Address Translation (NAT)
  • Port Redirection
  • Packet Queueing / QoS
  • Load Balancing
  • "Policy Filtering" (packet tagging)

More information on the pf firewall can be found in the OpenBSD FAQ, including some examples.

143 questions
4 votes, 1 answer

pfctl in OpenBSD and FreeBSD

I've noticed that both FreeBSD and NetBSD have extra pfctl options: pfctl [-AdeghmNnOPqRrvz]. But OpenBSD doesn't; it's missing around five of the extra options: pfctl [-deghnPqrvz]. I would have thought that as pf is from OpenBSD that it would have…
Jak
4 votes, 2 answers

Create a rule using shell in fresh pfSense installation to open up WAN access to WebConfigurator

I am in a situation where I require WAN access to be opened up to the WebConfigurator through pfSense because I do not have another node connected to the same network to access WebConfigurator from the inside. Ideally I would like to just do this in…
tacos_tacos_tacos
4 votes, 1 answer

OpenBSD pf port forwarding multiple rules

I have a few dozen servers behind OpenBSD firewall with port forwarding. Most rules are very similar and differ only in IPs or sometimes in ports forwarded, so I want to compact them to remove excessive repetition but I've found that it is…
AlexD
4 votes, 3 answers

NFS mount "hanging" when accessing from a server on a different subnet

Here's a problem which I am at a loss to diagnose: Our user home directories are served via NFS from an Apple XServe running Mac OS X 10.5.7. Normally they are exported to our default office subnet, "lan". Recently I have been building a new subnet,…
Kamil Kisiel
3 votes, 3 answers

Redirecting traffic to a specific address and port using PF on MacOS

I want to pentest a mobile application. To do so, I want to intercept all WiFi traffic and forward it to Burp, which runs in a VM. I enabled "Internet Sharing" on my Macbook so my phone now connects to the laptop using WiFi. Then I want to forward…
Sjoerd
3 votes, 0 answers

How to split traffic through two different network adapters based on TCP port in OS X

I have a scenario where we will be using a Mac to stream video content to an RTMP server. This RTMP service provides 2 ingest URLs so that you can upload the same video content twice and have redundancy in case your connection has a problem.…
Luis Delgado
3 votes, 0 answers

How to divert all OUTBOUND tcp traffic on port 1935 to localhost?

Mac OS X 10.10.3. I'm trying to use rtmpsrv. In order to do that, I have to redirect all outgoing tcp traffic on port 1935 to localhost. I tried: sudo sysctl -w net.inet.ip.forwarding=1 echo 'rdr pass on en0 inet proto tcp from any to any port…
PPR
3 votes, 1 answer

Enabling pf for transparent proxy on Mac OS X Mountain Lion

I'm doing some usability testing of a web application and am attempting to debug and record some SSL sessions using mitmproxy as a transparent proxy and for some reason pf under Mac OS X Mountain Lion isn't setting up the transparent…
Pridkett
3 votes, 1 answer

Blocking packets larger than a specific size with pf

Is there a way with pf to block a specific type of packet larger than a specific size?
seaquest
3 votes, 1 answer

Provide IPv6 to network from OpenBSD firewall

I have an OpenBSD PF firewall that I have added an IPv6 tunnel to (using HE.net tunnelbroker). I can ping/traceroute IPv6 addresses from the firewall. Now I want to provide IPv6 services to the servers behind my firewall. They all have public IP…
thelsdj
2 votes, 1 answer

Almost empty pf.conf still logs packets

I have an issue that my pf logs many packets that it's not supposed to log. I reproduced it with almost empty pf.conf: set skip on lo and it still logs some packets. I think that all those packets have ICMP6 type and they do not really belong to my…
vbezhenar
2 votes, 0 answers

pfctl not relaying SYN, ACK packet after NAT

I am trying to relay SSH connections from LAN hosts to hosts beyond a VPN. Only one router host in the LAN has a VPN connection, to be reused by other hosts in the LAN. Below is the pfctl configuration on the router. extif = "utun0" intif = "en1" set skip on…
Oleg
2 votes, 0 answers

Allowing Incoming Traffic over IPv6 with PF on FreeBSD

This is my current pf.conf on FreeBSD 11.1-RELEASE. It allows incoming connections from OpenVPN/UDP and SSH, as well as allows everything on the private/vpn networks (vtnet1 and tun0 respectively). The trouble is, I can't connect to OpenVPN or SSH…
djsumdog
2 votes, 0 answers

Configuring PF to route between routing domains

I've got an OpenBSD 6.0 box running as a router / firewall. It's got three physical network connections and one GRE tunnel: em0: Internet (routing domain 0) em1: Internal LAN private IPs (routing domain 0) em2: Server network public IPs (routing…
PeterM
2 votes, 1 answer

All IPv6 traffic blocked by pf

The following pf.conf (FreeBSD 10.3) appears to be blocking all IPv6 traffic and I can't work out why. tcp_inbound = "{ ssh, domain, http, https }" tcp_outbound = "{ domain, http, https, imaps, smtps }" udp_services = "{ domain, ntp }" block…
dpk