Questions tagged [pf]

pf is the OpenBSD Packet Filter, a feature-rich IP-layer firewall used on FreeBSD, NetBSD, and Mac OS X, as well as in the pfSense open-source firewall appliance software.

pf is a Packet Filtering firewall originally developed by the OpenBSD project, and since adopted by FreeBSD, NetBSD and Mac OS X (10.7 Lion & up). pf is also used in the pfSense project's firewall code.

pf features include:

  • Packet Filtering
  • Network Address Translation (NAT)
  • Port Redirection
  • Packet Queueing / QoS
  • Load Balancing
  • "Policy Filtering" (packet tagging)

More information on the pf firewall can be found in the OpenBSD FAQ, including some examples.

143 questions

Can't access server on loopback address, only on private address

I am running a rails web app server bound to 0.0.0.0 on port 80 like so: sudo rails s --port=80 --bind=0.0.0.0 I can access it at my private address http://192.168.0.13/, normally I can access at the loopback address http://127.0.0.1/…
david_adler

Layer 3 routing based on HTTP packet content

I'm running a HTTP proxy service and want to route traffic to various Layer 3 TUNs based on the contents of HTTP packets (e.g. HTTP headers). I'm using BSD and Linux to do this but it doesn't look like either of these are capable of Layer 7…
Joshua Griffiths

Redirection of pfctl on OSX gets error

I want all my traffic to be redirected to a SOCKS proxy on 127.0.0.1:1080. I added the rule below to the end of /etc/pf.conf according to this tutorial: pass on en3 proto tcp from any to any rdr-to 127.0.0.1 port 1080 When I load this configuration…
Douglas Su
1 answer

pfSense can't access https website

I have just installed pfSense on a PC Engines APU1D4 to evaluate as an alternative to a Soekris 5501 + OpenBSD based setup, I have a PPPoE WAN configuration. The pf rules, NAT and PPPoE configurations appear to be the same as my OpenBSD box but some…
Phil

FreeBSD pf with NFS

I'm having trouble establishing new NFS connections when my pf is turned on. When I turn off pf on the server and client I'm able to mount with no trouble. I tried keep state and flags S/SA on the server config, but that gave the same results. Am I…
Samer

OpenBSD cannot set frag limit more than 6144

I am trying to: set limit frags 10000 and get the following info: pfctl: cannot set 'frags' limit. When I try to set it to 5000 everything works fine.
Kriss

PF redirect rule: how to limit the rule to specific user

I was trying to setup a PF redirect rule to force all web traffic from a specific user account to go through a web filter on a shared computer. With iptables, I can use --uid-owner option to limit the applicability of the rule to certain user like…
victorx

Command to set dscp / ToS value on outgoing packets for OS X Mavericks?

I want to set a certain DSCP (or ToS) value on all packets sent over port 22. I have an iptables command to do so, but Mavericks only has the equivalent of pfctl and I can't figure out how to translate the command to pf. Can anyone help? How can I…
user41356

PF: Block all, but one subnet firewall rule?

I'm trying to do something that I thought would be relatively simple: Block all the traffic to a test server, other than my company's subnet. I've tried things along these lines (111.111.0.0 is my placeholder for this example), but only the block…

Creating pflog interface

I'm attempting to create a pflog interface using ifconfig so I can log to more than one file and when I attempt to execute the following command I get this error. I'm attempting this on a vanilla install of the latest FreeBSD. freebsd# ifconfig…
kernelPanic

Expanding a macro containing a subnet IP address with prefix (CIDR) in a list using PF firewall

I’m trying to expand a macro that contains an address with a subnet mask into a list with PF like so: subnet1 = "192.168.1.0/24" subnet2 = "10.0.0.0/8" subnets = "{" $subnet1 $subnet2 "}" But this results in a syntax error on the last…
Andrew Marshall

Altq/Pf trouble on OpenBSD

I'm having some trouble with pf/altq on OpenBSD but as I'm new to it I'm not sure if it's because I'm misunderstanding how to use anchors, or if something is wrong with my system. I'm trying to add altq rules to an anchor using pfctl, but pfctl keeps…
Jak

Reasonable rate limiting settings with PF firewall

I have the following settings in my pf.conf to dissuade abusive clients (I get a few a day that are obviously just scraping content indiscriminately and slow everything down): pass in on $ext_if proto tcp to { $loadbalancer1_int } port $web_ports…
onyxrev

blocking packets for a non established connection on freebsd pf

For a FreeBSD pf firewall, I want it to block packets for non-established connections. For example, the attacker should not send Reset packets for an unknown not-yet-established connection. In Linux it is easy to do -d targethost -m state --state…
seaquest

OpenBSD pf - implementing the equivalent of an iptables DNAT

Short version Server A (OpenBSD 4.7) connects to server B (Windows). IP of server B changes. Server A should be able to connect to server B to both the old and new IP. We cannot configure multiple IPs on server B. Long version We have an OpenBSD…
chutz