Questions tagged [pf]

pf is the OpenBSD Packet Filter, a feature-rich IP-layer firewall used on FreeBSD, NetBSD, and Mac OS X, as well as in the pfSense open-source firewall appliance software.

pf is a Packet Filtering firewall originally developed by the OpenBSD project, and since adopted by FreeBSD, NetBSD and Mac OS X (10.7 Lion & up). pf is also used in the pfSense project's firewall code.

pf features include:

  • Packet Filtering
  • Network Address Translation (NAT)
  • Port Redirection
  • Packet Queueing / QoS
  • Load Balancing
  • "Policy Filtering" (packet tagging)

More information on the pf firewall can be found in the OpenBSD FAQ, including some examples.

143 questions
2
votes
1 answer

FreeBSD - monitor aggregate bandwidth of individual local network devices

I'm looking for ways to monitor the Internet usage - the total amount of data transferred - of individual devices on my network. I'm using FreeBSD 9.0-RELEASE with pf for filtering and NAT. I'm not sure how to go about doing this. I'm currently…
Dave
  • 143
  • 1
  • 7
2
votes
2 answers

How to configure something like "Reflexive ACL" on OpenBSD?

My U-Verse modem has something called "Reflexive ACL" described as Reflexive ACL: When IPv6 is enabled, you can enable Reflexive Access Control Lists to deny inbound IPv6 traffic unless this traffic results from returning outgoing packets…
Earlz
  • 1,019
  • 5
  • 13
  • 29
2
votes
1 answer

Is there an equivalent of LinuxIMQs in BSD?

Is there an equivalent of LinuxIMQs in BSD? From linuximq.net: The imq device has two common usage cases: Ingress shaping: With linux only egress shaping is possible (except for the ingress queue which can only do rate limiting). IMQ enables you…
Tin
  • 21
  • 1
2
votes
3 answers

Port-Forward for all IPs on an interface

I'm running a Java-based web server as a non-privileged user. Therefore it listens on ports 8080 and 8443 instead of 80 and 443. Right now I'm using the following pf rules to forward the ports internally: rdr pass on $ext_if proto tcp from any to…
Henning
  • 213
  • 1
  • 3
  • 7
2
votes
2 answers

Default values of pf.conf set parameters

I want to learn the default values of these parameters. I read the manual of pf.conf but couldn't find them; could you help? set limit states set limit src-nodes set timeout tcp.first set timeout tcp.established set timeout tcp.closing set timeout…
ibrahim
  • 431
  • 1
  • 7
  • 20
2
votes
1 answer

Getting per-ip traffic stats from PF

Is there a way to get per-ip traffic stats from PF on OpenBSD 4.9? pfctl can give me the total traffic (bytes) for a given label, and pfstats for a given interface, and pftop can give me a "live" view of traffic, but I'm looking for a historical…
ibrewster
  • 75
  • 2
  • 8
2
votes
2 answers

PF firewall rules help

I'm having a heck of a time creating a pf ruleset for FTP. What I'm trying to do is: Only allow $WHITELIST to connect to FTP port 21 Open ports 49152 - 65535 for Passive port range Can anyone help me with this? I have tried…
Brian Smith
  • 333
  • 1
  • 6
  • 15
2
votes
1 answer

mDNS on bridged OpenVPN network

I have openvpn running on an openbsd server that is behind a firewall, so it is a local member of the LAN. The openvpn is a bridge configuration. firewall internal 10.0.10.1 openvpn server 10.0.10.15 vpn clients are assigned 10.0.10.240 -…
Tim Hoolihan
  • 121
  • 4
2
votes
1 answer

Help me upgrade my pf.conf for OpenBSD 4.7

I'm planning on upgrading my OpenBSD to 4.7 (from 4.6) and as you may or may not know, they changed the syntax for pf.conf. This is the relevant portion from the upgrade guide: pf(4) NAT syntax change As described in more detail in this mailing…
polemon
  • 585
  • 2
  • 8
  • 21
2
votes
1 answer

Inaccurate bandwidth limiting in altq queues

I'm setting up an environment where I have one Linux server, one OpenBSD router and one Linux client and I want to be able to limit how much bandwidth the client should be able to use. I've been performing these tests with "netcat" and "time" (using…
user42511
  • 21
  • 1
1
vote
0 answers

Share a VPN connection via a node in a LAN

I would like to share a VPN connection via a node in the same LAN. The scheme below shows my network system. LAN A: 10.44.247.0/24 |-* Router Aa: 10.44.247.1, ext XXX.XXX.XXX.XXX |-* Node Ab: 10.44.247.2 (en0), ppp 192.168.100.36 (ppp0) -| VPN…
1
vote
0 answers

I fail to configure Pf of OpenBSD gateway

I have an OpenBSD server that I want to use as a gateway. OBSD server has the following interfaces - em5 (130...** ext.IP with internet connectivity) em0 (internal IP - 172.16.0.0/17) My default gateway is 130...1 and is accessible via ping. The…
1
vote
1 answer

How to migrate Linux iptables scripts to OpenBSD/macOS pf

I am building a VPN server on macOS based on this instruction: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2, and got stuck at configuring the firewall part: *nat -A POSTROUTING -s…
1
vote
0 answers

(Mac OS PF) Redirect outgoing UDP traffic to specific ip:port

I'm having some trouble getting my head around how PF works in Mac OS. I have been doing a lot of research on the topic but just cannot find the solution (although I can find many other very similar questions without an answer). My goal is to…
1
vote
3 answers

Does PF support divert like IPFW?

I'm currently using IPFW on 3 dedicated firewall servers, and I would like to convert them to PF for some of its functionalities, but I need divert to work. Specifically I am teeing packets to a custom application for network analysis purposes. Is…