Questions tagged [pf]

pf is the OpenBSD Packet Filter, a feature-rich IP-layer firewall used on FreeBSD, NetBSD, and Mac OS X, as well as in the pfSense open-source firewall appliance software.

pf is a Packet Filtering firewall originally developed by the OpenBSD project, and since adopted by FreeBSD, NetBSD and Mac OS X (10.7 Lion & up). pf is also used in the pfSense project's firewall code.

pf features include:

  • Packet Filtering
  • Network Address Translation (NAT)
  • Port Redirection
  • Packet Queueing / QoS
  • Load Balancing
  • "Policy Filtering" (packet tagging)

More information on the pf firewall can be found in the OpenBSD FAQ, including some examples.

143 questions
1 vote, 1 answer

Why is there non-127.x.x.x traffic on my loopback device?

I've got an issue which caused me quite a bit of a headache and found the solution, but I cannot understand why the problem was happening in the first place. I've got an nginx reverse proxy which is routing requests to 1 of 3 servers. All are node…
papiro
1 vote, 1 answer

PF based gateway firewall for Openbsd 6.0

Currently I am looking to create an OpenBSD 6.0 pf based gateway. Based on what I read in the pf manual pages and OpenBSD pf FAQ, and some examples on the internet, I was able to configure a firewall. But I am not sure if I got it right: ##…
1 vote, 1 answer

PF temporary reroute to different IP

I have a FreeBSD host that serves as an entry point to additional systems on an internal network. As such I have pf configured to redirect incoming traffic on certain ports (say, port 5000) to the host local address on one of the jails running a…
DCKing
1 vote, 0 answers

pf on os x server 10.10 doesn't block addresses added to a table

I'm trying to understand the issue with pf on OS X 10.10 El Capitan. I have installed sshguard and try to make it work by adding table persist block in quick proto tcp from into /etc/pf.conf. The problem here is that while pf…
Захар Joe
1 vote, 2 answers

Block DNS query using pfctl

I am trying to create rule to allow DNS queries (port 53) to only 8.8.8.8 server (Google DNS). DNS queries to all other servers should not succeed. I added the following lines to /etc/pf.conf file anchor "com.xyz" load anchor "com.xyz" from…
sam
1 vote, 0 answers

Need to restart PF under OSX till it gets effective

Is anybody here familiar with the use of PF under OSX? I'm using PF in order to force all the traffic on my MacBook going thru a VPN. In order to do so, I'm using the following…
Norbert
1 vote, 0 answers

Using PF under OSX but skipping local interface

I'm using PF under OSX to force the OS to make all external connections via a VPN to Ipredator. However, as soon as I start PF all local connections are blocked even though I thought I told PF to skip that interface. Is anybody here familiar with…
Norbert
1 vote, 1 answer

traffic shaping on OSX 10.10 with pfctl and dnctl

I am trying to do traffic shaping (throttling) on Mac OS X 10.10 via pfctl and dnctl. I have implemented a simple test server and client with netcat (nc) and a synthetic random payload file to verify if my dummynet pipe throttling is working…
Peter Lyons
1 vote, 0 answers

Openbsd 5.7: IPv6 advertisement not working

--context-- I have a Soekris with 8 interfaces: em0 is connected to a bridge router (ISP) and em2 is connected to my DMZ network (web servers). I got from my ISP a /56 prefix and 2 DNS IPs but no gateway IP. --problem-- My em0 is not getting a…
KuroNeko
1 vote, 1 answer

openbsd pf squid transparent proxy using a bridge

I want to use OpenBSD 5.7 as a filtering bridge in front of my router, and as part of that run a transparent proxy (squid 3.5.1) to manage web access. I have set up the openbsd machine as a bridge, and this works fine. However, I cannot get pf to…
Jim
1 vote, 2 answers

FreeBSD nat via PF: how to change from random UDP ports to incremental?

I'm testing NAT penetration code and need a symmetric NAT. I have configured FreeBSD with PF, very simple rule: # rl0 in WAN on DHCP, sk0 is LAN with computers behind this NAT. nat on rl0 from sk0:network to any -> (rl0) This works great, NAT is…
grigoryvp
1 vote, 1 answer

Forwarding IP address using pf

I'm trying to forward an external IP address to another external IP address with pf. The equivalent iptables command would be iptables -t nat -A OUTPUT -d [ipaddress1] -j DNAT --to-destination [ipaddress2]. I've tried various forms of nat and rdr…
chaz2505
1 vote, 1 answer

Local transparent proxy OS X pf

I was trying to create a local transparent proxy using these pf rules: rdr pass inet proto tcp from $Out to any port 80 -> 127.0.0.1 port 3129 pass out on $Out route-to lo0 inet proto tcp from $Out to any port 80 keep state but the problem is that…
Nonxnull
1 vote, 0 answers

PF rule for Continuity

So it looks like the Continuity on OS X 10.10 creates network interface on the fly (utun2 here) and my PF blocks it, so that I can't make/answer calls. I'm not an admin, just use the IceFloor for PF config. Do you know what's the easiest way to…
cocoapriest
1 vote, 1 answer

Mac OS X Firewall isn't firewalling

Rather confused by the results I'm getting on a Mac OS X Server running 10.8. I have an app that is running a web server on port 8000, which I want to be visible only to localhost. This seems perfectly suited for the GUI OS X firewall, but after…
Jeff Porten