Questions tagged [pf]

pf is the OpenBSD Packet Filter, a feature-rich IP-layer firewall used on FreeBSD, NetBSD, and Mac OS X, as well as in the pfSense open-source firewall appliance software.

pf is a Packet Filtering firewall originally developed by the OpenBSD project, and since adopted by FreeBSD, NetBSD and Mac OS X (10.7 Lion & up). pf is also used in the pfSense project's firewall code.

pf features include:

  • Packet Filtering
  • Network Address Translation (NAT)
  • Port Redirection
  • Packet Queueing / QoS
  • Load Balancing
  • "Policy Filtering" (packet tagging)

More information on the pf firewall can be found in the OpenBSD FAQ, including some examples.
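The following pf.conf is added here as an illustration of the feature list above; it is not taken from the tag wiki, the OpenBSD FAQ or any question on this page. It uses the pre-OpenBSD 4.7 rule syntax that FreeBSD ships and that the questions below use (nat and rdr as separate translation rules, one state per interface for forwarded connections). The interfaces em0/em1, the 192.168.1.0/24 network, the two web servers, the 10 Mbit uplink and the limit values are assumptions.

```pf
# Added example pf.conf (not from the tag wiki or any question here).
# Pre-OpenBSD 4.7 syntax as used on FreeBSD. Interface names, addresses,
# the server list and the numeric limits are assumed values.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
web_srv = "{ 192.168.1.10, 192.168.1.11 }"

# Sources that trip the connection limits below are collected here
table <abusers> persist

set skip on lo0
set block-policy drop

# Normalisation: reassemble fragments before the rules see them
scrub in all

# Packet Queueing / QoS (ALTQ): share a 10 Mbit uplink, small priority queue
altq on $ext_if cbq bandwidth 10Mb queue { q_bulk, q_pri }
queue q_bulk bandwidth 80% cbq(default)
queue q_pri  bandwidth 20% cbq(borrow)

# NAT: internal hosts leave with the external interface's address
nat on $ext_if from $int_net to any -> ($ext_if)

# Port Redirection + Load Balancing: inbound HTTP is spread round-robin
# over the web servers, each client stays on the server it first hit
rdr on $ext_if proto tcp from any to ($ext_if) port 80 \
    -> $web_srv round-robin sticky-address

# Default deny, then explicit passes; filter rules see translated addresses
block log all
block in quick from <abusers>

# Policy Filtering: tag LAN traffic where it enters, match on the tag where
# it leaves. The untagged rule covers the firewall's own traffic; NATed
# traffic matches both, and the later tagged rule wins (last match).
pass in  on $int_if from $int_net tag LAN keep state
pass out on $ext_if from ($ext_if) keep state
pass out on $ext_if tagged LAN queue (q_bulk, q_pri) keep state
pass out on $int_if keep state

# Stateful filtering with per-source limits: at most 50 concurrent and
# 20 new connections per 5 s per client to the web servers, 5 per 30 s to
# ssh; offenders go into <abusers> and all their states are flushed
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 20/5, overload <abusers> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <abusers> flush global)
```

Parse-check it with `pfctl -nf /etc/pf.conf` before loading, and inspect the overload table with `pfctl -t abusers -T show`. On FreeBSD the altq lines need a kernel built with `options ALTQ` and `options ALTQ_CBQ`. On OpenBSD 4.7 and later the nat/rdr lines are instead written as `match` rules with `nat-to`/`rdr-to`, and tagged forwarding creates a single state.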

143 questions
1 vote, 0 answers

PF Firewall Rules Help - Block IP Hammering

I'm having an issue where someone is using a VPN / proxy to hammer my server. They will pick a random URL from my website and perform ~20 requests per second to it. Once I ban the IP address, a few minutes later a new IP address takes its spot and…
Dave
  • 135
  • 4
1 vote, 1 answer

pf - redirect rule does not work

I'm using pf on FreeBSD 9. sshd is up and listening on loopback only (127.0.0.1). I'm trying to use a redirect rule to allow network hosts to connect via ssh. set block-policy drop set skip on lo0 scrub in no rdr on lo0 all rdr on fxp0 inet proto tcp…
taro
  • 193
  • 1
  • 8
1 vote, 1 answer

Limit ftp connections with pf firewall on FreeBSD

I want to limit simultaneous FTP connections to my FreeBSD server with the pf firewall, for example so that only 10 simultaneous connections are possible to port 20 or 21 from one source IP. For this I use this rule: pass in quick proto tcp from…
1 vote, 1 answer

Outline squid server - redirect traffic with pf

What's my goal: to know what employees are looking at on the Internet (what pages, how long, etc.; no caching). What I did: installed squid on OpenBSD. Problem: I see the whole traffic (tcpdump), but I can't redirect it to squid. How I connected it: [ internet…
Ducker
  • 11
  • 2
1 vote, 0 answers

Restrict "open" ethernet traffic to OpenVPN Traffic only when on a certain network

I would like to set up a pf or ipfw firewall rule on my Mac OS X 10.8 notebooks so that all traffic on wireless and cabled networks is restricted to calling "home" through OpenVPN when I'm not in the office. In other (simpler/more mine) words: As…
user178954
  • 11
  • 1
1 vote, 1 answer

How to redirect a packet to localhost in pf?

I am trying to redirect packets that are going to the internal network to the localhost of the firewall. I wrote this rule but it doesn't work. int_net = "{10.0.0.0/24}" ext_if = "{igb0}" int_if = "{igb1}" rdr on $ext_if proto tcp from any to $int_net port www…
ibrahim
  • 431
  • 1
  • 7
  • 20
1 vote, 1 answer

How to filter TCP packets based on flags using Packet Filter

Well, I didn't know exactly how to ask this question, but I know that you can use the keyword flags to specify which flags you want to filter. According to the documentation of the Packet Filter: To have PF inspect the TCP flags during evaluation…
Davi Sampaio
  • 111
  • 2
1 vote, 1 answer

freebsd pf squid transparent

I have broken my brain dealing with this. Squid was built from ports /usr/ports/www/squid32 with PF_TP enabled. I have internet but strangely it bypasses squid. Obviously, squid logs are empty. I am not sure what is wrong. Configs seem to be…
ysakiyev
  • 263
  • 1
  • 5
  • 12
1 vote, 2 answers

OpenBSD pf 'match in all scrub (no-df)' causes HTTPS to be unreachable on mobile network

First of all: excuse me for my poor usage of the English language. For several years I've been experiencing problems with the 'match in all scrub (no-df)' rule in pf. I can't find out what's happening here. I'll try to be clear and simple. The pf.conf has…
Frank ter V.
  • 19
  • 1
  • 2
1 vote, 2 answers

Route ssh traffic based on hostname using FreeBSD/pf?

I have a proxy/firewall machine running FreeBSD 9, using PF to route and filter traffic as needed. Now I'm setting up a git server, which runs over ssh, but I'm already using port 22 for ssh. I would like to route traffic from any IP to port 22 to…
kbanman
  • 209
  • 2
  • 7
1 vote, 2 answers

Using Free/Open BSD + pf as a DDoS filter

Is using Free/Open BSD + pf a workable option for filtering DDoS? Which of the two would perform better under heavy load? (SYN flood maxing a 1 Gbit pipe) Is this even an option to consider, or is a full hardware DDoS filter needed to get fast…
Eric
  • 593
  • 3
  • 8
1 vote, 2 answers

PF OpenBSD states

We have an OpenBSD server used as a firewall, using the famous pf. The firewall is connected to the Internet from one side and to a local network from the other. We are experiencing a connection outage due to the fact that the pf is attaining its…
Abbass
  • 43
  • 1
  • 4
1 vote, 1 answer

A jail that is accessible from network without port forwarding

I am using FreeBSD 7.1 and on my server I have two different jails, one for a database and the second one for a game server. What I need to know is whether it is possible to assign the game server's jail a public IP so I do not need to forward every port I need. At…
Balon
  • 145
  • 1
  • 8
1 vote, 2 answers

FreeBSD+PF+Passive Firewall=Frustration

I have a FreeBSD server that I'm trying to get FTP working on. If I disable pf everything works great. If I connect while pf is running I can log in successfully, but as soon as I run an ls I get this: ftp> ls 229 Entering Extended Passive Mode…
Josh Budde
  • 2,378
  • 14
  • 7
1 vote, 1 answer

Port forward DNS using pf

On OpenBSD, I can successfully & transparently forward ports 80 and 443 to services running on custom, unprivileged ports using the following /etc/pf.conf: tcp_pass = "{ 22 80 123 443 }" block all pass out log on egress proto tcp to any port…
neezer
  • 810
  • 3
  • 12
  • 29