Questions tagged [pf]

pf is the OpenBSD Packet Filter, a feature-rich IP-layer firewall used on FreeBSD, NetBSD, and Mac OS X, as well as in the pfSense open-source firewall appliance software.

pf is a packet-filtering firewall originally developed by the OpenBSD project and since adopted by FreeBSD, NetBSD and Mac OS X (10.7 Lion and up). pf is also the filtering engine used in the pfSense project's firewall code.

pf features include:

  • Packet Filtering
  • Network Address Translation (NAT)
  • Port Redirection
  • Packet Queueing / QoS
  • Load Balancing
  • "Policy Filtering" (packet tagging)

More information on the pf firewall can be found in the OpenBSD FAQ, including some examples.
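The following pf.conf is an added example written for this page; it is not code from the page, from the OpenBSD FAQ, or from the pf project. It shows every feature in the list above in one small OpenBSD gateway ruleset. The interface name em1, the addresses, the bandwidth figures and the queue and table names are assumptions chosen for illustration; replace them with your own.

```pf
# Added example, not code from the page or the OpenBSD project. A pf.conf for a
# small OpenBSD gateway that uses each feature listed above. Interface names,
# addresses, bandwidths and queue names are assumptions chosen for illustration.
# OpenBSD dialect: "egress" is the interface group holding the default route,
# translation is written as nat-to / rdr-to on match or pass rules, and the
# last matching rule wins unless it carries "quick".

lan_if  = "em1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"
table <webpool>    { 192.168.1.11 192.168.1.12 }   # backends for load balancing
table <bruteforce> persist                         # filled by the overload rule below

set skip on lo0
set block-policy drop

# Normalisation: reassemble fragments, clear DF, randomise IP IDs, clamp MSS
match in all scrub (no-df random-id max-mss 1440)

# Packet queueing / QoS: 20 Mbit uplink; bulk is the default queue and
# interactive SSH gets a guaranteed slice. Assignment is done with a
# "match" rule because options set on a match rule stick to the packet
# even when a later pass rule is the final match.
queue outq on egress bandwidth 20M max 20M
queue bulk parent outq bandwidth 15M default
queue ssh  parent outq bandwidth 5M min 1M
match out on egress proto tcp to port ssh set queue ssh

# NAT: LAN sources leaving on egress are rewritten to the egress address
match out on egress inet from $lan_net nat-to (egress)

# Policy filtering (tagging): mark packets that entered from the LAN so the
# outbound ruleset can apply policy to them without repeating the addresses
match in on $lan_if from $lan_net tag LAN_OUT

# Packet filtering: default deny, logged to pflog0
block log all
antispoof quick for { lo0 $lan_if }

pass in on $lan_if from $lan_net
pass out on egress
# Policy: LAN hosts may not speak SMTP to the Internet directly
block out log quick on egress proto tcp to port smtp tagged LAN_OUT

# Port redirection: public :443 -> internal web server :8443. Because the
# pass and the rdr-to are on the same rule, no second pass rule is needed.
pass in on egress inet proto tcp to (egress) port 443 rdr-to $web_srv port 8443

# Load balancing: public :80 spread over the backend table, one backend per client
pass in on egress inet proto tcp to (egress) port 80 \
    rdr-to <webpool> round-robin sticky-address

# Administrative SSH with brute-force throttling: more than 5 new connections
# in 30 s from one source puts that source in <bruteforce> and kills its states
pass in on egress inet proto tcp to (egress) port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
block in log quick on egress from <bruteforce>
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and inspect the result with `pfctl -s rules`, `pfctl -s states` and `pfctl -t bruteforce -T show`. Because the default deny carries `log`, every blocked packet appears on the pflog0 interface, so `tcpdump -n -e -ttt -i pflog0` answers the recurring question of what pf is actually dropping. Note that FreeBSD and Mac OS X ship the older pf dialect, in which translation is written as separate `nat on $ext_if ... -> ($ext_if)` and `rdr on $ext_if ... -> $host port N` rules (a redirected packet then needs its own `pass` rule, or `rdr pass`) and queueing is ALTQ rather than the `queue ... parent` syntax shown here; several of the questions below use that dialect.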

143 questions
1 vote, 1 answer

Simple OpenBSD NAT router not working

I'm toying around with using OpenBSD as a NAT router behind Starlink but efforts with the NAT are failing even in the simplest cases. I've probably simply been staring at it too long and need an extra set of eyes. Here's the essential…
Brian M. Hunt · 181 · 3 · 17
1 vote, 0 answers

Mysterious/Unknown IPs keep getting whitelisted by spamd

I have an OpenBSD 7.1 mail server running OpenSMTPD with spamd. I notice mysterious IP addresses in /var/log/maillog, such as: smtp connected address=162.142.125.222 host=scanner-25.ch1.censys-scanner.com These IPs keep getting whitelisted in the…
Joe Blough · 11 · 1
1 vote, 1 answer

While using pf on FreeBSD, do I need to explicitly specify both the inet and inet6 parameters?

Suppose I have a rule like rdr on $ext_if inet proto tcp to port https -> $inf_if port $myhttps This is to redirect incoming TCP packets on the https port to a specific internal IP/port. This is in prod and works fine. Do I need a copy of this rule…
ahron · 365 · 3 · 14
1 vote, 1 answer

403 page received when accessing OpenBSD httpd page

I am writing a static webpage on an OpenBSD vm (here called example.com), and when I access the server with its domain name over http I get httpd's 403 page, when I use telnet example.com 80 I get Date: Tue, 12 Jul 2022 01:07:01 GMT Server: OpenBSD…
1 vote, 0 answers

Redirecting traffic to a bridged ip and port using PF on MacOS

I am trying to redirect localhost traffic on specific port to bridged network ip I am using following echo " rdr pass inet proto tcp from any to any port 9300 -> 192.168.64.29 port 9300 rdr pass inet proto tcp from any to any port 3406 ->…
MrPandav · 111 · 5
1 vote, 2 answers

FreeBSD 13 PF blocking jail traffic

After upgrading my FreeBSD system from 12.2 to 13.0-p3 PF is blocking all traffic to my jails. When disabling PF everything works fine (except from being unprotected ;)) I tried to figure out what rule is blocking this traffic by setting 'block in…
GTeley · 21 · 5
0 votes, 1 answer

Setting DSCP value on specific outgoing traffic in OS X with pf

I want to set DSCP value on specific traffic coming out of an OS X machine. I think the right way is to use pf, but I can't figure how to write the rule correctly. I've tried something like this but when I try to load the file there is a syntax…
Jérémie · 1 · 3
0 votes, 1 answer

FreeBSD and pf - packet filtering based on OpenVPN usernames

I have an OpenVPN server which authenticates the users using an Active Directory server. I need to limit the bandwidth of each user based on their usernames, and I also want to be able to do some basic packet filtering on OpenVPN users. Users are…
Javad Kouhi · 103 · 3
0 votes, 2 answers

PF blocking out Flags [FP.]

On a FreeBSD 12 server, I started to notice that pf is blocking out having Flags [FP.], the logs are flooded with something like this: 00:00:00.000004 rule 2/0(match): block out on bge0: 213.59.241.172.80 > 162.158.59.122.48894: Flags [FP.], seq…
nbari · 558 · 1 · 9 · 28
0 votes, 2 answers

FreeBSD-12.0 PF firewall default rule is blocking when more specific rule allowing is ignored

Our PF firewall contains this: . . . scrub in all fragment reassemble no-df max-mss 1440 ### em1 ipv4 = 123.12.3.234 nat log on $ext_if \ from $net_nat \ to any -> ($ext_if) . . . antispoof …
James B. Byrne · 337 · 1 · 4 · 14
0 votes, 2 answers

carp versus proxy arp

Currently I have a redundant pfSense firewall system set up for our corporate server farm. The main router IPs are sharing an IP address through Carp. Our two public /27 networks are assigned as proxy arp addresses to the wan interfaces and are…
goose · 151 · 7
0 votes, 2 answers

openbsd pf firewall - how can I tell what is being blocked?

I am in a dire situation. Our exchange server disks have failed. I can still use the application as the os disks are unaffected, and I need to do an emergency migration to office365. We have an openbsd firewall in our office. I have managed to…
0 votes, 1 answer

PF firewall on FreeBSD for allowing SSH and OpenVPN Traffic

I'm trying to create a simple ansible template for the packet filter on FreeBSD 11.1-RELEASE. I have vtnet0 (public), vtnet1 (private, 10.10 address) and tun0 (openvpn, fully working/tested from a client to nodes on my network). My rc.conf looks…
djsumdog · 1,100 · 2 · 16 · 29
0 votes, 1 answer

Putting all blocked ips into a table

I would like to block all the incoming traffic for a specific port and to put the source ips of these blocked packets into a table... I don't know about a pf.conf solution, I guess I would use another kind of trick but I really don't know which!…
Psyloh · 11 · 4
0 votes, 1 answer

SSH into a jail takes so long

I have only one ip address and so I get to my jail through NAT. SSH to the host is lightning-fast but SSH to the jail is awfully long... Like 20 seconds between ssh command and prompt for public key password :-s In pf.conf : rdr pass log (all) on…
Psyloh · 11 · 4