Questions tagged [pf]

pf is the OpenBSD Packet Filter, a feature-rich IP-layer firewall used on FreeBSD, NetBSD, and Mac OS X, as well as in the pfSense open-source firewall appliance software.

pf is a Packet Filtering firewall originally developed by the OpenBSD project, and since adopted by FreeBSD, NetBSD and Mac OS X (10.7 Lion & up). pf is also used in the pfSense project's firewall code.

pf features include:

  • Packet Filtering
  • Network Address Translation (NAT)
  • Port Redirection
  • Packet Queueing / QoS
  • Load Balancing
  • "Policy Filtering" (packet tagging)

More information on the pf firewall can be found in the OpenBSD FAQ, including some examples.

143 questions
Passing traffic to a service behind firewall (0 votes, 1 answer)

I am running nginx on port 8080, now I'd like to make it accessible from the internet, for that I open a port on my Router, next I add some rules to my PF, but in a sniff from Wireshark I see port unreachable: 2013-01-16 19:15:57.376545 IP…
Asked by SIFE

OpenBSD ftp-proxy behind NAT itself (0 votes, 1 answer)

Is it possible to change the PASV IP ftp-proxy of OpenBSD sends to clients, without changing the listen address of redirection control (-b)? I have the following setup: FTP client --> 1:1 NAT router --> OpenBSD router --> FTP server The…
Asked by Manuel Faux

pfSense to ASA L2L VPN - infrequent, short-lasting, but consistent disconnections (0 votes, 1 answer)

Has anyone here been able to specify a stable configuration for the L2L VPN between an ASA device and pfSense 2.0.1? I am using the most accommodating settings on the ASA side (DefaultL2LGroup with many transform sets and using PSK so that the…
Asked by tacos_tacos_tacos

OpenBSD 5 port forwarding (0 votes, 1 answer)

I'm trying to configure pf port forwarding on OpenBSD 5.0. The firewall machine has two NICs: em0: 192.168.200.3 vic0: 192.65.214.136 I would like to forward all packets coming into 192.168.200.3:104 to 192.65.214.131:104. Also I need to still have…
Asked by Leonardo Ramé

Order of application of NAT rules in pfSense 2 (0 votes, 1 answer)

In pfSense 2.0, I have a bunch of WAN CARP Virtual IPs and a bunch of 1:1 NAT rules defined associating these IPs to LAN subnet hosts. If I set up Port Forwarding rules that forward from CARP IPs that I have already defined in 1:1 to other hosts,…
Asked by tacos_tacos_tacos

OpenBSD 5.0 pf with NAT & Port Forwarding (0 votes, 1 answer)

Port forwarding does not seem to work properly, incoming connections apparently are blocked. Is there something wrong with my pf.conf? # Performance limits set limit states 200000 set limit src-nodes 200000 set limit frags 1000000 set limit tables…
Asked by Robert Foss

Slow upload speeds with pfSense virtual appliance (0 votes, 2 answers)

I have a pfSense virtual appliance set up in front of a Windows server. The pfSense appliance has been configured with two L2L IPSec VPN sites and not too much else. The appliance has two vNICs which both exist on the same VLAN, but one is "WAN" and…
Asked by tacos_tacos_tacos

Keep connection state with target machine in PF when reply comes from a different IP (0 votes, 2 answers)

I'm facing a challenge with my PF firewall on an OpenBSD machine. From a client (A) I'm connecting to a server (B) using a target IP (SRV-IP-1). The server is replying to my request, but sourcing the reply from a different IP (SRV-IP-2). The…
Asked by spidernik84

PF rules and configuration to allow a local IP alias to NAT on FreeBSD? (0 votes, 2 answers)

Here are the exact details of my configuration: Firewall/DNS Server: 192.168.2.1 (local LAN) which routes out to the internet. <-- NOT UNDER MY CONTROL My FreeBSD Server: 192.168.2.23 (LAN) "Inside" of my server, I have a jail. (I will have more, once my…
Asked by Nektarios

Using an "include"-like statement in pf.conf to include some parts from other files (0 votes, 2 answers)

I want to be able to include some parts of my pf.conf from another set of files. For example I will include "set timeout" and similar statements in another file. Using anchors and "load anchor from file" statements will not help because an anchor cannot…
Asked by seaquest

Disable ALTQ for internal network traffic (0 votes, 1 answer)

I currently have a FreeBSD 8.2 media server set up on my LAN that I use to stream my music from. I also have an SSH login that I use to do file transfers to and from this server remotely. I would like to set up ALTQ (and have gotten this working) to…
Asked by javanix

FreeBSD machine not responding to first few packets of a stream (0 votes, 1 answer)

I have two machines running as reverse proxy caches/load balancers in front of a site I admin. Recently at peak times I've been seeing a problem where the first few packets from any stream of packets (ICMP, UDP, TCP, whatever) arrive on the machine…
Asked by Conor McDermottroe

Using NTPD on OpenBSD to get time from Linux using port forwarding (0 votes, 1 answer)

This is a rehash of another question, now that I understand things a bit better. I have the following network set up: NTP 10.21.3.169 | \______________ | \ 10.21.3.160 (eth1) | L1 …
Asked by Rich

PF firewall issues with FTP inside FreeBSD jail (0 votes, 2 answers)

I have recently tried to set up jails on one of my FreeBSD servers, and I'm running into strange errors while trying to download FreeBSD packages via FTP. I have these rules in the PF firewall to allow the download of packages on the host machine,…
Asked by mikl

pf rule for NATting multiple VPN interfaces, how to exclude two physical interfaces? (0 votes, 0 answers)

Situation: VPN server, hosting OpenVPN and L2TP connections. OpenVPN connections share a "utun" interface, one per OpenVPN server process. L2TP connections each get a unique "ppp" interface. The easiest way to capture all of the potential interface…
Asked by JLG