OpenBSD enables PF by default at system boot with these rc.conf variables:
To disable PF at boot, set NO in rc.conf.local.
The default configuration file for PF is /etc/pf.conf. There’s nothing special about this file—it’s just a standard location. The pf(4) kernel interface doesn’t read the file directly; the PF control program pfctl(8) reads the file and sends the configuration to the kernel.
The default PF configuration (hard-coded in /etc/rc) blocks all network traffic except for ICMP and SSH. During boot, PF replaces those defaults with rules from /etc/pf.conf. If an error in pf.conf renders the file unparsable when the system boots, PF can’t load those rules; instead, it retains ...
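Because pfctl(8) does the parsing, a ruleset can be checked before it ever becomes /etc/pf.conf, so a typo is caught at edit time rather than at the next boot. The script below is an added example, not code from the original text: it uses pfctl's `-n` (parse only) and `-f` (file) options, while the `PFCTL` variable, the `install_pf_rules` function name and the `.prev` backup suffix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: parse-check a candidate ruleset before it replaces pf.conf.
# PFCTL, install_pf_rules and the ".prev" backup name are illustrative.
PFCTL="${PFCTL:-pfctl}"

# install_pf_rules CANDIDATE [TARGET]
#   0  candidate parsed, installed as TARGET and loaded
#   1  candidate unreadable or unparsable; TARGET untouched
#   2  install or load failed; previous TARGET restored if one existed
install_pf_rules() {
    candidate=$1
    target=${2:-/etc/pf.conf}
    backup="$target.prev"

    if [ ! -r "$candidate" ]; then
        echo "cannot read $candidate" >&2
        return 1
    fi

    # -n parses the ruleset without loading it; -f names the file to read.
    if ! "$PFCTL" -nf "$candidate"; then
        echo "$candidate does not parse; $target left unchanged" >&2
        return 1
    fi

    # Keep the previous file so a failed load can be rolled back.
    if [ -f "$target" ]; then
        cp -p "$target" "$backup" || return 2
    fi

    if ! cp "$candidate" "$target" || ! "$PFCTL" -f "$target"; then
        echo "load failed; restoring previous $target" >&2
        if [ -f "$backup" ]; then
            cp -p "$backup" "$target" && "$PFCTL" -f "$target"
        fi
        return 2
    fi
    return 0
}

# Run as: sh install_pf_rules.sh /root/pf.conf.new
if [ "$#" -gt 0 ]; then
    install_pf_rules "$@"
fi
```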