Firewall with OpenBSD’s PacketFilter
Use OpenBSD’s firewalling features to protect your network.
PacketFilter, commonly known as PF, is the firewalling system available in OpenBSD. While it is a relatively new addition to the operating system, it has already surpassed IPFilter, the system it has replaced, in both features and flexibility. PF shares many features with Linux’s Netfilter. Although Linux’s Netfilter is more easily extensible with modules, PF outshines it in its traffic normalization capabilities and enhanced logging features.
To communicate with the kernel portion of PF, we need to use the pfctl command. Unlike the iptables command that is used with Linux’s Netfilter, it is not used to specify individual rules, but instead uses its own configuration and rule specification language. To actually configure PF, we must edit /etc/pf.conf. PF’s rule specification language is actually very powerful, flexible, and easy to use. The pf.conf file is split up into seven sections, each of which contains a particular type of rule. Not all sections need to be used—if you don’t need a specific type of rule, that section can simply be left out of the file.
The first section is for macros. In this section you can specify variables to hold either single values or lists of values for use in later sections of the configuration file. Like an environment variable or a programming-language identifier, macros must start with a letter and also may contain digits and underscores.
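The following pf.conf is an added example, not the book’s own listing: it defines single-value and list macros and then references them in later sections. The interface names, addresses and port list are constructed for illustration.

```pf
# Macros: single values and lists, referenced later as $name.
# A macro name must start with a letter and may contain digits and underscores.
ext_if       = "fxp0"
int_if       = "fxp1"
admin_host   = "192.0.2.10"
tcp_services = "{ 22, 80, 443 }"
trusted_nets = "{ 192.168.1.0/24, 192.168.2.0/24 }"

# Options: leave the loopback interface unfiltered.
set skip on lo0

# Normalization: reassemble fragments before the filter rules see them.
# (Syntax of OpenBSD 4.5 and earlier; from 4.6 on this is "match in all scrub (...)".)
scrub in all

# Filter rules: default deny, log what is dropped, then allow selectively.
block in log all
pass out on $ext_if keep state
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services keep state
pass in on $ext_if proto tcp from $admin_host to $ext_if port 22 keep state
pass in on $int_if from $trusted_nets to any keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; the -n flag parses the rules without activating them. Afterwards pfctl -sr prints the loaded rules with every macro already expanded, which is a quick way to confirm the lists resolved as intended.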
Here are ...