Firewall with OpenBSD’s PacketFilter
Use OpenBSD’s firewalling features to protect your network.
PacketFilter, commonly known as PF, is the firewalling system available in OpenBSD. While it is a relatively new addition to the operating system, it has already surpassed IPFilter, the system it has replaced, in both features and flexibility. PF shares many features with Linux’s Netfilter. Although Linux’s Netfilter is more easily extensible with modules, PF outshines it in its traffic normalization capabilities and enhanced logging features.
To communicate with the kernel portion of PF, we need to use the /etc/pf.conf. PF’s rule specification language is actually very powerful, flexible, and easy to use. The pf.conf file is split up into seven sections, each of which contains a particular type of rule. Not all sections need to be used—if you don’t need a specific type of rule, that section can simply be left out of the
The first section is for macros. In this section you can specify variables to hold either single values or lists of values for use in later sections of the configuration file. Like an environment variable or a programming-language identifier, macros must start with a letter and also may contain digits and underscores.
Here are ...
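The following is an added illustration, not a configuration from the original text: a small pf.conf that defines macros holding both a single value and a brace-enclosed list, then references them with `$name` in the later normalization and filtering sections. The interface names, addresses and service list are assumptions chosen for the example.

```pf
# Added example (not from the original text). Interface names,
# addresses and ports below are assumed values for illustration.

# --- macros: single values and lists, referenced later as $name ---
ext_if = "em0"
int_if = "em1"
admin_host = "192.0.2.10"
tcp_services = "{ 22, 80, 443 }"
priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# --- normalization: reassemble fragments before any rule sees them ---
scrub in all

# --- filtering: default deny in both directions, logging what is dropped ---
block in log all
block out log all

# drop packets arriving on the external interface that claim a private source
block in quick on $ext_if from $priv_nets to any

# expose only the listed TCP services; keep state so replies are matched
pass in on $ext_if proto tcp from any to $ext_if port $tcp_services keep state

# internal network may initiate outbound connections
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if from $ext_if to any keep state

# the admin host may reach the firewall's own ssh from the inside
pass in on $int_if proto tcp from $admin_host to $int_if port 22 keep state
```

Because a macro is substituted textually, a list macro such as `$tcp_services` expands to the same brace-enclosed list it was defined with, so one macro edit changes every rule that uses it.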