As of July 2003 the OpenBSD firewall software application known as PF was ported to FreeBSD and was made available in the FreeBSD Ports Collection; the first release that contained PF as an integrated part of the base system was FreeBSD 5.3 in November 2004. PF is a complete, fully featured firewall that has optional support for ALTQ (Alternate Queuing). ALTQ provides Quality of Service (QoS) bandwidth shaping that allows guaranteeing bandwidth to different services based on filtering rules. The OpenBSD Project does an outstanding job of maintaining the PF User's Guide that it will not be made part of this handbook firewall section as that would just be duplicated effort.
More info can be found at the PF for FreeBSD web site: http://pf4freebsd.love2party.net/.
PF is included in the basic FreeBSD install for versions newer than 5.3 as a separate run time loadable module. The system will dynamically load the PF kernel loadable module when the rc.conf statement pf_enable="YES" is used. The loadable module was created with pflog(4) logging enabled.
Note: The module assumes the presence of options INET and device bpf. Unless NOINET6 for FreeBSD prior to 6.0-RELEASE and NO_INET6 for later releases (for example in make.conf(5)) was defined during the build, it also requiresoptions INET6.
Once the kernel module is loaded or the kernel is statically built with PF support, it is possible to enable or disable pf with the pfctl command.
This example demonstrates how to enable pf:
# pfctl -e
The pfctl command provides a way to work with the pf firewall. It is a good idea to check the pfctl(8) manual page to find out more information about using it.
It is not a mandatory requirement that you enable PF by compiling the following options into the FreeBSD kernel. It is only presented here as background information. Compiling PF into the kernel causes the loadable module to never be used.
Sample kernel config PF option statements are in the /usr/src/sys/conf/NOTES kernel source and are reproduced here:
device pf device pflog device pfsync
device pf enables support for the “Packet Filter” firewall.
device pflog enables the optional pflog(4) pseudo network device which can be used to log traffic to a bpf(4) descriptor. The pflogd(8) daemon can be used to store the logging information to disk.
device pfsync enables the optional pfsync(4) pseudo network device that is used to monitor “state changes”. As this is not part of the loadable module one has to build a custom kernel to use it.
These settings will take effect only after you have built and installed a kernel with them set.
You need the following statements in /etc/rc.conf to activate PF at boot time:
pf_enable="YES" # Enable PF (load module if required) pf_rules="/etc/pf.conf" # rules definition file for pf pf_flags="" # additional flags for pfctl startup pflog_enable="YES" # start pflogd(8) pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_flags="" # additional flags for pflogd startup
If you have a LAN behind this firewall and have to forward packets for the computers in the LAN or want to do NAT, you have to enable the following option as well:
gateway_enable="YES" # Enable as LAN gateway
ALTQ is only available by compiling the options into the FreeBSD Kernel. ALTQ is not supported by all of the available network card drivers. Please see the altq(4) manual page for a list of drivers that are supported in your release of FreeBSD. The following options will enable ALTQ and add additional functionality.
options ALTQ options ALTQ_CBQ # Class Bases Queuing (CBQ) options ALTQ_RED # Random Early Detection (RED) options ALTQ_RIO # RED In/Out options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC) options ALTQ_PRIQ # Priority Queuing (PRIQ) options ALTQ_NOPCC # Required for SMP build
options ALTQ enables the ALTQ framework.
options ALTQ_CBQ enables Class Based Queuing (CBQ). CBQ allows you to divide a connection's bandwidth into different classes or queues to prioritize traffic based on filter rules.
options ALTQ_RED enables Random Early Detection (RED). RED is used to avoid network congestion. RED does this by measuring the length of the queue and comparing it to the minimum and maximum thresholds for the queue. If the queue is over the maximum all new packets will be dropped. True to its name, RED drops packets from different connections randomly.
options ALTQ_RIO enables Random Early Detection In and Out.
options ALTQ_HFSC enables the Hierarchical Fair Service Curve Packet Scheduler. For more information about HFSC see: http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html.
options ALTQ_PRIQ enables Priority Queuing (PRIQ). PRIQ will always pass traffic that is in a higher queue first.
options ALTQ_NOPCC enables SMP support for ALTQ. This option is required on SMP systems.
The Packet Filter reads its configuration rules from the pf.conf(5) file and it modifies, drops or passes packets according to the rules or definitions specified there. The FreeBSD installation comes with a default /etc/pf.conf which contains useful examples and explanations.
Although FreeBSD has its own /etc/pf.conf the syntax is the same as one used in OpenBSD. A great resource for configuring the pf firewall has been written by OpenBSD team and is available at http://www.openbsd.org/faq/pf/.
Warning: When browsing the pf user's guide, please keep in mind that different versions of FreeBSD contain different versions of pf. The pf firewall in FreeBSD 5.X is at the level of OpenBSD version 3.5 and in FreeBSD 6.X is at the level of OpenBSD version 3.7.
The FreeBSD packet filter mailing list is a good place to ask questions about configuring and running the pf firewall. Do not forget to check the mailing list archives before asking questions.
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the documentation before contacting <[email protected]>.
For questions about this documentation, e-mail <[email protected]>.