pf tricks

The OpenBSD Journal points out that pf is enabled by default on OpenBSD from now on (with the exception of incoming X11 traffic). I take the opportunity to share some minor tricks that I use with pf on my BSD systems (mostly servers):

Regardless of the default policy, which may or may not vary across the BSD operating systems that support pf, I always keep a pf.conf.block and a pf.conf.pass handy, in case I need to enable one of the two defaults for debugging:

* pf.conf.block:

block all

* pf.conf.pass:

pass all

On machines that run OpenVPN it happens that pf is enabled and its rules are loaded before OpenVPN is started (and its virtual interface created). So if your pf.conf has rules for a non-existent interface, loading it fails, leaving your machine's pf in a state that you clearly do not want. In those cases I boot the machine with a very simple policy and load the intended policy (written in /etc/pf.conf.local) later from /etc/rc.local by issuing the command:

pfctl -Fall -f /etc/pf.conf.local

And the simple policy contents of /etc/pf.conf are:

# all addresses assigned to this machine's interfaces
table <machine> const { self }
block all
# "all" is shorthand for "from any to any" and cannot be combined with
# a "to" or "from" clause, so the two pass rules name only one side
pass to <machine>
pass from <machine>

The above policy allows any kind of traffic to and from the machine, but routes no traffic between interfaces. It can be modified depending on the services the machine starts (if any) and it is used only at boot time. YMMV.
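As an added example (not from the original post), this is a small sh script meant to be run from /etc/rc.local: it waits for the OpenVPN interface to exist before loading the full ruleset, and parse-checks that ruleset with `pfctl -n` first so a broken file never flushes the working boot-time policy. The interface name tun0, the script path and the timeout are assumptions.

```shell
#!/bin/sh
# Added example: load the full pf ruleset only once the OpenVPN interface
# is present and the file parses. tun0, the paths and the 60 s timeout are
# assumptions, not values from the original post.

PF_FULL_CONF=${PF_FULL_CONF:-/etc/pf.conf.local}   # intended policy
VPN_IFACE=${VPN_IFACE:-tun0}                       # created by OpenVPN
WAIT_SECONDS=${WAIT_SECONDS:-60}

# iface_up NAME: succeed once ifconfig knows the interface
iface_up() {
    ifconfig "$1" >/dev/null 2>&1
}

# wait_for_iface NAME SECONDS: poll once per second; return 1 on timeout
wait_for_iface() {
    _name=$1; _left=$2
    while [ "$_left" -gt 0 ]; do
        if iface_up "$_name"; then
            return 0
        fi
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# load_ruleset FILE: parse-check with -n before flushing anything, so a
# syntax error leaves the boot-time policy in place; return 2 on failure
load_ruleset() {
    if ! pfctl -nf "$1" >/dev/null 2>&1; then
        echo "pf: $1 does not parse, keeping boot-time policy" >&2
        return 2
    fi
    pfctl -F all -f "$1"
}

# main_load: 0 on success, 1 if the VPN interface never appeared,
# 2 if the full ruleset failed its syntax check
main_load() {
    if ! wait_for_iface "$VPN_IFACE" "$WAIT_SECONDS"; then
        echo "pf: $VPN_IFACE did not appear, keeping boot-time policy" >&2
        return 1
    fi
    load_ruleset "$PF_FULL_CONF"
}

# From /etc/rc.local: PF_LOAD=1 sh /etc/pf-load.sh   (path is an assumption)
if [ "${PF_LOAD:-0}" = 1 ]; then
    main_load
fi
```

Exit status 1 or 2 means the boot-time policy is still what is loaded, which is the state worth alerting on.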
