
pf

pf evaluates every packet against ALL rules in the ruleset, and the last matching rule wins. Add quick to a rule to stop evaluation as soon as that rule matches.

Terminology

  • Tables: named sets of addresses or networks, referenced in rules as <name>; their contents can be changed at runtime with pfctl -t without reloading the ruleset.
  • Macros: user-defined variables ($name) that are expanded when the ruleset is loaded.
  • Anchors: named sub-rulesets that can be loaded and changed separately from the main ruleset (pfctl -a).

Add a rule

pfctl cannot append a single rule to the main ruleset; load it into an anchor instead (the anchor must be referenced from the main ruleset with an "anchor myanchor" line to take effect):

echo "pass out proto tcp to port 9001" | pfctl -a myanchor -f -

Rules

Macros.

tcp_pass = "{ 80 22 25 110 123 137:139 631 }"
udp_pass = "{ 53 110 631 }"
block all
pass out proto tcp to port $tcp_pass
pass out log on fxp0 proto udp to any port $udp_pass keep state
pass in quick on fxp0 proto tcp to any port 80 keep state

Macros with names.

tcp_pass = "{ www ssh ntp smtp pop3 }" # /etc/services
block all
pass out on fxp0 proto tcp to any port $tcp_pass keep state

Tables

table <local> { 192.168.8.0/24, 192.168.9.0/24 }
pass in quick from <local> to any keep state

Show the contents of a table

pfctl -t local -T show
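As an added example (not part of the original notes, and not pf's own code), the small simulator below applies pf's matching semantics to the macro and table rulesets above: every rule is evaluated in order, the last match wins, and quick stops evaluation. It expands the $tcp_pass/$udp_pass macros and the <local> table by hand, parses only the subset of pf.conf grammar used in the notes, and the packets it classifies are constructed test inputs. The final two calls move "block all" to the end of the ruleset to show how an unquoted pass is overridden by a later block while the quick rules are not.

```python
import re
from ipaddress import ip_address, ip_network

# Macros and tables copied from the notes; pfctl expands these at load time.
MACROS = {
    "tcp_pass": "{ 80 22 25 110 123 137:139 631 }",
    "udp_pass": "{ 53 110 631 }",
}
TABLES = {"local": [ip_network("192.168.8.0/24"), ip_network("192.168.9.0/24")]}

# The ruleset from the notes (macro and table sections combined, in order).
RULESET = [
    "block all",
    "pass out proto tcp to port $tcp_pass",
    "pass out log on fxp0 proto udp to any port $udp_pass keep state",
    "pass in quick on fxp0 proto tcp to any port 80 keep state",
    "pass in quick from <local> to any keep state",
]


def expand_ports(spec):
    """'80,137:139' -> {80, 137, 138, 139}."""
    ports = set()
    for tok in spec.split(","):
        lo, _, hi = tok.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(line):
    """Parse the subset of pf.conf grammar used in the notes into a dict."""
    line = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], line)            # $macro
    line = re.sub(r"\{([^}]*)\}", lambda m: ",".join(m.group(1).split()), line)  # { a b } -> a,b
    toks = line.split()
    rule = {"action": toks[0], "dir": None, "quick": False, "iface": None,
            "proto": None, "src": None, "dst": None, "port": None}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t in ("on", "proto"):
            i += 1
            rule["iface" if t == "on" else "proto"] = toks[i]
        elif t in ("from", "to") and i + 1 < len(toks) and toks[i + 1] != "port":
            i += 1
            rule["src" if t == "from" else "dst"] = None if toks[i] == "any" else toks[i]
        elif t == "port":
            i += 1
            rule["port"] = expand_ports(toks[i])
        # 'all', 'log', 'keep' and 'state' need no handling in this simulator
        i += 1
    return rule


def addr_matches(spec, addr):
    """None means any; <name> is a table; otherwise a host or CIDR."""
    if spec is None:
        return True
    ip = ip_address(addr)
    if spec.startswith("<"):
        return any(ip in net for net in TABLES[spec.strip("<>")])
    return ip in ip_network(spec, strict=False)


def rule_matches(r, pkt):
    return (r["dir"] in (None, pkt["dir"]) and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"])
            and addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"])
            and (r["port"] is None or pkt["dport"] in r["port"]))


def decide(ruleset, pkt):
    """pf semantics: evaluate every rule in order, the LAST match wins, unless a
    matching rule carries 'quick', which ends evaluation there. Returns
    (action, index of deciding rule); pf passes by default when nothing matches."""
    winner = ("pass", None)
    for idx, line in enumerate(ruleset):
        r = parse_rule(line)
        if rule_matches(r, pkt):
            winner = (r["action"], idx)
            if r["quick"]:
                break
    return winner


def packet(direction, iface, proto, src, dst, dport):
    """Constructed packet description (addresses from documentation ranges)."""
    return {"dir": direction, "iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    web_out = packet("out", "fxp0", "tcp", "192.168.8.5", "203.0.113.10", 80)
    web_in = packet("in", "fxp0", "tcp", "198.51.100.7", "192.168.8.5", 80)
    print("web_out", decide(RULESET, web_out))                 # ('pass', 1)
    print("web_in ", decide(RULESET, web_in))                  # ('pass', 3) via quick
    moved = RULESET[1:] + ["block all"]                        # block all now last
    print("web_out, block last", decide(moved, web_out))       # ('block', 4): last match wins
    print("web_in,  block last", decide(moved, web_in))        # ('pass', 2): quick stops first
```

The simulator ignores state (keep state) and only handles the address, interface, protocol and port keywords in these rules; it exists to make the last-match and quick behaviour visible, not to replace pfctl -n -v -f for checking a real ruleset.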

pfctl

Arguments

  • -d Disable the packet filter.
  • -e Enable the packet filter.
  • -f Replace the current ruleset with the rules contained in file.
  • -g Include output helpful for debugging.
  • -n Do not actually load rules, just parse them.
  • -N Do not perform domain name resolution.
  • -q Quiet.
  • -v Verbose.

Test the syntax of the rules

pfctl -n -v -f /etc/pf.conf

Load or reload the rules.

pfctl -f /etc/pf.conf

Show rules

pfctl -sr
pfctl -sn # NAT
pfctl -sa # ALL

Add an address to a table

pfctl -t table -T add 192.168.1.115

Delete an address from a table

pfctl -t table -T delete 192.168.1.115

Enable

pf must be enabled at boot in /etc/rc.conf (FreeBSD):

/etc/rc.conf
---
pf_enable=YES

Enable logging

/etc/rc.conf
---
pflog_enable=YES
pflog_logfile=/var/log/pf.log

Read log

tcpdump -n -e -ttt -r /var/log/pf.log

Realtime

tcpdump -n -e -ttt -i pflog0
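As an added example (not part of the original notes), the script below parses the kind of lines tcpdump prints for a pflog file and summarises blocked inbound packets per source address, which is the first thing to look at when reviewing the log. The sample lines are constructed for illustration, not real captures; the parser relies only on the "rule N/M(match): action dir on iface: src > dst:" prefix, which is the part of tcpdump's pflog output that is stable (the colon after "(match)" is optional so the OpenBSD form "rule 0/(match) block" also parses).

```python
import re
from collections import Counter

# Constructed sample output in the shape of: tcpdump -n -e -ttt -r /var/log/pf.log
SAMPLE_LOG = """\
 00:00:00.000000 rule 0/0(match): block in on fxp0: 198.51.100.7.44321 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
 00:00:00.120000 rule 0/0(match): block in on fxp0: 198.51.100.7.44322 > 192.0.2.10.23: Flags [S], seq 1, win 64240, length 0
 00:00:00.900000 rule 2/0(match): pass out on fxp0: 192.0.2.10.51515 > 203.0.113.5.53: 1234+ A? example.com. (29)
 00:00:01.300000 rule 0/0(match): block in on fxp0: 203.0.113.9.55555 > 192.0.2.10.445: Flags [S], seq 1, win 8192, length 0
 00:00:02.000000 rule 0/0(match): block in on fxp0: 198.51.100.7.44323 > 192.0.2.10.3389: Flags [S], seq 1, win 64240, length 0
"""

# The stable prefix of a pflog line as printed by tcpdump.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\S*?\(match\):?\s+(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"\s+on\s+(?P<iface>\S+):\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
)


def split_host_port(s):
    """tcpdump prints IPv4 endpoints as A.B.C.D.port; split on the last dot."""
    host, _, port = s.rpartition(".")
    return host, int(port)


def parse_pflog(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport = split_host_port(m.group("src"))
        dst, dport = split_host_port(m.group("dst"))
        events.append({"rule": int(m.group("rule")), "action": m.group("action"),
                       "dir": m.group("dir"), "iface": m.group("iface"),
                       "src": src, "sport": sport, "dst": dst, "dport": dport})
    return events


def blocked_inbound_by_source(events):
    """Map source address -> (number of blocked inbound packets, sorted destination ports hit)."""
    counts = Counter()
    ports = {}
    for e in events:
        if e["action"] == "block" and e["dir"] == "in":
            counts[e["src"]] += 1
            ports.setdefault(e["src"], set()).add(e["dport"])
    return {src: (n, sorted(ports[src])) for src, n in counts.items()}


if __name__ == "__main__":
    events = parse_pflog(SAMPLE_LOG)
    for src, (n, dports) in blocked_inbound_by_source(events).items():
        print(f"{src}: {n} blocked inbound, ports {dports}")
```

To run it against a real log, replace SAMPLE_LOG with the output of the tcpdump command above (for example by reading sys.stdin); a source that hits many distinct ports in a short time is the pattern worth following up on.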