diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
index 7b1712fb04..101aae6070 100644
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
@@ -182,6 +182,17 @@
+
+
+
+ John
+ Ferrell
+ Revised and updated by
+
+
+
+
+
The OpenBSD Packet Filter (PF) and
ALTQ
@@ -192,60 +203,66 @@
As of July 2003 the OpenBSD firewall software application
- known as PF was ported to &os; and was made
- available in the &os; Ports Collection; the first release that
- contained PF as an integrated part of the
- base system was &os; 5.3 in November 2004.
- PF is a complete, fully featured firewall
+ known as PF was ported to &os; and
+ made available in the &os; Ports Collection. Released in 2004,
+ &os; 5.3 was the first release that contained
+ PF as an integrated part of the base system.
+ PF is a complete, full-featured firewall
that has optional support for ALTQ (Alternate
Queuing). ALTQ provides Quality of Service
- (QoS) bandwidth shaping that allows
- guaranteeing bandwidth to different services based on filtering
- rules. The OpenBSD Project does an outstanding job of
- maintaining the PF User's Guide that it will not be made part of
- this handbook firewall section as that would just be duplicated
- effort.
+ (QoS) functionality.
- More info can be found at the PF for &os; web site: The OpenBSD Project does an outstanding job of
+ maintaining the PF FAQ.
+ As such, this section of the Handbook will focus on
+ PF as it pertains to &os; while providing
+ some general information regarding usage. For detailed usage
+ information please refer to the PF FAQ.
+
+ More information about PF for &os;
+ can be found at .
- Enabling PF
+ Using the PF loadable kernel module
- PF is included in the basic &os; install for versions newer
- than 5.3 as a separate run time loadable module. The system
- will dynamically load the PF kernel loadable module when the
- rc.conf statement pf_enable="YES" is used.
- The loadable module was created with &man.pflog.4; logging
- enabled.
+ Since the release of &os; 5.3, PF has been included in the
+ basic install as a separate run time loadable module. The
+ system will dynamically load the PF kernel module when the
+ &man.rc.conf.5; statement pf_enable="YES"
+ is present. However, the PF module will
+ not load if the system cannot find a PF
+ ruleset configuration file. The default location is
+ /etc/pf.conf. If your
+ PF ruleset is located somewhere else put
+ pf_rules="/path/pf.rules"
+ to your /etc/rc.conf configuration file to
+ specify the location.
-
- The module assumes the presence of options
- INET and device bpf. Unless
- NOINET6 for &os; prior to 6.0-RELEASE and
- NO_INET6 for later releases (for example in
- &man.make.conf.5;) was defined during the build, it also
- requires options INET6.
-
+
+ As of &os; 7.0 the sample pf.conf
+ that was in /etc/ has been
+ moved to /usr/share/examples/pf/. For &os;
+ versions prior to 7.0 there is an /etc/pf.conf
+ by default.
+
- Once the kernel module is loaded or the kernel is statically
- built with PF support, it is possible to enable or disable
- pf with the pfctl
- command.
+ The PF module can also be loaded manually
+ from the command line:
- This example demonstrates how to enable
- pf:
+ &prompt.root; kldload pf.ko
- &prompt.root; pfctl -e
-
- The pfctl command provides a way to work
- with the pf firewall. It is a good
- idea to check the &man.pfctl.8; manual page to find out more
- information about using it.
+ The loadable module was created with &man.pflog.4; enabled
+ which provides support for logging. If you need other
+ PF features you will need to compile
+ PF support into the kernel.
- Kernel options
+ PF kernel optionskernel options
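Review bot: The new "Using the PF loadable kernel module" text states that the module will not load unless a ruleset file exists (default /etc/pf.conf), and then states that as of &os; 7.0 no /etc/pf.conf ships by default; taken together this leaves a 7.0 reader with pf_enable="YES" and nothing loading. Suggest adding one sentence after the 7.0 note telling the reader to copy one of the samples from /usr/share/examples/pf/ to /etc/pf.conf (or point pf_rules at it) before enabling PF. Minor wording in the same hunk: "put pf_rules="/path/pf.rules" to your /etc/rc.conf" reads better as "add pf_rules="/path/pf.rules" to /etc/rc.conf".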
@@ -265,44 +282,43 @@
device pfsync
- It is not a mandatory requirement that you enable PF by
- compiling the following options into the &os; kernel. It is
- only presented here as background information. Compiling PF
- into the kernel causes the loadable module to never be
- used.
+ While it is not necessary that you compile
+ PF support into the &os; kernel, you may want
+ to do so to take advantage of one of PF's advanced features that
+ is not included in the loadable module, namely &man.pfsync.4;, which
+ is a pseudo-device that exposes certain changes to
+ the state table used by PF. It can be
+ paired with &man.carp.4; to create failover firewalls using
+ PF. More information on
+ CARP can be found in
+ chapter 29 of the handbook.
- Sample kernel config PF option statements are in the
- /usr/src/sys/conf/NOTES kernel source and
- are reproduced here:
+ The PF kernel options can be found in
+ /usr/src/sys/conf/NOTES and are reproduced
+ below:device pf
device pflog
device pfsync
- device pf enables support for the
- Packet Filter firewall.
+ The device pf option enables support for the
+ Packet Filter firewall (&man.pf.4;).
- device pflog enables the optional
+ The device pflog option enables the optional
&man.pflog.4; pseudo network device which can be used to log
traffic to a &man.bpf.4; descriptor. The &man.pflogd.8; daemon
can be used to store the logging information to disk.
- device pfsync enables the optional
- &man.pfsync.4; pseudo network device that is used to monitor
- state changes. As this is not part of the
- loadable module one has to build a custom kernel to use
- it.
-
- These settings will take effect only after you have built
- and installed a kernel with them set.
+ The device pfsync option enables the optional
+ &man.pfsync.4; pseudo-network device that is used to monitor
+ state changes.Available rc.conf Options
- You need the following statements in
- /etc/rc.conf to activate PF at boot
- time:
+ The following &man.rc.conf.5; statements configure
+ PF and &man.pflog.4; at boot:pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
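Review bot: "More information on CARP can be found in chapter 29 of the handbook" hard-codes a chapter number that will go stale as chapters are added or reordered; use a cross-reference to the CARP section instead so the number is generated. Two smaller points in this hunk: the dropped sentence "These settings will take effect only after you have built and installed a kernel with them set" is still useful to readers adding device pfsync and could be kept, and the hyphenation of "pseudo network device" (pflog paragraph) versus "pseudo-network device" (pfsync paragraph) should be made consistent.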
@@ -312,22 +328,114 @@ pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startupIf you have a LAN behind this firewall and have to forward
- packets for the computers in the LAN or want to do NAT, you
- have to enable the following option as well:
+ packets for the computers on the LAN or want to do NAT, you
+ will need the following option as well:
gateway_enable="YES" # Enable as LAN gateway
+
+ Creating Filtering Rules
+
+ PF reads its configuration rules from
+ &man.pf.conf.5; (/etc/pf.conf by
+ default) and it modifies, drops, or passes packets according to
+ the rules or definitions specified there. The &os;
+ installation includes several sample files located in
+ /usr/share/examples/pf/. Please refer to
+ the PF FAQ
+ for complete coverage of PF rulesets.
+
+
+ When browsing the PF FAQ,
+ please keep in mind that different versions of &os; contain
+ different versions of PF:
+
+
+
+ &os; 5.X —
+ PF is at OpenBSD 3.5
+
+
+
+ &os; 6.X —
+ PF is at OpenBSD 3.7
+
+
+
+ &os; 7.X —
+ PF is at OpenBSD 4.1
+
+
+
+
+ The &a.pf; is a good place to ask questions about
+ configuring and running the PF
+ firewall. Do not forget to check the mailing list archives
+ before asking questions!
+
+
+
+ Working with PF
+
+ Use &man.pfctl.8; to control PF. Below
+ are some useful commands (be sure to review the &man.pfctl.8;
+ man page for all available options):
+
+
+
+
+
+ Command
+ Purpose
+
+
+
+
+
+ pfctl
+ Enable PF
+
+
+
+ pfctl
+ Disable PF
+
+
+
+ pfctl all /etc/pf.conf
+ Flush all rules (nat, filter, state, table, etc.) and
+ reload from the file /etc/pf.conf
+
+
+
+ pfctl [ rules | nat | state ]
+ Report on the filter rules, nat rules, or state
+ table
+
+
+
+ pfctl /etc/pf.conf
+ Check /etc/pf.conf for errors,
+ but do not load ruleset
+
+
+
+
+
+
Enabling ALTQ
- ALTQ is only available by compiling the
- options into the &os; Kernel. ALTQ is not
- supported by all of the available network card drivers. Please
- see the &man.altq.4; manual page for a list of drivers that are
- supported in your release of &os;. The following options will
- enable ALTQ and add additional
- functionality.
+ ALTQ is only available by compiling
+ support for it into the &os; kernel. ALTQ is
+ not supported by all of the available network card drivers.
+ Please see the &man.altq.4; manual page for a list of drivers
+ that are supported in your release of &os;.
+
+ The following kernel options will enable
+ ALTQ and add additional functionality:options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
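Review bot: In the "Working with PF" table the Command column does not distinguish the rows: "pfctl" is listed for both "Enable PF" and "Disable PF", and the flush/reload, report and check rows show only a file name or keyword after "pfctl". The flags need to be visible in the cell text, i.e. pfctl -e, pfctl -d, pfctl -F all -f /etc/pf.conf, pfctl -s [ rules | nat | state ] and pfctl -n -f /etc/pf.conf, since the old section's explicit "pfctl -e" example has been removed and this table is now the only place the reader sees them. Also, the context line "options ALTQ_CBQ # Class Bases Queuing (CBQ)" carries a pre-existing typo ("Class Based Queueing") that could be fixed while this block is being touched.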
@@ -373,35 +481,6 @@ options ALTQ_NOPCC # Required for SMP build
This option is required on SMP
systems.
-
-
- Creating Filtering Rules
-
- The Packet Filter reads its configuration rules from the
- &man.pf.conf.5; file and it modifies, drops or passes packets
- according to the rules or definitions specified there. The &os;
- installation comes with a default
- /etc/pf.conf which contains useful examples
- and explanations.
-
- Although &os; has its own /etc/pf.conf
- the syntax is the same as one used in OpenBSD. A great
- resource for configuring the pf
- firewall has been written by OpenBSD team and is available at
- .
-
-
- When browsing the pf user's guide, please keep in mind that
- different versions of &os; contain different versions of pf. The
- pf firewall in &os; 6.X is at the level
- of OpenBSD version 3.7.
-
-
- The &a.pf; is a good place to ask questions about
- configuring and running the pf
- firewall. Do not forget to check the mailing list archives
- before asking questions.
-
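Review bot: The removed paragraph is the only place that told the reader that &os;'s /etc/pf.conf uses the same syntax as OpenBSD's, and that statement is not carried into the new "Creating Filtering Rules" section. Since the new section sends readers to the OpenBSD PF FAQ for ruleset coverage, keep a sentence to that effect (qualified by the per-release PF version list already in the new section) so it is clear the FAQ's syntax applies to &os;.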