errorCodex - Computer Questions & Solutions Forum

pf Guide on FreeBSD
Posted by Miraenda, 23 May 2010, 12:35

The following is a basic guide for pf (the OpenBSD packet filter, as shipped with FreeBSD). Please note this is for a FreeBSD 8.0-RELEASE system.

Section One -- pf Installation

Adding pf

pf is part of the FreeBSD base system, so nothing needs installing; to have it enabled at boot, place the following into the /etc/rc.conf file:

Code:
pf_enable="YES"
No filter rules exist initially, and the rc script refuses to start pf if its rules file is missing, so copy the example rules at /usr/share/examples/pf/pf.conf to /etc/pf.conf (and edit them before relying on them). Alternatively, you can point pf at a rules file in a different location from /etc/rc.conf:

Code:
pf_rules="/pathto/pf.conf"
Loading and Enabling pf

Load pf using the following:

Code:
kldload pf
or
Code:
kldload pf.ko
To see if it is loaded:
Code:
kldstat
Example:
Code:
freebsd# kldstat
Id Refs Address    Size     Name
 1    7 0xc0400000 b6dfe0   kernel
 2    1 0xc0f6e000 2534     accf_http.ko
 3    2 0xc8406000 35000    pf.ko
 4    1 0xc8460000 3000     pflog.ko
Issue the following command to enable pf:
Code:
pfctl -e
Alternatively, you can start it through the rc script, which loads the module and the ruleset and then enables pf in one step:
Code:
/etc/rc.d/pf start
Disable, Restart, and Stop pf

To disable pf, run the following:
Code:
pfctl -d
To restart pf:
Code:
/etc/rc.d/pf restart
To stop pf:
Code:
/etc/rc.d/pf stop
Enable Logging

To enable logging at boot, you would place the following line in /etc/rc.conf:
Code:
pflog_enable="YES"
You would then start logging with this command:
Code:
/etc/rc.d/pflog start
Please note that logged packets are written in binary (pcap) form to /var/log/pflog, so read the file with tcpdump rather than a pager, e.g. tcpdump -n -e -ttt -r /var/log/pflog (or tcpdump -n -e -ttt -i pflog0 to watch live). Only rules that carry the log keyword produce log entries.

Syntax Check on pf Configuration

To do a syntax check on the existing /etc/pf.conf file without loading it (-n parses only; -v prints the rules as parsed):
Code:
pfctl -vnf /etc/pf.conf
Flush the Rules

To flush the current rules and reload your existing /etc/pf.conf file (note that -F all also flushes the state table, which breaks connections currently passing through the firewall; pfctl -f /etc/pf.conf alone replaces the ruleset while keeping existing states):
Code:
pfctl -F all -f /etc/pf.conf
Example:
Code:
freebsd# pfctl -F all -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
0 tables deleted
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
View Current Rules

To display the current pf rules:
Code:
pfctl -s all
To see only a particular part of the configuration or runtime information:
Code:
pfctl -s info
pfctl -s nat
pfctl -s rules
pfctl -s state
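The check, load and flush commands above form one procedure that is easy to get wrong on a box you only reach over ssh. Here is an added example (mine, not part of the original post) that strings them together as a small sh script with a lockout guard: it refuses to load a ruleset that fails pfctl -nf, replaces the rules without flushing the state table, and arms a watchdog that runs pfctl -d after a grace period unless you cancel it. It assumes pfctl is on the PATH, that the rules file path and grace period are passed in by the caller, and that the watchdog pattern is an administrator convention rather than anything pfctl itself provides.

```shell
#!/bin/sh
# Added example: guarded pf ruleset reload for a remotely managed host.
# Usage:  . ./pf-reload.sh
#         pid=$(pf_safe_load /etc/pf.conf 60)   # then confirm ssh still works
#         pf_commit "$pid"                      # keep the new rules

# Parse a ruleset without loading it (-n); the exit status is pfctl's.
pf_check() {
    pfctl -nf "$1"
}

# Load $1 only if it parses, then start a watchdog that disables pf
# after $2 seconds (default 60).  Prints the watchdog PID so the
# caller can cancel it once access is confirmed to still work.
pf_safe_load() {
    rules=$1
    grace=${2:-60}
    if ! pf_check "$rules" >/dev/null 2>&1; then
        echo "$rules: syntax check failed, not loading" >&2
        return 1
    fi
    # -f replaces the ruleset in place; unlike -F all it keeps the
    # state table, so existing connections (your ssh session) survive
    pfctl -f "$rules" || return 1
    # watchdog: if nobody cancels it, pf is disabled and you get back in
    ( sleep "$grace" && pfctl -d ) >/dev/null 2>&1 &
    echo $!
}

# Cancel the watchdog so the newly loaded rules stay in force.
pf_commit() {
    kill "$1" 2>/dev/null
}
```

After pf_commit, pfctl -s rules shows what is actually in force; if you let the watchdog fire, pfctl -s info will report Status: Disabled and you can fix the file and try again.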
---------------------------------------------
Section Two -- pf Configuration Ruleset

Defining Lists and Macros

First, let’s define the interface on the machine. At the top of /etc/pf.conf, it originally will have the following (commented out):

Code:
ext_if="ext0"
int_if="int0"
These macros name ext0 (the external, Internet-facing interface) as ext_if and int0 (the internal interface) as int_if. I don’t have two NIC cards, so I don’t have the int0 one and we will disregard that for this discussion.

Now, my machine has this line in /etc/rc.conf file:
Code:
ifconfig_fxp0="inet 209.200.236.74  netmask 255.255.255.0"
As such, I’m going to change ext0 in the ext_if macro in /etc/pf.conf to fxp0 instead, to match this interface:
Code:
ext_if="fxp0"
Next, we are going to define some other macros to see how these work for creating a list and then using a macro (please note the names for the services are taken from /etc/services file):
Code:
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
Once a macro is defined, you can use it later in a rule by adding the $ to the front of it such as the following examples:
Code:
pass out proto tcp to any port $tcp_services
pass proto udp to any port $udp_services
Basic Actions

A good generalized discussion of pf syntax and basic rules can be found via this FAQ:

http://www.openbsd.org/faq/pf/filter.html#intro

The basic actions available are the following:
block (in | out) = block incoming or outgoing packets
pass (in | out) = allow incoming or outgoing packets
scrub (in | out) = normalize incoming or outgoing packets before they are filtered (reassemble fragments, drop illegal flag combinations such as SYN and RST together, and clean up ambiguous ones such as SYN and FIN)

Some specialized actions:
antispoof = block packets arriving on an interface whose source address belongs to that interface's own network or is the interface's own address, i.e. packets forged to look local
set skip on = exclude an interface from filtering altogether; used with antispoof on lo0, because antispoof would otherwise block loopback traffic that carries the host's own address as its source

Examples for antispoof and set skip:
Code:
set skip on lo0
antispoof for fxp0 inet
For block and pass actions, here is the syntax:
action [in | out] [log] [quick] [on interface] [af] [proto protocol] [from src_addr [port src_port]] [to dst_addr [port dst_port]] [flags tcp_flags] [state]

[ ] around an option means it is optional
Please note that pf handles rule order the opposite way from iptables. In iptables the first matching rule wins, so a catch-all deny must come after the allows or else all traffic is denied. In pf every packet is run through the whole ruleset and the last matching rule wins (unless a rule says quick), so you can deny everything first and then allow selected traffic with later pass rules. Here are the rules to deny all traffic, both in and out:
Code:
block in all
block out all
Other Options

Logging

To log the packets matching a rule to /var/log/pflog, add log to the rule:
pass in log = allow the packet in and log it (via the pflog0 interface, which pflogd writes out to /var/log/pflog)

Quick

Each packet in pf is evaluated against the entire ruleset from top to bottom, and the last matching rule wins. To stop evaluation at a given rule and make that rule's decision final, add quick to it; no further rules will be considered for that packet:
pass in quick = allow the packet in and stop evaluating the ruleset for it

Interface

The interfaces are those found when running this command on your system:
Code:
ifconfig -a
If you’ve used a macro to name your external interface (fxp0), then you would use that macro name when referring to the interface.

Here are the interfaces on my system:
Code:
freebsd# ifconfig -a
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
 ether 00:14:85:3c:a4:79
 inet 209.200.236.74 netmask 0xffffff00 broadcast 209.200.236.255
 media: Ethernet autoselect (100baseTX <full-duplex>)
 status: active

plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
 options=3<RXCSUM,TXCSUM>
 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
 inet6 ::1 prefixlen 128
 inet 127.0.0.1 netmask 0xff000000

pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200
Here’s an example using the macro name with a list:
Code:
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 
255.255.255.255/32 } to any
block in = block incoming packets
log = log the activity
quick = force the ruleset
on $ext_if = on the fxp0 interface
from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } = from the list 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32
to any = to any destination address or destination port on the system

So, basically, block any incoming packets on the frontend IP (fxp0) interface from 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 addresses to any destination address or destination port on the system, log the block activity and force this rule for the packet without it continuing on the rule chain.

af

af is the address family for the packet (inet for IPv4 and inet6 for IPv6). Normally this doesn’t need to be given, as pf can infer it from the source or destination address in the rule; it is useful with any, e.g. block in inet6 all, where there is no address to infer it from.

Protocol

The protocols are those found in /etc/protocols, but the most common are the following:
tcp
udp
icmp
icmp6

Protocols can also be referenced by protocol number (0-255).

Of note, a list can be used to set the protocols, then a macro to reference those protocols:
Code:
mainproto = "{ tcp, udp, icmp }"
Example:
Code:
pass out on $ext_if proto $mainproto from any to any
pass out = allow outgoing packets
on $ext_if = on the fxp0 interface
proto $mainproto = on protocol $mainproto (macro defined tcp, udp, icmp)
from any = from any source address or source port
to any = to any destination address or destination port

So, basically, allow any outgoing packets on the frontend IP (fxp0) interface on tcp, udp, icmp protocols from any source address or source port to any destination address or destination port.

src_addr, dst_addr

These are the source address or destination address in the IP header. An IP address, a network in CIDR notation (such as 192.168.0.0/24), or a fully qualified domain name can be used here; note that hostnames are resolved once, when the ruleset is loaded, not per packet. An interface name (or a macro holding one) can also stand in for the addresses assigned to that interface.

Modifiers can be appended to an interface name to select related addresses, e.g. fxp0:network or $ext_if:broadcast:
:network for the CIDR network block the interface is on (such as 192.168.0.0/24)
:broadcast for the interface's network broadcast address (such as 192.168.0.255)

For this area, the following can be used in place of actual IPs or domains:
any = all addresses
all = from any to any

src_port, dst_port

These are the source port or destination port, which can either be a number representing the port from 1-65535 or a valid service listed in /etc/services file. As we mentioned earlier, a list or macro can be defined for these services.

The following operators can be used with ports (for example port 1024 >< 2048, or port 6000:6010):
= (equal; the default when a bare port is given)
!= (not equal)
< (less than)
> (greater than)
<= (less than or equal)
>= (greater than or equal)
>< (range, excluding both endpoints)
<> (inverse range: everything outside the two endpoints, excluding them)
: (inclusive range)

tcp_flags

These flags for TCP based traffic are used to filter TCP packets attempting to open a connection.

These are the flags that can be used:
F = FIN, finish or end of session
S = SYN, indicates request to start session
R = RST, drop a connection
P = PSH, push; deliver the data to the application immediately
A = ACK, acknowledgement
U = URG, urgent
E = ECE, explicit congestion notification echo
W = CWR, congestion window reduced

To use these flags in a rule, you must precede them with the flags keyword, so the following:
Code:
flags check/mask
OR
Code:
flags any
Here mask lists the flags to inspect and check lists those among them that must be set; flags outside the mask are ignored, and flags any switches the check off entirely. So, you might have the following:
Code:
pass in on $ext_if proto tcp from any to any flags S/SA
pass in = allow the incoming packets
on $ext_if = on the fxp0 interface
proto tcp = via the tcp protocol
from any = from any source address or port
to any = to any destination address or port
flags S/SA = of the SYN and ACK flags, SYN must be set and ACK must be clear

So, basically, this means to allow incoming packets on the frontend IP (fxp0) interface via tcp protocol from any source address or port to any destination address or port whose SYN flag is set and ACK flag is clear, i.e. only the first packet of a new connection. Such a rule is normally combined with keep state, so that the rest of the connection is passed by the state table rather than by further rule matches.
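Putting Section Two together, here is an added example (mine, not from the original post): a sh script that writes a complete default-deny pf.conf for a single-NIC host from the macros, set skip/antispoof, logged bogon block, protocol list, service list and flags S/SA rules discussed above, and checks it with pfctl -nf before putting it in place. It assumes the interface name is passed as the first argument, that only the listed services should be reachable from outside, that the host should answer ping, and that pfctl is on the PATH for the syntax check; the icmp-type echoreq rule and the keep state keyword are standard pf syntax not covered in the post.

```shell
#!/bin/sh
# Added example: generate and check a complete pf.conf built from the
# pieces in this guide.  Usage:
#   ./mkpf.sh fxp0 > /tmp/pf.conf && pfctl -nf /tmp/pf.conf
#   or: install_pf_conf fxp0 /etc/pf.conf

# Print a default-deny, stateful ruleset for a single-NIC host whose
# external interface name is $1 (assumed to be supplied by the caller).
make_pf_conf() {
cat <<EOF
# macros and lists (service names come from /etc/services)
ext_if="$1"
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
bogons = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"

# options: never filter loopback (antispoof would otherwise block it),
# normalise inbound packets before they reach the filter rules
set skip on lo0
scrub in all

# default deny in both directions; later pass rules punch holes
block in all
block out all

# spoofed-local and private-range sources: drop, log, stop evaluating
antispoof for \$ext_if inet
block in log quick on \$ext_if from \$bogons to any

# outbound: the host may talk to anyone; state lets the replies back in
pass out on \$ext_if proto { tcp, udp, icmp } from any to any keep state

# inbound: only the listed services, only connection-opening packets
# (SYN set, ACK clear); the state table handles the rest of each connection
pass in on \$ext_if proto tcp from any to \$ext_if port \$tcp_services flags S/SA keep state
pass in on \$ext_if proto udp from any to \$ext_if port \$udp_services keep state

# inbound ICMP: answer ping only
pass in on \$ext_if inet proto icmp from any to \$ext_if icmp-type echoreq keep state
EOF
}

# Write the ruleset for interface $1 to $2, but only if pfctl accepts it
# (-n parses without loading); on rejection the existing file is untouched.
install_pf_conf() {
    tmp="$2.new"
    make_pf_conf "$1" > "$tmp" || return 1
    if pfctl -nf "$tmp"; then
        mv "$tmp" "$2"
    else
        echo "generated ruleset rejected by pfctl; $2 left untouched" >&2
        rm -f "$tmp"
        return 1
    fi
}
```

Because block in all comes first and the pass rules come later, the last-match rule means the passes win for the traffic they name; the bogon rule uses quick so that no later pass can accidentally re-admit a private-range source. Load the result with pfctl -f and confirm with pfctl -s rules.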

A great, well-marked up pf firewall configuration can be found at the following location:

http://sites.google.com/site/clickde...ds-bsdfirewall
__________________
Miraenda
~ Ex uno disce omnes ~