|
Lines 182-187
Link Here
|
| 182 |
</sect1> |
182 |
</sect1> |
| 183 |
|
183 |
|
| 184 |
<sect1 id="firewalls-pf"> |
184 |
<sect1 id="firewalls-pf"> |
|
|
185 |
<sect1info> |
| 186 |
<authorgroup> |
| 187 |
<author> |
| 188 |
<firstname>John</firstname> |
| 189 |
<surname>Ferrell</surname> |
| 190 |
<contrib>Revised and updated by </contrib> |
| 191 |
<!-- 24 March 2008 --> |
| 192 |
</author> |
| 193 |
</authorgroup> |
| 194 |
</sect1info> |
| 195 |
|
| 185 |
<title>The OpenBSD Packet Filter (PF) and |
196 |
<title>The OpenBSD Packet Filter (PF) and |
| 186 |
<acronym>ALTQ</acronym></title> |
197 |
<acronym>ALTQ</acronym></title> |
| 187 |
|
198 |
|
|
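Review bot: the new `<sect1info>` block sits before `<title>`, which is the order DocBook 4 requires, so the structure is fine; two small points. The `<contrib>Revised and updated by </contrib>` text relies on the stylesheet appending the author's name after the trailing space, so check that it matches the wording used by the other `<contrib>` elements in this chapter. The `<!-- 24 March 2008 -->` comment gives a bare date; say what it dates (the revision credited to John Ferrell) so the next editor knows whether it should be updated.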
Lines 192-251
Link Here
|
| 192 |
</indexterm> |
203 |
</indexterm> |
| 193 |
|
204 |
|
| 194 |
<para>As of July 2003 the OpenBSD firewall software application |
205 |
<para>As of July 2003 the OpenBSD firewall software application |
| 195 |
known as <acronym>PF</acronym> was ported to &os; and was made |
206 |
known as <acronym>PF</acronym> was ported to &os; and |
| 196 |
available in the &os; Ports Collection; the first release that |
207 |
made available in the &os; Ports Collection. Released in 2004, |
| 197 |
contained <acronym>PF</acronym> as an integrated part of the |
208 |
&os; 5.3 was the first release that contained |
| 198 |
base system was &os; 5.3 in November 2004. |
209 |
<acronym>PF</acronym> as an integrated part of the base system. |
| 199 |
<acronym>PF</acronym> is a complete, fully featured firewall |
210 |
<acronym>PF</acronym> is a complete, full-featured firewall |
| 200 |
that has optional support for <acronym>ALTQ</acronym> (Alternate |
211 |
that has optional support for <acronym>ALTQ</acronym> (Alternate |
| 201 |
Queuing). <acronym>ALTQ</acronym> provides Quality of Service |
212 |
Queuing). <acronym>ALTQ</acronym> provides Quality of Service |
| 202 |
(<acronym>QoS</acronym>) bandwidth shaping that allows |
213 |
(<acronym>QoS</acronym>) functionality.</para> |
| 203 |
guaranteeing bandwidth to different services based on filtering |
|
|
| 204 |
rules. The OpenBSD Project does an outstanding job of |
| 205 |
maintaining the PF User's Guide that it will not be made part of |
| 206 |
this handbook firewall section as that would just be duplicated |
| 207 |
effort.</para> |
| 208 |
|
| 209 |
<para>More info can be found at the PF for &os; web site: <ulink |
| 210 |
url="http://pf4freebsd.love2party.net/"></ulink>.</para> |
| 211 |
|
| 212 |
<sect2> |
| 213 |
<title>Enabling PF</title> |
| 214 |
|
| 215 |
<para>PF is included in the basic &os; install for versions newer |
| 216 |
than 5.3 as a separate run time loadable module. The system |
| 217 |
will dynamically load the PF kernel loadable module when the |
| 218 |
rc.conf statement <literal>pf_enable="YES"</literal> is used. |
| 219 |
The loadable module was created with &man.pflog.4; logging |
| 220 |
enabled.</para> |
| 221 |
|
| 222 |
<note> |
| 223 |
<para>The module assumes the presence of <literal>options |
| 224 |
INET</literal> and <literal>device bpf</literal>. Unless |
| 225 |
<literal>NOINET6</literal> for &os; prior to 6.0-RELEASE and |
| 226 |
<literal>NO_INET6</literal> for later releases (for example in |
| 227 |
&man.make.conf.5;) was defined during the build, it also |
| 228 |
requires <literal>options INET6</literal>.</para> |
| 229 |
</note> |
| 230 |
|
214 |
|
| 231 |
<para>Once the kernel module is loaded or the kernel is statically |
215 |
<para>The OpenBSD Project does an outstanding job of |
| 232 |
built with PF support, it is possible to enable or disable |
216 |
maintaining the |
| 233 |
<application>pf</application> with the <command>pfctl</command> |
217 |
<ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>. |
| 234 |
command.</para> |
218 |
As such, this section of the handbook will focus on |
| 235 |
|
219 |
<acronym>PF</acronym> as it pertains to &os; while providing |
| 236 |
<para>This example demonstrates how to enable |
220 |
some general information regarding usage. For detailed usage |
| 237 |
<application>pf</application>:</para> |
221 |
information please refer to the |
| 238 |
|
222 |
<ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>. |
| 239 |
<screen>&prompt.root; <userinput>pfctl -e</userinput></screen> |
223 |
</para> |
| 240 |
|
224 |
|
| 241 |
<para>The <command>pfctl</command> command provides a way to work |
225 |
<para>More information about <acronym>PF</acronym> for &os; |
| 242 |
with the <application>pf</application> firewall. It is a good |
226 |
can be found at |
| 243 |
idea to check the &man.pfctl.8; manual page to find out more |
227 |
<ulink url="http://pf4freebsd.love2party.net/"></ulink>.</para> |
| 244 |
information about using it.</para> |
228 |
|
|
|
229 |
<sect2> |
| 230 |
<title>Using the PF loadable kernel module</title> |
| 231 |
|
| 232 |
<para>Since the release of &os; 5.3, PF has been included in the |
| 233 |
basic install as a separate run time loadable module. The |
| 234 |
system will dynamically load the PF kernel module when the |
| 235 |
&man.rc.conf.5; statement <literal>pf_enable="YES"</literal> |
| 236 |
is present. However, the <acronym>PF</acronym> module will |
| 237 |
not load if the system cannot find a <acronym>PF</acronym> |
| 238 |
ruleset configuration file. The default location is |
| 239 |
<filename>/etc/pf.conf</filename>. If your |
| 240 |
<acronym>PF</acronym> ruleset is located somewhere else use |
| 241 |
<option>pf_rules="<replaceable>/path/pf.rules</replaceable>"</option> |
| 242 |
to specify the location.</para> |
| 243 |
|
| 244 |
<note> |
| 245 |
<para>As of &os; 7.0 the sample <filename>pf.conf</filename> that |
| 246 |
was in <filename>/etc/</filename> has been moved to |
| 247 |
<filename>/usr/share/examples/pf/</filename>. For &os; versions |
| 248 |
prior to 7.0 there is an <filename>/etc/pf.conf</filename> by |
| 249 |
default.</para> |
| 250 |
</note> |
| 251 |
|
| 252 |
<para>The <acronym>PF</acronym> module can also be loaded manually |
| 253 |
from the command line:</para> |
| 254 |
|
| 255 |
<screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen> |
| 256 |
|
| 257 |
<para>The loadable module was created with &man.pflog.4; enabled |
| 258 |
which provides support for logging. If you need other |
| 259 |
<acronym>PF</acronym> features you will need to compile |
| 260 |
<acronym>PF</acronym> support into the kernel.</para> |
| 245 |
</sect2> |
261 |
</sect2> |
| 246 |
|
262 |
|
| 247 |
<sect2> |
263 |
<sect2> |
| 248 |
<title>Kernel options</title> |
264 |
<title>PF kernel options</title> |
| 249 |
|
265 |
|
| 250 |
<indexterm> |
266 |
<indexterm> |
| 251 |
<primary>kernel options</primary> |
267 |
<primary>kernel options</primary> |
|
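Review bot: the rewrite drops the old `<note>` about the module's build dependencies (`options INET`, `device bpf`, and `options INET6` unless `NOINET6` or `NO_INET6` was defined) without a replacement, and nothing in the new "Using the PF loadable kernel module" subsection covers that failure mode; either carry the note over or state in the commit message why it is obsolete. The new claim that "the PF module will not load if the system cannot find a PF ruleset configuration file" describes the rc.d script refusing to start when `pf_rules` is unreadable, not the module itself; `kldload pf.ko`, shown a few lines later, works without any ruleset, so the sentence should say the startup script is what insists on the file. Smaller points: "Released in 2004, &os; 5.3" loses the month (November 2004) the old text gave, and the ALTQ sentence loses the explanation that bandwidth can be guaranteed to individual services based on filter rules; `pf_rules="<replaceable>/path/pf.rules</replaceable>"` is wrapped in `<option>` while `pf_enable="YES"` two lines earlier uses `<literal>`; and the title "Using the PF loadable kernel module" does not follow the title case of the sibling sect2 titles such as "Available rc.conf Options".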
Lines 265-286
Link Here
|
| 265 |
<secondary>device pfsync</secondary> |
281 |
<secondary>device pfsync</secondary> |
| 266 |
</indexterm> |
282 |
</indexterm> |
| 267 |
|
283 |
|
| 268 |
<para>It is not a mandatory requirement that you enable PF by |
284 |
<para>While it is not necessary that you compile |
| 269 |
compiling the following options into the &os; kernel. It is |
285 |
<acronym>PF</acronym> support into the &os; kernel, you may want |
| 270 |
only presented here as background information. Compiling PF |
286 |
to do so to take advantage of one of PF's advanced features that |
| 271 |
into the kernel causes the loadable module to never be |
287 |
is not included in the loadable module, namely &man.pfsync.4;. |
| 272 |
used.</para> |
288 |
pfsync is a pseudo-device that exposes certain changes to |
| 273 |
|
289 |
the state table used by <acronym>PF</acronym>. pfsync can be |
| 274 |
<para>Sample kernel config PF option statements are in the |
290 |
paired with &man.carp.4; to create failover firewalls using |
| 275 |
<filename>/usr/src/sys/conf/NOTES</filename> kernel source and |
291 |
<acronym>PF</acronym>. More information on |
| 276 |
are reproduced here:</para> |
292 |
<acronym>CARP</acronym> can be found in |
|
|
293 |
<link linkend="carp">chapter 29</link> of the handbook.</para> |
| 294 |
|
| 295 |
<para>The <acronym>PF</acronym> kernel options can be found in |
| 296 |
<filename>/usr/src/sys/conf/NOTES</filename> and are reproduced |
| 297 |
below:</para> |
| 277 |
|
298 |
|
| 278 |
<programlisting>device pf |
299 |
<programlisting>device pf |
| 279 |
device pflog |
300 |
device pflog |
| 280 |
device pfsync</programlisting> |
301 |
device pfsync</programlisting> |
| 281 |
|
302 |
|
| 282 |
<para><literal>device pf</literal> enables support for the |
303 |
<para><literal>device pf</literal> enables support for the |
| 283 |
<quote>Packet Filter</quote> firewall.</para> |
304 |
<quote>Packet Filter</quote> firewall (&man.pf.4;).</para> |
| 284 |
|
305 |
|
| 285 |
<para><literal>device pflog</literal> enables the optional |
306 |
<para><literal>device pflog</literal> enables the optional |
| 286 |
&man.pflog.4; pseudo network device which can be used to log |
307 |
&man.pflog.4; pseudo network device which can be used to log |
|
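Review bot: `<link linkend="carp">chapter 29</link>` hard-codes a chapter number that goes stale whenever chapters are added or reordered; use `<xref linkend="carp"/>` and let the stylesheet generate the reference. Also, the sentence beginning "pfsync is a pseudo-device" opens with a lowercase device name, "one of PF's advanced features" is the only place in the paragraph where PF is not wrapped in `<acronym>`, and `<title>PF kernel options</title>` differs in capitalisation from the neighbouring sect2 titles.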
Lines 288-308
Link Here
|
| 288 |
can be used to store the logging information to disk.</para> |
309 |
can be used to store the logging information to disk.</para> |
| 289 |
|
310 |
|
| 290 |
<para><literal>device pfsync</literal> enables the optional |
311 |
<para><literal>device pfsync</literal> enables the optional |
| 291 |
&man.pfsync.4; pseudo network device that is used to monitor |
312 |
&man.pfsync.4; pseudo-network device that is used to monitor |
| 292 |
<quote>state changes</quote>. As this is not part of the |
313 |
<quote>state changes</quote>.</para> |
| 293 |
loadable module one has to build a custom kernel to use |
|
|
| 294 |
it.</para> |
| 295 |
|
| 296 |
<para>These settings will take effect only after you have built |
| 297 |
and installed a kernel with them set.</para> |
| 298 |
</sect2> |
314 |
</sect2> |
| 299 |
|
315 |
|
| 300 |
<sect2> |
316 |
<sect2> |
| 301 |
<title>Available rc.conf Options</title> |
317 |
<title>Available rc.conf Options</title> |
| 302 |
|
318 |
|
| 303 |
<para>You need the following statements in |
319 |
<para>The following &man.rc.conf.5; statements configure |
| 304 |
<filename>/etc/rc.conf</filename> to activate PF at boot |
320 |
<acronym>PF</acronym> and &man.pflog.4; at boot:</para> |
| 305 |
time:</para> |
|
|
| 306 |
|
321 |
|
| 307 |
<programlisting>pf_enable="YES" # Enable PF (load module if required) |
322 |
<programlisting>pf_enable="YES" # Enable PF (load module if required) |
| 308 |
pf_rules="/etc/pf.conf" # rules definition file for pf |
323 |
pf_rules="/etc/pf.conf" # rules definition file for pf |
|
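Review bot: removing "As this is not part of the loadable module one has to build a custom kernel to use it" is fine now that the new kernel-options paragraph says pfsync is not in the module, but the second removed sentence, "These settings will take effect only after you have built and installed a kernel with them set", was the only reminder that the options do nothing until a kernel is rebuilt and installed, and nothing in the new text replaces it; keep one sentence to that effect at the end of the subsection.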
Lines 312-333
Link Here
|
| 312 |
pflog_flags="" # additional flags for pflogd startup</programlisting> |
327 |
pflog_flags="" # additional flags for pflogd startup</programlisting> |
| 313 |
|
328 |
|
| 314 |
<para>If you have a LAN behind this firewall and have to forward |
329 |
<para>If you have a LAN behind this firewall and have to forward |
| 315 |
packets for the computers in the LAN or want to do NAT, you |
330 |
packets for the computers on the LAN or want to do NAT, you |
| 316 |
have to enable the following option as well:</para> |
331 |
will need the following option as well:</para> |
| 317 |
|
332 |
|
| 318 |
<programlisting>gateway_enable="YES" # Enable as LAN gateway</programlisting> |
333 |
<programlisting>gateway_enable="YES" # Enable as LAN gateway</programlisting> |
| 319 |
</sect2> |
334 |
</sect2> |
| 320 |
|
335 |
|
| 321 |
<sect2> |
336 |
<sect2> |
|
|
337 |
<title>Creating Filtering Rules</title> |
| 338 |
|
| 339 |
<para><acronym>PF</acronym> reads its configuration rules from |
| 340 |
&man.pf.conf.5; (<filename>/etc/pf.conf</filename> by |
| 341 |
default) and it modifies, drops, or passes packets according to |
| 342 |
the rules or definitions specified there. The &os; |
| 343 |
installation includes several sample files located in |
| 344 |
<filename>/usr/share/examples/pf/</filename>. Please refer to |
| 345 |
the <ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink> |
| 346 |
for complete coverage of <acronym>PF</acronym> rulesets.</para> |
| 347 |
|
| 348 |
<warning> |
| 349 |
<para>When browsing the <ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>, |
| 350 |
please keep in mind that different versions of &os; contain |
| 351 |
different versions of PF:</para> |
| 352 |
|
| 353 |
<itemizedlist> |
| 354 |
<listitem> |
| 355 |
<simpara>&os; 5.x - <acronym>PF</acronym> is at OpenBSD 3.5</simpara> |
| 356 |
</listitem> |
| 357 |
|
| 358 |
<listitem> |
| 359 |
<simpara>&os; 6.x - <acronym>PF</acronym> is at OpenBSD 3.7</simpara> |
| 360 |
</listitem> |
| 361 |
|
| 362 |
<listitem> |
| 363 |
<simpara>&os; 7.x - <acronym>PF</acronym> is at OpenBSD 4.1</simpara> |
| 364 |
</listitem> |
| 365 |
</itemizedlist> |
| 366 |
</warning> |
| 367 |
|
| 368 |
<para>The &a.pf; is a good place to ask questions about |
| 369 |
configuring and running the <acronym>PF</acronym> |
| 370 |
firewall. Do not forget to check the mailing list archives |
| 371 |
before asking questions!</para> |
| 372 |
</sect2> |
| 373 |
|
| 374 |
<sect2> |
| 375 |
<title>Working with PF</title> |
| 376 |
|
| 377 |
<para>Use &man.pfctl.8; to control <acronym>PF</acronym>. Below |
| 378 |
are some useful commands (be sure to review the &man.pfctl.8; |
| 379 |
man page for all available options): |
| 380 |
</para> |
| 381 |
|
| 382 |
<informaltable frame="none" pgwide="1"> |
| 383 |
<tgroup cols="2"> |
| 384 |
<thead> |
| 385 |
<row> |
| 386 |
<entry>Command</entry> |
| 387 |
<entry>Purpose</entry> |
| 388 |
</row> |
| 389 |
</thead> |
| 390 |
|
| 391 |
<tbody> |
| 392 |
<row> |
| 393 |
<entry><command>pfctl -e</command></entry> |
| 394 |
<entry>Enable PF</entry> |
| 395 |
</row> |
| 396 |
|
| 397 |
<row> |
| 398 |
<entry><command>pfctl -d</command></entry> |
| 399 |
<entry>Disable PF</entry> |
| 400 |
</row> |
| 401 |
|
| 402 |
<row> |
| 403 |
<entry><command>pfctl -F all -f /etc/pf.conf</command></entry> |
| 404 |
<entry>Flush all rules (nat, filter, state, table, etc.) and reload from the file <filename>/etc/pf.conf</filename></entry> |
| 405 |
</row> |
| 406 |
|
| 407 |
<row> |
| 408 |
<entry><command>pfctl -s [ rules | nat | state ]</command></entry> |
| 409 |
<entry>Report on the filter rules, nat rules, or state table</entry> |
| 410 |
</row> |
| 411 |
|
| 412 |
<row> |
| 413 |
<entry><command>pfctl -vnf /etc/pf.conf</command></entry> |
| 414 |
<entry>Check <filename>/etc/pf.conf</filename> for errors, but do not load ruleset</entry> |
| 415 |
</row> |
| 416 |
|
| 417 |
</tbody> |
| 418 |
</tgroup> |
| 419 |
</informaltable> |
| 420 |
</sect2> |
| 421 |
|
| 422 |
<sect2> |
| 322 |
<title>Enabling <acronym>ALTQ</acronym></title> |
423 |
<title>Enabling <acronym>ALTQ</acronym></title> |
| 323 |
|
424 |
|
| 324 |
<para><acronym>ALTQ</acronym> is only available by compiling the |
425 |
<para><acronym>ALTQ</acronym> is only available by compiling |
| 325 |
options into the &os; Kernel. <acronym>ALTQ</acronym> is not |
426 |
support for it into the &os; kernel. <acronym>ALTQ</acronym> is |
| 326 |
supported by all of the available network card drivers. Please |
427 |
not supported by all of the available network card drivers. |
| 327 |
see the &man.altq.4; manual page for a list of drivers that are |
428 |
Please see the &man.altq.4; manual page for a list of drivers |
| 328 |
supported in your release of &os;. The following options will |
429 |
that are supported in your release of &os;.</para> |
| 329 |
enable <acronym>ALTQ</acronym> and add additional |
430 |
|
| 330 |
functionality.</para> |
431 |
<para>The following kernel options will enable |
|
|
432 |
<acronym>ALTQ</acronym> and add additional functionality: |
| 433 |
</para> |
| 331 |
|
434 |
|
| 332 |
<programlisting>options ALTQ |
435 |
<programlisting>options ALTQ |
| 333 |
options ALTQ_CBQ # Class Bases Queuing (CBQ) |
436 |
options ALTQ_CBQ # Class Bases Queuing (CBQ) |
|
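Review bot: in the new "Working with PF" table, `pfctl -F all -f /etc/pf.conf` discards the state table along with the rules, so every tracked connection, the administrator's own SSH session included, may be blocked until it re-establishes; the Purpose cell should say so, and for a routine reload `pfctl -f /etc/pf.conf` is enough, since loading a ruleset does not touch existing state. The brackets and bars in `<command>pfctl -s [ rules | nat | state ]</command>` are notation rather than part of the command, so mark the alternatives with `<replaceable>` or `<optional>` instead of leaving them inside `<command>`. Two drive-bys: the `</para>` that closes "man page for all available options):" sits on its own line and adds stray whitespace to the rendered paragraph (the ALTQ "add additional functionality:" paragraph has the same problem), and the unchanged context line `options ALTQ_CBQ # Class Bases Queuing (CBQ)` carries a pre-existing typo for "Class Based Queueing" that could be fixed while here.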
Lines 373-408
Link Here
|
| 373 |
This option is required on <acronym>SMP</acronym> |
476 |
This option is required on <acronym>SMP</acronym> |
| 374 |
systems.</para> |
477 |
systems.</para> |
| 375 |
</sect2> |
478 |
</sect2> |
| 376 |
|
|
|
| 377 |
<sect2> |
| 378 |
<title>Creating Filtering Rules</title> |
| 379 |
|
| 380 |
<para>The Packet Filter reads its configuration rules from the |
| 381 |
&man.pf.conf.5; file and it modifies, drops or passes packets |
| 382 |
according to the rules or definitions specified there. The &os; |
| 383 |
installation comes with a default |
| 384 |
<filename>/etc/pf.conf</filename> which contains useful examples |
| 385 |
and explanations.</para> |
| 386 |
|
| 387 |
<para>Although &os; has its own <filename>/etc/pf.conf</filename> |
| 388 |
the syntax is the same as one used in OpenBSD. A great |
| 389 |
resource for configuring the <application>pf</application> |
| 390 |
firewall has been written by OpenBSD team and is available at |
| 391 |
<ulink url="http://www.openbsd.org/faq/pf/"></ulink>.</para> |
| 392 |
|
| 393 |
<warning> |
| 394 |
<para>When browsing the pf user's guide, please keep in mind that |
| 395 |
different versions of &os; contain different versions of pf. The |
| 396 |
<application>pf</application> firewall in &os; 5.X is at the level |
| 397 |
of OpenBSD version 3.5 and in &os; 6.X is at the level of OpenBSD |
| 398 |
version 3.7.</para> |
| 399 |
</warning> |
| 400 |
|
| 401 |
<para>The &a.pf; is a good place to ask questions about |
| 402 |
configuring and running the <application>pf</application> |
| 403 |
firewall. Do not forget to check the mailing list archives |
| 404 |
before asking questions.</para> |
| 405 |
</sect2> |
| 406 |
</sect1> |
479 |
</sect1> |
| 407 |
|
480 |
|
| 408 |
<sect1 id="firewalls-ipf"> |
481 |
<sect1 id="firewalls-ipf"> |
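Review bot: the removed "Creating Filtering Rules" subsection stated that the syntax of &os;'s `/etc/pf.conf` is the same as OpenBSD's, which is the justification for sending readers to the OpenBSD PF FAQ, and the replacement subsection earlier in this patch does not say so; carry that sentence over (the version warning already qualifies it). The rest of the removal is right: the old claim that the installation ships a default `/etc/pf.conf` with examples is superseded by the new note that the sample moved to `/usr/share/examples/pf/` in 7.0.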