At least the following documentation and system references refer to a pf.conf ruleset file that doesn't (no longer?) exist in a default installation:
  Handbook: "The default ruleset is already created and is named /etc/pf.conf"
  /etc/defaults/rc.conf: pf_rules="/etc/pf.conf" # rules definition file for pf
  man 5 pf.conf: FILES /etc/pf.conf Default location of the ruleset file.
The issue has also been raised in the past: https://lists.freebsd.org/pipermail/freebsd-questions/2015-February/264077.html
1) If the intention was/is only that pf looks in this location/file for a ruleset (by way of its buildtime configuration or similar) as part of a list or set of locations, the documentation should be updated to be more specific.
2) If a default ruleset is supposed to be there, a default ruleset should be put there.
3) If a default ruleset is inappropriate for whatever reason, and (1) does not apply, the references should be removed.
/etc/pf.conf was there in the past but was accidentally removed by freebsd-update when freebsd-update was a fresh new tool. It caused me a big problem in the past when rules were silently deleted during system update. The /etc/pf.conf is no longer there by default and is not handled by freebsd-update.
Adding Kristof for input on this. Kristof, what do you think is better: a) provide a default /etc/pf.conf that only contains a simple, commented ruleset as examples or b) Change the documentation to tell users they need to create an /etc/pf.conf as it is no longer provided with the base system install/upgrade?
There are a number of pf examples in /usr/share/pf. How about having a simple pf.conf that permits everything and includes a reference to /usr/share/pf for examples. I wish I had known about them before. I just found them today.
(In reply to Benedict Reuschling from comment #2)
Good question, but I don't really have a strong opinion. ipfw has a default configuration in /etc/rc.firewall, but ipf doesn't. We could certainly use /usr/share/examples/pf/pf.conf as the 'default' pf.conf, as it's all commented out and it already refers to the man pages and the examples in /usr/share/examples/pf. It's probably better to update the documentation though, and do the same for pf as for ipf: no default config, but point at the examples from the documentation.
OK, I also think that changing the handbook text is easier. I've changed the sentence to mention that there is no default /etc/pf.conf ruleset and point people to the /usr/share/examples/pf directory.
A commit references this bug:
Author: bcr
Date: Sun Mar 10 15:22:55 UTC 2019
New revision: 52854
URL: https://svnweb.freebsd.org/changeset/doc/52854
Log:
  Mention that FreeBSD does not ship with /etc/pf.conf by default.
  Previous versions of FreeBSD provided a standard /etc/pf.conf, but that was removed without changing the documentation. Update the handbook to mention it and point people to the directory /usr/share/examples/pf/ where example firewall rules are available.
  PR: 231977
  Submitted by: koobs@
  Discussed with: kp@
Changes:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
I've opened a review on Phabricator to discuss the outstanding file changes here: https://reviews.freebsd.org/D19530
Since this resulted in a docs (not base) change, mfc-* requests are no longer applicable.
A commit references this bug:
Author: bcr
Date: Tue Mar 12 20:08:38 UTC 2019
New revision: 345080
URL: https://svnweb.freebsd.org/changeset/base/345080
Log:
  Extend descriptions and comments about the need to create /etc/pf.conf.
  FreeBSD removed the default /etc/pf.conf file in previous releases, but the documentation kept mentioning it like any other file present in the system. Change pf.conf(5) to mention in the description of the default ruleset location that this file needs to be created manually. Also, the default rc.conf file had its comment extended a bit to let people know that this file does not exist by default.
  PR: 231977
  Submitted by: koobs@
  Reviewed by: kp@, 0mp@
  Approved by: kp@
  MFC after: 10 days
  Differential Revision: https://reviews.freebsd.org/D19530
Changes:
  head/libexec/rc/rc.conf
  head/share/man/man5/pf.conf.5
Patch committed to head, waiting until the MFC has happened before closing this PR.
A commit references this bug:
Author: bcr
Date: Fri Mar 22 06:02:07 UTC 2019
New revision: 345404
URL: https://svnweb.freebsd.org/changeset/base/345404
Log:
  MFC r345080: Extend descriptions and comments about the need to create /etc/pf.conf.
  FreeBSD removed the default /etc/pf.conf file in previous releases, but the documentation kept mentioning it like any other file present in the system. Change pf.conf(5) to mention in the description of the default ruleset location that this file needs to be created manually. Also, the default rc.conf file had its comment extended a bit to let people know that this file does not exist by default.
  PR: 231977
  Submitted by: koobs@
  Reviewed by: kp@, 0mp@
  Approved by: kp@
  Differential Revision: https://reviews.freebsd.org/D19530
Changes:
  _U stable/12/
  stable/12/libexec/rc/rc.conf
  stable/12/share/man/man5/pf.conf.5
Just committed the MFC, so no reason to keep this PR open any longer. Thanks for reporting it!
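A check for the condition this report describes, as an added example that is not part of the thread or of FreeBSD: pf enabled in the rc.conf chain while the file named by pf_rules is absent, or holds only comments like the example file mentioned above. The function names and the ROOT argument are hypothetical, and the rc.conf parsing is simplified to plain VAR="value" lines.

```sh
#!/bin/sh
# Added example (not FreeBSD code): flag pf enabled without a usable ruleset.

# Last value assigned to variable $1 in the rc.conf chain under root $2.
# Simplified parse: handles plain VAR="value" lines, not shell expansions.
rc_value() {
    var=$1; root=$2; val=""
    for f in etc/defaults/rc.conf etc/rc.conf etc/rc.conf.local; do
        [ -r "$root/$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*$var=\"\{0,1\}\([^\"#[:space:]]*\).*/x\1/p" \
            "$root/$f" | tail -n 1)
        if [ -n "$v" ]; then val=${v#x}; fi
    done
    printf '%s\n' "$val"
}

# Prints one of: disabled | missing:PATH | norules:PATH | ok:PATH
# ROOT ($1) is a hypothetical parameter: "" for the live system, or the
# mount point of an image / a test tree.
pf_ruleset_status() {
    root=${1:-}
    enable=$(rc_value pf_enable "$root")
    rules=$(rc_value pf_rules "$root")
    case $enable in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) ;;
        *) echo disabled; return 0 ;;
    esac
    if [ ! -f "$root$rules" ]; then
        echo "missing:$rules"
    elif grep -Eqv '^[[:space:]]*(#|$)' "$root$rules"; then
        echo "ok:$rules"
    else
        echo "norules:$rules"      # only comments or blank lines
    fi
}

# Constructed sample tree mirroring the report: the defaults name
# /etc/pf.conf, pf is enabled, and no ruleset file has been created.
demo=$(mktemp -d)
mkdir -p "$demo/etc/defaults"
printf '%s\n' 'pf_rules="/etc/pf.conf"  # rules definition file for pf' \
    > "$demo/etc/defaults/rc.conf"
printf '%s\n' 'pf_enable="YES"' > "$demo/etc/rc.conf"
pf_ruleset_status "$demo"
rm -rf "$demo"
```

Running it after an upgrade, or against a mounted image, shows whether the ruleset file the configuration points at is still present before pf is relied on.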