Monday, February 21, 2011

PF - FreeBSD packet filter (I)

So, this is about PF, the default firewall in the *BSD distros. Since I already know iptables, this should be easy to pick up. First of all, to make sure PF starts automatically at boot, add the following to /etc/rc.conf:

pf_enable="YES"                 # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_program="/sbin/pfctl"        # where the pfctl program lives
pf_flags=""                     # additional flags for pfctl
pflog_enable="NO"               # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_program="/sbin/pflogd"    # where the pflogd program lives
pflog_flags=""                  # additional flags for pflogd

This starts PF at boot with the ruleset found in /etc/pf.conf. But first (and I am doing it right now), to get PF's advanced features you should compile these devices into your kernel:

device pf
device pflog
device pfsync

...and to use packet queueing (ALTQ), you should also add these options:

options         ALTQ
options         ALTQ_CBQ        # Class Based Queueing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build
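As an added example (not from the original post), here is a minimal /etc/pf.conf that ties together both pieces configured above: the default-deny rule logs to pflog0, which pflogd only writes to /var/log/pflog when pflog_enable="YES" in rc.conf, and the queue section needs the ALTQ and ALTQ_CBQ kernel options. The interface name em0, the link speed and the service ports are assumptions for the example.

```pf
# Example /etc/pf.conf (added here, not from the original post).
# Assumptions: the external interface is em0 on a 10 Mbit link and the
# host offers SSH and HTTP.
ext_if = "em0"
tcp_services = "{ 22, 80 }"

# Never filter loopback; normalise incoming packets (reassemble fragments etc.)
set skip on lo0
scrub in all

# ALTQ (requires options ALTQ and ALTQ_CBQ in the kernel):
# two CBQ queues, SSH traffic gets priority over everything else
altq on $ext_if cbq bandwidth 10Mb queue { std, ssh }
queue std bandwidth 80% cbq(default)
queue ssh bandwidth 20% priority 7 cbq(borrow)

# Default deny in both directions. "log" copies each blocked packet to
# pflog0, which pflogd stores in /var/log/pflog when pflog_enable="YES".
block log all

# Drop (and log) packets arriving on $ext_if with a source address that
# belongs to one of our own networks
antispoof log quick for $ext_if

# Traffic this host initiates: allow out and keep state so replies come back
pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state

# Inbound only to the listed services: SYN packets only, tracked with state
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# Last matching rule wins: for port 22 this rule overrides the one above and
# puts the outgoing packets of the SSH session into the "ssh" queue
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state queue ssh
```

Check the file for syntax errors without loading it with pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and inspect what is active with pfctl -s rules and pfctl -s queue. Blocked packets can be read back with tcpdump -n -e -ttt -r /var/log/pflog (or live with -i pflog0). PF evaluates rules top to bottom and the last match wins unless a rule carries quick, which is why the port 22 rule placed after the generic services rule is the one that takes effect for SSH.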

That is it for now: I already have a kernel build running on my FreeBSD VM, and that is more than enough for a VM running on an EEE PC :)
