PF firewall rules and documentation

Da Rock freebsd-questions at
Mon Jan 31 11:01:51 UTC 2011

On 01/31/11 20:30, Patrick Lamaiziere wrote:
> On Sat, 29 Jan 2011 12:39:18 +1000,
> Da Rock <freebsd-questions at> wrote:
>> I spent some time playing with pf and pf.conf, and followed the
>> directions in the handbook. It redirected me to the openbsd site for
>> pf.conf, and recommended it as the most comprehensive documentation
>> for pf.
>> Firstly, I didn't find that. I had to translate the instructions into
>> the current version used in FreeBSD, OpenBSD appears to be further
>> advanced than this based on the current docs.
> Yes, you should refer to the OpenBSD 4.1 Packet FAQ :
>> Secondly, some of the rules don't appear to be following. From my
>> understanding based on the documentation in the handbook and on the
>> site pf is default allowing traffic.
> According to a current discussion on misc at It allows
> traffic to pass but without creating states.
Exactly. 'permitting' is the term in the handbook I believe.
>> So explicit rules to block
>> should be set first and then rules set to allow what is needed in.
>> Some assumptions are made in the rules by the interpreter, so
>> according to OpenBSD one can (even in the older versions) simply
>> state block and it is interpreted as 'block on $interfaces all'. This
>> turned out to not be the case.
> Ah? Do have an example for this?
Yes. Me unfortunately, but I did manage to pick it up quite quickly 
though. I had a little thief attack one of my ports and attempt login on 
the firewall. I had to change it to 'block in $log on $ext_if all
block out $log on $ext_if all' to actually block the traffic. Bit of a
doozy really; I'm still monitoring the traffic very closely with tcpdump
on the interface and not the log.

Thankfully I was also getting ready to update and completely rebuild
most (scratch that, all) of my systems to newer and more manageable levels.
>> I know this has come up before, but I think it might be time to
>> document pf.conf properly. It seems to be a bit of security risk not
>> to. Users may be mistaken in their belief of their security on the
>> network using pf, and may be less likely to trust again when it
>> breaks.
> This is true, many things are now more precise in the manual page of
> OpenBSD's PF. But it will be hard to merge only these precisions in our
> pf.conf manual page.
> There are some plans to update PF to a more recent version. So may
> be it will be better.
Actually, that sounds like a better idea than mine ;) Kills 2 birds with 
one stone then...
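As an added example (not from the thread or either of its authors): a complete default-deny pf.conf written in the explicit per-direction, per-interface form the post settles on, with a table that throttles the kind of repeated login attempts it mentions. The interface name `em0`, the service list, the `$log` macro definition and the rate limits are assumptions for illustration; pf evaluates rules last-match-wins unless a rule carries `quick`, so the two block rules go first and the narrower pass rules after them override them for the traffic they name.

```pf
# Added example, not from the thread.  em0, the service list and the
# rate limits are placeholders; adjust them to the host.
ext_if = "em0"
log = "log"                       # the post's $log macro, assumed to expand to 'log'
tcp_services = "{ ssh, https }"

# Hosts that exceed the connection-rate limit below land in this table.
table <bruteforce> persist

set skip on lo0                   # never filter loopback

# Default deny, stated explicitly per direction and interface.  pf is
# last-match-wins, so these come first and the pass rules below win for
# the traffic they name.  'log' sends matches to pflog0.
block in  $log on $ext_if all
block out $log on $ext_if all

# Drop already-flagged sources immediately ('quick' stops evaluation here).
block in $log quick on $ext_if from <bruteforce>

# Let the host originate connections; keep state so replies get back in.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Admit only the listed services, and move any source that opens more than
# 10 connections in 30 seconds into <bruteforce>, flushing its states.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn-rate 10/30, overload <bruteforce> flush global)
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it; after `pfctl -f /etc/pf.conf`, `pfctl -sr` prints the rules as loaded with macros expanded, which is the quickest way to confirm that what you wrote is what the kernel is enforcing. `tcpdump -n -e -ttt -i pflog0` shows every packet the `log` rules matched, `pfctl -ss` lists current states, and `pfctl -t bruteforce -T show` lists the sources the overload rule has caught.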
