Pf
pf is OpenBSD's stateful packet filter, written by Daniel Hartmeier. It replaced Darren Reed's IPFilter in OpenBSD because of problems with IPFilter's license, specifically that Reed withheld permission from the OpenBSD developers to change his code.
At the time of ipf's removal Theo de Raadt was quoted as saying, "software which OpenBSD uses and redistributes must be free to all (be they people or companies), for any purpose they wish to use it, including modification, use, peeing on, or even integration into baby mulching machines or atomic bombs to be dropped on Australia." Because of the OpenBSD team's distaste for Reed's license, they opted to replace it rather than spend any more time attempting to negotiate over the issue.
pf has since evolved quickly and now has several advantages over other available firewall options. The filtering syntax is similar to IPFilter's, though it has been modified to make it cleaner. Network Address Translation (NAT) and Quality of Service (QoS) are tightly integrated into pf, allowing greater flexibility; QoS is achieved by merging ALTQ into pf itself.
With features like pfsync (and the Common Address Redundancy Protocol), authpf (session authentication), ftp-proxy and related pf extras, pf is a toolset that can be used to build feature-rich firewalling devices.
pf has also been ported to NetBSD-current by itojun, and it is installed by default in FreeBSD since version 5.3 and in DragonFlyBSD since version 1.2.
=Commands and options=
=Example pf.conf file=
 # Macros (XXX.XXX.XXX.* are placeholders for the real external address and network)
 ext_if = "xl1"
 int_if = "xl0"
 int_network = "192.168.0.0/24"
 ext_network = "XXX.XXX.XXX.0"
 ext_ip = "XXX.XXX.XXX.XXX"
 loop_back = "lo0"

 # NAT: rewrite the internal network's outbound traffic to the external address
 nat on $ext_if from $int_network to any -> $ext_ip

 # Filter rules (last matching rule wins unless the rule says "quick")
 block in all
 pass out all keep state
 pass in quick on $int_if from $int_network to any keep state
 pass quick on $loop_back all
=Logging=
pf logging is configurable per rule within pf.conf. Logs are written in the binary Tcpdump/pcap format.
Logs can be read live from the pseudo network device called pflog using a utility like Tcpdump. Alternatively, the pflogd utility can collect the records and write them to the binary log file /var/log/pflog, which can likewise be processed with Tcpdump, Ethereal or similar utilities.
The Tcpdump/pcap format has been extended somewhat to record the firewall rule number, pass/block status and interface used; this information is only available to utilities that are aware of the particular encoding, including modern versions of both Tcpdump and Ethereal.
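To make the extended pcap encoding described above concrete, here is a small parser for a pflog capture, added as an example for this article rather than taken from pf, pflogd or Tcpdump. It reads the standard pcap file header, checks that the link type is DLT_PFLOG (117), and decodes the per-packet pflog header that pf prepends to each logged packet (length, address family, action, reason, interface name, ruleset, rule and sub-rule numbers, direction), then pulls addresses and ports from the IP packet that follows. The header field layout and the BPF word alignment of the header are taken from the BSD if_pflog.h and from how tcpdump handles the format; only the first 61 bytes, which are common to the OpenBSD and FreeBSD layouts, are relied on. The two records in build_sample_pcap are constructed, not captured, and are shaped like what the example rule set on this page would log if "log" were added to rules 0 and 2.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

DLT_PFLOG = 117             # pcap link type used by pflogd(8) and pflog0 captures
PCAP_MAGIC_LE = 0xA1B2C3D4  # microsecond pcap magic, read as little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1  # same magic when the file was written big-endian

# First 61 bytes of struct pfloghdr (if_pflog.h), common to the OpenBSD and
# FreeBSD layouts: length, af, action, reason, ifname[16], ruleset[16],
# rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir.  Integers are big-endian.
PFLOG_FMT = "!BBBB16s16sIIIiIiB"
PFLOG_MIN = struct.calcsize(PFLOG_FMT)  # 61

ACTIONS = {0: "pass", 1: "block"}                         # PF_PASS, PF_DROP
REASONS = {0: "match", 1: "bad-offset", 2: "fragment",    # PFRES_* codes
           3: "short", 4: "normalize", 5: "memory"}
DIRECTIONS = {0: "in/out", 1: "in", 2: "out"}             # PF_INOUT, PF_IN, PF_OUT
AF_INET, AF_INET6_BSD = 2, 24                             # BSD value of AF_INET6
NO_SUBRULE = 0xFFFFFFFF                                   # pf logs (u_int32_t)-1


@dataclass
class PflogRecord:
    ts: float
    ifname: str
    action: str
    reason: str
    rulenr: int
    subrulenr: int
    direction: str
    proto: Optional[int]
    src: Optional[str]
    dst: Optional[str]
    sport: Optional[int]
    dport: Optional[int]

    def summary(self) -> str:
        """One-line rendering in the spirit of tcpdump's pflog output."""
        rule = str(self.rulenr) if self.subrulenr == NO_SUBRULE else f"{self.rulenr}.{self.subrulenr}"
        ends = (f"{self.src}.{self.sport} > {self.dst}.{self.dport}" if self.sport is not None
                else f"{self.src} > {self.dst}")
        return f"rule {rule}/({self.reason}) {self.action} {self.direction} on {self.ifname}: {ends}"


def _decode_ip(af: int, p: bytes):
    """Protocol, addresses and (for TCP/UDP) ports of the logged packet."""
    if af == AF_INET and len(p) >= 20:
        ihl = (p[0] & 0x0F) * 4
        proto, src, dst, l4 = p[9], p[12:16], p[16:20], p[ihl:]
    elif af == AF_INET6_BSD and len(p) >= 40:
        proto, src, dst, l4 = p[6], p[8:24], p[24:40], p[40:]  # extension headers not handled
    else:
        return None, None, None, None, None
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack_from("!HH", l4, 0)
    return proto, str(ip_address(src)), str(ip_address(dst)), sport, dport


def parse_pflog_pcap(data: bytes) -> List[PflogRecord]:
    """Parse a DLT_PFLOG pcap file such as /var/log/pflog into PflogRecords."""
    magic = struct.unpack_from("<I", data, 0)[0]
    bo = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if bo is None:
        raise ValueError("not a microsecond-resolution pcap file")
    linktype = struct.unpack_from(bo + "IHHiIII", data, 0)[6]
    if linktype != DLT_PFLOG:
        raise ValueError(f"link type {linktype} is not DLT_PFLOG ({DLT_PFLOG})")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack_from(bo + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < incl_len or len(pkt) < PFLOG_MIN:
            break                                  # truncated capture: stop cleanly
        (hlen, af, action, reason, ifname, _ruleset, rulenr, subrulenr,
         _uid, _pid, _ruid, _rpid, dirn) = struct.unpack_from(PFLOG_FMT, pkt, 0)
        payload = pkt[(hlen + 3) & ~3:]          # header is BPF word-aligned, as in tcpdump
        proto, src, dst, sport, dport = _decode_ip(af, payload)
        records.append(PflogRecord(
            sec + usec / 1e6, ifname.split(b"\0", 1)[0].decode("ascii", "replace"),
            ACTIONS.get(action, f"action{action}"), REASONS.get(reason, f"reason{reason}"),
            rulenr, subrulenr, DIRECTIONS.get(dirn, f"dir{dirn}"), proto, src, dst, sport, dport))
    return records


# --- constructed sample data (not a real capture) ---------------------------

def _ipv4_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal IPv4+TCP SYN; checksums left at zero since the parser ignores them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp


def _pflog_frame(ifname: str, action: int, rulenr: int, direction: int, packet: bytes) -> bytes:
    hdr = struct.pack(PFLOG_FMT, PFLOG_MIN, AF_INET, action, 0, ifname.encode(), b"",
                      rulenr, NO_SUBRULE, 0xFFFFFFFF, -1, 0xFFFFFFFF, -1, direction)
    return hdr.ljust((PFLOG_MIN + 3) & ~3, b"\0") + packet


def build_sample_pcap() -> bytes:
    """Two constructed records: rule 0 (block in all) dropping an inbound SSH SYN on
    xl1, and rule 2 (pass in quick on $int_if ...) passing a LAN client's HTTP SYN on xl0."""
    frames = [
        (1700000000, 0, _pflog_frame("xl1", 1, 0, 1, _ipv4_tcp_syn("203.0.113.5", "192.0.2.10", 51234, 22))),
        (1700000000, 250000, _pflog_frame("xl0", 0, 2, 1, _ipv4_tcp_syn("192.168.0.7", "192.0.2.10", 40000, 80))),
    ]
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_PFLOG))
    for sec, usec, frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


if __name__ == "__main__":
    for rec in parse_pflog_pcap(build_sample_pcap()):
        print(rec.summary())
```

Pointing parse_pflog_pcap at the bytes of a real /var/log/pflog gives the same rule number, action, direction and interface that tcpdump -n -e -ttt -r /var/log/pflog prints; a generic pcap tool that does not know link type 117 would instead try to interpret the pflog header as packet data, which is the point the paragraph above makes.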
=See also=
=External links=