
pf(4) simple configuration

September 2, 2019

The pf(4) packet filter in OpenBSD is used throughout the world, having been adopted by network device manufacturers and big corporations like Apple, which uses it in macOS and iOS. My first semi-awareness of it was when using pfSense in mainland China, to combine several WAN connections and share a VPN between them.

When I started using OpenBSD, years after doing anything networking-related, I was intimidated by the config files people often recommended and gave up on the man pages.

I struggle to understand topics until I can simplify them and think in simple terms. Once over the jargon of pf(4), it is quite simple. Remember, most things are just inputs and outputs with some stuff in the middle!

I won't try to teach you pf(4); for that, you have:

What I will share is a simple config I use to block everything and allow only what I need. I have used more complex rulesets when using unbound(8) or vmm(4).

Advice: be careful if you are adjusting pf rules on a server you only have remote access to, i.e. apply changes temporarily while working, with a reboot script set to run in the not-too-distant future.

# /etc/pf.conf

# define interface macros
ext_if = "vio0"

# define macro/lists for applications
ssh_port = "22"
web_ports = "{ 80, 443 }"

# don't do anything for local connections
set skip on lo

# block without logging noisy things
block quick proto ipv6-icmp from any to any
block quick proto icmp from any to any
# block and log everything else by default
block return log

# allow out any TCP/UDP
pass out on $ext_if proto { tcp, udp } all

# allow in web and SSH
pass in on $ext_if proto tcp from any to any port $web_ports
pass in on $ext_if proto tcp from any to any port $ssh_port
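The advice above, loading changes temporarily with a fallback scheduled for a few minutes later, as an added example script that is not part of the original post. It assumes pfctl(8) and at(1) as shipped with OpenBSD, keeps the candidate ruleset in a separate file so the boot-time /etc/pf.conf stays untouched, and restores that known-good file with at(1) instead of rebooting; the file paths and the function names are this example's own choices.

```shell
#!/bin/sh
# Lockout-safe loading of a new pf(4) ruleset on a remotely administered host.
# Added example, not from the original post. Assumes pfctl(8) and at(1) as on
# OpenBSD. Inputs: the candidate file and the rollback delay in minutes.
set -eu

KNOWN_GOOD=/etc/pf.conf                       # what rc loads at boot; left untouched here
BACKUP=${TMPDIR:-/tmp}/pf.rules.backup        # copy of the rules that were running before

# 1. Syntax-check the candidate without loading anything (-n = parse only).
pf_check() {
    pfctl -nf "$1"
}

# 2. Save the currently loaded filter rules, so the old ruleset is on disk
#    even if it was never written to a file.
pf_backup_running() {
    pfctl -sr > "$BACKUP"
}

# 3. Queue a restore of the known-good file N minutes from now. If the new
#    rules lock you out, this job reloads /etc/pf.conf without a reboot.
#    at(1) prints the job id, which atrm(1) removes once the rules are trusted.
pf_schedule_rollback() {
    printf 'pfctl -f %s\n' "$KNOWN_GOOD" | at "now + $1 minutes"
}

# 4. Load the candidate from its own file; /etc/pf.conf is only replaced by
#    hand after the session has survived the change.
pf_load_candidate() {
    pfctl -f "$1"
}

# Orchestrate the steps. Returns non-zero and loads nothing when the syntax
# check fails, so a typo never replaces a working ruleset.
pf_safe_load() {
    conf=$1
    minutes=${2:-5}
    pf_check "$conf" || return 1
    pf_backup_running
    pf_schedule_rollback "$minutes"
    pf_load_candidate "$conf"
}

# Usage: pf_safe_load /tmp/pf.conf.new 5
# When the session survives: cp /tmp/pf.conf.new /etc/pf.conf && atrm <job id>
if [ "${1:-}" ]; then
    pf_safe_load "$1" "${2:-5}"
fi
```

The order matters: the backup and the scheduled restore exist before the new rules are loaded, so there is never a window in which a bad ruleset is live with no way back.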

For logging, there is an example of how to use tcpdump(8) in the pflog(4) man page. Blocking everything and then monitoring while testing out applications has worked well for me. To keep the logs clearer, I quickly add unlogged block rules for whatever is making noise.

# get an example of tcpdumping pflog

man pflog | grep tcpdump
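Finding out what is "making noise" in the blocked-by-default log, as an added example that is not part of the original post: an awk filter that groups pflog lines by source host and destination, so the top of the list shows what to silence next with an unlogged block rule. It assumes the line layout of OpenBSD's tcpdump(8) on pflog output (the "rule N/(match) block in on IF: src > dst:" part), reads a saved log via tcpdump -r, and the sample lines below are constructed, not a real capture.

```shell
#!/bin/sh
# Summarise blocked traffic from pflog(4) output to spot noisy sources.
# Added example, not from the original post. Assumes the "rule N/(match)
# block in on IF: src > dst:" layout printed by OpenBSD's tcpdump on pflog.

# Constructed sample lines (not a real capture); addresses are documentation ranges.
SAMPLE_PFLOG='Sep 02 12:00:01.000001 rule 2/(match) block in on vio0: 203.0.113.7.40001 > 192.0.2.10.23: S 1:1(0) win 65535
Sep 02 12:00:01.200002 rule 2/(match) block in on vio0: 203.0.113.7.40002 > 192.0.2.10.23: S 2:2(0) win 65535
Sep 02 12:00:01.400003 rule 2/(match) block in on vio0: 203.0.113.7.40003 > 192.0.2.10.2323: S 3:3(0) win 65535
Sep 02 12:00:02.000004 rule 2/(match) block in on vio0: 198.51.100.4 > 192.0.2.10: icmp: echo request
Sep 02 12:00:02.500005 rule 2/(match) block in on vio0: 2001:db8::9.51000 > 2001:db8::10.3389: S 4:4(0) win 8192
Sep 02 12:00:03.000006 rule 2/(match) block in on vio0: 198.51.100.20.5353 > 192.0.2.10.5353: udp 120
Sep 02 12:00:03.100007 rule 4/(match) pass in on vio0: 198.51.100.30.49000 > 192.0.2.10.443: S 5:5(0) win 65535'

# Reads tcpdump pflog lines on stdin, prints "count dir iface src -> dst",
# most frequent first. Only "block" lines are counted; pass lines are ignored.
pflog_noise() {
    awk '
    # Strip a trailing .port from an address. tcpdump joins host and port
    # with ".", so an IPv4 host with a port has four dots and one without
    # (e.g. an ICMP line) has three; IPv6 addresses contain ":" instead.
    function host(a) {
        if (a ~ /:/) sub(/\.[0-9]+$/, "", a)
        else if (gsub(/\./, ".", a) == 4) sub(/\.[0-9]+$/, "", a)
        return a
    }
    {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i > NF) next                     # not a pflog line, skip it
        act = $(i+2); dir = $(i+3); ifc = $(i+5); src = $(i+6); dst = $(i+8)
        sub(/:$/, "", ifc); sub(/:$/, "", dst)
        if (act != "block") next
        n[dir " " ifc " " host(src) " -> " dst]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Real usage on OpenBSD, reading the log pflogd(8) writes:
#   tcpdump -n -e -ttt -r /var/log/pflog | pflog_noise
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_PFLOG" | pflog_noise
```

The destination keeps its port while the source does not, so repeated scans from one host collapse into one line per target service; a host hammering one port rises to the top and is an easy candidate for a "block quick" rule like the ICMP ones in the config above.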