Before we start

This lecture[1] will be about firewalls and related functions, starting from a little theory along with a number of examples of filtering and other ways of directing network traffic. As in any number of other endeavors, the things I discuss can be done in more than one way.

Note: More information: The Book of PF, training, consulting

Most of the topics we touch on here are covered in more detail in The Book of PF, which was written by the same author and published by No Starch Press at the end of 2007, with a revised and updated second edition published in November 2010, followed in October 2014 by the now-current third edition. The book is an expanded and extensively rewritten follow-up to this tutorial, and covers a range of advanced topics in addition to those covered here.

This document is now in minimal maintenance mode after 10 years as a 'work in progress', based on a manuscript prepared for a lecture at the BLUG (see http://www.blug.linux.no/) meeting of January 27th, 2005. Along the way it has spawned several conference tutorials as well as The Book of PF (third edition, No Starch Press 2014), which expands on all topics mentioned in this document and presents several topics that are only hinted at here. While this document has been a useful starting point for a number of people, I strongly suggest that you get the book.

This tutorial is in minimal-maintenance mode (after 10 years as a work in progress), in that I'll occasionally make an effort to keep the information in it up to date, but it will not expand in scope. For more in-depth information or topics not covered here, check the book, the slides matching the latest tutorial session, the PF User Guide (also known as The PF FAQ) or the relevant man pages.

If you're aiming to use PF on FreeBSD, it's worth looking up the FreeBSD Handbook's PF Firewall chapter, which is based on an earlier version of this tutorial with various edits by FreeBSD documentation maintainers.

If you need PF related consulting or training, please contact me for further details. You may want to read my Rent-a-geek writeup too.

In any case, I urge you to interrupt me whenever you need to. That is, provided you will permit me to use what I learn from your comments later, either in revised versions of this lecture or in practice at a later time. But first,

Warning: This is not a HOWTO

This document is not intended as a pre-cooked recipe for cutting and pasting.

Just to hammer this in, please repeat after me

The Pledge of the Network Admin

This is my network. 

It is mine 
or technically my employer's, 
it is my responsibility 
and I care for it with all my heart

there are many other networks a lot like mine,

but none are just like it.

I solemnly swear 

that I will not mindlessly paste from HOWTOs.

The point is that while the rules and configurations I show you do work (I have tested them, and they are related to configurations that have been put into production), they may very well be overly simplistic and are almost certain to be at least a little off, and possibly quite wrong, for your network.

Please keep in mind that this document is intended to show you a few useful things and inspire you to achieve good things.

Please strive to understand your network and what you need to do to make it better.

Please do not paste blindly from this document or any other.

Now, with that out of the way, we can go on to the meat of the matter.

Notes

[1]

This document is now in minimal maintenance mode after 10 years as a 'work in progress', and is a slightly further developed version of a manuscript prepared for a lecture which was announced as (translated from Norwegian): "This lecture is about firewalls and related functions, with examples from real life with the OpenBSD project's PF (Packet Filter). PF offers firewalling, NAT, traffic control and bandwidth management in a single, flexible and sysadmin friendly system. Peter hopes that the lecture will give you some ideas about how to control your network traffic the way you want - keeping some things outside your network, directing traffic to specified hosts or services, and of course, giving spammers a hard time."

People who have offered significant and useful input regarding this manuscript include Eystein Roll Aarseth, David Snyder, Peter Postma, Henrik Kramshøj, Vegard Engen, Greg Lehey, Ian Darwin, Daniel Hartmeier, Mark Uemura, Hallvor Engen and probably a few who will remain lost in my mail archive until I can grep them out of there.

I would like to thank the following organizations for their kind support: The NUUG Foundation for a travel grant which partly financed my AUUG2005 appearance; The AUUG, BLUG, BSD-DK, NUUG, UKUUG, SANE, BSDCan, EuroBSDCon and AsiaBSDCon organizations for inviting me to their conferences or other events; the FreeBSD Foundation for sponsoring my trips to BSDCan 2006 and EuroBSDCon 2006; and finally my former colleagues at FreeCode AS for letting me allocate some time for conferences and writing during 2009 and early 2010.

The main point in making this version available is to offer an update with OpenBSD 4.7 syntax; a secondary consideration is to introduce the reader to the somewhat more comprehensive treatment of all topics by referring to The Book of PF (now in its third edition) where relevant. The last pre-OpenBSD 4.7 version of this document has been preserved at this location.