Simplest possible setup (OpenBSD)

This brings us, finally, to the practical point of actually configuring PF in the simplest possible setup. We'll deal with a single machine which will communicate with a network which may very well be the Internet.

In order to start PF, as previously mentioned, you need to tell the rc system that you want the service to start. That is, in OpenBSD 4.6 and newer, you don't have to do this yourself: PF with a very minimalistic rule set is enabled by default. In OpenBSD versions earlier than 4.6, you enable PF by editing or creating the file /etc/rc.conf.local, and adding the magical line

pf=YES                # enable PF

quite simply. In addition, you may if you like specify the file where PF will find its rules.

pf_rules=/etc/pf.conf # specify which file contains your rules

The default value is the one given here, /etc/pf.conf. At the next startup, PF will be enabled. You can verify this by looking for the message PF enabled on the console. The /etc/pf.conf which comes out of a normal install of OpenBSD or NetBSD contains a number of useful suggestions, but they're all commented out. On FreeBSD, you will need to create a /etc/pf.conf file yourself.

Then again, you really do not need to restart your machine in order to enable PF. You can do this just as easily by using pfctl. We really do not want to reboot for no good reason, so we type the command

$ doas pfctl -ef /etc/pf.conf

which enables PF and loads your rule set.[1][2]. At this point we do not have a rule set (unless you are running with the OpenBSD default), which means that PF does not actually do anything, just passes packets.

It is probably worth noting that if you reboot your machine at this point, the rc script on OpenBSD at least will enable a default rule set, which is in fact loaded before any of the network interfaces are enabled.

This default rule set is designed as a safety measure in case your gateway boots with an invalid configuration. It lets you log in and clean up whichever syntax error caused your rule set not to load. The default rule set allows a basic set of services: ssh from anywhere, basic name resolution and NFS mounts.

Some early versions of PF ports elsewhere appear to have neglected to bring the default rules with them.



As a footnoted aside, on OpenBSD, I tend to use doas (which replaced the venerable sudo in the base system in OpenBSD 5.8) when I need to do something which requires extra privileges. doas is in the OpenBSD base system, while its somewhat more complicated predecessor is available via the package system on OpenBSD and is within easy reach as a port or package elsewhere. If you have not started using doas or sudo yet, you should. Then you'll avoid shooting your own foot simply because you forgot you were root in that terminal window. For the simple cases like the samples in this document, the two commands are essentially interchangeable, but the samples from this point on will use doas to show some OpenBSD bias.


For convenience if you want it - pfctl is able to handle several operations on a single command line. You can, for example, enable PF and load the rule set with the command doas pfctl -ef /etc/pf.conf, and bunch on several other options if you like.