Simplest possible setup (FreeBSD)

On FreeBSD it could seem that you need a little more magic in your /etc/rc.conf. Specifically, according to the FreeBSD Handbook[1], you need:

pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for PF
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup

Fortunately, almost all of these are already present as the default settings in your /etc/defaults/rc.conf, and only

pf_enable="YES"                 # Enable PF (load module if required)
pflog_enable="YES"              # start pflogd(8)

are in fact needed as additions to your /etc/rc.conf in order to enable PF.

On FreeBSD, PF is by default compiled as a loadable kernel module. This means that, right after you have added those two lines to your configuration, you should be able to get started[2] with $ sudo kldload pf, followed by $ sudo pfctl -e to enable PF. Assuming you have put these lines in your /etc/rc.conf, you can use the PF rc script to enable or disable PF:

$ sudo /etc/rc.d/pf start

to enable PF, or

$ sudo /etc/rc.d/pf stop

to disable the packet filter. The pf rcNG script supports a few other operations as well. However, it is still worth noting that at this point we do not have a rule set, which means that PF does not actually do anything.
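One way to check the points above (which values come from the defaults, which from your two added lines, and whether a rule set exists yet), as an added example that is not part of the original tutorial. The function names is_yes, pf_effective and pf_audit are hypothetical, and the two files are constructed samples written to a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original page): audit the effective PF
# settings by reading the defaults first and then rc.conf, as rc(8) does.
# Pass paths containing a slash, and only files you trust: they are sourced.

is_yes() {  # same spellings rc.subr's checkyesno accepts
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# pf_effective DEFAULTS RCCONF VAR: print VAR's effective value.
pf_effective() (
    if [ -r "$1" ]; then . "$1"; fi
    if [ -r "$2" ]; then . "$2"; fi
    eval "printf '%s\n' \"\${$3-}\""
)

# pf_audit DEFAULTS RCCONF: print findings; exit status = number of findings.
pf_audit() {
    findings=0
    for v in pf_enable pflog_enable; do
        if ! is_yes "$(pf_effective "$1" "$2" "$v")"; then
            echo "FINDING: $v is not YES"
            findings=$((findings + 1))
        fi
    done
    rules=$(pf_effective "$1" "$2" pf_rules)
    if [ ! -s "$rules" ]; then
        echo "FINDING: rule set '$rules' is missing or empty"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample files in a scratch directory (not a real system's).
demo_dir=$(mktemp -d)
cat > "$demo_dir/defaults" <<EOF
pf_enable="NO"
pf_rules="$demo_dir/pf.conf"
pf_flags=""
pflog_enable="NO"
pflog_logfile="/var/log/pflog"
pflog_flags=""
EOF
printf 'pf_enable="YES"\npflog_enable="YES"\n' > "$demo_dir/rc.conf"
pf_audit "$demo_dir/defaults" "$demo_dir/rc.conf" || true
```

On a real system the two arguments would be /etc/defaults/rc.conf and /etc/rc.conf.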



[1] There are some differences between the FreeBSD 4.n and 5.n and newer releases with respect to PF. Refer to the FreeBSD Handbook, specifically the PF chapter, to see which information applies in your case.


[2] Here I use the sudo command, which is an excellent tool when you need to do something which requires privileges. sudo is not part of the base system on FreeBSD, but is within easy reach from the ports system as security/sudo. If you have not started using sudo (or the modern equivalent from OpenBSD, doas) yet, you should. Then you'll avoid shooting your own foot simply because you forgot you were root in that terminal window.