OpenBSD Journal

OpenBSD Packet Filter HOWTO

Contributed by webmaster on from the mirror-mirror dept.

pvk writes: "OpenBSD PF HOWTO is available at . This is a preliminary version, describing only basic firewalling, though it's a very good source of information on our brand new packet filter, which will be available in OpenBSD 3.0."

OpenBSD Journal is carrying a mirror of the PF HOWTO at /pf-howto. Anyone want to make me a PF logo? 60x60 png on white or transparent background please.

Check out the new logo: Will was kind enough to provide me with our PF topic logo. Thanks.


  1. By Bill A () on

    Looks like I will have to download 3.0 and play around some. I like how things got changed around, at least from what I have read so far. Been too busy to follow the project itself. Hehe...I truly hope ALL of the features get documented in one place. That would be very nice.

    I am curious about the art... is there some kinda PF mascot? All that comes to my mind is either a sponge or baleen whale...sleep, need sleep, can hear the ocean calling. Sexy sea anemones, that's it...*zzzzzzz*

  2. By Frank DENIS () on


    I'm also using OpenBSD 3 snapshots, and I'm really amazed by the work that has been done since 2.9 (2.9 was already excellent due to the filesystem speedups).

    However, is the NAT part of PF already implemented and functional? While I can easily parse a simple NAT configuration file, it doesn't seem to work. It doesn't NAT anything, and packets get blocked.

    Also, block with return-rst doesn't return anything. Packets got filtered, but they are always blackholed. Are these features implemented?

    Best regards,


    1. By Anonymous Coward () on

      yes they work, are tested and even work on ipv6

      1. By Anonymous Coward () on

        What about NAT w/dynamic IPs?

      2. By Frank DENIS () on

        Here's my pf.conf file:

        block out log all
        block in all
        pass out quick on lo0 all
        pass in quick on lo0 all
        pass out quick proto tcp all flags S/SA keep state
        pass out quick proto udp all flags S/SA keep state
        pass out quick proto icmp all keep state
        block return-rst in quick proto tcp from any to any port = 113

        However, when an external connection to port 113 is made, no packet is sent, just as if "block return-rst" didn't work.

        What's wrong with these rules?

        My nat.conf file is:

        nat on ne3 from to any ->

        is the OpenBSD box itself (and it has a route to the gateway). is an alias for the same interface. But from another computer whose IP is, and gateway is, I can't send any packet to the internet.

        And forwarding has been enabled with sysctl.

        What's wrong?

        1. By Luiz Gustavo (gustavo at shoptime dot com) on

          Since when does udp have flags?

          Your conf has some huge mistakes, use the pf.conf man page to start...

          1. By Frank DENIS () on

            Sorry, the udp flags S/SA was a cut/paste typo when I posted the message. This isn't in my config file.
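            A corrected version of the ruleset discussed in this sub-thread, added here as an example and not part of any poster's message. It keeps the 3.0-era layout the thread uses (filter rules in pf.conf, NAT rules in a separate nat.conf) and fixes the point raised above: UDP has no TCP-style flags, so the flags S/SA qualifier belongs only on the TCP rule. The interface name ne3 is taken from the thread; the addresses 192.168.1.0/24 and 192.0.2.1 are placeholders constructed for this example and stand for the elided internal network and external address.

```pf
# pf.conf -- filter rules (OpenBSD 3.0-era syntax, as used in this thread)
# Default deny in both directions; outbound blocks are logged.
block out log all
block in all

# Loopback traffic is always allowed.
pass out quick on lo0 all
pass in quick on lo0 all

# Outbound TCP: only TCP carries flags. S/SA matches the initial SYN
# and "keep state" lets the rest of the connection through.
pass out quick proto tcp all flags S/SA keep state

# UDP and ICMP have no TCP flags, so no "flags" qualifier here;
# state is still kept so replies are allowed back in.
pass out quick proto udp all keep state
pass out quick proto icmp all keep state

# Reject ident (port 113) with a RST rather than silently dropping it.
# "quick" makes this rule win over the earlier "block in all".
block return-rst in quick proto tcp from any to any port = 113

# nat.conf -- NAT rules, kept in a separate file in 3.0
# 192.168.1.0/24 is the internal network and 192.0.2.1 the external
# address on ne3 (both are placeholders constructed for this example).
nat on ne3 from 192.168.1.0/24 to any -> 192.0.2.1
```

            After loading, pfctl's -s rules, -s nat and -s state queries show what is actually in the kernel, which is the quickest way to tell a ruleset that failed to load from one that loaded but does not match the traffic. Forwarding between the internal network and ne3 still has to be switched on with the net.inet.ip.forwarding sysctl the poster mentions.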

  3. By danimal (danimal[AT]danimal[DOT]org) on

    In the mirror, if you try to go to you get a 404 because /pf-howto/html/pf-howto.css wasn't found.


    1. By Ryan Cooley () on

      Disable "Style Sheets" and you should be fine.

      In Netscape:

      Edit -> Preferences -> Advanced -> Enable Style Sheets

      1. By danimal () on

        But I don't wanna disable style sheets! Wah!


        Thanks for reminding me.

    2. By webmaster () on

      That should fix it. It wasn't showing up on my end. Funny, cause I have stylesheets enabled as well :(

    1. By Anonymous Coward () on

      your logo is nice, but shouldn't it need a reference to OpenBSD: a little daemon, blowfish or something.

      I may be nit-picking too much also ;)

      1. By danimal (danimal[AT]danimal[dot]org) on

        your logo is nice, but shouldn't it need a reference to OpenBSD: a little daemon, blowfish or something.

        Sure, if anyone wants the GIMP XCF let me know as it is all broken out into layers (and larger than 60x60).


    2. By Anonymous Coward () on

      Looks good! :)

    3. By jcs (jcs(at)openbsd(dot)org) on

      I started making a logo with the armored blowfish (see the logo) shooting down packets and stomping on a map of Australia (that's where Darren's from). When it scaled down to 60x60, it was too hard to tell what the blob that used to be Australia was, so I gave up.

      1. By Anonymous Coward () on

        C'mon Man, show us that thing!!! :O)

      2. By Miod Vallat () on

        I don't think having a logo looking somewhat anti-Australian is a wise idea.
        Besides, OpenBSD has developers who reside in Australia...

    4. By Anonymous Coward () on

      ... and have a piranha for pf and a shark for openssh!!!

  5. By fansipans () on

    thanks to pf i just got my new fancy network working, dmz, binat & ip aliased craziness all setup and co-existing happily. fiesta time indeed.

    so yea. you actually can do things with this hip new pf thing. wh00t. the only thing that threw me off is the whole "if you run a binat rule the external ip address has to exist" hehe...quickly solved with a few ip aliases. next thing to try'll be bridging with pf. does anyone have any super hip dmz stories? or hip network topologies they've set up?

    1. By Anonymous Coward () on

      Please post your results on the pf filtering bridge(4) packets... I'd love to try a migration from ipf to pf on my main firewall/bridge.

    2. By Anonymous Coward () on

      For the last paragraph, you should see how funky mine's setup.. 4 tier, DMZ and all bridging and nat in there... I should draw up the topology with Visio or something like that.. I'll post it once 3.0 is out, and I migrate from 2.8 to 3.0 ;)

  6. By Eric Bullen () on

    I didn't see it clearly stated, but does the modulation work for incoming NATted connections? This was a cool feature of the Arrowpoint switches where it does the 3-way handshake, then passes the flow onto the receiving host.

    Let me know...



Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]