OpenBSD Journal

pf FAQ

Contributed by jose on from the new-docs dept.

Philipp Buehler writes: "Now there is an official pf FAQ out there!

Thanks to Nick Holland (and others) for their effort and the complete covering of all nifty topics, which are now possible in 3.3

http://www.openbsd.org/faq/pf/ " Now you can get answers to all the questions you have about all of those nifty new features. Thanks, guys!

(Comments are closed)


Comments
  1. By Nick Holland () nick@holland-consulting.net on http://www.holland-consulting.net

    Credit needs to be given where it is due...

    While I did start this project, Joel Knight stepped in and did a fantastic job of making it what it is now. I do believe Joel's work is at least 90% of what is there now, and a little of the remaining 10% came from the old FAQ...

    This was probably the most exciting commit I have made after my first when I started with the OpenBSD team, but the excitement was just the quality of the work I was putting in, and the value to the users, not the fact that I did it.

    Great work, Joel Knight!

    Nick.

  2. By Jason () on

    I like pf so much that even though I've never written a book, I was considering writing a book about using it and all the cool features, that is, until I saw this FAQ!

    Well done!!

    A book from me about pf would have sucked anyway, I'm still a "hobby user". ;-)

    Comments
    1. By Anonymous Coward () on

      I would have bought it even if it sucked, so long as it contained the word "OpenBSD" in it...

      Waiting now for the Absolute OpenBSD book, in June.

  3. By rabbit () rabbit@ulyssis.org on http://ace.ulyssis.org/rabbit

    This is really a great piece of work! It'll be of great value to me (and others) when I explore all of the new features of pf.

    I like it that all of the features are explained in short, so that you can know what something is for, without having to go through dozens of pages of complicated text, which would leave you even more confused :)

    Also it's really cool to have a lot of real world, functional examples, to get ideas from.

    I'd better get to work rewriting my lousy, badly coded pf ruleset as soon as my 3.3 cd's arrive :-)

  4. By Joy Almacen () on

    I have used pf in production since it first came out with the 3.0 release. I should say that the improvements are impressive (based on the release announcement). I will definitely upgrade my 3.2 very soon.

    One wish remains for me, better FTP support ala Cisco PIX 'fixup' flag.

    Kudos to the OpenBSD developers. I will definitely buy two more T-shirts and the CD set.

  5. By Michael Anuzis () on

    for anyone interested, my ruleset's been 100% redone and made available at:
    http://www.anuzis.net/pf.conf

    It takes advantage of most all of the new PF tricks (outside anchors). Including giving priority to SSH over web/ftp, etc, etc, etc

    Comments / critique also appreciated.

    Comments
    1. By Michael Anuzis () on

      p.s. it *is* just for a simple cable modem at home protection schema though, so it doesn't do anything too fancy.

      it will give bandwidth priority to the people I put in the "friends" rule and things like that, but i'm sure it's really nothing special compared to the avg ruleset out there.

  6. By Anonymous Coward () on

    I think we have seen the bar raised for good clear FAQ descriptions. Congrats! Now I hope the VPN section is/becomes as clear. that part is still mud for me.

  7. By Anonymous Coward () on

    when pf replaced ipf it wasn't possible to use it (pf) with interfaces that can go up and down (e.g. tun for use with dsl) which is something that ipf could do.

    has this been fixed "out of the box"? does anything special need to be done to use pf with dsl?

    Comments
    1. By Anonymous Coward () on

      I don't use tun with my DSL... I assume that's for PPPoE?

      I've never used PPPoE either (thank God) but check this link:

      http://www.benzedrine.cx/ackpri.html

      He seems to be using DSL with PPPoE so I assume it should work.

    2. By bobo () on

      Sure, no problem. Use '(if)'.
      I think it's PF has always had this capability.
      Granted, I could be wrong on that. Anyway,
      for a long time you can do '(ppp0)'.

      #### NAT ####
      # Translate so that kreechta can talk to the world.
      # Using PPPD with a dynamic dial-up IP assignment...
      nat on ppp0 from 192.168.0.3 to ! 192.168.0.0/24 -> (ppp0)
      rdr on ppp0 inet proto tcp from any to (ppp0) port auth -> 192.168.0.3

  8. By Anonymous Coward () on

    The pf FAQ is great but lack of the statement on the rules grouping and sequence (including sequence of in and out)as far as I see it.
    Anyway it is great job. Thanks.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]