How To Setup And Use PF Firewall On FreeBSD 12.1?


A firewall is a network security system that monitors incoming and outgoing network traffic flows through a system. It allows or blocks the data packets based on a set of security rules that are predefined in the system. It acts as a barrier between internal and external sources such as the internet and blocks malicious traffic.

FreeBSD provides three firewalls all of them are built-in into the base system-

  • PF
  • IPFW
  • IPFILTER

Here in this article, we will discuss setting up a firewall with PF on FreeBSD 12.1.

PF (Packet Filter)

PF is the acronym for packet filter it was originally developed for OpenBSD but later ported for various other operating systems. It is a stateful firewall you can compare it with Netfilter (iptables), ipfw, or ipfilter used in Linux.

Enable the Packet filter

So before you start using the PF firewall first you need to turn it on. You can enable it by using the following command –

sysrc pf_enable=yes

Next, add the pf ruleset configuration file path to /etc/rc.conf file, use –

sysrc pf_rules=/etc/pf.conf

Turn on logging support for pf by using –

sysrc pflog_enable=yes

Now add the logging file path to /etc/rc.conf file –

sysrc pflog_logfile=/var/log/pflog

Now when next time you open your system it will start the PF firewall automatically.

Defining PF firewall rules

First, open the /etc/pf.conf file in your terminal by using the given command –

vi /etc/pf.conf

You can start adding rules into this file as given below –

block all
pass in proto tcp to port { 22 }
pass out proto { tcp udp } to port { 22 80 123 443 }

The PF firewall reads this file from top to bottom. The first line will block all the incoming and outgoing traffic on the system. In the next line, rules will be revised initially it was blocking all the traffic but now it allows the incoming traffic for ssh that means you will now able to ssh into a server.

In the last line, the outbound traffic is allowed for services such as SSH, HTTP, NTP, and  HTTPS, etc. which means now you can do tasks like downloading the packages from the internet, synchronizing system time, etc.

You can create a set skip rule for the loopback devices because it does not need to filter the traffic. Internet control message protocol(ICMP) is required for tools used for debugging and troubleshooting of TCP/IP network so we also define a rule for ICMP. Now simply you can copy and paste the given lines into the /etc/pf.conf file.

#skip loopback interface
set skip on lo
#block all the traffic in and out on the system
block all
#allow incoming traffic to port ssh
pass in proto tcp to port { 22 }
#allow outbound traffic for ssh, HTTP, NTP, HTTPS
pass out proto { tcp udp } to port { 22 80 123 443 }
pass inet proto icmp from any to any

At the end of this file, you can append any new rule as given above. Once you are done with adding rules save the file and exit from the editor.

Start the PF firewall

Start the PF firewall services by using –

service pf start

Use the given command to start logging support –

service pflog start

Check for errors in /etc/pf.conf

After modifying the pf.conf files check for any errors by executing one of the given commands –

service pf check

or

pfctl -n -f /etc/pf.conf

Check pf status

Now to check the status of pf you can use the following command in the terminal –

service pf status

Now see the output first thing is it confirms that our firewall is working and secondly the criteria of the ruleset are matched 10 times.

Enable or disable PF from the command line

Use the following command to disable the PF from the terminal –

pfctl -d

Or if you want to enable PF firewall use –

pfctl -e

We can advance the rules by using macros and tables. You can learn more about defining rules and using pfctl command from PF (Packet Filter) FreeBSD.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.