Pf

From Hackepedia

If you're using the OpenBSD pf, make sure it's enabled.

# pfctl -si
Status: Enabled

I've been bitten by this while debugging.

# pfctl -N -f /etc/pf.conf

This reloads only the NAT rules. When testing NAT it is often best to disable the filter rules, so run

# pfctl -Fr

to flush the rules, and just

# pfctl -R -f /etc/pf.conf

to use them again.

# pfctl -Fs

to flush the state table (which holds the NAT states); just remember that existing NATed connections will drop when you do this.

# pfctl -ss

to show the current state table, including the NAT states.

In summary: in -Fn the F means Flush, in -sn the s means show, and -N and -R load only the NAT rules or only the filter rules, respectively.


If you're satisfied with your pf ruleset, you might be interested in looking into ALTQ. Alternate queuing (ALTQ) is a framework that allows you to shape network traffic.


helpful rules for pf.conf

These can mostly be found by logging all of your block rules and then watching with:

# tcpdump -vvv -e -ttt -i pflog0

Once you see something you want to block, usually a recurring sequence, you can add a block rule without the log option.

# block Microsoft Calendar
block in quick on $ext_if proto udp from any to any port { 1024 1025 1026 1027 1028 1029 1030 }
# block nmap OS detection scans somewhat (-O)
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF
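The "watch pflog0, spot the recurring sequence, then write a block rule" workflow above can be scripted. The following is an added example, not part of the original page: it counts blocked destination ports in tcpdump-style pflog output and prints a rule of the same shape as the first pf.conf rule above. The sample log lines, the interface name em0 and the addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of "tcpdump -vvv -e -ttt -i pflog0" output (not a real capture).
# Each line is one packet that matched a logging rule; "block in on" marks drops.
SAMPLE_PFLOG='00:00:00.000000 rule 3/(match) block in on em0: 192.0.2.10.51234 > 198.51.100.5.1025: UDP, length 48
00:00:00.000412 rule 3/(match) block in on em0: 192.0.2.10.51234 > 198.51.100.5.1026: UDP, length 48
00:00:01.200033 rule 3/(match) block in on em0: 192.0.2.77.40001 > 198.51.100.5.1025: UDP, length 48
00:00:00.000100 rule 3/(match) block in on em0: 192.0.2.77.40001 > 198.51.100.5.1027: UDP, length 48
00:00:00.000250 rule 3/(match) block in on em0: 192.0.2.77.40001 > 198.51.100.5.1026: UDP, length 48
00:00:02.500000 rule 3/(match) block in on em0: 192.0.2.10.51234 > 198.51.100.5.1025: UDP, length 48
00:00:00.090000 rule 5/(match) block in on em0: 203.0.113.9.4444 > 198.51.100.5.22: Flags [S], seq 1, win 1024, length 0
00:00:00.000300 rule 7/(match) pass in on em0: 203.0.113.9.4445 > 198.51.100.5.80: Flags [S], seq 1, win 1024, length 0'

# recurring_blocked_ports PROTO MIN: read pflog lines on stdin and print, sorted
# and space-separated, the destination ports of PROTO ("udp" or "tcp") that were
# blocked inbound at least MIN times. Only "block in" lines are counted.
recurring_blocked_ports() {
    awk -v proto="$1" -v min="$2" '
        /block in on/ {
            # the token after ">" is the destination as "addr.port:"
            dst = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
            sub(/:$/, "", dst)
            n = split(dst, parts, ".")
            port = parts[n]
            is_udp = ($0 ~ /UDP,/)
            if ((proto == "udp" && is_udp) || (proto == "tcp" && !is_udp)) count[port]++
        }
        END { for (p in count) if (count[p] >= min) print p }
    ' | sort -n | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 } END { if (NR) printf "\n" }'
}

# mk_block_rule IF PROTO PORTS: emit a non-logging pf rule for the recurring ports.
mk_block_rule() {
    printf 'block in quick on %s proto %s from any to any port { %s }\n' "$1" "$2" "$3"
}

# Usage: UDP ports blocked two or more times become one quick block rule.
ports=$(printf '%s\n' "$SAMPLE_PFLOG" | recurring_blocked_ports udp 2)
[ -n "$ports" ] && mk_block_rule '$ext_if' udp "$ports"
```

Pipe real output into it with `tcpdump -n -e -ttt -i pflog0 | recurring_blocked_ports udp 5` and review the proposed rule before adding it to pf.conf.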