Article Id: WHEBN0003720603
Title: Packet Filter
Author: World Heritage Encyclopedia
Language: English
Subject: Pfsync
Publisher: World Heritage Encyclopedia

Packet Filter

PF (Packet Filter, also written pf) is a BSD-licensed stateful packet filter, a central piece of software for firewalling. It is comparable to netfilter (iptables), ipfw and ipfilter. PF is developed on OpenBSD, but has been ported to many other operating systems including FreeBSD, NetBSD, DragonFly BSD, Debian GNU/kFreeBSD, and Mac OS X 10.7 "Lion" and later.

History

PF was written by Daniel Hartmeier. It appeared in OpenBSD 3.0, which was released on 1 December 2001.[1]

PF was originally designed as a replacement for Darren Reed's IPFilter, from which it derives much of its rule syntax. IPFilter was removed from OpenBSD's CVS tree on 30 May 2001 due to OpenBSD developers' concerns with its license.[2]

Features

The filtering syntax is similar to IPFilter, with some modifications to make it clearer. Network Address Translation (NAT) and Quality of Service (QoS) have been integrated into PF, QoS by importing the ALTQ queuing software and linking it with PF's configuration. Features such as pfsync and CARP for failover and redundancy, authpf for session authentication, and ftp-proxy to ease firewalling the difficult FTP protocol, have also extended PF.

PF's logging is configurable per rule within pf.conf. Logs are provided by a pseudo-network interface called pflog, which is the only way to lift log data from kernel mode to user-level programs. Logs may be monitored using standard utilities such as tcpdump, which in OpenBSD has been extended especially for the purpose, or saved to disk in a modified tcpdump/pcap binary format using the pflogd daemon.

Ports

Apart from its home platform OpenBSD, PF is also installed by default in FreeBSD starting with version 5.3 and in NetBSD from version 3.0, and appeared in DragonFly BSD from version 1.2. Core Force, a firewalling and security product for Microsoft Windows, is derived from PF. PF is also included in Mac OS X Lion (OS X 10.7), released in July 2011, and in Mountain Lion (OS X 10.8).

Annotated example pf.conf file

## Macros

# The internal interface (connected to the local network).
int_if="xl0"

## Options

# Set the default policy to return RSTs or ICMPs for blocked traffic.
set block-policy return

# Ignore the loopback interface entirely.
set skip on lo0

## Translation rules

# NAT traffic on the interface in the default egress interface group (to
# which the interface out of which the default route goes is assigned) from the
# local network.
match out on egress from $int_if:network to any nat-to (egress)

## Filtering rules

# Default deny rule, with all blocked packets logged.
block log all

# Pass all traffic to and from the local network, using quick so that later
# rules are not evaluated if a packet matches this. Some rulesets would restrict
# local traffic much further.
pass quick on $int_if all

# Permit all traffic going out, keep state so that replies are automatically passed;
# many rulesets would have many rules here, restricting traffic in and out on the
# external (egress) interface. (keep state is not needed in the newest version of pf)
pass out keep state
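To make the ordering semantics of the ruleset above concrete, here is a toy model of PF's evaluation written for this page (it is not code from OpenBSD or the pf project): rules are walked in file order, the last matching rule wins unless a matching rule carries quick, and a pass rule that keeps state lets replies through without consulting the rules again. It reuses the xl0 and egress names from the file; NAT, addresses and protocols are not modelled, and any sample packets are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
# A packet as PF sees it: direction ("in"/"out"), interface, addresses.
Packet = namedtuple("Packet", "direction iface src dst")

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None      # None matches any interface
    quick: bool = False
    log: bool = False
    keep_state: bool = False

    def matches(self, pkt) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.iface in (None, pkt.iface))

# The three filtering rules of the annotated pf.conf, in file order.
# "egress" is treated as a plain interface name here (assumption); real
# PF resolves it as an interface group, and NAT is not modelled.
RULESET = [
    Rule("block", log=True),                         # block log all
    Rule("pass", iface="xl0", quick=True),           # pass quick on $int_if all
    Rule("pass", direction="out", keep_state=True),  # pass out keep state
]

class Filter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (src, dst) pairs for which a state exists
        self.logged = []     # packets that hit a rule carrying 'log'

    def filter(self, pkt) -> str:
        # Packets belonging to an existing state bypass the ruleset entirely.
        if (pkt.src, pkt.dst) in self.states or (pkt.dst, pkt.src) in self.states:
            return "pass"
        winner = None
        for rule in self.rules:
            if rule.matches(pkt):
                winner = rule
                if rule.quick:  # quick: stop here, later rules are not evaluated
                    break
        # Without quick, the LAST matching rule decides (last match wins).
        if winner.action == "pass" and winner.keep_state:
            self.states.add((pkt.src, pkt.dst))
        if winner.log:
            self.logged.append(pkt)
        return winner.action
```

Feeding an unsolicited inbound packet on egress shows why the default deny sits first: nothing later matches it, so it is blocked and logged, while the reply to an earlier outbound packet is passed by the state entry alone.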

External links

  • OpenBSD's pf man page
  • OpenBSD's pfctl man page
  • The OpenBSD PF guide
  • The OpenBSD 3.6 release song with humorous background information on PF's creation
  • PF section on Daniel Hartmeier's site
  • PF tutorial by Peter N. M. Hansteen
  • Packet Filter Wiki
  • pfSense, PF based firewall (FreeBSD) distribution
  • IceFloor, free PF frontend for OS X

This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply.