Questions tagged [pf]

pf (Packet Filter) is the TCP/IP packet filtering firewall subsystem on BSD systems.

PF is the BSD packet filtering subsystem (i.e. the guts of the firewall subsystem). Pf (short for “packet filter”) originated on OpenBSD and is also available on FreeBSD, NetBSD, DragonFly BSD and Mac OS X.


86 questions
13 votes, 3 answers

How to block abusive IP addresses with pf in OpenBSD?

We can see from the nginx logs that there is an IP address doing nasty things. How can we block it with a pf command and then later permanently with the /etc/pf.log? How can we block an x.x.x.x/24 for that IP? It is example: 1.2.3.4 UPDATE: no,…
somelooser28533
9 votes, 1 answer

iptables/pf rule to only allow XY application/user?

I think there is no iptables/pf solution to only allow an XY application on e.g.: outbound tcp port 80, eth0. So if I have a userid: "500" then how could I block any other communications than the mentioned on port 80/outbound/tcp/eth0? (e.g.: just…
LanceBaynes
8 votes, 2 answers

NAT and source IP filtering in PF, using OpenBSD >= 4.7

I just read a book about PF (The Book Of PF, No Starch), but there's one question not answered by it. If I have a gateway machine using two interfaces, $int_if and $ext_if, and I NAT the packages coming from $int_if:net (which is, let's say,…
dermesser
8 votes, 1 answer

Is Berkeley Packet Filter ported to Linux?

I am doing some research to figure out what distros of Linux contain kernel packet filtering and are compatible with BPF. http://kernelnewbies.org/Linux_3.0 http://lwn.net/Articles/437981/ These two articles lead me to believe there is a package…
Derek
7 votes, 1 answer

How to set up simple port forwarding on macOS with pf? "Rules must be in order: options, normalization, queueing, translation, filtering"

I am trying to pass traffic from Mac A port 5800 to Mac B on port 5900 using pf. This is the intended path of travel: Client to port 5800 → Router (Yes, port forwarding is set up here) → Mac with PF → PF → 192.168.1.246 port 5900 The following is…
JBis
7 votes, 6 answers

Can I use Unix to load-balance two Linux servers?

I'm trying to work out a solution in my head where two backend Linux servers run HTTP, SMTP, XMPP mirrored and should load balance connections between them. My current solution is an OpenBSD box in front, that can of course be extended with carp to…
Stefan Midjich
6 votes, 1 answer

NAT outbound IPSEC packets using pf on FreeBSD 11 and StrongSwan x FortiGATE

I've been working for more than a week trying to get outbound packets nat'ed to fit a Security Association. This is my (example) scenario: LAN: 1.1.1.0/24 FreeBSD interface: xn0 (Amazon EC2 instance) Virtual Address to nat traffic from:…
5 votes, 2 answers

Accessing ports on public IP from within a FreeBSD jail

In a FreeBSD 10 setup, I have a jail running the publicly accessible nginx web server and another jail for the Java backend server based on Jetty. Each jail has its own internal IP address 127.0.1.x attached to the lo1 loopback interface. All this…
5 votes, 1 answer

Block outgoing connections to certain IP using PF

Can someone give me a hint on how to set up a basic deny rule whenever any TCP request is sent to a specific IP address? I am using the PF packet filter. Any help?
Joseph
4 votes, 1 answer

Should changing firewall settings to block all interrupt ongoing ssh session

Suppose I am logged into a server via ssh. While in the session, I change the firewall config to block all traffic. When I tried this previously with FreeBSD and pf, the current connection was broken. When I try it now, the current connection…
ahron
4 votes, 2 answers

Should I fix "No ALTQ support in kernel" to run the firewall?

I just messed with my pf.conf and ran pf and I got: Enabling pf. No ALTQ support in kernel Of course the fix is to re-compile the kernel, but that article is for FreeBSD 7. I'm on FreeBSD 9.1 I want to know: Should I really bother to enable ALTQ…
gideon
4 votes, 1 answer

How to configure pfsense to NAT servers?

How can I configure pfsense so it will NAT servers so they can be accessed outside of the company? I tried to play around with the NAT settings, but didn't get anywhere. I want to be able to access them remotely using HTTP, SSH, and RDP if I can.
user1575708
4 votes, 1 answer

Inserting a nat solution into a network while it's not the gateway

I have tried this a few different ways. Currently trying with pf on FreeBSD 8.2 I am trying to insert a nat solution into an existing network that will redirect traffic from an outside IP address to an inside IP address on all ports (static nat)…
lostinip
4 votes, 1 answer

Converting a line from a firewall on OpenBSD 4.9 to OpenBSD 4.7

What is the OpenBSD 4.7 equivalent of this line from OpenBSD 4.9 for use with pf? no nat on egress proto udp from 192.168.1.10 port 4672 to any
unclejamil
4 votes, 3 answers

OpenBSD's pf: disable network access for a given user, except for ssh.

If we are using the default firewall for OpenBSD, how can we modify it to disable all the network access for a normal user except for one thing: we want to ssh to the user from random hosts! So example if the user wants to "wget google.com", it…
user90825