How to enable PF?

[Trojan]

Please help me to solve the problem with enabling PF on FreeBSD 7.1. I added in /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"

but when I run pfctl -f /etc/pf.conf, the following message appears :

shlus# pfctl -f /etc/pf.conf
pfctl: /dev/pf: No such file or directory.

I checked the content of /etc directory and there no pf.conf file indeed.

What should I do for enabling PF?

 

[mwatkins]

As a general rule of thumb, always check the man pages.

man pf.conf

Look at the bottom of the page - you'll see a section titled "FILES".

FILES
     /etc/hosts              Host name database.
     /etc/pf.conf            Default location of the ruleset file.
     /etc/pf.os              Default location of OS fingerprints.
     /etc/protocols          Protocol name database.
     /etc/services           Service name database.
     [B]/usr/share/examples/pf  Example rulesets.[/B]

You'll find a pf.conf *example* in there.

Don't blindly enable, particularly if the machine is remote to you and you don't have console access. You may find yourself locked out.

If you search the forum here no doubt you'll find a practical testing solution that involves firing up the test rule set, sleeping, and then disabling pf after X seconds. Worth doing while learning.

 

[SirDice]

The kernel module is probably not loaded.

# kldload pf

Or start pf using the rc script:

# /etc/rc.d/pf start

 

[Trojan]

As a general rule of thumb, always check the man pages.

man pf.conf

Look at the bottom of the page - you'll see a section titled "FILES".

FILES
     /etc/hosts              Host name database.
     /etc/pf.conf            Default location of the ruleset file.
     /etc/pf.os              Default location of OS fingerprints.
     /etc/protocols          Protocol name database.
     /etc/services           Service name database.
     [B]/usr/share/examples/pf  Example rulesets.[/B]

You'll find a pf.conf *example* in there.

Don't blindly enable, particularly if the machine is remote to you and you don't have console access. You may find yourself locked out.

If you search the forum here no doubt you'll find a practical testing solution that involves firing up the test rule set, sleeping, and then disabling pf after X seconds. Worth doing while learning.

There is a pf.conf file in /usr/share/examples/pf directory. Should I copy it to /etc directory so that PF could be enabled? If yes, is it enough for enabling PF?

The kernel module is probably not loaded.

# kldload pf

When I run this command no messages are appeared.

shlus# kldload pf
shlus#

 

[SirDice]

There is a pf.conf file in /usr/share/examples/pf directory. Should I copy it to /etc directory so that PF could be enabled? If yes, is it enough for enabling PF?

No, you should use that as an example and create your own /etc/pf.conf. See pf.conf(5).

When I run this command no messages are appeared.

shlus# kldload pf
shlus#

That's ok. You can see if it's loaded with kldstat.

 

[Trojan]

No, you should use that as an example and create your own /etc/pf.conf. See pf.conf(5).

Well, if I'll just copy that file and paste it to /etc directory and then edit it according to my needs, will the PF works afterwards?

I suppose there is no difference between creating the new /etc/pf.conf file and copying/pasting the existing one. Am I right or mistaken?

 

[DutchDaemon]

There are gradations in 'PF works'. It can mean: "Yes, pf is running, but nobody can get in or out" or "Yes, pf is running, but everybody can get in and out" and "Yes, I'll read pf.conf(5) now, so I don't have to ask the same question four times in a row, just to get the same advice". Don't take shortcuts when it comes to security and firewalling. You'll regret it.

 

[Djn]

It's just a plain text file, so either way works fine.

 

[Trojan]

So, I copied/pasted the pf.conf file from /usr/share/examples/pf to /etc.
Now when I run pfctl -f /etc/pf.conf and kldload pf I get the next:

shlus# pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
shlus# kldload pf
kldload: can't load pf: File exists

Some questions:

1. Is it normal that no ALTQ support in kernel and ALTQ related functions is disabled?
2. Why kldload can't load pf if file exists?
3. Does t have any effect on PF work?

 

[mwatkins]

ALTQ is optional. You'll only know you need it when you know more. In your paste above pf.ko is already loaded. Loading it again results in the error message.

Up thread DutchDaemon said two key things:

1. There are variations in what "works" means when it comes to any firewall; what "works" for you will not be the same for me.
2. Read the man pages.

http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5#QUEUEING/ALTQ

Hopefully you are experimenting on a box which is sitting in front of you, so that you have access to the local console. Unless you take steps to protect yourself, experimenting with firewall rules is likely to result in you locking yourself and everyone else from gaining network access.

If the box isn't sitting right in front of you, search the forums for a solution (hint, involves running rules, sleep for X number of seconds, disabling pf)

 

[nikobordx]

Hi,

1. I don't know, I've always known FreeBSD without ALTQ enabled by default.
2. The pf module are certainly already loaded !
3. Probably ...

Add this to your kernel config file and rebuild it:

# Firewall
device		pf
device		pflog
device		pfsync

# altq
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

Nicolas.

 

[halplus]

When I run this command no messages are appeared.

shlus# kldload pf
shlus#

try:

shlus# kldstat

to list the loaded modules

 

[Trojan]

Finally I enabled PF and ALTQ with rebuilding the kernel but now the question: is rebuilding the kernel is the only way to enable PF and ALTQ? Is it possible to enable these features durin instalation of operating system?

 

[icer]

Is it possible to enable these features durin instalation of operating system?

no, you have to reconigure kernel and install new kernel.

 

[DutchDaemon]

To be precise: PF is built-in (kernel loadable module), ALTQ is add-on (custom kernel required).

 

[Oko]

Finally I enabled PF and ALTQ with rebuilding the kernel but now the question: is rebuilding the kernel is the only way to enable PF and ALTQ? Is it possible to enable these features during installation of operating system?

PF version shipped with FreeBSD is quite outdated and lacks many features of OpenBSD version. Also the only way to enable ALTQ is by recompiling kernel. ALTQ is part of generic OpenBSD kernel.

I do not want to piss people of on FreeBSD forum but OpenBSD is just far better tool for firewall than FreeBSD. That doesn't mean that FreeBSD doesn't have gazillion of other strengths.

 

[SirDice]

PF version shipped with FreeBSD is quite outdated and lacks many features of OpenBSD version.

Which ones?

I do not want to piss people of on FreeBSD forum but OpenBSD is just far better tool for firewall than FreeBSD.

I would disagree. Many people don't need all those 'new' features. There's really no added benefit in running OpenBSD as a firewall. I would also argue that OpenBSD performs like a snail on Valium.

 

[Oko]

Which ones?
I would disagree. Many people don't need all those 'new' features.

PF implementation shipped with 4.5 is about twice as fast as the one which was shipped with OpenBSD 3.7. FreeBSD version of PF is not much beyond that. Who would not benefit from the faster PF?
FreeBSD Desktop users who have a single machine attached to Internet?

There's really no added benefit in running OpenBSD as a firewall.

Sure

I would also argue that OpenBSD performs like a snail on Valium.

Where? On the firewall. I just told you that OpenBSD is twice as fast as FreeBSD as a firewall solution. I have never suggested anybody running large data-base on OpenBSD.

 

[SirDice]

PF implementation shipped with 4.5 is about twice as fast as the one which was shipped with OpenBSD 3.7. FreeBSD version of PF is not much beyond that.

For RELENG_7 it's 4.1 actually, not 3.7

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/?only_with_tag=RELENG_7_BP
http://pf4freebsd.love2party.net/

Unfortunately time's probably too short for 4.5 to make it into 8.0-RELEASE:
http://lists.freebsd.org/pipermail/freebsd-pf/2009-May/005145.html

Perhaps you should do your measurements again?

 

[Oko]

For RELENG_7 it's 4.1 actually, not 3.7

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/?only_with_tag=RELENG_7_BP
http://pf4freebsd.love2party.net/

Unfortunately time's probably too short for 4.5 to make it into 8.0-RELEASE:
http://lists.freebsd.org/pipermail/freebsd-pf/2009-May/005145.html

Perhaps you should do your measurements again?

On average OpenSSH and PF shipped with FreeBSD will be at least
one year behind their original implementations in OpenBSD.
That seems has never been an issue for FreeBSD users so why would I worry about it. I don't even use FreeBSD