OpenBSD's Packet Filter, usually referred to simply as PF, can act as the firewall and NAT gateway for a small home or office network. The goal of the setup described here is to provide internet access to the internal network, to allow limited administrative access to the firewall machine from the internet, and, if the administrator so decides, to expose selected internal servers to the internet. PF has a long record as one of the most robust packet filters available, and since it ships with the OpenBSD base system it is also one of the cheapest solutions.
PF is configured from the command line through a plain text file, which can take some getting used to depending on the administrator's background.
PF operates in a world that consists of packets, protocols, connections (tracked as states) and ports.
The most important feature of PF is that it can identify and block traffic that is not allowed into the local network or out to the outside world.
Blocking "bad" or unwanted traffic and denying access is often exactly what matters: it puts the administrator in control of what reaches, and what leaves, the internal network.
Before editing the Packet Filter ruleset, the firewall machine needs two configured network interfaces: an external one facing the internet (the interface that carries the default route, which OpenBSD automatically places in the egress interface group) and an internal one connected to the local network. The next step is to write the ruleset that fits the specific internal network.
Below is an example of a complete ruleset as it would appear in the configuration file /etc/pf.conf. Note that this is only a basic ruleset; it can be extended in much more detail, but that is a decision for the administrator. PF evaluates rules from top to bottom and the last matching rule wins, unless a rule carries the quick keyword, in which case evaluation stops at that rule.
# The internal interface (connected to the local network). The name is a
# placeholder: substitute the actual interface name of your firewall.
int_if = "em1"
# Set the default policy to return RSTs or ICMP unreachables for blocked traffic.
# (return is friendlier to internal clients; drop would make the firewall silent
# to outside scans.)
set block-policy return
# Ignore the loopback interface entirely.
set skip on lo0
## Translation rules
# NAT traffic from the local network that leaves through the egress interface
# group (the group to which OpenBSD automatically assigns the interface carrying
# the default route).
match out on egress from $int_if:network to any nat-to (egress)
## Filtering rules
# Default deny rule, with all blocked packets logged.
block log all
# Pass all traffic to and from the local network, using quick so that later
# rules are not evaluated if a packet matches this. Some rulesets would restrict
# local traffic much further.
pass quick on $int_if all
# Permit all traffic going out, keeping state so that replies are automatically
# passed; many rulesets would have many rules here, restricting traffic in and
# out on the external (egress) interface. (keep state has been the default for
# pass rules since OpenBSD 4.1, so it can be omitted.)
pass out keep state
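The basic ruleset above passes everything out and blocks everything in, which provides internet access but none of the other two goals stated at the start: limited access to the firewall itself and exposing a server. The following extended ruleset is an added example, not part of the original page or of OpenBSD's own sample configuration. The interface name, the address of the internal web server and the administrative network are placeholders and must be replaced with real values.

```pf
# Added example: extended ruleset for a small office gateway. All addresses and
# interface names below are placeholders.
int_if    = "em1"                   # placeholder: internal interface
web_srv   = "192.168.1.10"          # placeholder: internal web server
admin_net = "{ 203.0.113.0/24 }"    # placeholder: where admin SSH may come from

# Table that collects addresses which exceed the SSH connection-rate limit.
table <bruteforce> persist

set block-policy return
set skip on lo0

# Drop packets arriving on the internal interface with source addresses that do
# not belong there (spoofed internal traffic).
antispoof quick for $int_if

## Translation rules
# NAT outbound traffic from the local network.
match out on egress from $int_if:network to any nat-to (egress)
# Redirect inbound HTTP/HTTPS aimed at the external address to the web server.
match in on egress proto tcp to (egress) port { 80 443 } rdr-to $web_srv

## Filtering rules
# Default deny, logging every blocked packet.
block log all
# Addresses that tripped the rate limit are cut off entirely on the outside.
block quick on egress from <bruteforce>

# Trust the local network (many rulesets would restrict this much further).
pass quick on $int_if all

# Limited administrative access to the firewall itself: SSH only, only from the
# admin network, at most 5 simultaneous connections and 3 new connections per
# 30 seconds per source; offenders are added to <bruteforce> and their existing
# states are flushed.
pass in on egress proto tcp from $admin_net to (egress) port 22 \
    keep state (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)

# Redirected traffic still has to pass a filter rule; the filter sees the
# post-translation destination, so the rule matches the internal address.
pass in on egress proto tcp to $web_srv port { 80 443 }

# Everything initiated from inside may go out; replies return via state.
pass out
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and inspect the active rules and the contents of the table with `pfctl -sr` and `pfctl -t bruteforce -T show`. Note that the block rule for the table is placed before the SSH pass rule and marked quick, so a listed address is rejected before the rate-limiting rule is ever consulted.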