Razorlabs Ovh-4

Uploaded by obsdcloud
Simple pf configuration

pf (packet filter) is the firewall from OpenBSD.

the following is the default /etc/pf.conf as of OpenBSD release 6.2:

# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

it's simple and self-explanatory, but what I want is something like what I did in my simple
nftables configuration article.

the first thing we'll do is add a shebang:

#!/sbin/pfctl -f

we'll also have to mark the file as executable (mode 700 also keeps it readable by root only):

chmod 700 /etc/pf.conf

having added this as the first line of the config, we'll be able to reload the pf configuration by
executing /etc/pf.conf as root.

as for the rest of the config, we'll add a macro (a variable) holding all of the tcp ports we want to let
through:

tcp_services="{ ssh, 443 }"

you can specify the service name (check /etc/services) or the port number. to use this variable:

pass in on egress inet proto tcp from any to any port $tcp_services

this rule lets in any tcp traffic on the ports listed in the tcp_services macro, on the egress
interface. egress is the interface group pf reserves for the interface holding the default route, i.e.
the device from which data egresses, or "leaves".

we're also going to add a table whose contents are loaded from /etc/blacklist. all traffic from the
hosts in the blacklist table is rejected immediately (the quick keyword stops rule evaluation right there).

to add a host:

echo 104.43.195.251 >>/etc/blacklist

you'll have to reload pf.conf every time you modify the blacklist file.

as for the full configuration:

#!/sbin/pfctl -f

tcp_services="{ ssh, 443 }"

# don't filter local interface
set skip on lo

# block everything in our blacklist
table <blacklist> persist file "/etc/blacklist"
block drop in quick from <blacklist> to any

# block all incoming traffic
block in

# allow ping
pass on egress inet proto icmp all icmp-type 8 code 0

# accept outgoing traffic
pass out inet
pass in on egress inet proto tcp from any to any port $tcp_services

to check our config file for syntax errors, we can run pfctl -nf /etc/pf.conf, which parses the
file without loading it.
it's also a good idea to run /etc/pf.conf ; sleep 30 && pfctl -d in case you did something that locks
you out: if the new rules cut you off, pf is disabled 30 seconds later. -d disables pf, use -e to enable it again.

to load the configuration we run /etc/pf.conf as root.
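the three steps above (append to the blacklist file, parse-check the ruleset, load it with a fallback that disables pf if you lock yourself out) wrapped in a small POSIX sh script. this is an added example, not code from the original article; it assumes the same paths the article uses (/etc/pf.conf, /etc/blacklist, /sbin/pfctl) and lets PFCTL be overridden so the functions can be exercised on a machine without pf. the address check rejects malformed entries before they reach the file, because a single bad line in the table file makes pfctl refuse the whole ruleset.

```shell
#!/bin/sh
# Added example, not part of the original article. Helpers around the
# blacklist file and the "test, then load" procedure described above.
# Assumptions: paths default to the ones the article uses; PFCTL may be
# pointed at another program so the functions can be tested off-box.

PFCTL=${PFCTL:-/sbin/pfctl}
PFCONF=${PFCONF:-/etc/pf.conf}
BLACKLIST=${BLACKLIST:-/etc/blacklist}

# Succeed only if $1 is a dotted-quad IPv4 address with an optional /prefix.
is_ipv4() {
    addr=${1%/*}
    case $1 in
        */*) prefix=${1##*/}
             case $prefix in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    # digits and dots only; no leading, trailing or doubled dots
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$addr
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    [ "$n" -eq 4 ]
}

# Append a host to the blacklist file; refuse junk and duplicates.
# Returns 1 for a malformed address, 2 for a duplicate, 0 on success.
blacklist_add() {
    host=$1
    if ! is_ipv4 "$host"; then
        echo "blacklist_add: '$host' is not an IPv4 address" >&2
        return 1
    fi
    if [ -f "$BLACKLIST" ] && grep -qxF "$host" "$BLACKLIST"; then
        echo "blacklist_add: $host already listed" >&2
        return 2
    fi
    printf '%s\n' "$host" >>"$BLACKLIST"
}

# Parse-only (-n) first; a ruleset that does not parse is never loaded.
pf_reload() {
    if ! "$PFCTL" -nf "$PFCONF"; then
        echo "pf_reload: $PFCONF failed to parse, not loading" >&2
        return 1
    fi
    "$PFCTL" -f "$PFCONF"
}

# Load the ruleset, then disable pf after $1 seconds (default 30). If the
# new rules locked you out you get back in after the timeout; if all is
# well, interrupt the sleep (Ctrl-C) or run "pfctl -e" afterwards.
pf_reload_failsafe() {
    secs=${1:-30}
    pf_reload || return 1
    echo "pf loaded; disabling it in $secs seconds unless interrupted" >&2
    sleep "$secs"
    "$PFCTL" -d
}

# Usage: pf-helper.sh add <ipv4>   |   pf-helper.sh reload [seconds]
case ${1:-} in
    add)    blacklist_add "$2" && pf_reload ;;
    reload) pf_reload_failsafe "${2:-30}" ;;
esac
```

pf_reload returns before touching the running ruleset if pfctl -n reports a parse error, so a typo in pf.conf or a garbage line in /etc/blacklist leaves the previous rules in place instead of an empty or half-loaded set.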
