PF (firewall)

PF (Packet Filter, also written pf) is a BSD licensed stateful packet filter, a central piece of software for firewalling. It is comparable to iptables, ipfw and ipfilter. PF is developed on OpenBSD, but has been ported to many other operating systems.

History

PF was primarily written by Daniel Hartmeier. It appeared in OpenBSD 3.0, which was released on 1 December 2001. [http://www.openbsd.org/30.html OpenBSD 3.0 Release]

PF was originally designed as a replacement for Darren Reed's IPFilter, from which it derives much of its rule syntax. IPFilter was removed from OpenBSD's CVS tree on 30 May 2001 due to OpenBSD developers' concerns with its license. [http://marc.info/?l=openbsd-cvs&m=99118918928072&w=2 CVS commit removing ipf from the OpenBSD tree]

Features

The filtering syntax is similar to IPFilter, with some modifications to make it clearer. Network Address Translation (NAT) and Quality of Service (QoS) have been integrated into PF, QoS by importing the ALTQ queuing software and linking it with PF's configuration. Features such as pfsync and CARP for failover and redundancy, authpf for session authentication, and ftp-proxy to ease firewalling the difficult FTP protocol, have also extended PF.

PF's logging is configurable per rule within pf.conf. Log records are provided by a pseudo-network interface called "pflog", which is the only path by which PF's log data leaves the kernel for user-level programs. Logs may be monitored using standard utilities such as tcpdump, which in OpenBSD has been extended especially for this purpose, or saved to disk in a modified tcpdump/pcap binary format using the "pflogd" daemon.

Ports

Apart from its home platform OpenBSD, PF is also installed by default in FreeBSD starting with version 5.3, in NetBSD from version 3.0, and appeared in DragonFly BSD from version 1.2. Core Force, a firewalling and security product for Microsoft Windows, is derived from PF.

Annotated example pf.conf file

## Macros
# The internal interface (connected to the local network).
int_if="xl0"

## Options
# Set the default policy to return RSTs or ICMPs for blocked traffic.
set block-policy return
# Ignore the loopback interface entirely.
set skip on lo0

## Translation rules
# NAT traffic on the interface in the default "egress" interface group (to
# which the interface out of which the default route goes is assigned) from the
# local network.
nat on egress from $int_if:network to any -> (egress)

## Filtering rules
# Default deny rule, with all blocked packets logged.
block log all
# Pass all traffic to and from the local network, using "quick" so that later
# rules are not evaluated if a packet matches this. Some rulesets would restrict
# local traffic much further.
pass quick on $int_if all
# Permit all traffic going out, keep state so that replies are automatically passed;
# many rulesets would have many rules here, restricting traffic in and out on the
# external (egress) interface. (keep state is not needed in the newest version of pf)
pass out keep state
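The evaluation order that the comments in this ruleset rely on (a default deny listed first, "quick" cutting evaluation short, and state so that replies to outbound traffic are passed) can be modelled in a few lines. This is an added example, not code from the article or from PF itself; the egress interface name "em0", the addresses and the packet fields are constructed for it.

```python
# Added example, not code from the article or PF. "xl0" is the article's
# internal interface; "em0" and every address used with it are constructed.
MACROS = {"int_if": "xl0"}
RULESET = """
block log all
pass quick on $int_if all
pass out keep state
"""

def parse_rule(line):
    """Parse the subset of pf.conf filter syntax used in the article's example."""
    w = line.split()
    rule = {"action": w[0], "log": "log" in w, "quick": "quick" in w,
            "keep_state": "keep" in w, "dir": None, "iface": None}
    for d in ("in", "out"):
        if d in w[1:]:
            rule["dir"] = d
    if "on" in w:                          # "on $macro" or "on ifname"
        name = w[w.index("on") + 1]
        rule["iface"] = MACROS[name[1:]] if name.startswith("$") else name
    return rule

def load_ruleset(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]

def matches(rule, pkt):
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    return rule["iface"] is None or rule["iface"] == pkt["iface"]

def evaluate(rules, pkt):
    """PF semantics: the last matching rule wins, unless a match is 'quick'."""
    winner = {"action": "pass", "log": False, "keep_state": False}  # no match
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule["quick"]:
                break
    return winner

def filter_packet(rules, states, pkt):
    """The state table is consulted before the ruleset, as PF does."""
    flow = (pkt["src"], pkt["dst"])
    if flow in states or flow[::-1] in states:
        return ("pass", False)             # reply to an established flow
    rule = evaluate(rules, pkt)
    if rule["action"] == "pass" and rule["keep_state"]:
        states.add(flow)
    return (rule["action"], rule["log"])
```

Running an unsolicited inbound packet on the egress side through `filter_packet` shows it blocked and logged by the first rule, while the reply to an outbound flow is passed by the state entry even though the ruleset alone would block it.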

See also

* Internet protocol suite
* Network address translation
* Reverse path forwarding
* Pfsense

Notes and references

Books

* [http://www.nostarch.com/pf.htm The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall] by Peter N. M. Hansteen. No Starch Press. 2007. ISBN 9781593271657.
* [http://www.devguide.net/books/openbsdfw-02-ed/index.html Building Firewalls with OpenBSD and PF, 2nd Edition] by Jacek Artymiak. 2003. ISBN 83-916651-1-9.
* [http://www.reedmedia.net/books/pf-book/ The OpenBSD PF Packet Filter Book: PF for NetBSD, FreeBSD, DragonFly and OpenBSD]. Published by Reed Media Services. 2006. ISBN 0-9790342-0-5.

External links

* [http://www.openbsd.org/cgi-bin/man.cgi?query=pf OpenBSD's pf man page]
* [http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8 OpenBSD's pfctl man page]
* [http://www.openbsd.org/faq/pf/ The OpenBSD PF guide]
* [http://www.openbsd.org/lyrics.html#36 The OpenBSD 3.6 release song] with humorous background information on PF's creation
* [http://www.benzedrine.cx/pf.html PF section on Daniel Hartmeier's site]
* [http://home.nuug.no/~peter/pf/ PF tutorial by Peter N. M. Hansteen]
* [https://calomel.org/pf_config.html Pf "how to"] and [https://calomel.org/pf_hfsc.html HFSC Quality of Service explanation with examples]


Wikimedia Foundation. 2010.
