
Sunday, November 27, 2011

pf Tables

pf has tables, which are extremely useful when creating and destroying jails. The given link has all the information needed, but below are some quick commands to get started.

A series of jails will be created, with IP addresses 10.10.10.100-105. A small excerpt from pf.conf follows, in which a table is created, addresses are added to it, and a rule refers to it.

table <jails> persist { \
        10.10.10.100, \
        10.10.10.101, \
        10.10.10.102, \
        10.10.10.103 \
}

pass in on $ext_if proto tcp from any to <jails> port 22

This permits SSH to every address in the jails table. When a new jail has been created, add its address to the table and then display the table contents.

$ sudo pfctl -t jails -T add 10.10.10.104
$ sudo pfctl -t jails -T show
10.10.10.100
10.10.10.101
10.10.10.102
10.10.10.103
10.10.10.104

The persist keyword keeps the table in the kernel even when no rule references it, but addresses added with pfctl exist only in the running kernel. The pf.conf file must still be modified to include this new IP address if it is to persist across reboots.
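As an added example (not from the original post), a small sh helper that keeps the live table and its on-disk copy in step, so a runtime add survives a reboot. It assumes pf.conf declares the table as `table <jails> persist file "/etc/pf.jails"` (pf can load table entries from a file); the file path, the address check and the DRY_RUN switch are this example's own choices.

```shell
#!/bin/sh
# Keep the runtime <jails> table and its backing file in sync.
# Assumed pf.conf line:  table <jails> persist file "/etc/pf.jails"
# JAILS_FILE and DRY_RUN are this example's own conventions.
JAILS_FILE="${JAILS_FILE:-/etc/pf.jails}"

# Accept only dotted-quad IPv4 addresses with each octet in 0..255,
# so nothing but an address ever reaches pfctl or the file.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldIFS=$IFS; IFS=.
    set -- $ip
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Run pfctl, or only print the command when DRY_RUN=1 (no pf needed).
run_pfctl() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "pfctl $*"; else pfctl "$@"; fi
}

# Add an address to the backing file (once) and to the live table.
add_jail_ip() {
    valid_ipv4 "$1" || { echo "add_jail_ip: bad address '$1'" >&2; return 2; }
    # -x -F: whole-line, fixed-string match, so 10.10.10.10 != 10.10.10.100
    if [ -f "$JAILS_FILE" ] && grep -qxF "$1" "$JAILS_FILE"; then
        echo "$1 already in $JAILS_FILE"
    else
        printf '%s\n' "$1" >> "$JAILS_FILE"
    fi
    run_pfctl -t jails -T add "$1"
}
```

If the file is edited by hand, `pfctl -t jails -T replace -f /etc/pf.jails` reloads the live table from it without touching the rest of the ruleset.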

Wednesday, November 16, 2011

Packet Filter (pf)

There are several firewall options for FreeBSD - this is about pf.

Kernel Options
While pf can be loaded as a kernel module, ALTQ cannot. If the kernel is to be recompiled anyway, it is worth adding both. Below are all the pieces available; not all are required, depending on usage. If there is no intended use of ALTQ, the kernel modules may be used instead.

# pf - manually added
device          pf              # OpenBSD Packet Filter firewall
device          pflog           # pseudo network device for logging
device          pfsync          # state change log interface (HA)
# ALTQ - queues
options         ALTQ            # ALTQ framework
options         ALTQ_CBQ        # Class Based Queueing
options         ALTQ_RED        # Random Early Detection
options         ALTQ_RIO        # Random Early Detection In and Out
options         ALTQ_HFSC       # Hierarchical Fair Service Curve Sched.
options         ALTQ_PRIQ       # Priority Queueing. high traffic first
options         ALTQ_NOPCC      # SMP support. Required on SMP systems

There are some pieces for rc.conf:

# pf
pf_enable="YES"                 # enable pf
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd stores logfile
pflog_flags=""                  # additional flags for pflogd

Example configurations for pf can be found in /usr/share/examples/pf on FreeBSD. Or, read through the documentation.

Recompile the kernel and restart. Or, if using modules: kldload pf.