head.daveops.net

Snippets for yer computer needs

pf

@OpenBSD, @firewalls

pfctl

flag    command
-e      enable pf
-d      disable pf
-nf     parse file, don't load it
-f      load pf.conf file
-sr     show rulesets
-ss     show state table
-si     show filter stats + counters
-sa     show everything

General rule syntax

action [direction] [log] [quick] [on interface] [af] [proto protocol] \
    [from src_addr [port src_port]] [to dst_addr [port dst_port]] \
    [flags tcp_flags] [state]

action      pass/block
direction   in/out
quick       if the packet matches this rule, do the action and skip the rest of the rules
af          (address family) inet/inet6
protocol    udp/tcp/icmp

($ext_if) is shorthand for "use the IP address of that interface in the rule", looked up when a packet is evaluated rather than once when the ruleset is loaded (handy with NAT, or whenever the interface address can change)

Default deny

block in all
block out all

Table containing all IP addresses to firewall

table <fw_self> const { self }

(a table must be named between angle brackets; fw_self is only a placeholder, use whatever name your rules refer to)
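A complete ruleset that puts the syntax, the default deny and the self table above to work, added here as an illustration rather than taken from the original page. The interface name em0, the table name fw_self and the admin subnet 192.0.2.0/24 are assumptions; adjust them for your host.

```pf
# Added example ruleset, not from the original page.
# em0, fw_self and the admin subnet are assumptions.
ext_if    = "em0"            # assumed external interface
admin_net = "192.0.2.0/24"   # constructed: hosts allowed to ssh in

# every address on every interface of this host, fixed at load time (const)
table <fw_self> const { self }

set skip on lo0              # never filter loopback

# default deny, logging what gets dropped
block in log all
block out log all

# anti-spoofing: packets arriving from outside must not claim our own addresses;
# quick stops evaluation here, so no later pass rule can override it
block in quick on $ext_if from <fw_self> to any

# ssh only from the admin network; ($ext_if) is resolved per packet,
# so the rule survives an address change on em0
pass in quick on $ext_if inet proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA keep state

# answer pings; the state entry lets the echo reply back out
pass in on $ext_if inet proto icmp to ($ext_if) icmp-type echoreq keep state

# let the host itself reach out; replies return through the state table
pass out on $ext_if inet proto { tcp udp icmp } from ($ext_if) to any keep state
```

Check it with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, then confirm what is active with pfctl -sr and watch the entries appear with pfctl -ss. Because pf is last-match-wins, the two block rules at the top only catch traffic that no later pass rule claims; the quick rules are the exceptions that end evaluation immediately.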

Resources