PF (FIREWALL)
PF (Packet Filter, also written pf) is a BSD licensed stateful packet filter, a central piece of software for firewalling. It has been noted for its clean design and clear rule syntax and is comparable to iptables, ipfw and ipfilter. PF is developed on OpenBSD, but has been ported to many other operating systems.
History
PF was primarily written by Daniel Hartmeier. It appeared in OpenBSD 3.0, which was released on 1 December 2001.[1]
PF was originally designed as a replacement for Darren Reed's IPFilter, from which it derives much of its rule syntax. IPFilter was removed from OpenBSD's CVS tree on 30 May 2001 due to perceived problems with its license. Specifically, Reed distributed some versions of his software with the license clause, "[D]erivative or modified works are not permitted without the author's prior consent."[2] While the FreeBSD and NetBSD projects apparently consulted with Reed and received such consent, the OpenBSD team decided to replace the software rather than continuing to redistribute it.
The OpenBSD team's decision became the subject of wrangling among the parties involved, degenerating largely into a flame war and failing to bring about mutual or public understanding. OpenBSD project leader Theo de Raadt wrote, "[S]oftware which OpenBSD uses and redistributes must be free to all... for any purpose... including modification, use, peeing on, or even integration into baby mulching machines or atomic bombs to be dropped on Australia."[3] (Reed was based in Australia at the time.) Reed authored a FAQ stating his own position, including, "[Can I] use IPFilter and fix any problems... or add new features? Of course. Next person who asks will get brick'd."[4]
Features
PF has since evolved quickly and now has several advantages over other available firewalls. The filtering syntax is similar to IPFilter, with some modifications to make it clearer. Network Address Translation (NAT) and Quality of Service (QoS) have been integrated into PF, QoS by importing the ALTQ queuing software and linking it with PF's configuration. Features such as pfsync and CARP for failover and redundancy, authpf for session authentication, and ftp-proxy to ease firewalling the difficult FTP protocol, have also extended PF.
One innovative feature is PF's logging. Logging is configurable per rule within pf.conf, and logs are provided by PF through a pseudo-network interface called pflog. Logs may be monitored using standard utilities such as tcpdump, which in OpenBSD has been extended especially for the purpose, or saved to disk in a modified tcpdump/pcap binary format using the pflogd daemon.
Ports
Apart from its home platform OpenBSD, PF is also installed by default in FreeBSD starting with version 5.3, in NetBSD from version 3.0, and appeared in DragonFly BSD from version 1.2. Core Force, a firewalling and security product for Microsoft Windows, is derived from PF.
Annotated example pf.conf file
## Macros
# The internal interface (connected to the local network).
int_if="xl0"

## Options
# Set the default policy to return RSTs or ICMPs for blocked traffic.
set block-policy return
# Ignore the loopback interface entirely.
set skip on lo0

## Translation rules
# NAT traffic on the interface in the default "egress" interface group (to
# which the interface out of which the default route goes is assigned) from the
# local network.
nat on egress from $int_if:network to any -> (egress)

## Filtering rules
# Default deny rule, with all blocked packets logged.
block log all
# Pass all traffic to and from the local network, using "quick" so that later
# rules are not evaluated if a packet matches this. Some rulesets would restrict
# local traffic much further.
pass quick on $int_if all
# Permit all traffic going out, keeping state so that replies are automatically
# passed; many rulesets would have many rules here, restricting traffic in and
# out on the external (egress) interface. ("keep state" is not needed in the
# newest versions of pf, where state is kept by default.)
pass out keep state
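As an added example that is not part of the article, the same policy rewritten in the ruleset syntax OpenBSD has used since release 4.7 (the "nat on" rule became a "match ... nat-to" action, and state is kept by default); it also shows the per-rule logging to pflog described above. The interface name xl0 and the management host address 192.0.2.10 are assumptions for illustration.

```pf
## Macros (assumed values)
int_if = "xl0"          # internal interface, assumed for this example
mgmt   = "192.0.2.10"   # constructed management host address (TEST-NET-1)

## Options
set block-policy return       # answer blocked packets with RST/ICMP unreachable
set skip on lo                # never filter loopback interfaces
set loginterface egress       # keep per-interface counters for "pfctl -si"

## Anti-spoofing: drop packets whose source address does not belong on the
## interface they arrived on (the "Reverse path filtering" idea, done by PF).
antispoof quick for { egress $int_if }
block return in log quick on egress from { no-route urpf-failed } to any

## Translation: NAT is now a "match" action evaluated before the pass rules,
## so a later "pass out on egress" still applies to the translated packet.
match out on egress inet from $int_if:network to any nat-to (egress)

## Filtering
# Default deny; every blocked packet is written to pflog0.
block log all

# Trust the local network, as in the original ruleset.
pass quick on $int_if

# Outbound traffic from the firewall and from NAT'd hosts. State is created
# automatically, so "keep state" is no longer written.
pass out on egress

# Typical inbound rule on the external interface: SSH to the firewall itself,
# only from the management host, and logged so each new session is recorded.
pass in log on egress proto tcp from $mgmt to (egress) port ssh
```

Check the file without loading it with "pfctl -nf /etc/pf.conf"; the logged packets can then be watched live with "tcpdump -n -e -ttt -i pflog0" or read back from pflogd's file with "tcpdump -n -e -ttt -r /var/log/pflog".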
See also
★ Internet protocol suite
★ Network address translation
★ Reverse path filtering
Notes and references
1. http://www.openbsd.org/30.html
2. http://mail-index.netbsd.org/port-i386/2001/05/30/0000.html
3. http://bsdnews.com/view_story.php3?story_id=2038
4. http://coombs.anu.edu.au/ipfilter/ipfstory.html
Books
★ Building Firewalls with OpenBSD and PF, 2nd Edition by Jacek Artymiak. 2003. ISBN 83-916651-1-9.
★ The OpenBSD PF Packet Filter Book: PF for NetBSD, FreeBSD, DragonFly and OpenBSD. Published by Reed Media Services. 2006. ISBN 0-9790342-0-5.
External links
★ OpenBSD's pf man page
★ OpenBSD's pfctl man page
★ The OpenBSD PF guide
★ The OpenBSD 3.6 release song with humorous background information on PF's creation
★ PF section on Daniel Hartmeier's site
★ PF tutorial by Peter N. M. Hansteen