How to Configure the PF Firewall (Basic Rules) on FreeBSD Operating System

Introduction

The Packet Filter (PF) firewall is a robust and flexible tool for network security on FreeBSD. Originally developed for OpenBSD, PF has been integrated into FreeBSD and provides powerful filtering capabilities for controlling network traffic. This guide explains how to configure PF with basic rules to secure your FreeBSD system.

Prerequisites

Before configuring PF, ensure you have:

• A FreeBSD system installed and running.
• Root or superuser privileges.
• A basic understanding of networking concepts.

Enabling the PF Firewall

By default, PF is included in FreeBSD but is not enabled. To activate it:

1. Enable PF at Boot: Edit the /etc/rc.conf file and add the following lines:

   pf_enable="YES"
   

2. Start PF Manually: If you do not want to reboot immediately, start PF using:

   service pf start
   

3. Verify the Status:

   pfctl -s info
   

   This command confirms whether PF is active.

Configuring PF Rules

PF uses a configuration file located at /etc/pf.conf. This file defines filtering rules, NAT settings, and traffic redirections.

Step 1: Creating a Basic PF Configuration

Open /etc/pf.conf using a text editor:

vi /etc/pf.conf

Add the following basic rules:

# Define network interfaces
ext_if = "em0" # Replace em0 with your external interface

# Default policy: block everything
set block-policy drop

# Allow all traffic on the loopback interface
set skip on lo

# Allow outgoing connections but block incoming by default
pass out on $ext_if proto { tcp, udp, icmp } from any to any keep state

# Allow SSH connections
pass in on $ext_if proto tcp from any to any port 22 keep state

# Allow HTTP and HTTPS
pass in on $ext_if proto tcp from any to any port { 80, 443 } keep state

# Block everything else
block in on $ext_if

Step 2: Loading the Configuration

After editing /etc/pf.conf, load the new configuration with:

pfctl -f /etc/pf.conf

To check if the rules have been applied correctly:

pfctl -sr

Step 3: Enabling PF Logging

Logging is essential for monitoring and troubleshooting firewall activity. Enable logging with:

echo 'pflog_enable="YES"' >> /etc/rc.conf
service pflog start

You can monitor logged packets with:

tcpdump -n -e -ttt -i pflog0

Testing the PF Configuration

Checking Firewall Status

Use the following command to verify PF’s operational status:

pfctl -s info

Testing Rules

To simulate how PF would handle a given packet:

pfctl -sr | grep "port 22"

To manually test connectivity:

nc -zv <server-ip> 22

This checks if the SSH port is open.

Managing PF Rules

Adding and Removing Rules on the Fly

If you need to make temporary changes without modifying /etc/pf.conf:

• To add a rule:

  echo "pass in on em0 proto tcp from any to any port 8080" | pfctl -f -
  

• To remove a rule:

  pfctl -d
  

Reloading Configuration Without Disrupting Connections

To apply changes without breaking active sessions:

pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf

This ensures there are no syntax errors before reloading.

Troubleshooting PF

Checking for Errors

To check for syntax errors in your rules:

pfctl -nf /etc/pf.conf

Debugging Rule Application

To see which rules are being matched:

pfctl -vvsr

Resetting PF

If you encounter issues, reset PF to default:

pfctl -F all

Conclusion

Configuring PF on FreeBSD provides an efficient way to control network traffic and enhance security. With basic rules in place, you can customize the firewall to suit your needs. Always test changes before applying them and regularly check logs for unexpected behavior. By mastering PF, you can effectively safeguard your FreeBSD system against network threats.