The Book of PF, 2nd Edition - Pdf 12

www.nostarch.com
THE FINEST IN GEEK ENTERTAINMENT

SHELVE IN:
OPERATING SYSTEMS/UNIX
$29.95 ($34.95 CDN)
BUILD A MORE SECURE NETWORK WITH PF
OpenBSD’s stateful packet filter, PF, is the heart of
the OpenBSD firewall and a necessity for any admin
working in a BSD environment. With a little effort and
this book, you’ll gain the insight needed to unlock PF’s
full potential.
This second edition of The Book of PF has been
completely updated and revised. Based on Peter N.M.
Hansteen’s popular PF website and conference tutorials,
this no-nonsense guide covers NAT and redirection,
wireless networking, spam fighting, failover provisioning,
logging, and more. Throughout the book, Hansteen
emphasizes the importance of staying in control with
a written network specification, keeping rule sets
readable using macros, and performing rigid testing
when loading new rules.
The Book of PF tackles a broad range of topics that will
stimulate your mind and pad your resume, including

Covers OpenBSD 4.8, FreeBSD 8.1, and NetBSD 5
“I LIE FLAT.” This book uses a lay-flat binding that won't snap shut.
PETER N.M. HANSTEEN
THE BOOK OF PF
A NO-NONSENSE GUIDE TO THE OPENBSD FIREWALL
2ND EDITION
www.it-ebooks.info
PRAISE FOR THE FIRST EDITION OF THE BOOK OF PF
“This book is for everyone who uses PF. Regardless of operating system and
skill level, this book will teach you something new and interesting.”
—BSD Magazine
“With Mr. Hansteen paying close attention to important topics like state
inspection, SPAM, black/grey listing, and many others, this must-have
reference for BSD users can go a long way to helping you fine tune the
who/what/where/when/how of access control on your BSD box.”

THE BOOK OF PF, 2ND EDITION. Copyright © 2011 by Peter N.M. Hansteen.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior
written permission of the copyright owner and the publisher.
14 13 12 11 10 1 2 3 4 5 6 7 8 9
ISBN-10: 1-59327-274-X
ISBN-13: 978-1-59327-274-6
Publisher: William Pollock
Production Editors: Ansel Staton and Serena Yang
Cover and Interior Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: Henning Brauer
Copyeditor: Marilyn Smith
Compositors: Riley Hoffman and Ansel Staton
Proofreader: Linda Seifert
Indexer: Valerie Haynes Perry
For information on book distributors or translations, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
38 Ringold Street, San Francisco, CA 94103
phone: 415.863.9900; fax: 415.863.9950; [email protected]; www.nostarch.com
The Library of Congress has cataloged the first edition as follows:
Hansteen, Peter N. M.
The book of PF : a no-nonsense guide to the OpenBSD firewall / Peter N.M. Hansteen.
p. cm.
Includes index.
ISBN-13: 978-1-59327-165-7
ISBN-10: 1-59327-165-4
1. OpenBSD (Electronic resource) 2. TCP/IP (Computer network protocol) 3. Firewalls (Computer security)
I. Title.
TK5105.585.H385 2008

Index 177
CONTENTS IN DETAIL
FOREWORD by Bob Beck (from the first edition) xiii
ACKNOWLEDGMENTS xv
INTRODUCTION xvii
This Is Not a HOWTO xviii
What This Book Covers xviii
1
BUILDING THE NETWORK YOU NEED 1
Your Network: High Performance, Low Maintenance, and Secure 1
Where the Packet Filter Fits In 3
The Rise of PF 3
If You Came from Elsewhere 5
Pointers for Linux Users 6
Frequently Answered Questions About PF 7
A Little Encouragement: A PF Haiku 9
2
PF CONFIGURATION BASICS 11
The First Step: Enabling PF 12
Setting Up PF on OpenBSD 12
Setting Up PF on FreeBSD 13
Setting Up PF on NetBSD 15
A Simple PF Rule Set: A Single, Stand-Alone Machine 16
A Minimal Rule Set 16
Testing the Rule Set 18
Slightly Stricter: Using Lists and Macros for Readability 18
A Stricter Baseline Rule Set 19
Reloading the Rule Set and Looking for Errors 20

Setting Up a Simple Wireless Network 44
An OpenBSD WPA Access Point 47
A FreeBSD WPA Access Point 48
The Access Point’s PF Rule Set 49
Access Points with Three or More Interfaces 50
Handling IPSec, VPN Solutions 50
The Client Side 51
Guarding Your Wireless Network with authpf 54
A Basic Authenticating Gateway 55
Wide Open but Actually Shut 57
5
BIGGER OR TRICKIER NETWORKS 59
A Web Server and Mail Server on the Inside—Routable Addresses 60
A Degree of Separation: Introducing the DMZ 63
Sharing the Load: Redirecting to a Pool of Addresses 65
Getting Load Balancing Right with relayd 66
A Web Server and Mail Server on the Inside—the NAT Version 71
DMZ with NAT 73
Redirection for Load Balancing 73
Back to the Single NATed Network 74
Filtering on Interface Groups 76
The Power of Tags 77
The Bridging Firewall 78
Basic Bridge Setup on OpenBSD 79
Basic Bridge Setup on FreeBSD 80
Basic Bridge Setup on NetBSD 81
The Bridge Rule Set 82
Handling Nonroutable Addresses from Elsewhere 83

Keeping States Synchronized: Adding pfsync 125
Putting Together a Rule Set 126
CARP for Load Balancing 128
8
LOGGING, MONITORING, AND STATISTICS 131
PF Logs: The Basics 132
Logging All Packets: log (all) 134
Logging to Several pflog Interfaces 135
Logging to Syslog, Local or Remote 135
Tracking Statistics for Each Rule with Labels 137
Additional Tools for PF Logs and Statistics 139
Keeping an Eye on Things with systat 139
Keeping an Eye on Things with pftop 141
Graphing Your Traffic with pfstat 141
Collecting NetFlow Data with pflow(4) 143
Collecting NetFlow Data with pfflowd 149
SNMP Tools and PF-Related SNMP MIBs 150
Log Data as the Basis for Effective Debugging 150
9
GETTING YOUR SETUP JUST RIGHT 151
Things You Can Tweak and What You Probably Should Leave Alone 151
Block Policy 152
Skip Interfaces 152
State Policy 153
State Defaults 153
Timeouts 154
Limits 155
Debug 156

in late 2001. While you’ll find out more about PF’s
history in this book, in a nutshell, PF happened
because it was needed by the developers and users of OpenBSD. Since the
original release, PF has evolved greatly and has become the most powerful
free tool available for firewalling, load balancing, and traffic managing.
When PF is combined with CARP and pfsync, PF lets system administrators not only protect their services from attack, but also makes those services more reliable by allowing for redundancy, and makes them faster by scaling them using pools of servers managed through PF and relayd.
While I have been involved with PF’s development, I am first and foremost
a large-scale user of PF. I use PF for security, to manage threats both internal
and external, and to help me run large pieces of critical infrastructure in a
redundant and scalable manner. This saves my employer (the University of
Alberta, where I wear the head sysadmin hat by day) money, both in terms
of downtime and in terms of hardware and software. You can use PF to do
the same.
With these features comes the necessary evil of complexity. For someone well versed in TCP/IP and OpenBSD, PF’s system documentation is quite extensive and usable all on its own. But in spite of extensive examples in the system documentation, it is never quite possible to put all the things you can do with PF and its related set of tools front and center without making the system documentation so large that it ceases to be useful for those experienced people who need to use it as a reference.
This book bridges the gap. If you are a relative newcomer, it can get you
up to speed on OpenBSD and PF. If you are a more experienced user, this
book can show you some examples of the more complex applications that

still apply to this book:
This manuscript is a slightly further developed version of a
manuscript prepared for a lecture which was announced as
(translated from Norwegian):
“This lecture is about firewalls and related functions, with
examples from real life with the OpenBSD project’s PF (Packet
Filter). PF offers firewalling, NAT, traffic control, and bandwidth
management in a single, flexible, and sysadmin-friendly system.
Peter hopes that the lecture will give you some ideas about how to control your network traffic the way you want—keeping some things outside your network, directing traffic to specified hosts or services, and of course, giving spammers a hard time.”
Some portions of content from the tutorial (and certainly all the really
useful topics) made it into this book in some form. During the process of
turning it into a useful book, a number of people have offered insights and
suggestions.
People who have offered significant and useful input regarding early
versions of this manuscript include Eystein Roll Aarseth, David Snyder, Peter
Postma, Henrik Kramshøj, Vegard Engen, Greg Lehey, Ian Darwin, Daniel
Hartmeier, Mark Uemura, Hallvor Engen, and probably a few who will
remain lost in my mail archive until I can grep them out of there.
I would like to thank the following organizations for their kind support:
the NUUG Foundation for a travel grant, which partly financed my AUUG
2005 appearance; the AUUG, UKUUG, SANE, BSDCan, and AsiaBSDCon
organizations for inviting me to their conferences; and the FreeBSD Foundation for sponsoring my trips to BSDCan 2006 and EuroBSDCon 2006.
Much like the first, the second edition was written mainly at night and on

and other ways to direct network traffic. I’ll assume that
you have a basic to intermediate command of TCP/IP
networking concepts and Unix administration.
All the information in this book comes with a fair warning: As in any
number of other endeavors, the solutions we discuss can be done in more than
one way. You should also be aware that the software world could have changed
slightly or quite a bit since the book was printed.
The information in the book is as up to date and correct as possible at
the time of writing, and refers to OpenBSD version 4.8, FreeBSD 8.1, and
NetBSD 5.0, with any patches available in late August 2010.
This Is Not a HOWTO
The book is a direct descendant of a moderately popular PF tutorial. The
tutorial is also the source of the following admonition, and you may be
exposed to this live if you attend one of my tutorial sessions:
This document is not intended as a precooked recipe for cutting
and pasting.
Just to hammer this in, please repeat after me:
The Pledge of the Network Admin
This is my network.
It is mine,
or technically, my employer's.
It is my responsibility,
and I care for it with all my heart.
There are many other networks a lot like mine,
but none are just like it.
I solemnly swear
that I will not mindlessly paste from HOWTOs.
The point is that while the configurations I show you do work (I have

on the one we build in this chapter.
• Chapter 3, “Into the Real World,” builds on the single-machine configuration in Chapter 2 and leads you through the basics of setting up a gateway that serves as a point of contact between separate networks. By the end of Chapter 3, you’ll have built a configuration that is fairly typical for a home or small office network, with some tricks up your sleeve to make network management easier. You’ll also get an early taste of how to handle services with odd requirements such as FTP, as well as some tips on how to make your network troubleshooting-friendly by catering to some of the frequently less understood Internet protocols and services.
• Chapter 4, “Wireless Networks Made Easy,” walks you through adding wireless networking to your setup. The wireless environment presents some security challenges, and by the end of this chapter, you may find yourself with a wireless network with access control and authentication via authpf. Some of the information is likely to be useful in wired environments, too.
• Chapter 5, “Bigger or Trickier Networks,” tackles the situation where you introduce servers and services that need to be accessible from outside your own network. By the end of this chapter, you may have a network with one or several separate subnets and DMZs, and you will have tried your hand at a couple of different load-balancing schemes via redirections and relayd in order to improve service quality for your users.
• Chapter 6, “Turning the Tables for Proactive Defense,” shows you some of the tools in the PF tool chest for dealing with attempts at undesirable activity, and how to use them productively. Here, we deal with brute-force password-guessing attempts and other network flooding, as well as the ever-favorite antispam tool spamd, the OpenBSD spam deferral

BUILDING THE NETWORK YOU NEED
PF, the OpenBSD Packet Filter subsystem, is
one of the finest tools available for taking
control of your network. Before diving into
the specifics of how to make your network the
fine-tuned machinery of your dreams, please read this
chapter. It introduces basic networking terminology
and concepts, provides some PF history, and gives
you an overview of what you can expect to find in
this book.
Your Network: High Performance, Low Maintenance, and Secure
If this heading accurately describes your network, you’re most likely reading
this for pure entertainment, and I hope you will enjoy the rest of the book.
If, on the other hand, you’re still learning how to build networks or you’re not quite confident of your skills yet, a short recap of basic network security concepts can be useful.
Information technology (IT) security is a large, complex, and sometimes confusing subject. Even if we limit ourselves to thinking only in terms of network security, there is a perception that we haven’t really narrowed down the field much or eliminated enough of the inherently confusing terminology. Matters became significantly worse some years ago when personal computers started joining the networked world, equipped with system software and applications that were clearly not designed for a networked environment.
The result was rather predictable. Even before the small computers
became networked, they had become home to malicious software such as
viruses (semiautonomous software that is able to “infect” other files in order

you will see in the following chapters, the network level offers a lot of fun and
excitement, in addition to the blocking or passing packets.
1. The famous worms before the Windows era were the IBM Christmas Tree EXEC worm (1987) and the first Internet worm, the Morris worm (1988), both within easy reach of your favorite search engine. The Windows era of networked worms is considered to have started with the ILOVEYOU worm in May 2000.
2. Several presentations on OpenBSD’s approach to security can be found via http://www.openbsd.org/papers/. Some of my favorites are Theo de Raadt’s “Exploit Mitigation Techniques,” Damien Miller’s “Security Measures in OpenSSH,” and “Puffy at Work—Getting Code Right and Secure, the OpenBSD Way,” by Henning Brauer and Sven Dehmlow.
Where the Packet Filter Fits In
The packet filter’s main function is, as the name suggests, to filter network packets by matching the properties of individual packets and the network connections built from those packets against the filtering criteria defined in its configuration files. The packet filter is responsible for deciding what to do with those packets. That could mean passing them through or rejecting them, or triggering events that other parts of the operating system or external applications are set up to handle.
PF lets you write custom filtering criteria to control network traffic based
on essentially any packet or connection property, including address family,
source and destination address, interface, protocol, port, and direction. Based
on these criteria, the packet filter performs the action you specify. One of the
simplest and most common actions is to block traffic.
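To make the list of criteria concrete, here is a small pf.conf written for this edit as an added example; it is not a rule set from the book or from the OpenBSD project, and the interface name em0 and the 192.0.2.0/24 address block are assumptions chosen for illustration. Each rule exercises one or more of the properties named above (address family, source and destination, interface, protocol, port, direction), and the default action is the blocking one the paragraph describes.

```pf
# Added example, not from the book. Interface name and address block are
# assumptions; 192.0.2.0/24 is a documentation (TEST-NET-1) range.
ext_if = "em0"                  # assumed external interface
admin_net = "192.0.2.0/24"      # constructed: where administrators connect from

set skip on lo                  # loopback traffic is never filtered

# Direction + action: the default is to block in both directions.
# 'log' sends the dropped packets to pflog0 so you can see what was refused.
block log all

# Address family + interface + protocol + source + destination + port:
# only IPv4 TCP from the admin block may reach SSH on the external address.
pass in on $ext_if inet proto tcp from $admin_net to ($ext_if) port 22

# Same criteria with a port list: web service to this host from anywhere.
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 80 443 }

# Direction out: the host itself may initiate connections. PF keeps state
# by default, so the replies come back without a matching 'pass in' rule.
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any

# Address family inet6: neighbor discovery needs ICMPv6; all other IPv6
# traffic still falls under the default block until rules are added for it.
pass in on $ext_if inet6 proto icmp6 all
```

Before loading a rule set like this, `pfctl -nf /etc/pf.conf` parses it and reports syntax errors without touching the running rules; the order matters, since the last matching rule wins unless a rule carries `quick`, which is why the `block log all` default comes first and the more specific `pass` rules follow it.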
A packet filter can keep unwanted traffic out of your network. It can also
help contain network traffic inside your own network. Both those functions
are important to the firewall concept, but blocking is far from the only useful
or interesting feature of a functional packet filter. As you will see in this book,
you can use filtering criteria to direct certain kinds of network traffic to spe-
