PF (firewall)

Pf, an abbreviation of packet filter, is firewall software that was originally written for the OpenBSD operating system.

Besides its function as a packet filter, pf also works as NAT software, that is, it translates the addresses of a private network towards the Internet, and it can regulate the data rates of the filtered or translated network traffic (see QoS). Furthermore, pf offers filtering based on the sending host's operating system, advanced packet handling (reassembly of fragmented packets) and an authentication mode called authpf.


Pf arose when the OpenBSD project removed the packet filter IPFilter, which it had shipped until then, because of licensing problems and needed a replacement. It was started by Daniel Hartmeier in June 2001 and has been part of OpenBSD since OpenBSD 3.0 (released on 1 December 2001). pf has since been ported to FreeBSD, NetBSD, DragonFly BSD and Mac OS X.


PF can be configured easily with rules that roughly follow the syntax below (compare iptables). Round brackets ( ... | ... ) denote required elements, square brackets [ ... | ... ] optional ones:

    ( pass | block [ drop | return | return-icmp | return-icmp6 | return-rst ] | match ) [ in | out ] [ log ] [ quick ] [ on <interface> ] [ on rdomain <number> ] [ inet | inet6 ] [ proto ( tcp | udp | icmp | icmp6 ) ] ( [ from <source> [ port <port> ] [ os <os> ] ] [ to <destination> [ port <port> ] ] | all ) [ flags <a>/<b> ] [ icmp-type <code> | icmp6-type <code> ] [ probability <number> ] [ user <user> ] [ nat-to <address> | rdr-to <address> ]

The following rules block all packets from hosts that are not allowed to deliver mail (blocked_hosts) and permit them from everyone else (the addresses of the list are missing from the page):

    blocked_hosts = { <host-1>, <host-2>, <network>/8 }
    pass in on em0 inet proto tcp from any to self port { 25, 587 }
    block in on em0 inet proto tcp from $blocked_hosts to self port { 25, 587 }

Here em0 is the network interface on which the filtering takes place, in the inbound direction (in); inet restricts the rule to IPv4 packets and proto tcp to TCP packets; the symbolic constant any matches all hosts (IP notation 0.0.0.0), and self stands for the IP addresses of the firewall's own interfaces.

A special feature of PF is that the last matching rule always wins. The most general rules are therefore placed at the top and the most specific ones at the bottom (blacklisting). Whitelisting is achieved by putting a blocking rule at the beginning, followed by the permitting rules.

Reversing the order of the two rules above would therefore let all mail through, because the blocked hosts rejected by the first rule would be allowed again by the second, later-matching rule.
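To make the last-match behaviour concrete, here is a small simulator of pf's rule evaluation, added for this article and not part of pf itself. It models only what the text discusses (pass/block, direction, interface, protocol, source networks, destination ports, `quick`) and runs the mail rules from above in both orders, plus a `quick` variant and a whitelist; the blocked-host list and the packets are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str        # "pass" or "block"
    direction: str     # "in" or "out"
    iface: str         # interface the rule is bound to ("on em0")
    proto: str         # "tcp", "udp", ...
    src: list = field(default_factory=list)   # source networks; empty = "from any"
    dports: set = field(default_factory=set)  # destination ports; empty = any port
    quick: bool = False                       # stop evaluating further rules on a match

    def matches(self, pkt):
        if (self.direction, self.iface, self.proto) != (pkt["dir"], pkt["iface"], pkt["proto"]):
            return False
        if self.src and not any(ip_address(pkt["src"]) in net for net in self.src):
            return False
        return not self.dports or pkt["dport"] in self.dports

def evaluate(rules, pkt, default="pass"):
    # pf semantics: the LAST matching rule decides, unless a matching rule
    # carries `quick`, which ends evaluation at once. pf's own default is pass.
    verdict = default
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Constructed sample data (documentation/private ranges, not real hosts).
BLOCKED = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]
MAIL = {25, 587}
PACKETS = [
    {"dir": "in", "iface": "em0", "proto": "tcp", "src": "203.0.113.7", "dport": 25},    # blocked host, SMTP
    {"dir": "in", "iface": "em0", "proto": "tcp", "src": "198.51.100.9", "dport": 587},  # other host, submission
    {"dir": "in", "iface": "em0", "proto": "tcp", "src": "198.51.100.9", "dport": 22},   # other host, not mail
]
PASS_MAIL = Rule("pass", "in", "em0", "tcp", dports=MAIL)
BLOCK_BAD = Rule("block", "in", "em0", "tcp", src=BLOCKED, dports=MAIL)
RULESETS = {
    "blacklist": [PASS_MAIL, BLOCK_BAD],   # article's order: general first, specific last
    "reversed": [BLOCK_BAD, PASS_MAIL],    # the order the article warns about
    "reversed_quick": [Rule("block", "in", "em0", "tcp", src=BLOCKED, dports=MAIL, quick=True), PASS_MAIL],
    "whitelist": [Rule("block", "in", "em0", "tcp"), PASS_MAIL],  # catch-all block, then permits
}

def verdicts(name):
    # Verdict for each sample packet under the named ruleset, in PACKETS order.
    return [evaluate(RULESETS[name], pkt) for pkt in PACKETS]
```

`verdicts("blacklist")` yields block/pass/pass while `verdicts("reversed")` passes everything; adding `quick` to the block rule restores the block even in the reversed order, and the whitelist blocks the port-22 packet that neither mail ruleset touched.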

The next example shows a typical NAT setup, as it might run on a router (the value of the internal network is missing from the page):

    ext_schnittstelle = em0
    intern_netz = <internal network>
    match out on $ext_schnittstelle inet from $intern_netz to any nat-to $ext_schnittstelle

A match rule applies to the packets it matches but does not decide whether they pass or are blocked. All IPv4 packets (inet) that leave the firewall on the interface $ext_schnittstelle and originate from its own (internal) network $intern_netz are given the address of $ext_schnittstelle as their source address. No further rules are required for the NAT itself to work.

PF can also act as a TCP proxy: it completes the handshake of incoming TCP connections itself and only then passes them on to the application. This protects against SYN floods.