OpenBSD pf ported to FreeBSD 5.x
Installation and test guide
For the first stable release, 1.0, there is a port which installs everything.
Get it from the FreeBSD ports tree (security/pf).
- Preparation
- Build and install a custom kernel with "device bpf" and "options PFIL_HOOKS"
enabled. Keep "options INET6", as pf_freebsd won't (yet) work without it.
For version 0.4, which is based on the upcoming OpenBSD 3.3, you will
need "options RANDOM_IP_ID" as well.
If you don't want RANDOM_IP_ID in your kernel, you can build with "make
WITH_RANDOM_ID=1" to link the random-ID code into the module instead.
See http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/kernelconfig.html
from the FreeBSD FAQ for further information on building a kernel.
- Boot your new kernel and make sure that you are not using ipfw
(i.e. "ipfw show" should tell you something like "ipfw: getsockopt(IP_FW_GET):
Protocol not available") or ipfilter.
- Get the pf_freebsd tarball, unpack it and make everything in there. Do not
"make install" without testing!
- Copy the kernel modules and tool binaries to a test directory and test:
- If you untarred to ~/pf_freebsd_0.4 and want ~/test_pf as your test
directory:
$ cp ~/pf_freebsd_0.4/pf/pf.ko ~/test_pf/
$ cp ~/pf_freebsd_0.4/pflog/pflog.ko ~/test_pf/
$ cp ~/pf_freebsd_0.4/pfsync/pfsync.ko ~/test_pf/
$ cp ~/pf_freebsd_0.4/pflogd/pflogd ~/test_pf/
$ cp ~/pf_freebsd_0.4/pfctl/pfctl ~/test_pf/
- Load the kernel modules (this needs root):
$ kldload ~/test_pf/pflog.ko
$ ifconfig pflog0 up
$ kldload ~/test_pf/pfsync.ko
$ ifconfig pfsync0 up
$ ~/test_pf/pflogd
$ kldload ~/test_pf/pf.ko
Note:
After loading pflog.ko you may see a message like:
in6_ifattach: pflog0 is not multicast capable, IPv6 not enabled
on your console. This is okay and will not cause any trouble.
- Load a basic ruleset and enable pf:
$ ~/test_pf/pfctl -e -f <your_ruleset>
- You can now adjust the ruleset to fit your needs. See the pf.conf and pfctl
man pages which come with the tarball. You may find it useful to look at the
output of "~/pf_freebsd_0.4/tcpdump/tcpdump -n -e -ttt -i pflog0" to see
which packets are blocked. Note that the tcpdump that comes with FreeBSD does
not understand pflog0 data, hence you have to use the modified version from
the tarball.
- Send a report about everything to us. Patches, questions and error or
success reports are very welcome!
- If you really want to install, use "make PREFIX=/usr/local install". This
installs all tools to /usr/local/sbin.
The server programs authpf, ftp-proxy and spamd are installed to
$PREFIX/libexec, or /usr/libexec if PREFIX is empty! authpf is installed
setuid root!
make install also installs a pflog-enabled version of tcpdump as
$PREFIX/sbin/pftcpdump.
- If you have to unload pf (for whatever reason) use:
$ kldunload pf
$ killall pflogd
$ ifconfig pfsync0 down
$ ifconfig pflog0 down
$ kldunload pfsync
$ kldunload pflog
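The whole test procedure above, from the ipfw check to the teardown, as one script. This is an added example and is not part of the pf_freebsd tarball or the port. It assumes the staged modules and binaries live in $TESTDIR (default ~/test_pf) and, if no ruleset exists yet, writes a constructed minimal one to $TESTDIR/pf.conf. Two things are added over the page's plain command sequence: the ruleset is parse-checked with "pfctl -nf" before pf is enabled, and the constructed ruleset passes ssh in, so enabling a default-deny ruleset on a box you reach over the network does not lock you out. Loading and unloading require root.

```shell
#!/bin/sh
# Added example, not part of pf_freebsd: runs the test procedure from this
# page in order. Assumptions: staged files are in $TESTDIR (default ~/test_pf),
# the test ruleset is $RULESET (default $TESTDIR/pf.conf). Run as root.
set -eu

TESTDIR="${TESTDIR:-${HOME:-/root}/test_pf}"
RULESET="${RULESET:-$TESTDIR/pf.conf}"

# The page's own check: "ipfw show" must fail (Protocol not available).
# Returns 0 when ipfw is not active (also when the ipfw tool is absent).
check_ipfw_absent() {
    if ipfw show >/dev/null 2>&1; then
        echo "ipfw is active; unload it before testing pf" >&2
        return 1
    fi
    return 0
}

# Write a constructed, minimal default-deny test ruleset. Blocked packets
# are logged to pflog0 so they show up in "tcpdump -n -e -ttt -i pflog0".
# The ssh rule comes last: without "quick" the last matching rule wins, so
# it overrides the block rule and keeps a remote login open.
write_ruleset() {
    cat > "$1" <<'EOF'
# constructed test ruleset for pf_freebsd (example, not from the tarball)
block in log all
pass out keep state
pass in proto tcp from any to any port 22 keep state
EOF
}

# Steps from the page, in order: pflog, pfsync, pflogd, then pf itself.
load_pf() {
    check_ipfw_absent
    kldload "$TESTDIR/pflog.ko"
    ifconfig pflog0 up
    kldload "$TESTDIR/pfsync.ko"
    ifconfig pfsync0 up
    "$TESTDIR/pflogd"
    kldload "$TESTDIR/pf.ko"
    [ -f "$RULESET" ] || write_ruleset "$RULESET"
    # -n only parses the ruleset; a syntax error aborts here, before -e
    "$TESTDIR/pfctl" -nf "$RULESET"
    "$TESTDIR/pfctl" -e -f "$RULESET"
    "$TESTDIR/pfctl" -s info
    "$TESTDIR/pfctl" -s rules
}

# Teardown in the order the page gives: pf first, modules last.
unload_pf() {
    kldunload pf
    killall pflogd
    ifconfig pfsync0 down
    ifconfig pflog0 down
    kldunload pfsync
    kldunload pflog
}

case "${1:-}" in
    load)   load_pf ;;
    unload) unload_pf ;;
    *)      echo "usage: $0 load|unload   (run as root)" ;;
esac
```

Run it as "sh pf_test.sh load" after staging the files, check "pfctl -s info" reports pf as enabled, and use "sh pf_test.sh unload" to get back to a clean kernel. If you keep a ruleset of your own at $TESTDIR/pf.conf, the script leaves it alone and only parse-checks it.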