OpenBSD pf ported to FreeBSD 5.x

Installation and test guide

For the first stable release, 1.0, there is a port that installs everything. Get it from the FreeBSD ports tree (security/pf).

  1. Preparation
    1. Build and install a custom kernel with "device bpf" and "options PFIL_HOOKS" enabled. Keep "options INET6", as pf_freebsd won't (yet) work without it. For version 0.4, based upon the upcoming OpenBSD 3.3, you will need "options RANDOM_IP_ID" as well.
      If you don't want RANDOM_IP_ID in your kernel, you can build with "make WITH_RANDOM_ID=1" to link the random_id code into the module.
      See http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/kernelconfig.html in the FreeBSD FAQ for further information on this.
    2. Boot your new kernel and make sure that you don't use ipfw (i.e. "ipfw show" should tell you something like "ipfw: getsockopt(IP_FW_GET): Protocol not available") or ipfilter.
  2. Get the pf_freebsd tarball and run "make" in it to build everything. Do not "make install" without testing!
  3. Copy the kernel modules and tool binaries to a test directory and test:
    1. If you untarred to ~/pf_freebsd_0.4 and want ~/test_pf as your test directory:
      $ cp ~/pf_freebsd_0.4/pf/pf.ko ~/test_pf/
      $ cp ~/pf_freebsd_0.4/pflog/pflog.ko ~/test_pf/
      $ cp ~/pf_freebsd_0.4/pfsync/pfsync.ko ~/test_pf/
      $ cp ~/pf_freebsd_0.4/pflogd/pflogd ~/test_pf/
      $ cp ~/pf_freebsd_0.4/pfctl/pfctl ~/test_pf/
    2. Load the kernel modules:
      $ kldload ~/test_pf/pflog.ko
      $ ifconfig pflog0 up
      $ kldload ~/test_pf/pfsync.ko
      $ ifconfig pfsync0 up
      $ ~/test_pf/pflogd
      $ kldload ~/test_pf/pf.ko
      Note: After loading pflog.ko you may see a message like:
      in6_ifattach: pflog0 is not multicast capable, IPv6 not enabled
      on your console. This is okay and will not cause any trouble.
    3. Load a basic ruleset and enable pf:
      $ ~/test_pf/pfctl -e -f <your_ruleset>
  4. You can now adjust the ruleset to fit your needs. See the pf.conf and pfctl man pages which come with the tarball. You may find it useful to look at the output of "~/pf_freebsd_0.4/tcpdump/tcpdump -n -e -ttt -i pflog0" to see which packets are blocked. Note that the tcpdump that comes with FreeBSD does not understand pflog0 data, so you have to use the modified version from the tarball.
  5. Send a report about everything to us. Patches, questions and error or success reports are very much welcome!
  6. If you really want to install, you can use "make PREFIX=/usr/local install". This will install all tools to /usr/local/sbin.
    The server programs authpf, ftp-proxy and spamd are installed to $PREFIX/libexec, or /usr/libexec if PREFIX is empty! authpf will be installed setgid!
    make install will install a pflog-enabled version of tcpdump as $PREFIX/sbin/pftcpdump.
  7. If you have to unload pf (for whatever reason) use:
    $ kldunload pf
    $ killall pflogd
    $ ifconfig pfsync0 down
    $ ifconfig pflog0 down
    $ kldunload pfsync
    $ kldunload pflog
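
A minimal ruleset for the first test load in step 3.3, as an added example that is not part of the original guide or the pf_freebsd tarball. The interface name fxp0 and the SSH port 22 are assumptions; the syntax follows the OpenBSD 3.3 pf.conf that version 0.4 is based on.

```conf
# Example pf.conf for a first test of the freshly built modules.
# Assumptions (not from the guide): external interface fxp0, remote
# administration over SSH on port 22.
ext_if = "fxp0"

# Normalize and reassemble incoming packets before filtering.
scrub in all

# Default deny for inbound traffic. "log" copies each blocked packet to
# pflog0, where pflogd and the pflog-aware tcpdump from the tarball see it.
block in log all

# Loopback traffic is never filtered.
pass quick on lo0 all

# Allow new inbound SSH connections so the machine stays reachable for
# remote administration while the ruleset is being tested.
pass in on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state

# Allow everything outbound; the state entries let the replies back in.
pass out on $ext_if all keep state
```

Parse the file with "~/test_pf/pfctl -n -f <file>" before loading it with -e. With this ruleset every dropped inbound packet appears in the pflog0 tcpdump output described in step 4.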
    
