Simple pf configuration

pf (packet filter) is the firewall from OpenBSD.

the following is the default pf.conf as of release 6.2

#       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

it's simple, and self expanatory, but what I want is something like what I did in my simple nftables configuration article.

first thing we'll do is to add a shebang.

#!/sbin/pfctl -f

we'll also have to mark the file as executable.

chmod 700 /etc/pf.conf

having added this as the first line of the config, we'll be able to reload the pf configuration by executing /etc/pf.conf as root.

as for the rest of the config, we'll add a variable holding all of the tcp ports we want to let through.

tcp_services="{ ssh, 443 }"

you can specify the service name (check /etc/services), or port number. to use this variable;

pass in on egress inet proto tcp from any to any port $tcp_services

this rule will let in any tcp traffic on the ports defined in the tcp_services macro on the egress interface. the egress interface is naturally the device from which data egresses, or "leaves".

we're also gonna add a table that's going to be contained in /etc/blacklist. all traffic from the hosts in the blacklist table will be immediately rejected.

to add a host;

echo >>/etc/blacklist
you'll have to reload pf.conf every time you apply a modification in blacklist.

as for the full configuration

#!/sbin/pfctl -f

tcp_services="{ ssh, 443 }"

# don't filter local interface
set skip on lo

# block everything in our blacklist
table <blacklist> persist file "/etc/blacklist"
block drop in quick from <blacklist> to any

# block all incoming traffic
block in

# allow ping
pass on egress inet proto icmp all icmp-type 8 code 0

# accept outgoing traffic
pass out inet
pass  in on egress inet proto tcp from any to any port $tcp_services

to check our config file for any syntax errors, we can run pfctl -nf /etc/pf.conf to read it without loading.

it's a good idea to /etc/pf.conf ; sleep 30 && pfctl -d in case you did something to block yourself out. -d disables pf, use -e to enable it again.

to load the configuration we run /etc/pf.conf as root.

see also; pf.conf(5), simple nftables configuration