PF sample configuration

To set up PF you first need to enable it and tell the rc system where the rule file resides. Do this by adding the following lines to /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"

Next, define the rule set in /etc/pf.conf. The example below allows all outgoing traffic, blocks all incoming traffic except TCP ports 22, 80 and 443 (SSH, HTTP and HTTPS) on the public interface, and additionally allows incoming ICMP echo requests and destination-unreachable messages.

# PF Rules Example
## definitions
## make sure to set these for your environment
public_int = "em0"                      # public interface
tcp_svcs = "{ 22 80 443 }"              # tcp service ports
icmp_types = "{ echoreq, unreach }"     # icmp types

## ignore loopback interface
set skip on lo

## restrict incoming traffic / unrestrict outgoing traffic
block in all
pass out all

## allow tcp ports specified by $tcp_svcs
pass in quick on $public_int proto tcp from any to any port $tcp_svcs

## allow icmp request types specified by $icmp_types
pass in inet proto icmp all icmp-type $icmp_types

PF will start automatically on the next reboot. To load it now, without rebooting, run:

/etc/rc.d/pf restart

Two caveats before you do. First, block in all drops everything the pass rules do not explicitly allow, so loading a mistyped ruleset over SSH can lock you out of the machine. Second, the ICMP rule is inet (IPv4) only; on a host with IPv6 addresses, inbound ICMPv6 such as neighbour discovery is caught by block in all unless you add a matching inet6 proto icmp6 rule.

To verify that the rule set has been loaded, run:

pfctl -s rules

which should print something similar to:

block drop in all
pass out all flags S/SA keep state
pass in quick on em0 proto tcp from any to any port = ssh flags S/SA keep state
pass in quick on em0 proto tcp from any to any port = http flags S/SA keep state
pass in quick on em0 proto tcp from any to any port = https flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in inet proto icmp all icmp-type unreach keep state
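The following shell script is an added example and is not part of the original page. It automates the load-and-verify steps and adds the check most people want before touching a firewall over SSH: in audit mode it reads the output of pfctl -s rules (falling back to a constructed copy of the output shown above when pfctl is not available, so it can be exercised off-box), confirms the default inbound deny is present, confirms that ssh, http and https are each passed inbound on the public interface, and flags any other inbound TCP pass rule; in reload mode it parse-checks /etc/pf.conf with pfctl -n before loading and arms a guard that disables PF after 60 seconds unless you confirm you are still connected. The script name pfcheck.sh, the PF_CONF and PUBLIC_INT variables and the 60-second window are assumptions of this example.

```shell
#!/bin/sh
# pfcheck.sh (added example, not from the original page): audit the loaded PF
# ruleset against the sample policy above, or reload /etc/pf.conf safely.
# Assumed knobs: PF_CONF, PUBLIC_INT and the GUARD_SECONDS lockout guard.
set -u

PF_CONF=${PF_CONF:-/etc/pf.conf}
PUBLIC_INT=${PUBLIC_INT:-em0}
GUARD_SECONDS=60

# Constructed copy of the `pfctl -s rules` output from the page, used only when
# pfctl is not available (e.g. exercising this script on a non-BSD box).
SAMPLE_RULES='block drop in all
pass out all flags S/SA keep state
pass in quick on em0 proto tcp from any to any port = ssh flags S/SA keep state
pass in quick on em0 proto tcp from any to any port = http flags S/SA keep state
pass in quick on em0 proto tcp from any to any port = https flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in inet proto icmp all icmp-type unreach keep state'

# current_rules: print the active ruleset, or the constructed sample off-box.
current_rules() {
    if command -v pfctl >/dev/null 2>&1 && pfctl -s rules 2>/dev/null; then
        return 0
    fi
    echo "pfctl unavailable, using constructed sample ruleset" >&2
    printf '%s\n' "$SAMPLE_RULES"
}

# default_deny RULES: true if inbound traffic is dropped unless explicitly passed.
default_deny() {
    printf '%s\n' "$1" | grep -q '^block drop in all$'
}

# service_allowed RULES IFACE SVC: true if SVC is passed inbound on IFACE over
# TCP by a stateful rule (pfctl prints well-known ports as service names).
service_allowed() {
    printf '%s\n' "$1" | grep -q "^pass in quick on $2 proto tcp from any to any port = $3 "
}

# audit_ruleset RULES IFACE: report each check; return the number of failures.
audit_ruleset() {
    rules=$1; iface=$2; failures=0
    if default_deny "$rules"; then
        echo "ok: default inbound deny present"
    else
        echo "FAIL: no 'block drop in all' rule"; failures=$((failures + 1))
    fi
    for svc in ssh http https; do
        if service_allowed "$rules" "$iface" "$svc"; then
            echo "ok: $svc passed inbound on $iface"
        else
            echo "FAIL: $svc not passed inbound on $iface"; failures=$((failures + 1))
        fi
    done
    # Any other inbound TCP pass rule widens the policy the page describes.
    extra=$(printf '%s\n' "$rules" | grep '^pass in' | grep 'proto tcp' \
            | grep -v -E 'port = (ssh|http|https) ' || true)
    if [ -n "$extra" ]; then
        echo "FAIL: unexpected inbound TCP rule(s):"; echo "$extra"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# safe_reload: parse-check first (pfctl -n loads nothing), then load with a
# guard that disables PF after GUARD_SECONDS unless you confirm, so a bad
# ruleset applied over SSH cannot lock you out for good.
safe_reload() {
    pfctl -nf "$PF_CONF" || { echo "syntax error in $PF_CONF, nothing loaded" >&2; return 1; }
    ( sleep "$GUARD_SECONDS"; pfctl -d ) &
    guard=$!
    pfctl -f "$PF_CONF" || { kill "$guard"; return 1; }
    printf 'rules loaded; press Enter within %ss to keep them: ' "$GUARD_SECONDS"
    read -r _ && kill "$guard" 2>/dev/null
}

case "${1:-audit}" in
    audit)  audit_ruleset "$(current_rules)" "$PUBLIC_INT" ;;
    reload) safe_reload ;;
    *)      echo "usage: $0 [audit|reload]" >&2; exit 2 ;;
esac
```

Run sh pfcheck.sh on the host after loading to confirm the policy, and sh pfcheck.sh reload when you change /etc/pf.conf. If the reload cuts your session, the guard runs pfctl -d after the timeout and you can reconnect and fix the file; if you are still connected, pressing Enter kills the guard and the rules stay in place.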
