NetBSD Packet Filter information
The OpenBSD Packet Filter has been integrated in NetBSD since July 2004 and the first supporting release is NetBSD 3.0. Usage of PF is NetBSD basically the same as in OpenBSD, but there are a few differences. This page tries to explain such differences and provides additional information about the port and integration of PF in NetBSD.
Information
Links
Information
Availability (top)
NetBSD -current includes PF from OpenBSD 3.7 with patches from the 3.7 branch.
NetBSD 3.0 is the first release with official support for PF. It includes PF from OpenBSD 3.6 with patches from the 3.6 branch.
NetBSD 2.x does not have support for PF in the base system, but there's a LKM available in pkgsrc (security/pflkm) that provides support for PF. See the PF loadable kernel module for NetBSD 2 page for more information.
NetBSD 1.6 or older does not have support for PF.
Kernel options (top)
To use PF, you don't need to compile your own kernel, you can use the LKM
/usr/lkm/pf.o. Use modload(8) to load the LKM:
# modload /usr/lkm/pf.o |
But if you prefer to use PF in the kernel, then you need least the following option enabled:
options PFIL_HOOKS # pfil(9) packet filter hooks |
This option should be enabled in the GENERIC kernel by default. To enable PF in the kernel, the following pseudo-devices should be added to the kernel configuration:
pseudo-device pf # PF packet filter pseudo-device pflog # PF log interface |
If you're not interested in logging packets with PF, then you might want to leave out the pflog device.
You need to recompile and install the kernel for the settings to take effect.
Enabling PF (top)
To enable PF at boot-time, set pf=YES in
/etc/rc.conf.
Please note that the boot procedure will be aborted if the PF configuration
file doesn't exist
(see also Configuration).
To start, stop, restart or reload PF manually, you can use the rc.d script
/etc/rc.d/pf.
To enable pflogd(8) (the pf logging daemon) at boot-time,
set pflogd=YES in /etc/rc.conf.
To start, stop or restart pflogd(8) manually, you can use the rc.d
script /etc/rc.d/pflogd.
To load the LKM at boot-time, you need to set lkm=YES
in /etc/rc.conf and add the following line to
/etc/lkm.conf:
/usr/lkm/pf.o - - - - BEFORENET |
If /usr is on another partition from the root partition, you'll also need to
add the following to /etc/rc.conf:
critical_filesystems_local="${critical_filesystems_local} /usr"
|
Configuration (top)
The default configuration file is /etc/pf.conf.
This can be changed by setting the variable pf_rules
in /etc/rc.conf.
The initial configuration file is
/etc/defaults/pf.boot.conf. This configuration is only
used during the network configuration to protect the machine from
possible attacks. You can override the default initial configuration by
creating a file named /etc/pf.boot.conf, but that
should not be needed in most setups.
Please see pf.boot.conf(5) for more information about this file.
The syntax of both configuration files are described in the manual page pf.conf(5).
PF in bridge setup (top)
PF in bridging mode is supported, but you need to compile a new kernel to enable packet filtering on a bridge. The following line should be added to the kernel configuration:
options BRIDGE_IPF # bridge uses IP/IPv6 pfil hooks too |
Configure the bridge as described in the NetBSD Guide. Then use the brconfig(8) command to enable packet filtering on the bridge:
# brconfig bridgeN ipf |
The "ipf" option also applies to PF, because this option actually enables the pfil(9) interface. PF should now be able to filter packets on the interfaces configured as the bridge. Note that it's only needed to filter on one interface because the same data goes through both interfaces.
Differences with OpenBSD (top)
There are a few differences in PF for NetBSD when compared to OpenBSD. Most of them are missing features.
- pfsync(4) is not supported (due to protocol # assignment issues). This will hopefully be solved in a future release.
- ALTQ is not supported. Enabling it in the kernel will result in compile errors. You can only use ALTQ by using PF as LKM and having ALTQ enabled in the kernel. There's ongoing work to make a decent ALTQ API and change PF to use that API.
- carp(4) is not supported (not really part of pf).
- The 'group' keyword does nothing, because NetBSD doesn't keep the GID in the uidinfo structure. This issue will probably be solved in a future release.
- Filtering on route labels is not working, NetBSD doesn't have labels for routes. It is unknown whether this will be supported in a future release or not.
- The initial configuration file pf.boot.conf(5) is a NetBSD specific file. OpenBSD loads the initial configuration for PF from /etc/rc which is a bit clumsy in case you need to change it. For this reason has NetBSD added a new file for the initial PF configuration.
- spamd was orginally imported into NetBSD, but it was removed before 3.0 was released. It is not considered to be part of PF and has been made available via pkgsrc (mail/spamd).
Links
Miscellaneous links (top)
Manual pages (top)
- pf(4) - packet filter
- pflog(4) - packet filter logging interface
- pf.boot.conf(5) - initial configuration for packet filter
- pf.conf(5) - packet filter configuration file
- pf.os(5) - format of the operating system fingerprints file
- authpf(8) - authenticating gateway user shell
- ftp-proxy(8) - Internet File Transfer Protocol proxy server
- pfctl(8) - control the packet filter (PF) and network address translation (NAT) device
- pflogd(8) - packet filter logging daemon
Back to Networking documentation (contact us) Generated from %NetBSD: pf.xml,v 1.3 2006/02/14 17:02:54 peter Exp %
![[NetBSD flag]](/images/NetBSD-flag.png)
Copyright © 1994-2006 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
NetBSD® is a registered trademark of The NetBSD Foundation, Inc.