PF Firewall Configuration

Configure the PF packet filter firewall on FreeBSD for secure network traffic management

PF (Packet Filter) is the default firewall on FreeBSD, known for its clean syntax and powerful features.

Enabling PF

Add to /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

Basic Configuration

Create /etc/pf.conf:

# Macros
ext_if = "vtnet0"
tcp_services = "{ ssh, http, https }"

# Options
set block-policy drop
set skip on lo0

# Normalisation
scrub in all

# Default deny
block all

# Allow outbound
pass out quick on $ext_if

# Allow inbound services
pass in on $ext_if proto tcp to port $tcp_services

# Allow ICMP ping
pass in inet proto icmp icmp-type echoreq

Useful Commands

# Load rules
pfctl -f /etc/pf.conf

# Check syntax
pfctl -nf /etc/pf.conf

# Show current rules
pfctl -sr

# Show state table
pfctl -ss

# View logs (only rules carrying the log keyword write to pflog0)
tcpdump -n -e -ttt -i pflog0

Rate Limiting

Protect against brute-force attacks by limiting each source address to 5 simultaneous connections and 3 new connections per 60 seconds. Because PF applies the last matching rule, place this after the general pass in rule for $tcp_services so it takes precedence for SSH:

# Limit SSH connections
pass in on $ext_if proto tcp to port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/60)
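As an added detection example (not part of this page or of FreeBSD's own tooling), the following Python script parses the output of the tcpdump pflog0 command above and reports source addresses whose blocked SYNs exceed the same 3-per-60-seconds threshold used by the rate-limiting rule. It assumes the block rule is written `block log all` so blocked packets reach pflog0; the sample lines are constructed, and the header format (`rule N/0(match):`) is the FreeBSD tcpdump form.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (not a real capture):
# -ttt prints the delta since the previous packet, -e the pflog header (rule, action, interface).
SAMPLE_PFLOG = """\
00:00:00.000000 rule 0/0(match): block in on vtnet0: 203.0.113.5.40001 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
00:00:10.000000 rule 0/0(match): block in on vtnet0: 203.0.113.5.40002 > 198.51.100.10.22: Flags [S], seq 2, win 65535, length 0
00:00:15.000000 rule 0/0(match): block in on vtnet0: 203.0.113.5.40003 > 198.51.100.10.22: Flags [S], seq 3, win 65535, length 0
00:00:05.000000 rule 0/0(match): block in on vtnet0: 203.0.113.5.40004 > 198.51.100.10.22: Flags [S], seq 4, win 65535, length 0
00:00:05.000000 rule 0/0(match): block in on vtnet0: 198.51.100.77.51000 > 198.51.100.10.22: Flags [S], seq 5, win 65535, length 0
00:01:30.000000 rule 0/0(match): block in on vtnet0: 198.51.100.77.51001 > 198.51.100.10.22: Flags [S], seq 6, win 65535, length 0
00:00:00.500000 rule 3/0(match): pass in on vtnet0: 192.0.2.9.33000 > 198.51.100.10.443: Flags [S], seq 7, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<delta>\d+:\d+:\d+\.\d+) rule \d+/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on \w+: (?P<src>[\d.]+)\.\d+ > [\d.]+\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_pflog(text):
    """Parse IPv4 TCP pflog lines; 't' is seconds since the first packet, rebuilt from -ttt deltas."""
    records, clock = [], 0.0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                                   # anything else (IPv6, ICMP, noise) is skipped
            rec = m.groupdict()
            h, mi, s = rec["delta"].split(":")  # -ttt delta is HH:MM:SS.ffffff
            clock += int(h) * 3600 + int(mi) * 60 + float(s)
            rec["t"], rec["dport"] = clock, int(rec["dport"])
            records.append(rec)
    return records

def sources_over_rate(records, dport=22, limit=3, window=60.0):
    """Sources with more than `limit` blocked inbound SYNs to `dport` in any `window` seconds."""
    times = defaultdict(list)
    for r in records:
        if r["action"] == "block" and r["dir"] == "in" and r["dport"] == dport and r["flags"] == "S":
            times[r["src"]].append(r["t"])
    offenders = []
    for src, ts in times.items():               # ts is already in capture order
        start = 0
        for end in range(len(ts)):              # sliding window over the timestamps
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 > limit:         # same meaning as max-src-conn-rate limit/window
                offenders.append(src)
                break
    return sorted(offenders)
```

Running `sources_over_rate(parse_pflog(SAMPLE_PFLOG))` on the sample flags only 203.0.113.5, whose four SYNs arrive within 30 seconds; the second source stays under the limit because its two attempts are 90 seconds apart.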