This is an archive of past FreeBSD releases; it's part of the FreeBSD Documentation Archive.
As of July 2003 the OpenBSD firewall software application known as PF was ported to FreeBSD and made available in the FreeBSD ports collection; the first release that contained PF as an integrated part of the base system was FreeBSD 5.3 in November 2004. PF is a complete, fully featured firewall that contains ALTQ for bandwidth usage management, in a way similar to what DUMMYNET provides in IPFW. The OpenBSD project does such an outstanding job of maintaining the PF user's guide that it will not be made part of this handbook firewall section, as that would only duplicate effort.
For older 5.X versions of FreeBSD you can find PF in the FreeBSD ports collection here: security/pf.
More info can be found at the PF for FreeBSD web site: http://pf4freebsd.love2party.net/.
The OpenBSD PF user's guide is here: http://www.openbsd.org/faq/pf/.
Warning: PF in FreeBSD 5.X is at the level of OpenBSD version 3.5. The port from the FreeBSD ports collection is at the level of OpenBSD version 3.4. Keep that in mind when browsing the user's guide.
PF is included in the basic FreeBSD install for 5.3 and newer versions as a separate run-time loadable kernel module. The system dynamically loads the PF kernel module when the rc.conf statement pf_enable="YES" is used. The loadable module was built with pflog(4) logging enabled.
You do not need to compile the following options into the FreeBSD kernel to use PF; they are presented here only as background information. When PF is compiled into the kernel, the loadable module is never used.
Sample kernel config PF option statements are in the /usr/src/sys/conf/NOTES kernel source and are reproduced here:
    device pf
    device pflog
    device pfsync
device pf enables support for the "Packet Filter" firewall.
device pflog enables the optional pflog(4) pseudo network device which can be used to log traffic to a bpf(4) descriptor. The pflogd(8) daemon can be used to store the logging information to disk.
device pfsync enables the optional pfsync(4) pseudo network device that is used to monitor "state changes". As this is not part of the loadable module, one has to build a custom kernel to use it.
These settings will take effect only after you have built and installed a kernel with them set.
You need the following statements in /etc/rc.conf to activate PF at boot time:
    pf_enable="YES"                 # Enable PF (load module if required)
    pf_rules="/etc/pf.conf"         # rules definition file for pf
    pf_flags=""                     # additional flags for pfctl startup
    pflog_enable="YES"              # start pflogd(8)
    pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
    pflog_flags=""                  # additional flags for pflogd startup
If you have a LAN behind this firewall and have to forward packets for the computers in the LAN or want to do NAT, you have to enable the following option as well:
    gateway_enable="YES"            # Enable as LAN gateway
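As an added example (this script is not part of the Handbook or of the FreeBSD base system; the helper names and the sample rc.conf and pf.conf contents are constructed for illustration), the following POSIX sh script checks the rc.conf statements above before a reboot, so that a disabled pf_enable, a mistyped pf_rules path, or a NAT ruleset on a host that never set gateway_enable does not leave the box without a firewall or without forwarding. It assumes that pf_rules defaults to /etc/pf.conf when the variable is not set, and mirrors the case-insensitive YES/TRUE/ON/1 test that rc.subr(8)'s checkyesno applies to rc.conf variables.

```sh
#!/bin/sh
# Added example, not part of the FreeBSD Handbook or base system: a
# pre-flight check for the PF rc.conf statements. It reads an rc.conf-style
# file and the pf.conf it names and reports, before you reboot:
#   - pf_enable not enabled (the PF module is not loaded or started)
#   - pf_rules pointing at a file that does not exist (rules fail to load)
#   - a nat/rdr/binat ruleset on a host without gateway_enable (no forwarding)
# Helper names are this example's own; the sample files are constructed below.

# Print the value of VAR="value" from an rc.conf-style file (last assignment
# wins; a trailing "# comment" and the quotes are stripped). Values that
# themselves contain '#' are not handled; none of the statements above do.
rc_get() {
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 |
        sed 's/#.*//; s/^[^=]*=//; s/^"//; s/"[[:space:]]*$//'
}

# Same truth test as checkyesno in rc.subr(8): YES/TRUE/ON/1, any case.
yesno() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        YES|TRUE|ON|1) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the ruleset contains a translation rule, which only does anything
# useful on a forwarding host. Comment lines never start with the keyword.
needs_gateway() {
    grep -Eq '^[[:space:]]*(nat|rdr|binat)[[:space:]]' "$1"
}

# Run the checks against one rc.conf; the exit status is the problem count.
pf_preflight() {
    rc=$1
    problems=0

    if ! yesno "$(rc_get "$rc" pf_enable)"; then
        echo "pf_enable is not enabled: the PF module will not be loaded at boot"
        problems=$((problems + 1))
    fi

    rules=$(rc_get "$rc" pf_rules)
    if [ -z "$rules" ]; then
        rules=/etc/pf.conf      # rc.conf default when pf_rules is unset (assumed)
    fi
    if [ ! -f "$rules" ]; then
        echo "pf_rules=$rules does not exist: no rules can be loaded at boot"
        problems=$((problems + 1))
    elif needs_gateway "$rules" && ! yesno "$(rc_get "$rc" gateway_enable)"; then
        echo "$rules has nat/rdr rules but gateway_enable is not YES: LAN traffic will not be forwarded"
        problems=$((problems + 1))
    fi

    return $problems
}

# --- constructed sample input: a NAT gateway with one LAN interface ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/pf.conf" <<'EOF'
ext_if="fxp0"
int_if="fxp1"
nat on $ext_if from $int_if:network to any -> ($ext_if)
block in all
pass out keep state
pass in on $int_if from $int_if:network to any keep state
EOF

GOOD_RC="$tmp/rc.conf.good"
cat > "$GOOD_RC" <<EOF
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="$tmp/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="$tmp/pflog"      # where pflogd should store the logfile
gateway_enable="YES"            # Enable as LAN gateway
EOF

BAD_RC="$tmp/rc.conf.bad"       # PF switched off and no forwarding on a NAT box
cat > "$BAD_RC" <<EOF
pf_enable="NO"
pf_rules="$tmp/pf.conf"
pflog_enable="YES"
EOF

for f in "$GOOD_RC" "$BAD_RC"; do
    echo "== $f"
    if pf_preflight "$f"; then echo "   ok"; else echo "   $? problem(s)"; fi
done
```

Run it as-is to see the two sample results, or call pf_preflight /etc/rc.conf on the firewall itself. It checks only the rc.conf side; the ruleset syntax is still checked with pfctl -nf /etc/pf.conf, which parses the file without loading it.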
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.