|
As of July 2003 the OpenBSD firewall software application known as PF was ported to FreeBSD and was made available in the FreeBSD Ports Collection; the first release that contained PF as an integrated part of the base system was FreeBSD 5.3 in November 2004. PF is a complete, fully featured firewall that has optional support for ALTQ (Alternate Queuing). ALTQ provides Quality of Service (QoS) bandwidth shaping that allows guaranteeing bandwidth to different services based on filtering rules. The OpenBSD Project does an outstanding job of maintaining the PF User's Guide that it will not be made part of this handbook firewall section as that would just be duplicated effort.
The availability of PF for the various FreeBSD releases and versions is summarized below:
FreeBSD Version | PF Availability |
---|---|
Pre-4.X versions | PF is not available for any release of FreeBSD older than the 4.X branch. |
All versions of the 4.X branch | PF is available as part of KAME. |
5.X releases before 5.3-RELEASE | The security/pf port can be used to install PF on these versions of FreeBSD. These releases were targeted to developers and people who wanted a preview of early 5.X versions. Upgrading to 5.3-RELEASE or newer versions of FreeBSD is strongly recommended. |
5.3-RELEASE and later versions | PF is part of the base system. Do not use the security/pf port on these versions of FreeBSD. It will not work. Use the pf(4) support of the base system instead. |
More info can be found at the PF for FreeBSD web site: http://pf4freebsd.love2party.net/.
The OpenBSD PF user's guide is here: http://www.openbsd.org/faq/pf/.
Warning: PF in FreeBSD 5.X is at the level of OpenBSD version 3.5. The port from the FreeBSD Ports Collection is at the level of OpenBSD version 3.4. Keep that in mind when browsing the user's guide.
PF is included in the basic FreeBSD install for versions newer than 5.3 as a separate run time loadable module. The system will dynamically load the PF kernel loadable module when the rc.conf statement pf_enable="YES" is used. The loadable module was created with pflog(4) logging enabled.
Note: The module assumes the presence of options INET and device bpf. Unless NOINET6 (for example in make.conf(5)) was defined during the build, it also requires options INET6.
It is not a mandatory requirement that you enable PF by compiling the following options into the FreeBSD kernel. It is only presented here as background information. Compiling PF into the kernel causes the loadable module to never be used.
Sample kernel config PF option statements are in the /usr/src/sys/conf/NOTES kernel source and are reproduced here:
device pf device pflog device pfsync
device pf enables support for the “Packet Filter” firewall.
device pflog enables the optional pflog(4) pseudo network device which can be used to log traffic to a bpf(4) descriptor. The pflogd(8) daemon can be used to store the logging information to disk.
device pfsync enables the optional pfsync(4) pseudo network device that is used to monitor “state changes”. As this is not part of the loadable module one has to build a custom kernel to use it.
These settings will take effect only after you have built and installed a kernel with them set.
You need the following statements in /etc/rc.conf to activate PF at boot time:
pf_enable="YES" # Enable PF (load module if required) pf_rules="/etc/pf.conf" # rules definition file for pf pf_flags="" # additional flags for pfctl startup pflog_enable="YES" # start pflogd(8) pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_flags="" # additional flags for pflogd startup
If you have a LAN behind this firewall and have to forward packets for the computers in the LAN or want to do NAT, you have to enable the following option as well:
gateway_enable="YES" # Enable as LAN gateway
ALTQ is only available by compiling the options into the FreeBSD Kernel. ALTQ is not supported by all of the available network card drivers. Please see the altq(4) manual page for a list of drivers that are supported in your release of FreeBSD. The following options will enable ALTQ and add additional functionality.
options ALTQ options ALTQ_CBQ # Class Bases Queuing (CBQ) options ALTQ_RED # Random Early Detection (RED) options ALTQ_RIO # RED In/Out options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC) options ALTQ_PRIQ # Priority Queuing (PRIQ) options ALTQ_NOPCC # Required for SMP build
options ALTQ enables the ALTQ framework.
options ALTQ_CBQ enables Class Based Queuing (CBQ). CBQ allows you to divide a connection's bandwidth into different classes or queues to prioritize traffic based on filter rules.
options ALTQ_RED enables Random Early Detection (RED). RED is used to avoid network congestion. RED does this by measuring the length of the queue and comparing it to the minimum and maximum thresholds for the queue. If the queue is over the maximum all new packets will be dropped. True to its name, RED drops packets from different connections randomly.
options ALTQ_RIO enables Random Early Detection In and Out.
options ALTQ_HFSC enables the Hierarchical Fair Service Curve Packet Scheduler. For more information about HFSC see: http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html.
options ALTQ_PRIQ enables Priority Queuing (PRIQ). PRIQ will always pass traffic that is in a higher queue first.
options ALTQ_NOPCC enables SMP support for ALTQ. This option is required on SMP systems.
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.
Hosting by: Hurra Communications Ltd.
Generated: 2007-01-26 17:58:42