On 2022-04-07, Steve Litt <sl...@troubleshooters.com> wrote:
> I need some easy beginner's pf documentation as well as some
> intermediate pf documentation. I plan to make an OpenBSD/pf firewall. I
> haven't done this in ten years, and imagine pf and the process of
> turning OpenBSD into a firewall have changed in that time.

The pf.conf(5) manual is the primary reference, if you prefer to have a
nicely formatted printable version you can get one with

$ man -T pdf pf.conf > pf.conf.pdf

There are many many online guides about configuring PF; some are
helpful, many less so. If you do use these, cross-referring to
pf.conf(5) is a good idea.

IMHO the "building a router" example on the FAQ complicates things a
bit too much (it is actually "how to setup dhcp, wifi hostap [which few
people actually use and doesn't work on many adapters], and a DNS
resolver"), and uses some PF features which I think it's really better
if you understand what they do before using them.

My main tips would be:

- start the ruleset with a "block" or "block log" rule so that no
packets match the implicit default "rule 0", which is effectively
"pass all no state". This avoids one of the main hard-to-diagnose
cases where some packets are accepted without creating firewall state.

- tags and received-on can be pretty helpful and most guides don't
use them.

- if you can't figure out which rules are matching a packet, put
a "match log(matches)" rule at the top of the ruleset (maybe
with a from/to or port restriction if it's on a busy machine),
and watch "tcpdump -nevvi pflog0" - when a packet traverses the
PF ruleset, you'll get some output for every rule matching that
packet, with a final line showing the overall pass/drop outcome.
The rule numbers shown can be looked up with "pfctl -sr -R XX -v".


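The three tips above, put together in one ruleset as an added example (this is not from the original message or from the OpenBSD FAQ). Interface names (em0 external, em1 internal), the LAN prefix 192.168.1.0/24, the debug host 192.168.1.50 and the <bruteforce> table are assumptions for illustration; adjust them before loading.

```pf
# Added example pf.conf, not from the original message. Interface names,
# the LAN prefix, the debug host and the table name are assumptions.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
table <bruteforce> persist

set skip on lo

# Tip 1: an explicit default deny as the very first rule, so no packet
# can fall through to the implicit stateless "rule 0". "log" sends the
# drops to pflog0, where tcpdump can show them.
block log all

# Tip 3 (temporary, for debugging): log every rule that matches packets
# from one host, so a busy box is not flooded. Read the output with
#   tcpdump -nevvi pflog0
# and map the rule numbers it prints with
#   pfctl -sr -R <n> -v
match log (matches) from 192.168.1.50

# Outbound NAT for the LAN. "match" only marks the packet; the last
# matching (or first "quick") pass/block rule still makes the decision.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Tip 2: tag packets by where they entered. The tag is stored with the
# state, so later rules can decide by tag instead of repeating addresses.
match in on $int_if inet from $lan_net tag LAN
pass in quick on $int_if tagged LAN

# received-on restricts a rule to packets that arrived on a given
# interface even when they leave on another one: forward only what
# really came in from the LAN side.
pass out quick on $ext_if received-on $int_if tagged LAN

# The firewall's own outbound traffic (locally generated, so untagged).
pass out on $ext_if

# Sources that tripped the rate limit below are dropped early.
block quick from <bruteforce>

# Rate-limited admin access from outside; state is created by this rule,
# never by the implicit rule 0, because "block log all" is above it.
pass in on $ext_if inet proto tcp to ($ext_if) port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the syntax without loading it with "pfctl -nf /etc/pf.conf" first, and remove the "match log (matches)" line once you have finished debugging, since it logs a line for every matching rule on every packet from that host.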