OpenBSD pf notes
For me to RTFM
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block all
pass out on em0 from em0 to any
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
# I sometimes put stuff on port 8000
pass in on em0 proto tcp from 192.168.0.0/24 to em0 port 8000
pass / block
- these are actions. block can be written block drop (the default, silently discard the packet) or block return (answer TCP with a RST and UDP with an ICMP unreachable so the sender fails fast, as in the _pbuild rule above). Rules are evaluated top to bottom and the last matching rule wins unless it says quick, which is why block all comes first and the pass rules after it
in / out
- these are directions of packet flow: in is a packet entering the machine, out is a packet leaving it
on {interface}
- restricts the rule to packets on that interface. egress is the interface group containing whichever interface holds the default route, so it is handy on a laptop that moves between networks
proto {protoname}
- which protocol the rule applies to (tcp, udp, icmp, ...). A rule without proto matches every protocol; port only makes sense together with proto tcp or udp
from ip/interface port {port}
- the sender's IP address and port
to ip/interface port {port}
- the receiver's IP address and port
What is a sender
If my computer sends a packet to a remote computer, my computer is the sender. If a remote computer sends a packet to my computer, the remote computer is the sender.
What is a receiver
If my computer sends a packet to some remote computer, the remote computer is the receiver. If some outside computer sends the packet, my computer is the receiver.
from and to are always read from the packet's point of view, not the host's: in an in rule, to is this machine; in an out rule, from is this machine.
STATES
Ok so I only allowed packets to EXIT my computer; nothing in the file allows packets to ENTER it (apart from port 8000 from the LAN). An HTTP GET is a packet from my computer to someone else's remote computer, which pass out covers. The remote computer then has to send the HTTP response back to me. That response is an INCOMING packet, and no rule in the file passes incoming packets.
Then why can I ping or visit sites?
The merciful pf firewall is stateful: it keeps state and associates incoming packets with the outgoing packets that started the flow. When I send a request to a server, pf records the connection in its state table. When the response comes back, pf finds the matching state and lets the packet through, because the request that created the state was allowed. The state table is consulted before the ruleset, so the response never has to match a pass in rule at all.
Asking for this explicitly is done by appending keep state to the rule, but every pass rule keeps state by default (for TCP the default is keep state flags S/SA, so only the initial SYN creates the state). To disable it, append no state to the rule; the replies then have to be passed by a rule of their own.
In practice: leave the default on everything and reach for no state only for the rare rule where stateless matching is really wanted. pfctl -ss lists the current state table, and pfctl -nf /etc/pf.conf checks the ruleset for syntax errors without loading it.
NAT
pass out on egress inet from 192.168.0.0/24 nat-to em0 # or nat-to (em0) if em0 gets its address from DHCP
Basically: for every IPv4 packet leaving through the egress interface (the one holding the default route) whose SOURCE IP ADDRESS is in 192.168.0.0/24, rewrite the SOURCE IP from 192.168.0.x to whatever IP em0 has. Written bare, em0 is resolved once when the ruleset is loaded, so if the address later changes (a DHCP lease renewal, a different network) the rule keeps using the old one until pfctl -f reloads the file. Written as (em0) it is looked up on the fly, so a changed address is picked up without a reload. (em0:0) additionally excludes aliases, which matters when the interface carries more than one address.
The reply packets come back addressed to the translated source. pf uses the state it created for the outgoing packet to map them back to the 192.168.0.x host, so translation rules always keep state. The example file does the same thing with match instead of pass: match out ... nat-to only tags the packet for translation and leaves the pass/block decision to the rest of the ruleset.
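To make the STATES and NAT sections concrete, here is a toy model of how pf decides, added as an illustration and not pf's own code: the state table is checked first, then the ruleset with last-match-wins, a pass rule keeps state unless told no state, and nat-to rewrites the source on the way out and uses that state to map the reply back. It ignores TCP flags, timeouts, quick and interfaces, and all addresses (this host 192.168.0.5 on em0, LAN neighbour 192.168.0.7, web server 198.51.100.20, public address 203.0.113.9) are made up for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = entering this host, "out" = leaving it
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # None = either direction
    proto: Optional[str] = None       # None = any protocol
    src: Optional[str] = None         # host or CIDR; None = any
    dst: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = True           # pf's default on every pass rule
    nat_to: Optional[str] = None      # rewrite the source address on the way out

def addr_matches(addr: str, spec: Optional[str]) -> bool:
    if spec is None:
        return True
    # strict=False masks host bits, so a spec like 192.168.0.1/24 means 192.168.0.0/24
    return ip_address(addr) in ip_network(spec, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.proto in (None, pkt.proto)
            and addr_matches(pkt.src, rule.src)
            and addr_matches(pkt.dst, rule.dst)
            and rule.dport in (None, pkt.dport))

def flow_key(pkt: Packet):
    return (pkt.direction, pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = {}  # flow key -> (field, value) rewrite to apply, or None

    def filter(self, pkt: Packet):
        """Return (verdict, packet as it leaves the firewall)."""
        # 1. State table first: a packet of a known flow passes without the
        #    ruleset being evaluated again.
        if flow_key(pkt) in self.states:
            fix = self.states[flow_key(pkt)]
            return "pass (state)", (replace(pkt, **{fix[0]: fix[1]}) if fix else pkt)
        # 2. Otherwise walk the ruleset; without "quick", the LAST match wins.
        winner = None
        for rule in self.rules:
            if rule_matches(rule, pkt):
                winner = rule
        if winner is None or winner.action == "block":
            return "block", pkt
        out, fix = pkt, None
        if winner.nat_to and pkt.direction == "out":
            out = replace(pkt, src=winner.nat_to)
            fix = ("src", winner.nat_to)
        if winner.keep_state:
            # forward direction: later packets of this flow get the same treatment
            self.states[flow_key(pkt)] = fix
            # reverse direction: the reply arrives addressed to the (possibly
            # translated) source and must be mapped back to the real host
            reply = Packet("in", pkt.proto, pkt.dst, pkt.dport, out.src, pkt.sport)
            self.states[flow_key(reply)] = ("dst", pkt.src) if fix else None
        return "pass", out

def run(rules, packets):
    fw = Firewall(rules)
    return [fw.filter(p) for p in packets]

# Constructed traffic (documentation address ranges, made up for this example)
GET      = Packet("out", "tcp", "192.168.0.5", 40000, "198.51.100.20", 80)
REPLY    = Packet("in",  "tcp", "198.51.100.20", 80, "192.168.0.5", 40000)
LAN_8000 = Packet("in",  "tcp", "192.168.0.7", 5555, "192.168.0.5", 8000)
WAN_8000 = Packet("in",  "tcp", "198.51.100.20", 5555, "192.168.0.5", 8000)
NAT_REPLY = Packet("in", "tcp", "198.51.100.20", 80, "203.0.113.9", 40000)

# "block all", "pass out" (keep state implied), "pass in ... port 8000" from the LAN
RULES = [Rule("block"), Rule("pass", direction="out"),
         Rule("pass", direction="in", proto="tcp", src="192.168.0.0/24", dport=8000)]
# same, but the pass out rule says "no state"
RULES_NO_STATE = [Rule("block"), Rule("pass", direction="out", keep_state=False)]
# router flavour: "pass out on egress inet from 192.168.0.0/24 nat-to 203.0.113.9"
RULES_NAT = [Rule("block"),
             Rule("pass", direction="out", src="192.168.0.0/24", nat_to="203.0.113.9")]

if __name__ == "__main__":
    for name, rules, pkts in [("keep state", RULES, [GET, REPLY, LAN_8000, WAN_8000]),
                              ("no state", RULES_NO_STATE, [GET, REPLY]),
                              ("nat-to", RULES_NAT, [GET, NAT_REPLY])]:
        print(name)
        for verdict, p in run(rules, pkts):
            print(f"  {verdict:12} {p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Running it shows the three situations from the notes: with the default state the HTTP reply is passed by the state table, with no state the same reply hits block all, and with nat-to the reply addressed to 203.0.113.9 is passed and its destination rewritten back to 192.168.0.5, while an unsolicited connection to port 8000 is only passed from the LAN range.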