I have been meaning to try out both IPFW and PF.
After reading bsdnow pf tutorial and skimming over nice FreeBSD handbook’s pf section I was a bit hesitant to try PF on FreeBSD as it was said to have slightly older version from OpenBSD and that would cause syntax to differ. So I tried out IPFW first and it was really simple to set up however after adding some rules I realized that I’m not loving the syntax.
So I thought that it’s time to give PF a go (especially since I’m not too comitted to IPFW yet) and it turns out it’s not so bad with those syntax differences, though I did run into one.
Once I wrote up a minimal ruleset with PF and tried to load load it I was getting syntax error:
[fx@badger ~]$ sudo pfctl -f /etc/pf.conf
ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:21: syntax error
pfctl: Syntax error in config file: pf rules not loaded
However there really was nothing eye catching on that line.
So after some experimenting and more careful re-reading of handbook it turns out that FreeBSD’s PF version wants all the lists to be enclosed in curly braces (just as it shows on the nice FreeBSD handbook). Doooh.
After changing that one syntax problem PF complained a bit more about rules ordering
/etc/pf.conf:13: Rules must be in order: options, normalization, queueing, translation, filtering
But that was an easy fix of changing the order (which totally makes sense).
Then I tested rebooting the machine and realized that even though I have /etc/rc.conf
set up correctly, the PF is not loading the rules on boot.
Enlightment came when I realized that this is because I am using my OpenVPN tun0
interface in the rules and it is not available until after OpenVPN has come up. So I changed the rules to use vpn IP instead of the nic and all was good.
I really like the fact that PF does some syntax checking before it loads the rules. Much better than realizing that your SSH session has hung because you made a noobish mistake in the ruleset 🙂
And also loving the nice stats and counters it can print out.
Overall a positive first experience with PF.