PF (firewall)

Last updated
PF
Original author(s) Daniel Hartmeier
Developer(s) The OpenBSD Project
Initial release1 December 2001;20 years ago (2001-12-01)
Repository
Written inC
Operating system OpenBSD
Type Packet filtering
License BSD license
Website www.openbsd.org/faq/pf/index.html

PF (Packet Filter, also written pf) is a BSD licensed stateful packet filter, a central piece of software for firewalling. It is comparable to netfilter (iptables), ipfw, and ipfilter.

Contents

PF was developed for OpenBSD, but has been ported to many other operating systems.

History

PF was originally designed as replacement for Darren Reed's IPFilter, from which it derives much of its rule syntax. IPFilter was removed from OpenBSD's CVS tree on 30 May 2001 due to OpenBSD developers' concerns with its license. [1]

The initial version of PF was written by Daniel Hartmeier. [2] It appeared in OpenBSD 3.0, which was released on 1 December 2001. [3]

It was later extensively redesigned by Henning Brauer and Ryan McBride [4] with most of the code written by Henning Brauer. Henning Brauer is currently the main developer of PF.

Features

The filtering syntax is similar to IPFilter, with some modifications to make it clearer. Network address translation (NAT) and quality of service (QoS) have been integrated into PF. Features such as pfsync and CARP for failover and redundancy, authpf for session authentication, and ftp-proxy to ease firewalling the difficult FTP protocol, have also extended PF. Also PF supports SMP (Symmetric multiprocessing) & STO (Stateful Tracking Options).

One of the many innovative features is PF's logging. PF's logging is configurable per rule within the pf.conf and logs are provided from PF by a pseudo-network interface called pflog, which is the only way to lift data from kernel-level mode for user-level programs. Logs may be monitored using standard utilities such as tcpdump, which in OpenBSD has been extended especially for the purpose, or saved to disk in the tcpdump/pcap binary format using the pflogd daemon.

Ports

Apart from running on its home platform OpenBSD, PF has been ported to many other operating systems, however there are major differences in capabilities. Some ports date back many years. OpenBSD always has the latest version with the most features.

PF is currently used in:

See also

Related Research Articles

tcpdump Data-network packet analyzer

tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distributed under the BSD license, tcpdump is free software.

Unix security refers to the means of securing a Unix or Unix-like operating system. A secure environment is achieved not only by the design concepts of these operating systems, but also through vigilant user and administrative practices.

Explicit Congestion Notification (ECN) is an extension to the Internet Protocol and to the Transmission Control Protocol and is defined in RFC 3168 (2001). ECN allows end-to-end notification of network congestion without dropping packets. ECN is an optional feature that may be used between two ECN-enabled endpoints when the underlying network infrastructure also supports it.

IPFilter is an open-source software package that provides firewall services and network address translation (NAT) for many Unix-like operating systems. The author and software maintainer is Darren Reed. IPFilter supports both IPv4 and IPv6 protocols, and is a stateful firewall.

m0n0wall was an embedded firewall distribution of FreeBSD, one of the BSD operating system descendants. It provides a small image which can be put on Compact Flash cards as well as on CD-ROMs and hard disks. It runs on a number of embedded platforms and generic PCs. The PC version can be run with just a Live CD and a floppy disk to store configuration data, or on a single Compact Flash card. This eliminates the need for a hard drive, which reduces noise and heat levels.

Application firewall Layer 7/application layer network security system

An application firewall is a form of firewall that controls input/output or system calls of an application or service. It operates by monitoring and blocking communications based on a configured policy, generally with predefined rule sets to choose from. The application firewall can control communications up to the application layer of the OSI model, which is the highest operating layer, and where it gets its name. The two primary categories of application firewalls are network-based and host-based.

iptables is a user-space utility program that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall, implemented as different Netfilter modules. The filters are organized in different tables, which contain chains of rules for how to treat network traffic packets. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.

Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network and prohibiting packets from reaching sensitive locations within a network.

NetFlow Communications protocol

NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring setup consists of three main components:

The Common Address Redundancy Protocol or CARP is a computer networking protocol which allows multiple hosts on the same local area network to share a set of IP addresses. Its primary purpose is to provide failover redundancy, especially when used with firewalls and routers. In some configurations, CARP can also provide load balancing functionality. CARP provides functionality similar to VRRP and to Cisco Systems' HSRP. It is implemented in several BSD-based operating systems and has been ported to Linux (ucarp).

ipfirewall Firewall software

ipfirewall or ipfw is a FreeBSD IP, stateful firewall, packet filter and traffic accounting facility. Its ruleset logic is similar to many other packet filters except IPFilter. ipfw is authored and maintained by FreeBSD volunteer staff members. Its syntax enables use of sophisticated filtering capabilities and thus enables users to satisfy advanced requirements. It can either be used as a loadable kernel module or incorporated into the kernel; use as a loadable kernel module where possible is highly recommended. ipfw was the built-in firewall of Mac OS X until Mac OS X 10.7 Lion in 2011 when it was replaced with the OpenBSD project's PF. Like FreeBSD, ipfw is open source. It is used in many FreeBSD-based firewall products, including m0n0wall and FreeNAS. A port of an early version of ipfw was used since Linux 1.1 as the first implementation of firewall available for Linux, until it was replaced by ipchains. A modern port of ipfw and the dummynet traffic shaper is available for Linux and Microsoft Windows. wipfw is a Windows port of an old (2001) version of ipfw.

pfSense is a firewall/router computer software distribution based on FreeBSD. The open source pfSense Community Edition (CE) and pfSense Plus is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network. It can be configured and upgraded through a web-based interface, and requires no knowledge of the underlying FreeBSD system to manage.

pfsync is a computer protocol used to synchronise firewall states between machines running Packet Filter (PF) for high availability. It is used along with CARP to make sure a backup firewall has the same information as the main firewall. When the main machine in the firewall cluster dies, the backup machine is able to accept current connections without loss.

These tables compare free software / open-source operating systems. Where not all of the versions support a feature, the first version which supports it is listed.

FreeBSD Free Unix-like operating system

FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular open-source BSD operating system, accounting for more than three-quarters of all installed and permissively licensed BSD systems.

The Berkeley Packet Filter (BPF) is a technology used in certain computer operating systems for programs that need to, among other things, analyze network traffic. It provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received. In addition, if the driver for the network interface supports promiscuous mode, it allows the interface to be put into that mode so that all packets on the network can be received, even those destined to other hosts.

OpenBSD Security-focused Unix-like operating system

OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD. According to the website, the OpenBSD project emphasizes "portability, standardization, correctness, proactive security and integrated cryptography."

NPF is a BSD licensed stateful packet filter, a central piece of software for firewalling. It is comparable to iptables, ipfw, ipfilter and PF. NPF is developed on NetBSD.

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and low attack surface. It aims for better performance and more power than IPsec and OpenVPN, two common tunneling protocols. The WireGuard protocol passes traffic over UDP.

systat is a BSD UNIX console application for displaying system statistics in fullscreen mode using ncurses/curses. It is available on, and by default ships in the base systems of, FreeBSD, NetBSD, OpenBSD and DragonFly BSD. It was first released as part of 4.3BSD in 1986.

References

  1. de Raadt, Theo (2001-05-30). "CVS: cvs.openbsd.org: src; Remove ipf" . Retrieved 2018-08-20.
  2. Hartmeier, Daniel (2017-09-26). "A new stateful packet filter for OpenBSD" . Retrieved 2018-08-20.
  3. "OpenBSD 3.0". 2001-12-01. Retrieved 2018-08-20.
  4. Brauer, Henning. "Henning Brauer Consulting: pf" . Retrieved 2018-08-20.
  5. "FreeBSD/amd64 5.3-RELEASE Release Notes". 2004-11-03. Retrieved 2018-08-20.
  6. "xnu/xnu-1456.1.26/bsd/net/pf.c.auto.html". Apple, Inc. 2008-12-05. Retrieved 2018-08-20.
  7. "Changes and NetBSD News in 2005: 23 Dec 2005 - NetBSD 3.0 released" . Retrieved 2018-08-20.
  8. "pf(4) manual page". DragonFly Kernel Interfaces Manual. 2011-01-02. Retrieved 2018-08-20.
  9. "Introduction to Packet Filter". Securing the Network in Oracle® Solaris 11.3. Oracle Corporation. March 2018. Retrieved 2018-08-20.

Books