Setting up PF

E.g. on NetBSD/XEN, make sure you got those enabled in the kernel,

pseudo-device  pf                      # PF packet filter
pseudo-device  pflog                   # PF log if
pseudo-device  pfsync                  # PF sync if

Enable IP forwarding,

sysctl net.inet.ip.forwarding
sysctl -w net.inet.ip.forwarding=1
echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf

Configure the rules e.g. NAT and logging everything on the external interface,

mv -i /etc/pf.conf /etc/pf.conf.dist
vi /etc/pf.conf

ext_if="xennet0"
int_if="xennet1"

nat on $ext_if from $int_if:network -> $ext_if
#rdr on $ext_if proto tcp from any to any port XX -> INTERNAL_IP

pass in log on xennet0
#pass in log all on xennet0

Enable and run,

grep pf /etc/defaults/rc.conf
cat >> /etc/rc.conf <<-EOF
pf=yes
pflogd=yes
EOF
ifconfig pflog0
/etc/rc.d/pflogd restart
/etc/rc.d/pf restart

Watch live,

tcpdump -n -e -ttt -i pflog0

or review past logs,

tcpdump -n -e -ttt -r /var/log/pflog

Refs. syntax

• https://man.openbsd.org/pf.conf
• https://forums.freebsd.org/threads/pf-and-multiple-external-interfaces.21270/

Refs. ICMP

• https://www.cymru.com/Documents/icmp-messages.html

Refs. NAT

• https://www.openbsd.org/faq/pf/nat.html
• https://www.openbsd.org/faq/pf/rdr.html
• https://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html
• http://www.ignix.ru/public/daemon/easy-nat-pf
• http://tutorials.section6.net/home/setting-up-a-firewall-nat-using-pf

Refs. logging

• https://www.techrepublic.com/blog/it-security/filtering-pf-firewall-logs/
• https://www.openbsd.org/faq/pf/logging.html

helper scripts

cat > log <<EOF
tail -F /var/log/messages
EOF

cat > logpf <<EOF
tcpdump -n -e -ttt -i pflog0
EOF

chmod +x log logpf

---

Nethence | Pub | Lab | Pbraun | SNE Russia