# Basic PF setup



## mj12net (Apr 16, 2014)

I'm following the handbook here: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/book.html#firewalls-pf

My /etc/pf.conf looks like this since "_The simplest possible ruleset is for a single machine that does not run any services and which needs access to one network, which may be the Internet._"

```
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
block in all
pass out all keep state
# $localnet and $ext_if below are macros; they must be defined above
# (like tcp_services) before these two lines can be loaded by pfctl
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state
```

In the terminal...

```
# service pf start
Enabling pfNo ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled

# service pflog start
Starting pflog.

# pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled

# pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
```

Is it safe to ignore those ALTQ messages? And does my pf.conf look fine? Or is there a better/safer ruleset?

Thanks.


----------



## SirDice (Apr 16, 2014)

mj12net said:

> Is it safe to ignore those ALTQ messages?

Yes, those are fine. ALTQ can only be enabled on a custom kernel. The messages would go away but they don't do any harm.

> And does my pf.conf look fine? Or is there a better/safer ruleset?

Looks fine for a start. There are always ways to improve things.


----------



## bryn1u (Apr 16, 2014)

You can add

```
scrub in all
```


----------



## mj12net (Apr 16, 2014)

Thanks for your replies.

And how do I add a rule to allow CUPS (localhost:631)? When PF is enabled it's not going through.


----------



## kpa (Apr 16, 2014)

Add this rule; it's almost always a good idea unless you want to start playing with filtering on lo0, which is a very advanced concept:


```
set skip on lo0
```


----------



## mj12net (Apr 16, 2014)

kpa said:

> Add this rule; it's almost always a good idea unless you want to start playing with filtering on lo0, which is a very advanced concept:
>
> ```
> ...



Worked, thank you!


----------



## mj12net (Apr 16, 2014)

bryn1u said:

> You can add
>
> ...



When trying to reload the pf.conf with this, it gives me a syntax error.

And does it matter what order you place the rules?


----------



## kpa (Apr 16, 2014)

Yes, there is a certain order for options and rules. From the pf.conf(5) manual page:


```
STATEMENT ORDER
     There are seven types of statements in pf.conf:

     Macros
           User-defined variables may be defined and used later, simplifying
           the configuration file.  Macros must be defined before they are
           referenced in pf.conf.

     Tables
           Tables provide a mechanism for increasing the performance and
           flexibility of rules with large numbers of source or destination
           addresses.

     Options
           Options tune the behaviour of the packet filtering engine.

     Traffic Normalization (e.g. scrub)
           Traffic normalization protects internal machines against
           inconsistencies in Internet protocols and implementations.

     Queueing
           Queueing provides rule-based bandwidth control.

     Translation (Various forms of NAT)
           Translation rules specify how addresses are to be mapped or
           redirected to other addresses.

     Packet Filtering
           Packet filtering provides rule-based blocking or passing of
           packets.
```

The set skip rule is actually an option and should be placed before any scrub, queue, nat or filter rules. The scrub rules should come after the options but before any queue, nat or filter rules.


----------



## mj12net (Apr 16, 2014)

kpa said:

> Yes, there is a certain order for options and rules. From the pf.conf(5) manual page:
>
> ```
> ...



So mine should look like: 


```
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
set skip on lo0
block in all
pass out all keep state
```

Before the "block in all"?


----------



## kpa (Apr 17, 2014)

Yes. Put the scrub rule in too:



```
#tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
#udp_services = "{ domain }"

set skip on lo0

scrub in all

block in all
pass out all
```

These rules are not making use of the two macros that are defined (tcp_services and udp_services), so you can comment them out until you really start using them. Also, keep state is always on by default unless you explicitly set no state in a rule, so that can be left out.


----------
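The statement order kpa quotes from pf.conf(5) above, and the reordered ruleset in his last reply, can both be checked offline before a config is pushed to a live firewall. The script below is an added example, not code from this thread or from FreeBSD: a small awk-based linter that sorts each pf.conf statement into the pf.conf(5) classes, flags option/scrub/queue/translation/filter statements that appear out of order (the situation pfctl itself rejects with "Rules must be in order: options, normalization, queueing, translation, filtering", which is the syntax error mj12net hit when scrub in all was appended after the filter rules), and flags $macro references that were never defined (which the undefined $localnet and $ext_if in the opening post's ruleset would trigger). Macros and tables are exempt from the position check, since pf.conf(5) allows them anywhere as long as a macro is defined before it is used. The two sample configs the demo writes are constructed for this example; the function name pf_order_check and the em0 interface are my own choices. On the FreeBSD host itself, pfctl -nf /etc/pf.conf remains the authoritative parse-only check.

```shell
#!/bin/sh
# pf_order_check FILE
#
# Portable pre-check for a pf.conf (example code, not part of FreeBSD or pf):
#   * reports statements that break the pf.conf(5) order
#     options -> normalization (scrub) -> queueing -> translation -> filtering
#     (macros and tables are allowed anywhere, so they are not position-checked)
#   * reports $name references to macros that were never defined
# Exit status 0 = no problem found, 1 = at least one problem found.
pf_order_check() {
    awk '
    # Map a statement to its class number; 1/2 (macro, table) are not
    # position-checked, 0 means "not recognised by this checker".
    function stmt_class(s) {
        if (s ~ /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/)          return 1
        if (s ~ /^table[ \t]+</)                            return 2
        if (s ~ /^set[ \t]/)                                return 3
        if (s ~ /^scrub[ \t]/)                              return 4
        if (s ~ /^(altq|queue)[ \t]/)                       return 5
        if (s ~ /^(nat|rdr|binat)[ \t]/)                    return 6
        if (s ~ /^no[ \t]+(nat|rdr|binat)[ \t]/)            return 6
        if (s ~ /^(pass|block|antispoof|anchor)([ \t]|$)/)  return 7
        if (s ~ /^load[ \t]+anchor[ \t]/)                   return 7
        return 0
    }
    BEGIN {
        name[1] = "macro"; name[2] = "table"; name[3] = "option"
        name[4] = "scrub"; name[5] = "queue"; name[6] = "translation"
        name[7] = "filter"
        seen = 0; bad = 0          # seen = highest ordered class so far
    }
    {
        sub(/#.*/, "")                              # drop comments
        gsub(/^[ \t]+/, ""); gsub(/[ \t]+$/, "")    # trim whitespace
        if ($0 == "") next
        c = stmt_class($0)
        if (c == 0) {
            printf("line %d: unrecognised statement, not checked: %s\n", NR, $0)
            next
        }
        if (c == 1) {                # remember macro name for the reference check
            n = $0; sub(/[ \t]*=.*/, "", n); defined[n] = 1
        }
        # every $name on the line must already have been defined as a macro
        rest = $0
        while (match(rest, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
            m = substr(rest, RSTART + 1, RLENGTH - 1)
            if (!(m in defined)) {
                printf("line %d: macro \"%s\" used but not defined\n", NR, m)
                bad = 1
            }
            rest = substr(rest, RSTART + RLENGTH)
        }
        # ordered classes: a lower class after a higher one is a violation
        if (c >= 3) {
            if (c < seen) {
                printf("line %d: %s statement after %s statement: %s\n",
                       NR, name[c], name[seen], $0)
                bad = 1
            } else {
                seen = c
            }
        }
    }
    END { exit bad }
    ' "$1"
}

# --- demo on two constructed configs (written here for the example) ---
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
# options, then scrub, then filter rules; macros may sit anywhere
ext_if = "em0"
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
set skip on lo0
scrub in all
block in all
pass out on $ext_if all
EOF
cat > "$bad" <<'EOF'
# scrub appended after the filter rules, plus two macros never defined
block in all
pass out all keep state
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from any to $ext_if keep state
scrub in all
EOF
echo "== good =="; pf_order_check "$good" && echo "no problems found"
echo "== bad ==";  pf_order_check "$bad"  || echo "problems found (expected)"
rm -f "$good" "$bad"
```

The checker is deliberately conservative: anything it does not recognise is reported and skipped rather than guessed at, so a clean run means "nothing obviously out of order", not "pfctl will accept it". Tables (table <name> ...) are recognised but never position-checked, matching the manual page's exemption.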



## mj12net (Apr 17, 2014)

kpa said:

> Yes. Put the scrub rule in too:
>
> ...



This worked, thanks.


----------

