# How to enable PF?



## Trojan (May 3, 2009)

Please help me to solve the problem with enabling PF on FreeBSD 7.1. I added in /etc/rc.conf:  

*pf_enable="YES"
pf_rules="/etc/pf.conf"*

but when I run pfctl -f /etc/pf.conf, the following message appears :


```
shlus# pfctl -f /etc/pf.conf
pfctl: /dev/pf: No such file or directory.
```
 
I checked the content of  /etc directory and there no pf.conf file indeed. 

What should I do for enabling PF?


----------



## mwatkins (May 3, 2009)

As a general rule of thumb, always check the man pages.

man pf.conf

Look at the bottom of the page - you'll see a section titled "FILES".


```
FILES
     /etc/hosts              Host name database.
     /etc/pf.conf            Default location of the ruleset file.
     /etc/pf.os              Default location of OS fingerprints.
     /etc/protocols          Protocol name database.
     /etc/services           Service name database.
     [B]/usr/share/examples/pf  Example rulesets.[/B]
```

You'll find a pf.conf *example* in there.

Don't blindly enable, particularly if the machine is remote to you and you don't have console access. You may find yourself locked out.

If you search the forum here no doubt you'll find a practical testing solution that involves firing up the test rule set, sleeping, and then disabling pf after X seconds. Worth doing while learning.


----------



## SirDice (May 3, 2009)

The kernel module is probably not loaded.


```
# kldload pf
```

Or start pf using the rc script:

```
# /etc/rc.d/pf start
```


----------



## Trojan (May 5, 2009)

mwatkins said:
			
		

> As a general rule of thumb, always check the man pages.
> 
> man pf.conf
> 
> ...


There is a pf.conf file in /usr/share/examples/pf directory. Should I copy it to /etc directory so that PF could be enabled? If yes, is it enough for enabling PF?



			
				SirDice said:
			
		

> The kernel module is probably not loaded.
> 
> 
> ```
> ...


When I run this command no messages are appeared.


```
shlus# kldload pf
shlus#
```


----------



## SirDice (May 5, 2009)

Trojan said:
			
		

> There is a pf.conf file in /usr/share/examples/pf directory. Should I copy it to /etc directory so that PF could be enabled? If yes, is it enough for enabling PF?


No, you should use that as an example and create your own /etc/pf.conf. See pf.conf(5).




> When I run this command no messages are appeared.
> 
> ```
> shlus# kldload pf
> ...


That's ok. You can see if it's loaded with *kldstat*.


----------



## Trojan (May 5, 2009)

SirDice said:
			
		

> No, you should use that as an example and create your own /etc/pf.conf. See pf.conf(5).


Well, if I'll just copy that file and paste it to /etc directory and then edit it according to my needs, will the PF works afterwards?

I suppose there is no difference between creating the new /etc/pf.conf file and copying/pasting the existing one. Am I right or mistaken?


----------



## DutchDaemon (May 5, 2009)

There are gradations in 'PF works'. It can mean: "Yes, pf is running, but nobody can get in or out" or "Yes, pf is running, but everybody can get in and out" and "Yes, I'll read pf.conf(5) now, so I don't have to ask the same question four times in a row, just to get the same advice". Don't take shortcuts when it comes to security and firewalling. You'll regret it.


----------



## Djn (May 5, 2009)

It's just a plain text file, so either way works fine.


----------



## Trojan (May 6, 2009)

So, I copied/pasted the pf.conf file from /usr/share/examples/pf to /etc. 
Now when I run pfctl -f /etc/pf.conf and kldload pf I get the next:


```
shlus# pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
shlus# kldload pf
kldload: can't load pf: File exists
```

Some questions:

1. Is it normal that no ALTQ support in kernel and ALTQ related functions is disabled?
2. Why kldload can't load pf if file exists? 
3. Does t have any effect on PF work?


----------



## mwatkins (May 6, 2009)

ALTQ is optional. You'll only know you need it when you know more. In your paste above pf.ko is already loaded. Loading it again results in the error message.

Up thread DutchDaemon said two key things:

1. There are variations in what "works" means when it comes to any firewall; what "works" for you will not be the same for me.
2. Read the man pages.

http://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5#QUEUEING/ALTQ

Hopefully you are experimenting on a box which is sitting in front of you, so that you have access to the local console. Unless you take steps to protect yourself, experimenting with firewall rules is likely to result in you locking yourself and everyone else from gaining network access.

If the box isn't sitting right in front of you, search the forums for a solution (hint, involves running rules, sleep for X number of seconds, disabling pf)


----------



## nikobordx (May 6, 2009)

Hi,

1. I don't know, I've always known FreeBSD without ALTQ enabled by default.
2. The pf module are certainly already loaded !
3. Probably ...

Add this to your kernel config file and rebuild it:


```
# Firewall
device		pf
device		pflog
device		pfsync

# altq
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build
```

Nicolas.


----------



## halplus (May 14, 2009)

> When I run this command no messages are appeared.
> 
> 
> ```
> ...



try:

```
shlus# kldstat
```

to list the loaded modules


----------



## Trojan (May 18, 2009)

Finally I enabled PF and ALTQ with rebuilding the kernel but now the question: is rebuilding the kernel is the only way to enable PF and ALTQ? Is it possible to enable these features durin instalation of operating system?


----------



## icer (May 18, 2009)

Trojan said:
			
		

> Is it possible to enable these features durin instalation of operating system?


no, you have to reconigure kernel and install new kernel.


----------



## DutchDaemon (May 18, 2009)

To be precise: PF is built-in (kernel loadable module), ALTQ is add-on (custom kernel required).


----------



## Oko (May 19, 2009)

Trojan said:
			
		

> Finally I enabled PF and ALTQ with rebuilding the kernel but now the question: is rebuilding the kernel is the only way to enable PF and ALTQ? Is it possible to enable these features during installation of operating system?



PF version shipped with FreeBSD is quite outdated and lacks many features of OpenBSD version. Also the only way to enable ALTQ is by recompiling kernel. ALTQ is part of generic OpenBSD kernel.

I do not want to piss people of on FreeBSD forum but OpenBSD is just far better tool for firewall than FreeBSD. That doesn't mean that FreeBSD doesn't have gazillion of other strengths.


----------



## SirDice (May 19, 2009)

Oko said:
			
		

> PF version shipped with FreeBSD is quite outdated and lacks many features of OpenBSD version.


Which ones? 



> I do not want to piss people of on FreeBSD forum but OpenBSD is just far better tool for firewall than FreeBSD.


I would disagree. Many people don't need all those 'new' features. There's really no added benefit in running OpenBSD as a firewall. I would also argue that OpenBSD performs like a snail on Valium.


----------



## Oko (May 19, 2009)

SirDice said:
			
		

> Which ones?
> I would disagree. Many people don't need all those 'new' features.


PF implementation shipped with 4.5 is about twice as fast as the one which was shipped with OpenBSD 3.7. FreeBSD version of PF is not much beyond that. Who would not benefit from the faster PF? 
FreeBSD Desktop users who have a single machine attached to Internet? 



			
				SirDice said:
			
		

> There's really no added benefit in running OpenBSD as a firewall.


Sure 



			
				SirDice said:
			
		

> I would also argue that OpenBSD performs like a snail on Valium.


Where? On the firewall. I just told you that OpenBSD is twice as fast as FreeBSD as a firewall solution. I have never suggested anybody running large data-base on OpenBSD.


----------



## SirDice (May 19, 2009)

Oko said:
			
		

> PF implementation shipped with 4.5 is about twice as fast as the one which was shipped with OpenBSD 3.7. FreeBSD version of PF is not much beyond that.


For RELENG_7 it's 4.1 actually, not 3.7

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/?only_with_tag=RELENG_7_BP
http://pf4freebsd.love2party.net/

Unfortunately time's probably too short for 4.5 to make it into 8.0-RELEASE:
http://lists.freebsd.org/pipermail/freebsd-pf/2009-May/005145.html

Perhaps you should do your measurements again?


----------



## Oko (May 19, 2009)

SirDice said:
			
		

> For RELENG_7 it's 4.1 actually, not 3.7
> 
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/?only_with_tag=RELENG_7_BP
> http://pf4freebsd.love2party.net/
> ...


On average OpenSSH and PF shipped with FreeBSD will be at least 
one year behind their *original* implementations in OpenBSD.
That seems has never been an issue for FreeBSD users so why would I worry about it. I don't even use FreeBSD


----------

