The OpenBSD Packet Filter has been integrated in NetBSD since July 2004 and the first supporting release was NetBSD 3.0. Usage of PF in NetBSD is basically the same as in OpenBSD, but there are a few differences. This page tries to explain the differences and provides additional information about the port and integration of PF in NetBSD. NetBSD 4.0 includes PF from OpenBSD 3.7 with patches from the 3.7 branch. NetBSD 3.0 was the first release with official support for PF. It includes PF from OpenBSD 3.6 with patches from the 3.6 branch. To use PF, you don't need to compile your own kernel, you can use the LKM /usr/lkm/pf.o. Use &man.modload.8; to load the LKM: # modload /usr/lkm/pf.o But if you prefer to use PF in the kernel, then you need least the following option enabled: options PFIL_HOOKS # &man.pfil.9; packet filter hooks This option should be enabled in the GENERIC kernel by default. To enable PF in the kernel, the following pseudo-devices should be added to the kernel configuration: pseudo-device pf # PF packet filter pseudo-device pflog # PF log interface If you're not interested in logging packets with PF, then you might want to leave out the pflog device. You need to recompile and install the kernel for the settings to take effect. To enable PF at boot-time, set pf=YES in /etc/rc.conf. Please note that the boot procedure will be aborted if the PF configuration file doesn't exist (see also Configuration). To start, stop, restart or reload PF manually, you can use the rc.d script /etc/rc.d/pf. To enable &man.pflogd.8; (the pf logging daemon) at boot-time, set pflogd=YES in /etc/rc.conf. To start, stop or restart &man.pflogd.8; manually, you can use the rc.d script /etc/rc.d/pflogd. To load the LKM at boot-time, you need to set lkm=YES in /etc/rc.conf and add the following line to /etc/lkm.conf: /usr/lkm/pf.o - - - - BEFORENET If /usr is on another partition from the root partition, you'll also need to add the following to /etc/rc.conf: critical_filesystems_local="${critical_filesystems_local} /usr" The default configuration file is /etc/pf.conf. This can be changed by setting the variable pf_rules in /etc/rc.conf. The initial configuration file is /etc/defaults/pf.boot.conf. This configuration is only used during the network configuration to protect the machine from possible attacks. You can override the default initial configuration by creating a file named /etc/pf.boot.conf, but that should not be needed in most setups. Please see &man.pf.boot.conf.5; for more information about this file. The syntax of both configuration files are described in the manual page &man.pf.conf.5;. PF in bridging mode is supported, but you need to compile a new kernel to enable packet filtering on a bridge. The following line should be added to the kernel configuration: options BRIDGE_IPF # bridge uses IP/IPv6 pfil hooks too Configure the bridge as described in the NetBSD Guide. Then use the &man.brconfig.8; command to enable packet filtering on the bridge: # brconfig bridgeN ipf The "ipf" option also applies to PF, because this option actually enables the &man.pfil.9; interface. PF should now be able to filter packets on the interfaces configured as the bridge. Note that it's only needed to filter on one interface because the same data goes through both interfaces. Using ALTQ in PF is supported since NetBSD 4.0. The following kernel options are relevant: options ALTQ # Manipulate network interfaces' output queues options ALTQ_CBQ # Class-Based Queueing options ALTQ_HFSC # Hierarchical Fair Service Curve options ALTQ_PRIQ # Priority Queueing options ALTQ_RED # Random Early Detection Please note that you must compile pf in the kernel, using the PF LKM and ALTQ in the kernel will not work. For the configuration of ALTQ is nothing special needed, just follow the documentation to setup the rules. Some example rules can be found in /usr/share/examples/pf. There are a few differences in PF for NetBSD when compared to OpenBSD. Most of them are missing features. pfsync(4) is not supported (due to protocol # assignment issues). This will hopefully be solved in a future release. ALTQ is supported since NetBSD 4.0. carp(4) is supported since NetBSD 4.0. The 'group' keyword does nothing, because NetBSD doesn't keep the GID in the uidinfo structure. This issue will probably be solved in a future release. Filtering on route labels is not working, NetBSD doesn't have labels for routes. It is unknown whether this will be supported in a future release or not. The initial configuration file &man.pf.boot.conf.5; is a NetBSD specific file. OpenBSD loads the initial configuration for PF from /etc/rc which is a bit clumsy in case you need to change it. For this reason has NetBSD added a new file for the initial PF configuration. spamd was orginally imported into NetBSD, but it was removed before 3.0 was released. It is not considered to be part of PF and has been made available via pkgsrc (mail/spamd). OpenBSD PF User's Guide Peter N. M. Hansteen's Firewalling with PF PF loadable kernel module for NetBSD 2 &man.pf.4; - packet filter &man.pflog.4; - packet filter logging interface &man.pf.boot.conf.5; - initial configuration for packet filter &man.pf.conf.5; - packet filter configuration file &man.pf.os.5; - format of the operating system fingerprints file &man.authpf.8; - authenticating gateway user shell &man.ftp-proxy.8; - Internet File Transfer Protocol proxy server &man.pfctl.8; - control the packet filter (PF) and network address translation (NAT) device &man.pflogd.8; - packet filter logging daemon