OpenBSD enables PF by default at system boot with these rc.conf variables:

pf=YES
pf_rules=/etc/pf.conf

To disable PF at boot, set pf to NO in rc.conf.local.
The default configuration file for PF is /etc/pf.conf. There’s nothing special about this file—it’s just a standard location. The pf(4) kernel interface doesn’t read the file directly; the PF control program pfctl(8) reads the file and sends the configuration to the kernel.
The default PF configuration (hard-coded in /etc/rc) blocks all network traffic except for ICMP and SSH. During boot, PF replaces those defaults with rules from /etc/pf.conf. If an error in pf.conf renders the file unparsable when the system boots, PF can’t load those rules; instead, it retains the default configuration. You’ll be able to connect to your machine to correct your rules, but that’s about it. (And, as anyone who administers remote firewalls can tell you, this ability can save you a lot of driving and phone calls.)
Running PF by default, even with a permissive ruleset, cleans up incoming traffic before the rest of the kernel has to deal with it. PF reassembles packets before handing them to the kernel, and obviously bogus traffic, such as packets too short to be legitimate, is discarded.
If you want to forward packets between interfaces (that is, act like a “firewall”), tell the kernel to forward packets with the net.inet.ip.forwarding and net.inet6.ip6.forwarding sysctls. (See /etc/sysctl.conf for commented-out examples.)

#net.inet.ip.forwarding=1
#net.inet6.ip6.forwarding=1

Remove the pound signs and reboot, or use sysctl(8) to enable and disable packet forwarding on the fly.
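The lockout scenario above (an unparsable pf.conf silently leaving the /etc/rc defaults in place) is easy to avoid by parsing the ruleset before it is ever loaded. The following shell functions are an added example, not from the book or from OpenBSD itself; they assume a stock layout with /etc/pf.conf and that they run as root.

```shell
#!/bin/sh
# Added example, not from the original text: guard against the lockout the
# text describes by parsing pf.conf (pfctl -nf) before it is loaded, and
# toggle forwarding on the fly with sysctl(8). Assumes a stock OpenBSD
# layout (/etc/pf.conf) and that the functions run as root.

# pf_check FILE: parse the ruleset without touching the kernel. Exit status
# is pfctl's, so a syntax error returns non-zero and prints the bad line.
pf_check() {
    pfctl -nf "${1:-/etc/pf.conf}"
}

# pf_load FILE: load the ruleset only after pf_check succeeds, so a typo
# never leaves you with the hard-coded /etc/rc defaults at the next boot.
pf_load() {
    rules=${1:-/etc/pf.conf}
    if pf_check "$rules"; then
        pfctl -f "$rules"
    else
        echo "pf_load: refusing to load $rules (parse failed)" >&2
        return 1
    fi
}

# set_forwarding 0|1: flip both IPv4 and IPv6 forwarding without a reboot.
# Edit /etc/sysctl.conf as well if the change should survive the next boot.
set_forwarding() {
    case "$1" in
        0|1) ;;
        *) echo "usage: set_forwarding 0|1" >&2; return 2 ;;
    esac
    sysctl net.inet.ip.forwarding="$1" >/dev/null &&
        sysctl net.inet6.ip6.forwarding="$1" >/dev/null
}

# Typical use after editing the ruleset:
#   pf_load /etc/pf.conf && set_forwarding 1
```

Running pf_check before every reboot is the cheap habit that keeps a remote box reachable on more than just SSH.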