31.4 The OpenBSD Packet Filter (PF) and ALTQ

Revised and updated by John Ferrell.

As of July 2003 the OpenBSD firewall software application known as PF was ported to FreeBSD and made available in the FreeBSD Ports Collection. Released in 2004, FreeBSD 5.3 was the first release that contained PF as an integrated part of the base system. PF is a complete, full-featured firewall that has optional support for ALTQ (Alternate Queuing). ALTQ provides Quality of Service (QoS) functionality.

The OpenBSD Project does an outstanding job of maintaining the PF FAQ. As such, this section of the Handbook will focus on PF as it pertains to FreeBSD while providing some general information regarding usage. For detailed usage information please refer to the PF FAQ.

More information about PF for FreeBSD can be found at http://pf4freebsd.love2party.net/.

31.4.1 Using the PF loadable kernel modules

To load the PF Kernel Module add the following line to /etc/rc.conf:

pf_enable="YES"

Then run the startup script to load the module:

# /etc/rc.d/pf start

Note that the PF Module will not load if it cannot find the ruleset config file. The default location is /etc/pf.conf. If the PF ruleset is located somewhere else, PF can be instructed to look there by adding a line like the following to /etc/rc.conf:

pf_rules="/path/to/pf.conf"

The sample pf.conf can be found in /usr/share/examples/pf/.

The PF module can also be loaded manually from the command line:

# kldload pf.ko

Logging support for PF is provided by the pflog.ko and can be loaded by adding the following line to /etc/rc.conf:

pflog_enable="YES"

Then run the startup script to load the module:

# /etc/rc.d/pflog start

If you need other PF features you will need to compile PF support into the kernel.

31.4.2 PF kernel options

While it is not necessary that you compile PF support into the FreeBSD kernel, you may want to do so to take advantage of one of PF's advanced features that is not included in the loadable module, namely pfsync(4), which is a pseudo-device that exposes certain changes to the state table used by PF. It can be paired with carp(4) to create failover firewalls using PF. More information on CARP can be found in Section 32.14 of the Handbook.

The PF kernel options can be found in /usr/src/sys/conf/NOTES and are reproduced below:

device pf
device pflog
device pfsync

The device pf option enables support for the Packet Filter firewall (pf(4)).

The device pflog option enables the optional pflog(4) pseudo network device which can be used to log traffic to a bpf(4) descriptor. The pflogd(8) daemon can be used to store the logging information to disk.

The device pfsync option enables the optional pfsync(4) pseudo-network device that is used to monitor state changes.

31.4.3 Available rc.conf Options

The following rc.conf(5) statements configure PF and pflog(4) at boot:

pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup

If you have a LAN behind this firewall and have to forward packets for the computers on the LAN or want to do NAT, you will need the following option as well:

gateway_enable="YES"            # Enable as LAN gateway

31.4.4 Creating Filtering Rules

PF reads its configuration rules from pf.conf(5) (/etc/pf.conf by default) and it modifies, drops, or passes packets according to the rules or definitions specified there. The FreeBSD installation includes several sample files located in /usr/share/examples/pf/. Please refer to the PF FAQ for complete coverage of PF rulesets.

Warning: When browsing the PF FAQ, please keep in mind that different versions of FreeBSD can contain different versions of PF. Currently, FreeBSD is using the same version of PF as OpenBSD 4.1.

The FreeBSD packet filter mailing list is a good place to ask questions about configuring and running the PF firewall. Do not forget to check the mailing list archives before asking questions!

31.4.5 Working with PF

Use pfctl(8) to control PF. Below are some useful commands (be sure to review the pfctl(8) man page for all available options):

Command Purpose
pfctl -e Enable PF
pfctl -d Disable PF
pfctl -F all -f /etc/pf.conf Flush all rules (nat, filter, state, table, etc.) and reload from the file /etc/pf.conf
pfctl -s [ rules | nat | state ] Report on the filter rules, nat rules, or state table
pfctl -vnf /etc/pf.conf Check /etc/pf.conf for errors, but do not load ruleset

31.4.6 Enabling ALTQ

ALTQ is only available by compiling support for it into the FreeBSD kernel. ALTQ is not supported by all of the available network card drivers. Please see the altq(4) manual page for a list of drivers that are supported in your release of FreeBSD.

The following kernel options will enable ALTQ and add additional functionality:

options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

options ALTQ enables the ALTQ framework.

options ALTQ_CBQ enables Class Based Queuing (CBQ). CBQ allows you to divide a connection's bandwidth into different classes or queues to prioritize traffic based on filter rules.

options ALTQ_RED enables Random Early Detection (RED). RED is used to avoid network congestion. RED does this by measuring the length of the queue and comparing it to the minimum and maximum thresholds for the queue. If the queue is over the maximum all new packets will be dropped. True to its name, RED drops packets from different connections randomly.

options ALTQ_RIO enables Random Early Detection In and Out.

options ALTQ_HFSC enables the Hierarchical Fair Service Curve Packet Scheduler. For more information about HFSC see: http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html.

options ALTQ_PRIQ enables Priority Queuing (PRIQ). PRIQ will always pass traffic that is in a higher queue first.

options ALTQ_NOPCC enables SMP support for ALTQ. This option is required on SMP systems.