PF (firewall)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
PF
Original author(s)Daniel Hartmeier
Developer(s)The OpenBSD Project
Initial release1 December 2001; 16 years ago (2001-12-01)
Repository Edit this at Wikidata
Written inC
Operating systemOpenBSD
TypePacket filtering
LicenseBSD license
Websitewww.openbsd.org/faq/pf/index.html


PF (Packet Filter, also written pf) is a BSD licensed stateful packet filter, a central piece of software for firewalling. It is comparable to netfilter (iptables), ipfw, and ipfilter.

PF was developed for OpenBSD, but has been ported to many other operating systems.

History[edit]

PF was originally designed as replacement for Darren Reed's IPFilter, from which it derives much of its rule syntax. IPFilter was removed from OpenBSD's CVS tree on 30 May 2001 due to OpenBSD developers' concerns with its license.[1]

The initial version of PF was written by Daniel Hartmeier.[2] It appeared in OpenBSD 3.0, which was released on 1 December 2001.[3]

It was later extensively redesigned by Henning Brauer and Ryan McBride[4] with most of the code written by Henning Brauer. Henning Brauer is currently the main developer of PF.

Features[edit]

The filtering syntax is similar to IPFilter, with some modifications to make it clearer. Network Address Translation (NAT) and Quality of Service (QoS) have been integrated into PF, QoS by importing the ALTQ queuing software and linking it with PF's configuration. Features such as pfsync and CARP for failover and redundancy, authpf for session authentication, and ftp-proxy to ease firewalling the difficult FTP protocol, have also extended PF. Also PF supports SMP (Symmetric multiprocessing) & STO (Stateful Tracking Options).

One of the many innovative features is PF's logging. PF's logging is configurable per rule within the pf.conf and logs are provided from PF by a pseudo-network interface called pflog, which is the only way to lift data from kernel-level mode for user-level programs. Logs may be monitored using standard utilities such as tcpdump, which in OpenBSD has been extended especially for the purpose, or saved to disk in the tcpdump/pcap binary format using the pflogd daemon.

Ports[edit]

Apart from running on its home platform OpenBSD, PF has been ported to many other operating systems, however there are major differences in capabilities. Some ports date back many years. OpenBSD always has the latest version with the most features.

PF is currently used in:

See also[edit]

References[edit]

  1. ^ de Raadt, Theo (2001-05-30). "CVS: cvs.openbsd.org: src; Remove ipf". Retrieved 2018-08-20.
  2. ^ Hartmeier, Daniel (2017-09-26). "A new stateful packet filter for OpenBSD". Retrieved 2018-08-20.
  3. ^ "OpenBSD 3.0". 2001-12-01. Retrieved 2018-08-20.
  4. ^ Brauer, Henning. "Henning Brauer Consulting: pf". Retrieved 2018-08-20.
  5. ^ "FreeBSD/amd64 5.3-RELEASE Release Notes". 2004-11-03. Retrieved 2018-08-20.
  6. ^ "xnu/xnu-1456.1.26/bsd/net/pf.c.auto.html". Apple, Inc. 2008-12-05. Retrieved 2018-08-20.
  7. ^ "Changes and NetBSD News in 2005: 23 Dec 2005 - NetBSD 3.0 released". Retrieved 2018-08-20.
  8. ^ "pf(4) manual page". DragonFly Kernel Interfaces Manual. 2011-01-02. Retrieved 2018-08-20.
  9. ^ "Introduction to Packet Filter". Securing the Network in Oracle® Solaris 11.3. Oracle Corporation. March 2018. Retrieved 2018-08-20.

Books[edit]

External links[edit]