OpenBSD Firewall

This is a basic summary for installing OpenBSD and setting it up as a firewall/gateway using PF.

Installing Server

Use amd64 OpenBSD 4.9

Accept all defaults except for the following:

  • At system hostname use fw
  • Type in root password
  • Type no for X window System
  • Type administrator for setup user
  • Type in administrator password
  • When formatting the disk use (W)hole then (A)uto layout


Log in as root and edit the following files:

(See Browse configuration files)

PF Configuration

The PF configuration makes use of PF anchors. The file tree is:

  • /etc/pf.conf - Main PF Configuration file

  • /etc/pf.conf.old - Old Main PF Configuration file for reference

  • /etc/pf/ - folder containing the rest of the configuration

    • global.txt - contains some global options and definitions

    • anc/ - contains anchors for PF
      • core_bullard/ - firewall specific rules
        • pf.txt - rules about passing firewall traffic
        • tab/self.txt - contains fw’s IP
      • net/ - rules for all traffic
        • pf.txt - Rules for passing allowed ports
        • ports.txt - file describing what each port is used for
      • <server>/ - anchor for each public IP
        • pf.txt - PF rules for specific anchor
          • tab/ - Tables for specific anchor
            • admin.txt - specific table for ssh access
            • blacklist.txt - specific blacklist
            • whitelist.txt - specific whitelist
    • tab/ - contains global tables
      • admin.txt - global table to allow ssh access
      • blacklist.txt - global blacklist
      • nat_for.txt - table containing all NATed addresses
      • whitelist.txt - global whitlist


To restart the networking (in case something gets unplugged) run in the following order:

sudo pfctl -f /etc/pf.conf
sudo sh /etc/netstart

To view loaded rules (to use in conjunction with Monitoring below) run:

sudo pfctl -g -s rules

And to view the rules in an anchor run:

sudo pfctl -a "<anchor name>" -g -s rules

where <anchor name> would be ubuntu-lb1 for example.

To check if an address is in a table, first list tables with:

sudo pfctl -s Tables

Then list the addresses in a table with:

sudo pfctl -t <table name> -T show

Where <table name> is a table from the previous command.

How the Template Works

Anchors are used for efficiency. Only packets that apply to an anchor go into it, so not all rules are read for each packet. Normal traffic is handled with the net anchor. All open outbound ports for normal traffic are listed here.

Each external IP (i.e. a server) has it’s own anchor (TEMPLATE.) Each anchor has its own separate whitelist, blacklist, and admin tables. Each anchor also has its own outbound and inbound ports (the net anchor does not affect the IPs in these anchors.)


Monitoring can be done with tcpdump To look at all traffice going through the firewall run:

sudo tcpdump -eee -n -i pflog0

To look at a single host:

sudo tcpdump -eee -n -i pflog0 host <ip address or dns name>

To look at a single port:

sudo tcpdump -eee -n -i pflog0 port <port>

These and more options can be chained with and and or:

sudo tcpdump -eee -n -i pflog0 net and port 80

View the man page for tcpdump for complete filtering usage.

Table Of Contents

Previous topic

Piwik Web Analytics

Next topic

Request Tracker Helpdesk

This Page