Configure PF Firewall on OpenBSD 7.5
PF (Packet Filter) is OpenBSD's built-in stateful firewall.
Basic /etc/pf.conf
# Macros. ext_if is kept for reference only: the rules below use the
# "egress" interface group, which PF resolves to whichever interface
# carries the default route.
ext_if = "em0"
tcp_services = "{ 80, 443 }"

# Addresses that tripped the SSH rate limit. "persist" keeps the table and
# its entries across ruleset reloads.
table <bruteforce> persist

# Options: answer blocked packets with TCP RST / ICMP unreachable ("drop"
# discards silently and gives scanners less to work with), log blocked
# traffic on the egress group, and leave loopback unfiltered.
set block-policy return
set loginterface egress
set skip on lo0

# Default deny, logging everything that is blocked (readable on pflog0).
block log all

# Hosts already in the table are rejected before the SSH rule below can pass
# them. Without this rule, overload only records the address and flushes its
# states; new connections would still be accepted.
block in quick on egress from <bruteforce>

# SSH with rate limiting: more than 15 concurrent connections, or more than
# 5 new connections within 3 seconds, from one source adds that source to
# <bruteforce> and flushes all of its states ("global", not only the SSH
# ones). No "inet" keyword here, so IPv6 clients get the same limit; port 22
# is deliberately not in $tcp_services, which would otherwise pass it
# without any limit.
pass in quick on egress proto tcp to port ssh \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)

# Other inbound services; PF keeps state by default.
pass in on egress proto tcp to port $tcp_services

# Ping. On an IPv6 host, neighbour discovery must also be allowed, or the
# host cannot be reached over IPv6 at all.
pass in on egress inet proto icmp icmp-type echoreq
pass in on egress inet6 proto icmp6 icmp6-type { echoreq, neighbrsol, neighbradv, routeradv }

# Everything outbound, with replies matched by state.
pass out all keep state
Apply the ruleset
Parse it first with -n, which reports errors without loading anything, then load it (the currently loaded ruleset stays in place if the load fails):
pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
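A loaded ruleset takes effect immediately, so one wrong rule on a remote host can cut off the very SSH session you are editing from. The script below is an added example, not part of this page or of OpenBSD: it parses the new file with pfctl -n, loads it, and reloads the previous known-good file unless you confirm from a still-working session within a grace period. It also wraps the table-expiry command, because entries that overload adds to <bruteforce> never age out on their own. pfctl(8) and its -n, -f, -t/-T flags are real; the script name, the PFCTL variable and the confirmation-file convention are this example's own assumptions.

```shell
#!/bin/sh
# pf-reload.sh: load a new PF ruleset with a timed rollback, so a mistake in
# the rules cannot lock you out of a remote host. Added example, not from the
# page. Assumes pfctl(8) is in PATH; PFCTL is overridable so the control flow
# can be exercised without PF (a test harness can stub it with a function).
PFCTL=${PFCTL:-pfctl}

# check_ruleset FILE: parse FILE without loading it (pfctl -n). 0 = clean.
check_ruleset() {
    "$PFCTL" -nf "$1"
}

# safe_reload NEW FALLBACK [GRACE] [CONFIRM]
#   Parses and loads NEW, then waits up to GRACE seconds (default 60) for
#   the operator to create CONFIRM (default /tmp/pf.confirm) from a session
#   that still works. If it never appears, FALLBACK (the last known-good
#   file, normally /etc/pf.conf) is reloaded.
#   Returns 0 = NEW kept, 1 = rejected or load failed, 2 = rolled back.
safe_reload() {
    new=$1
    fallback=$2
    grace=${3:-60}
    confirm=${4:-/tmp/pf.confirm}

    # Refuse to touch the kernel if either file fails to parse; a broken
    # FALLBACK would make the rollback itself fail.
    check_ruleset "$new" || { echo "$new: rejected by pfctl -n" >&2; return 1; }
    check_ruleset "$fallback" || { echo "$fallback: rejected by pfctl -n" >&2; return 1; }

    rm -f "$confirm"                 # a stale confirmation must not count
    "$PFCTL" -f "$new" || return 1
    echo "Loaded $new. Run 'touch $confirm' within ${grace}s to keep it." >&2

    i=0
    while [ "$i" -lt "$grace" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done

    echo "No confirmation after ${grace}s; reloading $fallback." >&2
    "$PFCTL" -f "$fallback"
    return 2
}

# expire_bruteforce [SECONDS]: drop <bruteforce> entries older than SECONDS
# (default one day). Entries added by overload never expire on their own;
# run this from cron so an address that changed hands is not blocked forever.
expire_bruteforce() {
    "$PFCTL" -t bruteforce -T expire "${1:-86400}"
}

# Usage: sh pf-reload.sh /etc/pf.conf.new /etc/pf.conf [60]
if [ $# -ge 2 ]; then
    safe_reload "$@"
fi
```

Run it as sh pf-reload.sh /etc/pf.conf.new /etc/pf.conf 60, then touch /tmp/pf.confirm from a second session; once satisfied, copy the new file over /etc/pf.conf so the boot-time load picks it up. A daily cron entry calling expire_bruteforce keeps the table from growing without bound. Packets logged by block log all can be read with tcpdump -n -e -ttt -i pflog0.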
Enable PF at boot
PF is already on by default (pf=YES in /etc/rc.conf), and /etc/rc loads /etc/pf.conf during boot, so nothing needs to be added to /etc/rc.conf.local. The variable only matters if you want PF off:
# In /etc/rc.conf.local, only to disable PF at boot:
pf=NO
Useful commands
pfctl -s all # show rules, states, tables, counters and options (-s rules for the rules alone)
pfctl -s state # show the state table
pfctl -t bruteforce -T show # list addresses caught by the SSH rate limit
pfctl -e # enable PF
pfctl -d # disable PF: filtering stops and every packet passes until -e is run again