pf for FreeBSD
Philip Payne
philip.payne at uk.mci.com
Tue Sep 28 02:09:25 PDT 2004
Hi,
> Hello folks,
> I want to install the packet filter for FreeBSD, so I recompiled the
> kernel with the options:
>
> device bpf
> options PFIL_HOOKS
> options RANDOM_IP_ID
>
> and installed pf from ports (I did a cvsup before installing to
> get the latest ports). Now my dilemma is ... in the pf start script ... I
> have to enter a prefix ... but what prefix, 'cause after installing and
> rebooting ... the modules that I want to load are still in the source
> directory. I installed pf with
>
> make WITH_ALTQ=yes
> make install
>
> After a deinstall I can't install it any more; the install
> crashes with the error that it is already installed!!
>
> What can I do??
I'm using pf without a problem. Not sure what exact version of FreeBSD 5.x
you're using. According to /usr/src/UPDATING, since 08-Mar-2004 pf has been
part of the base system and doesn't require the pf port to be installed. So,
a way forward could be to ensure you've updated to the latest 5.x version (cvs
tag RELENG_5). Then I suggest you read /usr/src/UPDATING, as it also contains
some info on the pf groups & users required.
I have the following devices in my kernel:
options PFIL_HOOKS   # an "options" line on 5.x, not a "device" line
device  pf
device  pflog
I have the following in /etc/rc.conf:
pf_enable="YES"
pflog_enable="YES"
pf_rules="<Path to rules>"
You will also need the authpf group and the _pflogd user & group. You can
get the details by downloading the latest source and checking the passwd &
group files under /usr/src/etc.
in /etc/passwd:
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
in /etc/group:
authpf:*:63:
_pflogd:*:64:
I will leave it to you on how you generate a ruleset. Personally I use
fwbuilder.org.
Thanks,
Phil.
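The checklist in Phil's reply (kernel lines, rc.conf knobs, the _pflogd user and the authpf/_pflogd groups) is easy to get subtly wrong, so here is an added example, not code from the thread or from FreeBSD, that verifies each item against files passed as arguments and writes a minimal default-deny ruleset of the kind pf_rules should point at. The interface name fxp0, the temp-file paths and the sample passwd/group/rc.conf contents in the demo are constructed assumptions; the checks are meant to be run against copies of the real files.

```shell
#!/bin/sh
# Added example for this thread, not code from the original poster or from
# FreeBSD itself. It checks the prerequisites Phil lists for pf on 5.x
# (kernel lines, rc.conf knobs, the _pflogd user and the authpf/_pflogd
# groups) against files passed as arguments, and writes a minimal
# default-deny ruleset for pf_rules. The interface name and file paths used
# in the demo at the bottom are assumptions.

# check_passwd_entry FILE NAME UID: 0 if FILE has a passwd line NAME:...:UID:...
check_passwd_entry() {
    awk -F: -v n="$2" -v u="$3" '$1 == n && $3 == u { found = 1 }
        END { exit !found }' "$1"
}

# check_group_entry FILE NAME GID: 0 if FILE has a group line NAME:*:GID:...
check_group_entry() {
    awk -F: -v n="$2" -v g="$3" '$1 == n && $3 == g { found = 1 }
        END { exit !found }' "$1"
}

# check_rc_var FILE VAR VALUE: 0 if FILE sets VAR="VALUE" (double quotes and a
# trailing # comment are tolerated; single-quoted values are not handled)
check_rc_var() {
    awk -F= -v v="$2" -v want="$3" '
        $1 == v {
            val = $2
            sub(/[ \t]*#.*$/, "", val)   # drop trailing comment
            gsub(/"/, "", val)           # drop surrounding quotes
            if (val == want) found = 1
        }
        END { exit !found }' "$1"
}

# check_kernel_conf FILE: 0 if the kernel config carries the three pf lines
# (PFIL_HOOKS is an "options" line on 5.x, not a "device")
check_kernel_conf() {
    awk '$1 == "device"  && $2 == "pf"         { pf = 1 }
         $1 == "device"  && $2 == "pflog"      { pflog = 1 }
         $1 == "options" && $2 == "PFIL_HOOKS" { hooks = 1 }
         END { exit !(pf && pflog && hooks) }' "$1"
}

# pf_prereqs PASSWD GROUP RCCONF: prints each missing item; exit status is
# the number of missing items (0 means everything is in place)
pf_prereqs() {
    missing=0
    check_passwd_entry "$1" _pflogd 64 || { echo "missing: _pflogd user (uid 64) in $1"; missing=$((missing + 1)); }
    check_group_entry  "$2" _pflogd 64 || { echo "missing: _pflogd group (gid 64) in $2"; missing=$((missing + 1)); }
    check_group_entry  "$2" authpf  63 || { echo "missing: authpf group (gid 63) in $2";  missing=$((missing + 1)); }
    check_rc_var "$3" pf_enable    YES || { echo "missing: pf_enable=\"YES\" in $3";    missing=$((missing + 1)); }
    check_rc_var "$3" pflog_enable YES || { echo "missing: pflog_enable=\"YES\" in $3"; missing=$((missing + 1)); }
    return $missing
}

# write_min_ruleset FILE IFACE: a minimal default-deny ruleset suitable as a
# first pf_rules file; blocked inbound packets are logged to pflog0, which is
# why pflog_enable is needed. Old pf needs "keep state" spelled out.
write_min_ruleset() {
    cat > "$1" <<EOF
# minimal default-deny ruleset (constructed example)
ext_if = "$2"
pass quick on lo0 all
scrub in all
block in log all
pass out keep state
pass in on \$ext_if proto tcp from any to (\$ext_if) port ssh keep state
EOF
}

# syntax_check_ruleset FILE: parse with pfctl -n (no load) when pfctl exists
syntax_check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not available here; skipping syntax check of $1"
    fi
}

# --- demo on constructed sample files (not a live system) ---
tmp=$(mktemp -d)
printf '_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin\n' > "$tmp/passwd"
printf 'wheel:*:0:root\nauthpf:*:63:\n' > "$tmp/group"   # _pflogd group left out on purpose
printf 'pf_enable="YES"\npflog_enable="YES"\npf_rules="/etc/pf.conf"\n' > "$tmp/rc.conf"
n=0; pf_prereqs "$tmp/passwd" "$tmp/group" "$tmp/rc.conf" || n=$?
echo "$n prerequisite(s) missing"
write_min_ruleset "$tmp/pf.conf" fxp0 && syntax_check_ruleset "$tmp/pf.conf"
rm -rf "$tmp"
```

On a real box, point the functions at /etc/passwd, /etc/group, /etc/rc.conf and the kernel config you built from, fix whatever pf_prereqs reports, then load the ruleset with pfctl -f only after pfctl -nf parses it cleanly. The ruleset is deliberately tiny: loopback is passed, everything inbound is blocked and logged, outbound is stateful, and only ssh to the external interface's own address is let in.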