12.7.2. Making the Firewall Load the Firewall Policy After Reboot: pf

For OpenBSD pf, Firewall Builder puts the firewall policy in the file firewall.conf and the activation script in firewall.fw.

To activate the policy, copy both files to the directory /etc on the firewall machine using fwbinstaller. Fwbinstaller executes the activation script to install the policy immediately. The activation script not only loads PF rules, it also configures aliased IP addresses on the firewall's interfaces, which is important if you use multiple addresses for NAT and want Firewall Builder to configure them for you. It also sets kernel parameters defined in the "Network" tab of the firewall dialog (such as IP forwarding). To make the firewall activate the policy at boot time, call the firewall script from the file /etc/rc.local, as follows:


If you do not want to use the activation script provided by Firewall Builder, you can use standard mechanisms supplied by OpenBSD. Edit the file /etc/rc.conf as follows:

pf=YES                          # Packet filter / NAT
pf_rules=/etc/firewall.conf     # Packet filter rules file
pflogd_flags=                   # add more flags, i.e. "-s 256"
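
As an added example (not part of the Firewall Builder documentation or code), this shell function checks that an rc.conf-style file enables pf and points pf_rules at the Firewall Builder rules file, and that the rules file is readable and not world-writable. The function names and the temporary sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that pf will load the Firewall Builder policy at boot.
# Function names are illustrative; this is not Firewall Builder's own code.

# rc_value FILE KEY: print the last value assigned to KEY,
# with the trailing comment, trailing spaces and surrounding quotes removed.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" |
        tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# check_pf_boot RCCONF EXPECTED_RULES: return 0 only if pf is enabled,
# pf_rules names EXPECTED_RULES, and that file is readable and not world-writable.
check_pf_boot() {
    rcconf=$1 expected=$2 rc=0
    pf=$(rc_value "$rcconf" pf)
    rules=$(rc_value "$rcconf" pf_rules)

    if [ "$pf" != "YES" ]; then
        echo "FAIL: pf=$pf (packet filter not enabled at boot)"; rc=1
    fi
    if [ "$rules" != "$expected" ]; then
        echo "FAIL: pf_rules=$rules, expected $expected"; rc=1
    fi
    if [ ! -r "$expected" ]; then
        echo "FAIL: $expected missing or unreadable"; rc=1
    elif [ -n "$(find "$expected" -perm -002 2>/dev/null)" ]; then
        echo "FAIL: $expected is world-writable"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: pf will load $expected at boot"
    return "$rc"
}

# Constructed sample input: the rc.conf lines from this page, pointed at a temp rules file.
demo=$(mktemp -d)
printf 'block all\n' > "$demo/firewall.conf"
printf 'pf=YES   # Packet filter / NAT\npf_rules=%s   # Packet filter rules file\n' \
    "$demo/firewall.conf" > "$demo/rc.conf"
check_pf_boot "$demo/rc.conf" "$demo/firewall.conf"
rm -rf "$demo"
```

On the firewall itself, call `check_pf_boot /etc/rc.conf /etc/firewall.conf`; `pfctl -nf /etc/firewall.conf` then parses the rules file without loading it.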

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.