Shortcuts

Search Users Guide

6.3.3. Information Regarding PF Import
Prev Next

6.3.3. Information Regarding PF Import

Most firewall platforms like iptables, Cisco ASA, etc. are designed based on a first match and exit paradigm and these firewalls also usually have an implicit "deny all" rule as the last rule in the firewall. This means that anything that is not explicitly allowed is denied. Firewall Builder is also designed with this approach and we even add an explicit "deny all" rule as our final entry in the firewall rules to enforce this behavior.

PF is a bit unique in that it does not require first match and exit behavior. You can force match and exit behavior by using the "quick" keyword, but by default traffic in a PF firewall will traverse all rules and each time a rule is matched the action or other parameters are updated. Once the entire rule set has been evaluated the packet is checked to see what parameter values have been set and and the firewall will act based on those parameters.

When Firewall Builder generates a PF policy, we always use the "quick" command and we add a "block all" command at the end of the configuration file. This makes PF behave the same way as other firewalls that we configure which helps to maintain consistency across platforms. The problem that arises is when we need to import a pf.conf configuration that has "block all" at the top of the configuration and that does not make use of the "quick" command. Since we don't generate rules this way we don't have a way to import configurations that use this format.

Example of PF configuration that IS NOT supported

The following is an example of a pf.conf style that cannot be imported into Firewall Builder. 

  block in log
  pass out keep state
  pass in on em0 proto tcp from any to self port 22 keep state
  pass in on em0 proto udp from any to self port 53 keep state

Example of PF configuration that IS supported

The following is an example of a pf.conf style that is supported for importing into Firewall Builder. 

  pass out keep state
  pass in quick on em0 proto tcp from any to self port 22 keep state
  pass in quick on em0 proto udp from any to self port 53 keep state
  block in log
Prev  Up  Next
6.3.2. iptables Import Example  Home  Chapter 7. Firewall Policies
 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.