The BSD PF firewall

secure networking with PF firewall

The PF firewall is one of the most powerfull open-source firewall systems. PF is part of OpenBSD, NetBSD and FreeBSD (incl. kGNU/FreeBSD via Debian) and since version 10.7 'Lion' also part of MacOS X.

This training give an introduction into building firewall systems using the 'pf' firewall system. Included in the training are advanced topics such as redunant firewall-cluster and load-balancing.

The training covers the use of the pf-firewall in IPv4 and IPv6 networks.

Trainer und Dozenten

The trainer, Carsten Strotmann, has more than 15 years experience in working with Linux/Unix and DNS in TCP/IP networks. Carsten Strotmann designs, implements and operates firewall systems using commercial- and open-source software since 1997.


This training is designed for system administrators with experience and knowledge on Unix/Linux/BSD-Unix system administration and IP networking (IPv4 or IPv6).

Almost all topics listed below will be covered in hands-on exercises during the training. Every attendee can follow on his/her own laptop or can use the laptops provided. Please be aware that experience with Unix/Linux is required to follow along with some of the advanced exercises.

The required network knowledge can be learned in the

The system administration knowledge can be gained from



the history of the pf firewall

firewall overview

  • Packet Filter
  • Application Level Gateway
  • Stateful Packet Inspection
  • State-Table in firewalls

use-cases for firewall systems

  • perimeter firewall
  • internal firewall
  • host-firewall

the pf-firewall on different operating systems

  • OpenBSD
  • NetBSD
  • FreeBSD
  • MacOS X

pf-firewall basics

  • enable the pf-firewall
  • a simple ruleset for a host-firewall
  • flushing and loading of firewall rules
  • pf-firewall logging (pflog)
  • macros and lists in the firewall ruleset
  • how to write a readable ruleset
  • firewall ruleset documentation
  • Block Policy: 'drop' or 'return'
  • tagging -- marking network packets

IPv4 filter

  • ICMPv4
  • FTP
  • Network Address Translation (NAT)
  • Routing protocols

IPv6 filter

  • ICMPv6
  • IPv6 multicast

dynamic rulesets

  • dynamic adapting firewall rules
  • the 'tables' datastructure

load-balancing and quality of service

  • load-balancing of incoming traffic to a cluster of servers
  • denial-of-service attack mitigation
  • DNS load-balancing

PF-firewall high availability

  • state-table sync with a firewall-cluster
  • the CARP-protocol
  • Updating a firewall cluster

transparent proxy

  • spamfilter with PF-Firewall
  • transparent HTTP-Proxy
  • authenticating users to the firewall

PF-Firewall monitoring

  • Monitoring tools
  • Alarm on attacks
  • Reporting
  • network traffic accounting

PF-Firewall tricks

  • filter based on operating-systems (OS-Fingerprinting)
  • Port-Knocking