fuckit756
July 7th, 2003, 16:52
Hello everyone. Excuse my bad English, I'm French. I want to set up an OpenBSD firewall for my LAN, behind an ADSL (512/128) router. In my LAN, I have a webserver. These rules work fine, but I want to know if I can optimize them. This is my network:

[Internet]---[Router]---[OBSD Firewall]---[Private LAN + Webserver]
10.0.0.0 192.168.1.0

My rules are:

### VARIABLES ###

Ext = "ne4" # Router-OBSD
Int = "ne3" # OBSD-LAN
IntNet = "192.168.1.0/24"
RouterIP = "192.168.1.1"
Loop = "lo0"
ServWeb = "192.168.1.2"

InServicesTCP = "{ ftp, auth, http, ssh }"

table <spammers> persist


### OPTIONS ###

set loginterface $Ext

set limit { states 10000, frags 5000 }

set optimization aggressive

scrub in on $Ext all fragment reassemble
scrub out on $Ext all random-id max-mss 1440


### ALTQ ###

altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)


### NAT & FORWARD ###

nat on $Ext from $IntNet to any -> $Ext static-port

rdr on $Int proto tcp from !$RouterIP to !$IntNet port 21 -> 127.0.0.1 port 8081

rdr on $Ext proto tcp from any to any port 80 -> $ServWeb
rdr on $Ext proto tcp from any to any port 757 -> $ServWeb

rdr-anchor redirect


### FILTER ###

block log on $Ext

block return log on $Ext

block log quick inet6

block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
block in log quick on $Ext inet proto tcp from any to any flags F/SFRA
block in log quick on $Ext inet proto tcp from any to any flags U/SFRAU

antispoof log quick for $Ext inet
antispoof log quick for $Int inet
antispoof log quick for $Loop inet

block log quick on $Ext from <spammers> to any

pass quick on $Loop

pass in quick on $Ext inet proto tcp from any to any port > 49151 user proxy flags S/SAFR keep state queue (q_def, q_pri)

pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state

pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SAFR keep state label ServicesTCP queue (q_def, q_pri)

anchor passin

pass out on $Ext proto tcp all flags S/SA modulate state queue (q_def, q_pri)
pass out on $Ext proto { udp, icmp } all keep state

SolarfluX
July 12th, 2003, 04:31
Looks pretty solid to me. I usually put the pass rule for unfiltered interfaces (int_if, lo0) a bit higher, but with a rule section that small, it shouldn't make much difference. Other than that, you may want to explore adding a table for all the bogon networks, I wouldn't rely completely on the 'antispoof' rules for spoofing protection. See the pf-r for more on bogons.

Is it ok if I post your pf.conf on the pf-r? A 'pfctl -sr' output would be nice too, just to see how pf interprets your pf.conf.

fuckit756
July 12th, 2003, 07:44
Thanks for your analysis, SolarfluX. I would be happy for you to add my pf.conf to the pf-r. A 'pfctl -sr' gives me:


scrub in on ne4 all fragment reassemble
scrub out on ne4 all random-id max-mss 1440 fragment reassemble
block drop log on ne4 all
block return log on ne4 all
block drop log quick inet6 all
block drop in log quick on ne4 inet proto tcp all flags FPU/FPU
block drop in log quick on ne4 inet proto tcp all flags FS/FSRA
block drop in log quick on ne4 inet proto tcp all flags /FSRA
block drop in log quick on ne4 inet proto tcp all flags F/FSRA
block drop in log quick on ne4 inet proto tcp all flags U/FSRAU
block drop in log quick on ! ne4 inet from 10.0.0.0/8 to any
block drop in log quick inet from 10.0.0.1 to any
block drop in log quick on ! ne3 inet from 192.168.1.0/24 to any
block drop in log quick inet from 192.168.1.1 to any
block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
block drop log quick on ne4 from <spammers> to any
pass quick on lo0 all
pass in quick on ne4 inet proto tcp from any to any port > 49151 user = 71 flags S/FSRA keep state queue(q_def, q_pri)
pass in quick on ne4 inet proto icmp all icmp-type echoreq code 0 keep state
pass in quick on ne4 inet proto tcp from any to any port = ftp flags S/FSRA keep state label "ServicesTCP" queue(q_def, q_pri)
pass in quick on ne4 inet proto tcp from any to any port = auth flags S/FSRA keep state label "ServicesTCP" queue(q_def, q_pri)
pass in quick on ne4 inet proto tcp from any to any port = www flags S/FSRA keep state label "ServicesTCP" queue(q_def, q_pri)
pass in quick on ne4 inet proto tcp from any to any port = 756 flags S/FSRA keep state label "ServicesTCP" queue(q_def, q_pri)
pass in quick on ne4 inet proto tcp from any to any port = 757 flags S/FSRA keep state label "ServicesTCP" queue(q_def, q_pri)
anchor passin all
pass out on ne4 proto tcp all flags S/SA modulate state queue(q_def, q_pri)
pass out on ne4 proto udp all keep state
pass out on ne4 proto icmp all keep state


I don't know if a table for bogons is useful with my config, because I use a router, so on the firewall the ext_if and the int_if both have private addresses.

SolarfluX
July 23rd, 2003, 02:09
Hi, sorry for the lateness of my reply, but could you post this on a site somewhere and post the URLs here for addition? The reason being that if you change anything, you won't have to re-submit the files. If not, I can just use this URL in the meantime...

SolarfluX
July 24th, 2003, 06:38
Ok, I did a little brushing up by re-reading most of the PF FAQ, and I found a LOT of good tips for cleaning up your pf.conf a bit.

Here goes:

(1) Use of 'scrub' means that you do NOT have to add multiple 'antiscan' block rules with different combinations of TCP flags; scrub takes care of it for you!

(2) The scrub option 'fragment reassemble' is the default, so no need to specify it in your ruleset.

(3) Use scrub option 'no-df' on outbound packets if you use NFS or play multiplayer games (just in case); its use with option 'random-id' is recommended.

(4) Use of 'from any to any' and 'all' are inferred by default, no need to specify them in your ruleset.

(5) 'block in' and 'block out' can be combined into a single 'block' rule.

I added these to https://solarflux.org/pf/pf-tips

If anyone has additional tips, post!
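
Applying tips (1) to (5) to the pf.conf from the first post gives a ruleset along these lines. This is an added illustration for the thread, not SolarfluX's text or the pf-r entry; it keeps fuckit756's interface names, addresses and queues unchanged, and the rules that match on a port keep their explicit 'from any to any'.

```pf
### VARIABLES ###
Ext = "ne4"      # Router-OBSD
Int = "ne3"      # OBSD-LAN
IntNet = "192.168.1.0/24"
RouterIP = "192.168.1.1"
Loop = "lo0"
ServWeb = "192.168.1.2"
InServicesTCP = "{ ftp, auth, http, ssh }"
table <spammers> persist

### OPTIONS ###
set loginterface $Ext
set limit { states 10000, frags 5000 }
set optimization aggressive
# (2) 'fragment reassemble' is the default and is left implicit;
# (3) 'no-df' is added alongside 'random-id' on the outbound scrub.
scrub in on $Ext
scrub out on $Ext no-df random-id max-mss 1440

### ALTQ ###
altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

### NAT & FORWARD ###
nat on $Ext from $IntNet to any -> $Ext static-port
rdr on $Int proto tcp from !$RouterIP to !$IntNet port 21 -> 127.0.0.1 port 8081
rdr on $Ext proto tcp from any to any port 80 -> $ServWeb
rdr on $Ext proto tcp from any to any port 757 -> $ServWeb
rdr-anchor redirect

### FILTER ###
# (5) a bare 'block' covers in and out; (4) 'all' is implied, so it is dropped.
block log on $Ext
block return log on $Ext
block log quick inet6
# (1) the five TCP-flag 'block' rules are removed; scrub normalises those packets.
antispoof log quick for $Ext inet
antispoof log quick for $Int inet
antispoof log quick for $Loop inet
block log quick on $Ext from <spammers> to any
pass quick on $Loop
# Rules that match a port keep the explicit hosts in front of 'port'.
pass in quick on $Ext inet proto tcp from any to any port > 49151 user proxy flags S/SAFR keep state queue (q_def, q_pri)
pass in quick on $Ext inet proto icmp icmp-type 8 code 0 keep state
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SAFR keep state label ServicesTCP queue (q_def, q_pri)
anchor passin
pass out on $Ext proto tcp flags S/SA modulate state queue (q_def, q_pri)
pass out on $Ext proto { udp, icmp } keep state
```

Run 'pfctl -nf /etc/pf.conf' to parse the file without loading it, then compare 'pfctl -sr' against the output posted above to confirm the expanded rules are the ones you expect.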

elmore
July 24th, 2003, 10:34
Awesome solar, these will go a long way in my rulesets for sure.