Migration from ipfw to pf

For too long I have had plans to take a look at pf(4) to figure out whether I liked it or not. Today I managed to build a working pf ruleset that was not only better than the old ipfw ruleset but much shorter as well.

Kernel support

Since I have always been building ipfw into my kernels I decided to remove that and add pf instead. That way the motivation for getting pf to work well would be greater too.

Adding pf to the kernel is simple enough:
device pf

The ruleset

Since the ruleset is for my laptop I need all ports to be closed and just allow connections initiated on the host itself. I didn't find an example that did this but it proved easy enough to build it myself.

Here it is:
# Answer blocked packets with TCP RST / ICMP unreachable instead of dropping silently
set block-policy return
# Loopback traffic is never filtered
set skip on lo0
# Default for inbound traffic; the pass rules below override it because
# in pf the last matching rule wins
block in all

# Connections initiated on the host; keep state so the replies get back in
pass out proto { tcp, udp } all keep state

# ICMP / ICMPv6 in both directions
pass in proto {icmp,icmp6} all
pass out proto {icmp,icmp6} all
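Two things about pf catch people coming from ipfw: the last matching rule decides the verdict (ipfw stops at the first match), and a packet that matches an existing state entry passes before the ruleset is consulted at all, which is what lets replies to the host's own connections through `block in all`. The small model below is an added example, not part of the post and not pf's own code: it handles only the pf.conf subset used in the ruleset above (set skip, block/pass, in/out, proto lists, all, keep state), ignores `quick`, addresses, ports and state timeouts, and runs constructed packets (interface name em0 and documentation addresses are assumptions) through the ruleset to show which verdict each gets and why.

```python
"""Toy model of how pf evaluates the laptop ruleset from the post.

Added example, not part of the original post and not pf's own code. It
models only the pf.conf subset the post uses (set skip, block/pass,
in/out, proto lists, all, keep state) plus two pf behaviours worth
knowing when coming from ipfw: the LAST matching rule wins (ipfw stops
at the first match), and state-table lookups happen before the rules.
No 'quick', addresses, ports or state timeouts are modelled.
"""
from dataclasses import dataclass
from typing import Optional

# The ruleset from the post, embedded verbatim.
RULESET = """
set block-policy return
set skip on lo0
block in all

pass out proto { tcp, udp } all keep state

pass in proto {icmp,icmp6} all
pass out proto {icmp,icmp6} all
"""


@dataclass
class Rule:
    action: str             # "block" or "pass"
    direction: str          # "in" or "out"
    protos: Optional[set]   # None means any protocol ("all" with no proto)
    keep_state: bool


def parse(text):
    """Return (skipped interfaces, rules) for the supported pf.conf subset."""
    skip, rules = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        # Pad braces/commas so "{icmp,icmp6}" and "{ tcp, udp }" split alike
        toks = line.replace("{", " { ").replace("}", " } ").replace(",", " , ").split()
        if toks[0] == "set":
            if toks[1:3] == ["skip", "on"]:
                skip.update(toks[3:])
            continue                             # block-policy etc. don't change verdicts
        protos = None
        if "proto" in toks:
            i = toks.index("proto") + 1
            if toks[i] == "{":
                protos = {t for t in toks[i + 1:toks.index("}", i)] if t != ","}
            else:
                protos = {toks[i]}
        rules.append(Rule(toks[0], toks[1], protos, "keep" in toks and "state" in toks))
    return skip, rules


class Firewall:
    def __init__(self, text):
        self.skip, self.rules = parse(text)
        self.states = set()    # (proto, local, remote) flows created by keep-state passes

    def filter(self, iface, direction, proto, local, remote):
        """Return 'pass' or 'block' for one packet and update the state table."""
        if iface in self.skip:
            return "pass"                        # set skip: interface is never filtered
        if (proto, local, remote) in self.states:
            return "pass"                        # state match wins before any rule is read
        verdict, keep = "pass", False            # pf's implicit default is pass
        for r in self.rules:
            if r.direction != direction:
                continue
            if r.protos is not None and proto not in r.protos:
                continue
            verdict, keep = r.action, r.keep_state   # no 'quick': keep scanning, last match wins
        if verdict == "pass" and keep:
            self.states.add((proto, local, remote))
        return verdict


def demo():
    """Constructed packets (documentation addresses, em0 assumed) against the post's ruleset."""
    fw = Firewall(RULESET)
    return {
        "inbound ssh":    fw.filter("em0", "in",  "tcp",  "192.0.2.10:22",    "203.0.113.9:4444"),
        "inbound ping":   fw.filter("em0", "in",  "icmp", "192.0.2.10",       "203.0.113.9"),
        "outbound https": fw.filter("em0", "out", "tcp",  "192.0.2.10:51000", "198.51.100.7:443"),
        "https reply":    fw.filter("em0", "in",  "tcp",  "192.0.2.10:51000", "198.51.100.7:443"),
        "loopback":       fw.filter("lo0", "in",  "tcp",  "127.0.0.1:8080",   "127.0.0.1:40000"),
        "outbound sctp":  fw.filter("em0", "out", "sctp", "192.0.2.10",       "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The "outbound sctp" case is the one to notice: nothing in the ruleset matches it, and pf's implicit rule is pass, so a protocol the ruleset never mentions leaves the host unfiltered. That matches the post's goal (only closing inbound ports), but anyone who wants the outbound side locked down as well needs an explicit `block out all` before the pass rules.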

Traffic shaping and NAT

The next machine to be migrated away from ipfw will probably be my workstation. To do that I need to figure out how to make ALTQ do the same as ipfw pipes. The last machine will probably be my gateway which does NAT. There are lots of examples on that so I expect it to be easy enough.
