File: README.pf

Package: fwbuilder 5.3.7-8
fwb_pf(1)                Firewall Builder               fwb_pf(1)



NAME
       fwb_pf - Policy compiler for OpenBSD packet filter "pf"

SYNOPSIS
       fwb_pf [-vVx] [-d wdir] -f data_file.xml object_name


DESCRIPTION
       fwb_pf is the firewall policy compiler component of Firewall
       Builder (see fwbuilder(1)) that generates code for the OpenBSD
       Packet Filter (pf). The compiler reads object definitions and
       the firewall description from the data file specified with the
       "-f" option and generates pf configuration files and a
       firewall activation script.

       All generated files have names that start with the name of the
       firewall object. The firewall activation script has the
       extension ".fw" and is a simple shell script that flushes the
       current policy, loads the new filter and NAT rules and then
       activates pf. The PF configuration file name starts with the
       name of the firewall object, plus "-pf.conf". The NAT
       configuration file name also starts with the name of the
       firewall object, plus "-nat.conf". For example, if the firewall
       object is named "myfirewall", the compiler will create three
       files: "myfirewall.fw", "myfirewall-pf.conf" and
       "myfirewall-nat.conf".

       The data file and the name of the firewall object must be
       specified on the command line. Other command line parameters
       are optional.



OPTIONS
       -f FILE
              Specify the name of the data file to be processed.

       -d wdir
              Specify the working directory. The compiler creates the
              firewall activation script and PF configuration files
              in this directory. If this parameter is missing, all
              files are placed in the current working directory.

       -v     Be verbose: the compiler prints diagnostic messages
              while it works.

       -V     Print the version number and quit.

       -x     Generate debugging information while working. This
              option is intended for debugging only and may produce
              lots of cryptic messages.


NOTES
       Support for PF was introduced in version 1.0.1 of Firewall
       Builder.

       Supported features:

       o      both pf.conf and nat.conf files are generated

       o      negation in policy and NAT rules

       o      grouping in "from", "to" and ports using the '{' '}'
              syntax

       o      if the "Scrub" checkbox is checked in the rule options
              dialog and the rule's action is Accept, the compiler
              generates two (almost) identical rules: the first with
              action 'scrub' and the second with action 'pass quick'

       o      stateful inspection can be turned off for an individual
              rule in the rule options dialog. By default the compiler
              adds "keep state" or "modulate state" to each rule with
              action 'pass'

       o      the rule options dialog provides a choice of icmp or
              tcp rst replies for rules with action "Reject"

       o      the compiler adds the flag "allow-opts" if a match on
              ip options is needed

       o      the compiler can generate rules matching on TCP flags

       o      the compiler can generate a script that adds ip aliases
              for NAT rules using addresses that do not belong to any
              interface of the firewall

       o      the compiler always adds the rule "block quick all" at
              the very bottom of the script to ensure a "block all by
              default" policy even if the policy is empty

       o      address ranges in both policy and NAT
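       The file naming scheme from DESCRIPTION and the rule translations
       listed above, carried through in an added Python example. This is
       not fwbuilder's own code: it is a toy rule-to-pf translator whose
       Rule fields, option names and sample addresses are assumptions
       chosen for the demo, and whose activation script assumes the pfctl
       -N / -R flags of pf versions that load NAT and filter rules from
       separate files (FreeBSD pfctl, OpenBSD before 4.7). It also refuses
       a negated '{ }' list, because pf expands such a list into one rule
       per element rather than "none of these".

```python
# Toy rule-to-pf translator; added example, not fwbuilder's code.
# Rule fields, option names and sample values are assumptions for the demo.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def output_filenames(fw_name: str) -> Tuple[str, str, str]:
    """The three files DESCRIPTION says are written for a firewall object."""
    return (f"{fw_name}.fw", f"{fw_name}-pf.conf", f"{fw_name}-nat.conf")


@dataclass
class Rule:
    action: str                       # "Accept", "Deny" or "Reject"
    direction: str = "in"
    iface: Optional[str] = None
    proto: Optional[str] = None       # "tcp", "udp", "icmp" or None for any
    src: List[str] = field(default_factory=lambda: ["any"])
    dst: List[str] = field(default_factory=lambda: ["any"])
    ports: List[str] = field(default_factory=list)
    negate_src: bool = False
    # rule-option checkboxes from the NOTES section (field names assumed)
    scrub: bool = False
    stateful: bool = True
    modulate: bool = False
    reject_with: str = "icmp"         # "icmp" or "tcp_rst"
    tcp_flags: Optional[str] = None   # e.g. "S/SA"
    allow_opts: bool = False


def _group(items: List[str], negate: bool = False) -> str:
    """Render a host/port set with pf's '{ a, b }' list syntax; '!' negates."""
    if negate and len(items) > 1:
        # pf expands '! { a, b }' into one rule per element, each negating a
        # single host, so the pair matches everything; refuse to emit it.
        raise ValueError("negated lists are ambiguous in pf; use a table")
    body = items[0] if len(items) == 1 else "{ " + ", ".join(items) + " }"
    return ("! " if negate else "") + body


def _match(rule: Rule) -> str:
    """Everything after the direction keyword: interface, proto, hosts, ports."""
    parts: List[str] = []
    if rule.iface:
        parts += ["on", rule.iface]
    if rule.proto:
        parts += ["proto", rule.proto]
    parts += ["from", _group(rule.src, rule.negate_src), "to", _group(rule.dst)]
    if rule.ports:
        parts += ["port", _group(rule.ports)]
    return " ".join(parts)


def compile_rule(rule: Rule) -> List[str]:
    """Translate one policy rule into pf.conf lines."""
    rest = _match(rule)
    lines: List[str] = []
    if rule.action == "Accept":
        if rule.scrub:                        # 'scrub' rule first, then 'pass quick'
            lines.append(f"scrub {rule.direction} {rest}")
        opts: List[str] = []
        if rule.tcp_flags and rule.proto == "tcp":
            opts += ["flags", rule.tcp_flags]
        if rule.allow_opts:
            opts.append("allow-opts")
        if rule.stateful:                     # default: keep state / modulate state
            opts.append("modulate state" if rule.modulate else "keep state")
        lines.append(" ".join([f"pass {rule.direction} quick {rest}"] + opts))
    elif rule.action == "Reject":             # icmp or tcp rst reply
        reply = "return-rst" if rule.reject_with == "tcp_rst" else "return-icmp"
        lines.append(f"block {reply} {rule.direction} quick {rest}")
    elif rule.action == "Deny":
        lines.append(f"block {rule.direction} quick {rest}")
    else:
        raise ValueError(f"unknown action {rule.action!r}")
    return lines


def compile_policy(rules: List[Rule]) -> List[str]:
    """Whole policy, closed by the default-deny catch-all the NOTES describe."""
    lines: List[str] = []
    for rule in rules:
        lines.extend(compile_rule(rule))
    lines.append("block quick all")
    return lines


def activation_script(fw_name: str) -> str:
    """Shell text with the flush / load / enable sequence from DESCRIPTION.
    -N and -R are assumed from pf versions with separate NAT/filter files."""
    _fw, pf_conf, nat_conf = output_filenames(fw_name)
    return "\n".join([
        "#!/bin/sh",
        "set -e",
        "pfctl -F all",                # flush the current policy
        f"pfctl -N -f {nat_conf}",     # load only the NAT rules
        f"pfctl -R -f {pf_conf}",      # load only the filter rules
        "pfctl -e",                    # activate pf
    ]) + "\n"


if __name__ == "__main__":
    demo = [Rule("Accept", iface="em0", proto="tcp", dst=["10.0.0.1"],
                 ports=["22"], scrub=True, tcp_flags="S/SA")]  # constructed sample
    print("\n".join(compile_policy(demo)) + "\n" + activation_script("myfirewall"))
```

       Run it directly to see the scrub/pass pair, the trailing "block
       quick all" and the activation script for a firewall object named
       "myfirewall"; the real compiler emits the same three artefacts
       from the data file rather than from in-code Rule objects.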



       Features that are not supported (yet):

       o      custom services

       What will not be supported (at least not anytime soon):

       o      policy routing

URL
       The Firewall Builder home page is located at the following
       URL: http://www.fwbuilder.org/

BUGS
       Please report bugs using the bug tracking system on
       SourceForge:

       http://sourceforge.net/tracker/?group_id=5314&atid=105314

SEE ALSO
       fwbuilder(1), fwb_ipt(1), fwb_ipf(1)





FWB                                                     fwb_pf(1)