FreeBSD Manual Pages

fwb_pf(1)                      Firewall Builder                      fwb_pf(1)

NAME
       fwb_pf - Policy compiler for OpenBSD packet filter "pf"

SYNOPSIS
       fwb_pf [-vVx] [-d wdir] [-o output.fw] [-i] -f data_file.xml ob-

DESCRIPTION
       fwb_pf is the firewall policy compiler component of Firewall Builder
       (see fwbuilder(1)) that generates code for the OpenBSD Packet Filter
       (pf). The compiler reads object definitions and the firewall description
       from the data file specified with the "-f" option and generates the pf
       configuration files and a firewall activation script.

       All generated files have names that start with the name of the firewall
       object. The firewall activation script has the extension ".fw" and is a
       simple shell script that flushes the current policy, loads the new
       filter and NAT rules and then activates pf. The PF configuration file
       name is the name of the firewall object followed by "-pf.conf"; the NAT
       configuration file name is the name of the firewall object followed by
       "-nat.conf". For example, if the firewall object is named "myfirewall",
       the compiler creates three files: "myfirewall.fw", "myfirewall-pf.conf"
       and "myfirewall-nat.conf".

       The data file and the name of the firewall object must be specified on
       the command line. Other command line parameters are optional.

OPTIONS
       -f FILE
              Specify the name of the data file to be processed.

       -o output.fw
              Specify the output file name.

       -d wdir
              Specify the working directory. The compiler creates the firewall
              activation script and the PF configuration files in this
              directory. If this parameter is missing, all files are placed in
              the current working directory.

       -v     Be verbose: the compiler prints diagnostic messages while it
              works.

       -V     Print version number and quit.

       -i     When this option is present, the last argument on the command
              line is taken to be the firewall object ID rather than its name.

       -x     Generate debugging information while working. This option is
              intended for debugging only and may produce lots of cryptic mes-

NOTES
       Support for PF was introduced in version 1.0.1 of Firewall Builder.

       Supported features:

       o      both pf.conf and nat.conf files are generated

       o      negation in policy and NAT rules

       o      grouping in "from", "to" and ports using the '{' '}' syntax

       o      if the "Scrub" checkbox is checked in the rule options dialog
              and the rule's action is Accept, the compiler generates two
              (almost) identical rules: the first with action 'scrub' and the
              second with action 'pass quick'

       o      stateful inspection can be turned off for an individual rule in
              the rule options dialog. By default the compiler adds "keep
              state" or "modulate state" to each rule with action 'pass'

       o      the rule options dialog provides a choice of ICMP or TCP RST
              replies for rules with action "Reject"

       o      the compiler adds the flag "allow-opts" if a match on IP options
              is needed

       o      the compiler can generate rules matching on TCP flags

       o      the compiler can generate a script adding IP aliases for NAT
              rules using addresses that do not belong to any interface of the
              fire-

       o      the compiler always adds the rule "block quick all" at the very
              bottom of the script to ensure a "block all by default" policy
              even if the policy is empty.

       o      address ranges in both policy and NAT
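As an added example that is not part of this manual page or of Firewall Builder itself, the following POSIX shell script checks a compiler output directory for the properties described above: the three output files named after the firewall object, "block quick all" as the last rule of the pf configuration, and state tracking on 'pass' rules. The directory layout, the rule lines and the function names are constructed for the example.

```shell
#!/bin/sh
# Post-compilation checks for fwb_pf output, following what the manual page
# says the compiler produces: three files named after the firewall object,
# "block quick all" as the very last rule of the pf config (default deny), and
# "keep state"/"modulate state" on 'pass' rules unless stateful inspection was
# switched off for that rule. The sample below is constructed, not real output.

# check_outputs DIR NAME: all three files the compiler writes are present.
check_outputs() {
    for f in "$1/$2.fw" "$1/$2-pf.conf" "$1/$2-nat.conf"; do
        [ -f "$f" ] || return 1
    done
}

# rules_of FILE: rule lines only, comments and blank lines stripped.
rules_of() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

# check_default_deny FILE: the final rule must be the catch-all block rule.
check_default_deny() {
    [ "$(rules_of "$1" | tail -n 1)" = "block quick all" ]
}

# count_stateless_pass FILE: number of 'pass' rules without state tracking.
# Non-zero means stateful inspection was turned off in the rule options, or
# the generated file was edited by hand; either way it deserves a second look.
count_stateless_pass() {
    rules_of "$1" | grep -E '^pass ' | grep -Ev '(keep|modulate) state' \
        | wc -l | tr -d ' '
}
# make_sample: constructed "myfirewall" output directory; prints its path.
make_sample() {
    d=$(mktemp -d)
    : > "$d/myfirewall.fw"; : > "$d/myfirewall-nat.conf"
    cat > "$d/myfirewall-pf.conf" <<'EOF'
# constructed sample, not compiler output
scrub in on xl0 proto tcp from any to 192.0.2.10 port 22
pass in quick on xl0 proto tcp from any to 192.0.2.10 port 22 keep state
pass out quick on xl0 proto udp from 192.0.2.10 to any port 53
block return-rst in quick on xl0 proto tcp from any to 192.0.2.10 port 23
block quick all
EOF
    echo "$d"
}

d=$(make_sample)
check_outputs "$d" myfirewall && echo "all three output files present"
check_default_deny "$d/myfirewall-pf.conf" && echo "default deny rule is last"
echo "stateless pass rules: $(count_stateless_pass "$d/myfirewall-pf.conf")"
```

Running it against the constructed sample reports one stateless pass rule (the UDP rule), which is exactly the kind of rule to confirm against the rule options in the GUI.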

       Features that are not supported (yet):

       o      custom services

       What will not be supported (at least not anytime soon):

       o      policy routing

URL
       The Firewall Builder home page is located at the following URL:

BUGS
       Please report bugs using the bug tracking system on SourceForge:

SEE ALSO
       fwbuilder(1), fwb_ipt(1), fwb_ipf(1)

FWB                                                                  fwb_pf(1)