Simplest possible setup (OpenBSD)

This brings us, finally, to the practical point of actually configuring PF in the simplest possible setup. We'll deal with a single machine which will communicate with a network which may very well be the Internet.

In order to start PF, as previously mentioned, you need to tell the rc system that you want the service to start. On OpenBSD, this is done in /etc/rc.conf.local, with the magical line (recent OpenBSD releases enable PF by default, so check rc.conf(8) for your release before adding it)

pf=YES                # enable PF

quite simply. In addition, you may if you like specify the file where PF will find its rules.

pf_rules=/etc/pf.conf # specify which file contains your rules

The default value is the one given here, /etc/pf.conf. At the next startup, PF will be enabled. You can verify this by looking for the message PF enabled on the console, or at any later time by running pfctl -s info, whose first line reports Status: Enabled. The /etc/pf.conf which comes out of a normal install of OpenBSD, FreeBSD or NetBSD contains a number of useful suggestions, but they're all commented out.

Then again, you really do not need to restart your machine in order to enable PF. You can do this just as easily by using pfctl. We really do not want to reboot for no good reason, so we type the command

peter@skapet:~$ sudo pfctl -ef /etc/pf.conf

which enables PF and loads your rule set.[1][2] At this point we have no rules loaded, which means that PF, although enabled, passes all traffic without filtering it and so does not actually do anything useful yet.

It is probably worth noting that if you reboot your machine at this point, the rc script on OpenBSD at least will enable a default rule set, which is in fact loaded before any of the network interfaces are enabled.

This default rule set is designed as a safety measure in case your gateway boots with an invalid configuration: the rc script loads the default rules first and only then tries to load /etc/pf.conf, so if your file fails to parse, the default rules stay in place instead of leaving the machine unfiltered. It lets you log in and clean up whichever syntax error caused your rule set not to load. The default rule set allows a basic set of services: ssh from anywhere, basic name resolution and NFS mounts.

Some early versions of the PF ports to other operating systems appear to have neglected to bring the default rules with them.
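As an added example (not from this tutorial, and not OpenBSD's own rc script), here is a small POSIX shell script that makes a habit of the check the default rule set exists to cover: it syntax-checks the file with pfctl -n first, so a typo never replaces a working rule set, and only then loads it. It also avoids the trap where pfctl -e fails with "pf already enabled" on a system that is already running PF, by passing -e only when pfctl -s info says PF is disabled. The PFCTL variable is my own assumption, there so the functions can be pointed at a stub for testing; the pfctl options used (-n, -f, -e, -s info) are the documented ones.

```shell
#!/bin/sh
# pf_safe_load.sh: syntax-check a rule file, then enable PF (if needed) and load it.
# Added example for this tutorial; not part of the original text or of OpenBSD.
# Assumption (not in the original): PFCTL names the pfctl binary so the functions
# can be pointed at a stub; it defaults to pfctl in PATH.
PFCTL="${PFCTL:-pfctl}"

# Parse a rule file without loading it (pfctl -n). Exit status 0 means it parses.
pf_check_rules() {
    "$PFCTL" -nf "$1"
}

# Exit status 0 if the "pfctl -s info" output on stdin reports PF as enabled.
pf_status_enabled() {
    grep -q '^Status: Enabled'
}

# Ask the running system whether PF is enabled.
pf_is_enabled() {
    "$PFCTL" -s info | pf_status_enabled
}

# Check first, then load. A file with a syntax error is refused, so whatever is
# loaded right now (the rc default set, or your last good set) stays in place.
# -e is only added when PF is still disabled: pfctl -e on a running PF reports
# "pf already enabled" and exits non-zero, which would make this look like a failure.
pf_safe_load() {
    f="${1:-/etc/pf.conf}"
    if ! pf_check_rules "$f" >/dev/null 2>&1; then
        echo "pf_safe_load: $f failed syntax check, nothing loaded" >&2
        return 1
    fi
    if pf_is_enabled; then
        "$PFCTL" -f "$f"
    else
        "$PFCTL" -ef "$f"
    fi
}

# Run directly, e.g. "sudo ./pf_safe_load.sh /etc/pf.conf", to load a file.
if [ $# -gt 0 ]; then
    pf_safe_load "$1"
fi
```

Sourcing the file instead of running it gives you the functions in your shell; pf_safe_load with no argument defaults to /etc/pf.conf, matching pfctl's own default rules file.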

Notes

[1]

As a footnoted aside, I tend to use sudo when I need to do something which requires privileges. Sudo was in the base system on OpenBSD when this was written (OpenBSD 5.8 and later ship doas(1) in base instead, with sudo available as a package), and is within easy reach as a port or package elsewhere. If you have not started using sudo yet, you should. Then you'll avoid shooting yourself in the foot simply because you forgot you were root in that terminal window.

[2]

For convenience, pfctl can handle several operations on a single command line. You can, for example, enable PF and load the rule set with the command sudo pfctl -ef /etc/pf.conf, and tack on other options as needed.