BSD PF IPv6 and IPv4 /etc/pf.conf Firewall Script

Posted in category Firewall; last updated February 2, 2009

This is my working IPv6 and IPv4 dual-stack script from a FreeBSD 7.1 server. It should work with any recent PF version under OpenBSD / FreeBSD / NetBSD without a problem.

You need to add the following lines to /etc/rc.conf under FreeBSD to turn on the PF firewall:

Next, create the /etc/pf.conf file as follows. Replace the variables with appropriate values.

  1. By default, the firewall drops all incoming and outgoing connections for both IPv4 and IPv6.
  2. By default, outgoing IPv4 and IPv6 traffic is allowed for ssh, smtp, domain / dns, www, https, ntp, ping and whois requests.
  3. By default, incoming IPv4 and IPv6 traffic is allowed for ssh, smtp, domain / dns, www, https, and ping only.

You also need to create the /etc/pf.block.ip.conf file with a list of IPs and subnets to block manually, as follows:

This script also supports the Spamhaus database to block SMTP / WWW spam bots. Download: Shell Script To Update Spamhaus Lasso Spam Database for PF.
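A minimal ruleset that implements the three defaults listed above, as an added example; it is not the author's original script. The interface name em0 and the macro and table names are assumptions, and ICMPv6 is limited here to echo requests and neighbor discovery.

```conf
# Added example, not the author's script. em0 is an assumed interface name.
ext_if  = "em0"
tcp_out = "{ ssh, smtp, domain, www, https, whois }"
udp_out = "{ domain, ntp }"
tcp_in  = "{ ssh, smtp, domain, www, https }"
udp_in  = "{ domain }"

# Manually maintained block list, one address or CIDR per line.
# The table name <blockedips> is an assumption.
table <blockedips> persist file "/etc/pf.block.ip.conf"

set block-policy drop
set skip on lo0

# 1. Default deny in both directions. A rule with no address family
#    (inet / inet6) matches IPv4 and IPv6 alike.
block all
block in  quick on $ext_if from <blockedips> to any
block out quick on $ext_if from any to <blockedips>

# 2. Outgoing services, both address families.
pass out on $ext_if proto tcp from any to any port $tcp_out flags S/SA keep state
pass out on $ext_if proto udp from any to any port $udp_out keep state

# 3. Incoming services, both address families.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_in flags S/SA keep state
pass in on $ext_if proto udp from any to ($ext_if) port $udp_in keep state

# Ping in and out. ICMP and ICMPv6 are separate protocols, so each
# family needs its own rule.
pass on $ext_if inet  proto icmp  all icmp-type  echoreq keep state
pass on $ext_if inet6 proto icmp6 all icmp6-type echoreq keep state

# IPv6 has no ARP: neighbor discovery runs over ICMPv6 and must be
# allowed or the host loses IPv6 connectivity. Hosts that autoconfigure
# their address also need routersol / routeradv.
pass on $ext_if inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv } keep state
```

Running `pfctl -nf /etc/pf.conf` parses the file and reports syntax errors without loading the rules.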

5 comments

  1. Hi there! I would like to know if this configuration can help me block an IPv6 domain like HTTPS Facebook? I have a problem blocking HTTPS Facebook.

  2. Hi, I think I got a small security problem.

    At the end of the script you have a few lines controlling what icmp6 can get in. But at the start of the script you have

    #IPv6 – pass in/out all IPv6 ICMP traffic
    pass in quick proto icmp6 all

    which lets all icmp6 traffic in. Or did I get something wrong?

  3. There should be a correction on the line below, about where to put pf_enable="YES"

    You need to add following lines to /etc/pf.conf under FreeBSD to turn on PF firewall:

    It should be rc.conf?

    You need to add following lines to /etc/rc.conf under FreeBSD to turn on PF firewall:
