I recently made the choice to switch firewall software on one of my servers from ipfw to pf. One of the reasons was to use the same software on all systems, and to simplify my rules, which needed some oversight anyway.
This is just a simple outline of how I did the move. There are some steps which could be skipped or done simultaneously. But since this will all be done remotely, I like to keep a bit to the cautious side.
First step, disabling ipfw:
Comment out the stuff related to ipdivert or nat in /etc/rc.conf, since you can't kldunload the ipfw.ko module while it is in use. And you can't kldunload ipdivert.ko at all. This means you need to reboot it out.
After that is done,
kldunload ipfw.ko
should work just fine. (You will lose your connection if you are logged in from remote, since all the states were dropped; just log in again.)
Then comment out all the rest related to ipfw in rc.conf:
#firewall_enable="YES"
#firewall_script="/path/to/rule-script"
#firewall_etc..
Remember to also check in /boot/loader.conf that you’re not loading anything IPFW related there, like ipdivert. I forgot just that and it caused a lot of confusion at the time.
Now just load up the pf kld to get /dev/pf:
kldload pf.ko
and you are ready to load your new shiny pf ruleset with the command
pfctl -e -f /etc/pf.conf
/etc/pf.conf is the default location, so we don't need to add anything to /etc/rc.conf except
pf_enable="YES"
(if you want to change that, use pf_rules="/path/to/your/config")
And you’re done, simple as that!
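Since the whole procedure above is done over a remote login, it pays to check the rc.conf and loader.conf changes on copies before touching the live files. The script below is an added example, not part of the original post: it comments out the firewall_* and natd_* knobs in an rc.conf copy, makes sure pf_enable="YES" is present, and counts any ipfw or ipdivert *_load lines still active in a loader.conf copy (the trap mentioned above). The sample file contents and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: dry-run the rc.conf / loader.conf
# part of the ipfw -> pf switch on copies of the files, so the result can be
# inspected (and a leftover ipfw_load / ipdivert_load caught) before anything
# on the live system is changed.  Sample contents below are constructed.

# Comment out every ipfw-related knob (firewall_* and natd_*) in the rc.conf
# copy $1, make sure pf_enable="YES" is present, and write the result to $2.
migrate_rc_conf() {
    sed -E 's/^[[:space:]]*((firewall|natd)_[A-Za-z_]*=)/#\1/' "$1" > "$2"
    grep -q '^pf_enable=' "$2" || printf 'pf_enable="YES"\n' >> "$2"
}

# Print the number of active (uncommented) ipfw-related *_load lines in the
# loader.conf copy $1.  Anything but 0 means ipfw or ipdivert comes back at
# the next boot, and kldunload ipfw.ko would fail again.
count_ipfw_loader_refs() {
    grep -Ec '^[[:space:]]*(ipfw|ipdivert)[A-Za-z_]*_load="?YES"?' "$1" || true
}

# Write constructed sample files into a scratch directory and print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/rc.conf" <<'EOF'
hostname="example.invalid"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="em0"
sshd_enable="YES"
EOF
    cat > "$d/loader.conf" <<'EOF'
ipfw_load="YES"
ipdivert_load="YES"
#ipfw_nat_load="YES"
zfs_load="YES"
EOF
    echo "$d"
}

# Stand-alone run: migrate the sample rc.conf and report what loader.conf
# would still pull in at boot.
dir=$(make_samples)
migrate_rc_conf "$dir/rc.conf" "$dir/rc.conf.new"
echo "--- rc.conf after migration:"
cat "$dir/rc.conf.new"
echo "--- ipfw-related loader.conf entries still active: $(count_ipfw_loader_refs "$dir/loader.conf")"
rm -r "$dir"
```

Run it as-is to see the sample migration; to check a real system, point migrate_rc_conf at a copy of /etc/rc.conf and count_ipfw_loader_refs at /boot/loader.conf, and only copy the result into place once the count is 0 and the diff looks right.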
Other interesting flags for rc.conf are (from rc.conf(5)):
pf_flags
(str) If pf_enable is set to ``YES'', these flags are passed to the pfctl(8) program when loading the ruleset.
pflog_enable
(bool) Set to ``NO'' by default. Setting this to ``YES'' enables pflogd(8) which logs packets from the pf(4) packet filter.
pflog_logfile
(str) If pflog_enable is set to ``YES'' this controls where pflogd(8) stores the logfile (default /var/log/pflog). Check /etc/newsyslog.conf to adjust logfile rotation for this.
pflog_program
(str) Path to pflogd(8) (default /sbin/pflogd).
pflog_flags
(str) Empty by default. This variable contains additional flags passed to the pflogd(8) program.