Enabling PF


PF is enabled at system boot by the following two /etc/rc.conf variables:

 pf=YES
 pf_rules=/etc/pf.conf

By changing the pf value to "NO," you disable the packet filter. Similarly, you can choose a different boot-time PF configuration file by changing the pf_rules variable. If something is wrong with your PF configuration file and it won't parse, the OpenBSD startup routine will install some basic PF rules that will block almost all traffic to the machine, with the exception of SSH. You'll be able to connect to the machine and correct your rules, but that's about it. (And, as anyone who administers firewalls remotely can tell you, this ability is enough to save a lot of pain.)

If you want to forward packets between multiple interfaces (i.e., be a "firewall"), you need to tell OpenBSD to do this with the net.inet.ip.forwarding sysctl MIB. There's a commented-out entry for this in /etc/sysctl.conf.

 #net.inet.ip.forwarding=1

Just remove the pound sign and reboot!

If you want to stop and start packet forwarding without rebooting your system, you can do this easily with sysctl(8), as discussed in Chapter 11. Setting this MIB to 0 stops packet forwarding; setting it to 1 enables it again. If you want to perform some basic system maintenance that may interfere with your network in some way, you can stop packet forwarding, do your work, and restart forwarding when you are done.
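As an added example (not from the book), the following sh script ties these steps together. It parses a rule file with pfctl -nf, which checks the syntax without loading anything, so you find out about a typo before a reboot drops you into the rescue rule set described above; and it wraps a maintenance command so that forwarding is switched off with sysctl(8) and the previous value is restored afterwards, even if the command fails. The script name pfmaint.sh and the PFCTL and SYSCTL override variables are my own conventions, not part of OpenBSD; the MIB name and the pfctl flags are the real ones. The page only discusses IPv4; the IPv6 counterpart, net.inet6.ip6.forwarding, is mentioned in a comment and is not toggled here.

```shell
#!/bin/sh
# pfmaint.sh (added example, not from the book or the OpenBSD base system).
# Checks that a PF rule set parses and runs a maintenance command with IPv4
# forwarding disabled, restoring the previous setting afterwards.
#
# pfctl(8) and sysctl(8) are invoked through variables so the functions can be
# exercised with stubs; on a real OpenBSD box leave them at their defaults.
PFCTL=${PFCTL:-pfctl}
SYSCTL=${SYSCTL:-sysctl}
FWD_MIB=net.inet.ip.forwarding
# IPv6 has its own, separate MIB: net.inet6.ip6.forwarding (not handled here).

# pf_check_rules FILE: parse FILE with "pfctl -n -f FILE" (parse only, load
# nothing). Returns 0 if the file parses, non-zero otherwise. Run this after
# editing the file named by pf_rules and before rebooting.
pf_check_rules() {
    "$PFCTL" -nf "$1" >/dev/null 2>&1
}

# forwarding_get: print the current value of the forwarding MIB (0 or 1).
forwarding_get() {
    "$SYSCTL" -n "$FWD_MIB"
}

# forwarding_set VALUE: set the forwarding MIB to 0 or 1; reject anything else.
forwarding_set() {
    case $1 in
        0|1) "$SYSCTL" "$FWD_MIB=$1" >/dev/null ;;
        *) echo "forwarding_set: value must be 0 or 1, got '$1'" >&2; return 1 ;;
    esac
}

# with_forwarding_off CMD [ARGS...]: remember the current forwarding state,
# switch forwarding off, run CMD, then put the saved state back whether or not
# CMD succeeded. Returns CMD's exit status.
with_forwarding_off() {
    saved=$(forwarding_get) || return 1
    forwarding_set 0 || return 1
    "$@"
    rc=$?
    forwarding_set "$saved"
    return $rc
}

# Direct use, e.g.:  sh pfmaint.sh /etc/pf.conf sh -c 'some maintenance task'
# First argument is the rule file to check, the rest is the command to run.
if [ $# -ge 2 ]; then
    rules=$1; shift
    if ! pf_check_rules "$rules"; then
        echo "$rules does not parse; fix it before rebooting" >&2
        exit 1
    fi
    with_forwarding_off "$@"
fi
```

The restore step runs even when the wrapped command fails, which is the case you care about: a half-finished maintenance job should not leave the box silently not forwarding after you log out.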




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298
