PFRE

PFRE is a packet filter rule editor for OpenBSD/pf. PFRE is expected to be used by beginners and system administrators alike.

The UTMFW and PFFW projects use PFRE on their web administration interfaces. If you don't want to install PFRE yourself, you can download the installation files of UTMFW or PFFW to test drive PFRE easily.

Features

Using PFRE, you can develop rules from scratch or modify existing ones:

A couple of notes about the requirements, design decisions, and implementation of PFRE:

UI Design

PFRE takes security seriously:

You can find a couple of screenshots on the wiki.

How to install

Here are the basic steps to obtain a working PFRE installation:

The following sections provide the details.

Install OpenBSD

The OpenBSD installation guide is at faq4.

Here are a couple of guidelines:

Reboot the system after installation is complete and log in as root.

Install packages

Create a package cache folder:

# cd /var/db/
# mkdir pkg_cache

Set the $PKG_PATH environment variable to the cache folder you have just created:

# export PKG_PATH=/var/db/pkg_cache/

Download the required packages from an OpenBSD mirror and copy them to $PKG_PATH. The following is the list of files you should have under $PKG_PATH:

argon2-20190702p0.tgz
bzip2-1.0.8p0.tgz
capstone-5.0.tgz
femail-1.0p1.tgz
femail-chroot-1.0p3.tgz
gettext-runtime-0.22.5.tgz
libiconv-1.17.tgz
libsodium-1.0.20.tgz
libxml-2.13.3p0.tgz
oniguruma-6.9.9.tgz
pcre2-10.37p2.tgz
php-8.3.11p1.tgz
php-cgi-8.3.11p1.tgz
php-pcntl-8.3.11p1.tgz
xz-5.6.2.tgz

Install PHP, php-pcntl, and php-cgi by running the following commands, which should install their dependencies as well:

# pkg_add -v php
# pkg_add -v php-pcntl
# pkg_add -v php-cgi

If you want to see if all required packages are installed successfully, run the following command:

# pkg_info -a

Here is the expected output of that command:

argon2-20190702p0   C implementation of Argon2 - password hashing function
bzip2-1.0.8p0       block-sorting file compressor, unencumbered
capstone-5.0        multi-platform, multi-architecture disassembly framework
femail-1.0p1        simple SMTP client
femail-chroot-1.0p3 simple SMTP client for chrooted web servers
gettext-runtime-0.22.5 GNU gettext runtime libraries and programs
libiconv-1.17       character set conversion library
libsodium-1.0.20    library for network communications and cryptography
libxml-2.13.3p0     XML parsing library
oniguruma-6.9.9     regular expressions library
pcre2-10.37p2       perl-compatible regular expression library, version 2
php-8.3.11p1        server-side HTML-embedded scripting language
php-cgi-8.3.11p1    php CGI binary
php-pcntl-8.3.11p1  PCNTL extensions for php
xz-5.6.2            library and tools for XZ and LZMA compressed files

Install PFRE

Create a 'pfre' folder under /var/www/htdocs/ and copy all the contents of the PFRE src folder to /var/www/htdocs/pfre/. The files should be owned by root:daemon.

Make sure /var/www/htdocs/pfre/Controller/ctlr.php is executable. If not, go to /var/www/htdocs/pfre/Controller/ and make it executable:

# cd /var/www/htdocs/pfre/Controller/
# chmod u+x ctlr.php

And create the folder for configuration files:

# mkdir /etc/pfre/

Configure web server

Configure PFRE in httpd.conf under /etc. Note that the chroot must be disabled, which is done by chrooting to /. Your configuration might look like the following:

chroot "/"
#prefork 3

server "pfre" {
	listen on * port 80
	listen on * tls port 443
	directory index "index.php"

	location "*.php" {
		fastcgi socket "/var/www/run/php-fpm.sock"
	}

	log syslog
	root "/var/www/htdocs/pfre/View/"
}

Create a self-signed server certificate. Run the following commands to generate your own CA:

# openssl genrsa -des3 -out ca.key 2048
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Next, to generate a server key and request for signing, run the following:

# openssl genrsa -des3 -out server.key 2048
# openssl req -new -key server.key -out server.csr

You should sign the certificate signing request (csr) with the self-created certificate authority (CA) that you made earlier:

# openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

To produce a server.key that does not make httpd prompt for a passphrase, strip the passphrase from the key and keep the protected copy aside:

# openssl rsa -in server.key -out server.key.insecure
# mv server.key server.key.secure
# mv server.key.insecure server.key

Finally, you should copy server.crt and server.key files to the default locations defined in httpd.conf(5):

# cp server.key /etc/ssl/private/
# cp server.crt /etc/ssl/
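The certificate procedure above, as an added example that is not part of the PFRE project: it runs the same openssl steps non-interactively in a scratch directory and verifies the result before anything is copied to /etc/ssl. It assumes openssl(1) is installed; the CN values and the passphrase argument are constructed placeholders.

```shell
# make_pfre_certs DIR PASSPHRASE
# Builds ca.key/ca.crt, server.key/server.crt (passphrase stripped) and
# server.key.secure (passphrase kept) in DIR, then checks the chain.
# Runs in a subshell so the cd does not leak into the caller's shell.
make_pfre_certs() (
    set -e
    dir=$1
    pass=$2
    mkdir -p "$dir" && cd "$dir"

    # 1. CA key and self-signed CA certificate (-subj/-passout avoid prompts)
    openssl genrsa -des3 -passout "pass:$pass" -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -passin "pass:$pass" \
        -subj "/CN=PFRE test CA" -out ca.crt

    # 2. Server key and certificate signing request
    openssl genrsa -des3 -passout "pass:$pass" -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -passin "pass:$pass" \
        -subj "/CN=pfre.example" -out server.csr

    # 3. Sign the CSR with the CA created in step 1
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -passin "pass:$pass" -set_serial 01 -out server.crt 2>/dev/null

    # 4. Strip the passphrase so httpd can load the key without prompting,
    #    keeping the protected copy as server.key.secure
    openssl rsa -in server.key -passin "pass:$pass" -out server.key.insecure 2>/dev/null
    mv server.key server.key.secure
    mv server.key.insecure server.key

    # 5. Checks before copying to /etc/ssl: the chain verifies, the stripped
    #    key is really unencrypted, and no private key is world-readable
    openssl verify -CAfile ca.crt server.crt >/dev/null
    if grep -q ENCRYPTED server.key; then
        echo "server.key is still passphrase-protected" >&2
        return 1
    fi
    chmod 600 ca.key server.key server.key.secure
)
```

After a successful run, server.key and server.crt in DIR are the files to copy to /etc/ssl/private/ and /etc/ssl/ as described above.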

Run useradd(8) to create the admin and user accounts (you can omit the -c, -d, and -s options, as we will set them with the chpass command next):

# useradd -c "PFRE admin" -d /var/empty -s /var/www/htdocs/pfre/Controller/sh.php admin
# useradd -c "PFRE user" -d /var/empty -s /var/www/htdocs/pfre/Controller/sh.php user

Then set their passwords to soner123 by running the following commands (actually, to the SHA1 hash of soner123, because PFRE hashes passwords twice):

# /usr/bin/chpass -a "admin:$(/usr/bin/encrypt `/bin/echo -n soner123 | sha1 -`):$(id -u admin):$(id -g admin)::0:0:PFRE admin:/var/empty:/var/www/htdocs/pfre/Controller/sh.php"
# /usr/bin/chpass -a "user:$(/usr/bin/encrypt `/bin/echo -n soner123 | sha1 -`):$(id -u user):$(id -g user)::0:0:PFRE user:/var/empty:/var/www/htdocs/pfre/Controller/sh.php"

However, you are advised to pick a better password than soner123.

Configure PHP

Go to /usr/local/bin/ and create a link to php executable:

# cd /usr/local/bin
# ln -s php-8.3 php

Edit the /etc/php-8.3.ini file to write error messages to syslog; otherwise they may interfere with pfctl test reports:

error_log = syslog

Also, edit the /etc/php-fpm.conf file to write error messages to syslog:

error_log = syslog

To enable pcntl, go to /etc/php-8.3/ and create the pcntl.ini file:

# cd /etc/php-8.3/
# touch pcntl.ini

And add the following line to pcntl.ini:

extension=pcntl.so

Disable chroot in /etc/php-fpm.conf by commenting out the chroot line:

;chroot = /var/www

If you want to use the Turkish translations, you should first install the gettext-tools package to generate the gettext mo file:

# cd /var/www/htdocs/pfre/View/locale/tr_TR/LC_MESSAGES/
# msgfmt -o pfre.mo pfre.po

Configure doas

Go to /etc/ and create the doas.conf file:

# cd /etc/
# touch doas.conf

And add the following lines to it:

permit nopass www as root cmd /var/www/htdocs/pfre/Controller/ctlr.php
permit nopass admin as root cmd /var/www/htdocs/pfre/Controller/ctlr.php
permit nopass user as root cmd /var/www/htdocs/pfre/Controller/ctlr.php
permit nopass keepenv root as root

Configure system

If you want the web server to be started automatically after a reboot, first copy the sample rc.local file to /etc/:

# cd /etc/
# cp examples/rc.local .

Then add the following lines to it:

if [ -x /usr/local/sbin/php-fpm-8.3 ]; then
	echo 'PHP CGI server'
	/usr/local/sbin/php-fpm-8.3
fi

Create the rc.conf.local file under /etc/

# cd /etc/
# touch rc.conf.local

And add the following line to it:

httpd_flags=

Also, if you want to use this PFRE test system as a firewall, you should enable packet forwarding between interfaces in /etc/sysctl.conf. To do so, copy the sample sysctl.conf file under /etc/examples/ to /etc/:

# cd /etc/
# cp examples/sysctl.conf .

And uncomment the line which enables forwarding of IPv4 packets:

net.inet.ip.forwarding=1

Start PFRE

Now you can either reboot the system or start the PHP FastCGI server (php-fpm) and the web server manually using the following commands:

# /usr/local/sbin/php-fpm-8.3
# /usr/sbin/httpd

Finally, if you point your web browser to the IP address of PFRE, you should see the login page. You should be able to log in by entering admin:soner123 as the username and password.