Validating a PF configuration

Test Environment

[Ref: PF: Testing your Firewall]

The test environment provides a secure environment for validating presumptions of traffic flow behaviour encapsulated in our Policy and subsequent firewall ruleset.

Test conditions should provide checklists and methodologies for subsequent verification of the firewall in the live environment.

The base test environment, as pictured below minimises a number of network routing issues that can occur when testing your new firewall rules while the test firewall is connected to your live network.

Firewall - Traffic Flow


  • Clear routes, arp state
  • Inspect PFE states (refer pfctl notes)
  • Inspect Traffic Flow (refer flow notes)
  • Writing Tests (in these notes)
  • Verify Performance


Our test/validation strategy involves securing an environment to verify our Policy and subsequent ruleset interpretation.

The rest of these notes covers these strategies.

  • Using pfctl to parse and inspect PFE states
  • Using tcpdump to inspect traffic flow
  • Using other tools to inject traffic

The test environment is generally as in the below diagram.

Writing Tests

Tests are gleaned from the proposed firewall rules, as moving betweeen rule symantics into flow semantics.

from ruleset:

pass in on $int_if inet proto tcp from <lan> to any
pass out on $ext_if

evolves to flow routes

<lan> to dmz {tcp}
<lan> to inet {tcp}

The firewall/gateways should remain essentially static during the test and various changes will be needed on the Internal and External hosts to simulate the appropriate IP Addresses to validate the rulesets

During IP Address and routing changes on the hosts, ensure route states are cleared (or the hosts restarted) to minimise errors caused by stagnant routing information.