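# 18.2 Packet Filter (PF)

PF (Packet Filter) is a firewall that originated in OpenBSD and offers many features, including ALTQ (Alternate Queuing). ALTQ is PF's traffic queue management mechanism, used for Quality of Service (QoS) control.

## Enabling PF

Before enabling PF, load the kernel module, prepare a configuration file, and start the service, as follows.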

```sh
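# kldload pf                  # Load the pf kernel module so the system can recognize and use the PF firewall
# cp /usr/share/examples/pf/pf.conf /etc/  # Copy the example file as the default ruleset; without it pf cannot start
# service pf enable           # Start pf automatically at boot
# service pf start            # Start the pf service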
```

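* ① If the steps above are not performed, the system reports `pfctl: /dev/pf: No such file or directory`; in that case, you can reboot the system and then run `service pf start`.
* ② If the configuration file has not been copied, the following message appears: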

```sh
/etc/rc.d/pf: WARNING: /etc/pf.conf is not readable.
```
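
The two failure messages above can be checked for before starting the service. The following preflight function is an added example, not part of the original page; the function name `pf_preflight`, its return codes, and the parse-only `pfctl -nf` step are choices made for this example, while the paths are the ones used on this page.

```sh
#!/bin/sh
# Added example: preflight for the PF enable steps (not from the original page).
# pf_preflight [DEVICE] [RULESET]; the defaults are the paths used on this page.
# Return codes: 0 ready, 1 pf device missing, 2 ruleset unreadable,
#               3 ruleset rejected by pfctl's parse-only check.
pf_preflight() {
    dev=${1:-/dev/pf}
    conf=${2:-/etc/pf.conf}

    # Symptom 1: the pf device node only exists once pf is loaded.
    if [ ! -c "$dev" ]; then
        echo "FAIL: $dev: no such device; run 'kldload pf'" >&2
        return 1
    fi

    # Symptom 2: rc.d/pf warns and does not start without a readable ruleset.
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf is not readable; copy /usr/share/examples/pf/pf.conf to /etc/" >&2
        return 2
    fi

    # pfctl -n parses the ruleset without loading it, so a syntax error is
    # caught before the running firewall is touched. Only done for the real
    # device on a host that has pfctl.
    if [ "$dev" = /dev/pf ] && command -v pfctl >/dev/null 2>&1; then
        if ! pfctl -nf "$conf" >/dev/null 2>&1; then
            echo "FAIL: $conf has syntax errors; see 'pfctl -nf $conf'" >&2
            return 3
        fi
    fi

    echo "OK: $dev present, $conf readable"
    return 0
}

# Typical use on FreeBSD, as root:
#   pf_preflight && service pf start
```
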

## File layout

The PF configuration files are laid out as follows.

```sh
/
├── etc
│   └── pf.conf
└── usr
    └── share
        └── examples
            └── pf
                └── pf.conf
```
