# PFRE

Repository: https://github.com/sonertari/PFRE (language: PHP, license: GPL-3.0)

PFRE is a packet filter rule editor for OpenBSD/pf. It is intended for beginners and system administrators alike.

The [UTMFW](https://github.com/sonertari/UTMFW) and [PFFW](https://github.com/sonertari/PFFW) projects use PFRE on their web administration interfaces. If you don't want to [install PFRE](https://github.com/sonertari/PFRE#how-to-install) yourself, you can download the installation files of [UTMFW](https://github.com/sonertari/UTMFW#download) or [PFFW](https://github.com/sonertari/PFFW#download) to test drive PFRE easily.

## Features

Using PFRE, you can develop rules from scratch or modify existing ones:

- Load, save, upload, download, and delete rule files.
- Display the rules in tabular form, classified by rule type and parsed into their individual elements.
- Add and delete rules, and move them within the ruleset.
- Edit rules in almost all possible detail: PFRE supports most, if not all, of the BNF syntax specification in pf.conf(5).
- Test rules: PFRE validates all input and tests rules using pfctl to provide detailed error reports on the fly, both while editing individual rules and when displaying whole rulesets.
- Install the rules as the main ruleset, and activate them by loading them into pf.

A few notes about the requirements, design decisions, and implementation of PFRE:

- PFRE does not provide wizards, nor does it try to simplify rule development by hiding details. On the contrary, it empowers the user by exposing as much relevant detail as possible.
- PFRE aims to generate text ruleset output as close as possible to what a system administrator would write by hand:
	+ PFRE tries to be faithful to the original rule file loaded: it does not insert any extra lines into its output, such as PFRE-specific marks or rule generation dates (you cannot tell whether a ruleset was generated by PFRE or not).
	+ You can insert blank lines between rules: blank lines are a separate rule type.
	+ Comments are a separate rule type too.
	+ All other rule types support inline comments.
- The edit page provides help links to the relevant sections of the pf.conf(5) man page, which open in a separate browser tab.
- PFRE uses gettext to support different languages, currently English and Turkish only.
- All important messages and test results are reported in error and information boxes.
- PFRE writes detailed logs to syslog, which you can filter into separate log files.
- PFRE uses an MVC design to separate business logic from presentation: the View does not know how to parse, generate, validate, or test pf rules (it is as thin and dumb as possible).
- PFRE has been tested using PHPUnit and Codeception.
- The source code is documented using Doxygen.

![UI Design](https://github.com/sonertari/UTMFW/blob/master/screenshots/UIDesign.png)

PFRE takes security seriously:

- All input is validated and untainted before it is used.
- Invalid rules are never passed to pfctl for testing.
- pfctl is executed in a separate process, which times out if pfctl takes too long.
- The Model is similar to the server side of a privilege separation design: it defines and supports only a fixed set of commands that the View can execute.
- As the sole gatekeeper for the Model, the PFRE controller, ctlr.php, is the only executable enabled in the doas configuration.
- The View executes all controller commands over an SSH connection.
- The login shell of the admin and user users is set to sh.php, and they have no home folder. So admin and user can log in to the system and pass arguments to sh.php, but cannot drop to a command-line shell.
- sh.php, the login shell of the admin and user users, validates every command and argument given to it, and only then runs it via ctlr.php.
- No argument passed to sh.php or ctlr.php is ever shell-expanded before being executed.
- Passwords are never visible in plain text anywhere, not even in the doas logs.
- The View never touches the filesystem and does not run any system executable (the only possible exceptions being /bin/sleep and /bin/date).
- All system executables are called using their full pathnames.
- The number of nested anchors in inline rules is restricted to a configurable maximum.
- JavaScript use is kept to a minimum.

![PFRE](https://github.com/sonertari/PFRE/blob/master/screenshots/PFRE.png)

You can find a couple of screenshots on the [wiki](https://github.com/sonertari/PFRE/wiki).

## How to install

Here are the basic steps to obtain a working PFRE installation:

- Install OpenBSD 7.7, perhaps in a VM.
- Install PHP 8.4.5, php-pcntl, and php-cgi.
- Copy the files in the PFRE src folder to /var/www/htdocs/pfre/.
- Configure httpd.conf for PFRE.
- Create the admin and user users, and set their passwords.
- Enable ctlr.php in doas for the admin and user users, and make sure ctlr.php is executable.
- Point your web browser to the web server and log in.

The following sections provide the details.

### Install OpenBSD

The OpenBSD installation guide is at [faq4](http://www.openbsd.org/faq/faq4.html).

Here are a couple of guidelines:

- You can download install77.iso from the OpenBSD mirrors.
- It may be easier to install a PFRE test system on a VM of your choice, e.g. VMware or VirtualBox, rather than on bare hardware.
- 256MB RAM and 8GB HD should be enough.
- If you want to obtain a packet filtering firewall, make sure the VM has at least 2 ethernet interfaces:
	+ The external interface may obtain its IP address over DHCP
	+ The internal interface should have a static IP address
- You can simply accept the default disk layout and partitions suggested by the OpenBSD install script.
- You can safely leave out the x\*, comp\*, and game\* install sets; you won't need them for a PFRE test system.

Reboot the system after installation is complete and log in as root.

### Install packages

Create a package cache folder:

	# cd /var/db/
	# mkdir pkg_cache

Set the $PKG\_PATH env variable to the cache folder you have just created:

	# export PKG_PATH=/var/db/pkg_cache/

Download the required packages from an OpenBSD mirror and copy them to $PKG\_PATH. The following is the list of files you should have under $PKG\_PATH:

	argon2-20190702p0.tgz
	bzip2-1.0.8p0.tgz
	capstone-5.0.tgz
	femail-1.0p1.tgz
	femail-chroot-1.0p3.tgz
	gettext-runtime-0.23.1.tgz
	libiconv-1.17.tgz
	libsodium-1.0.20.tgz
	libxml-2.13.7.tgz
	oniguruma-6.9.10.tgz
	pcre2-10.44.tgz
	php-8.4.5.tgz
	php-cgi-8.4.5.tgz
	php-pcntl-8.4.5.tgz
	xz-5.6.4p0.tgz

Install PHP, php-pcntl, and php-cgi by running the following commands, which should install their dependencies as well (pkg_add verifies the signify(1) signature embedded in each package, so the files in the cache do not have to be trusted on their own):

	# pkg_add -v php
	# pkg_add -v php-pcntl
	# pkg_add -v php-cgi

If you want to check that all required packages were installed successfully, run the following command:

	# pkg_info -a

Here is the expected output of that command:

	argon2-20190702p0   C implementation of Argon2 - password hashing function
	bzip2-1.0.8p0       block-sorting file compressor, unencumbered
	capstone-5.0        multi-platform, multi-architecture disassembly framework
	femail-1.0p1        simple SMTP client
	femail-chroot-1.0p3 simple SMTP client for chrooted web servers
	gettext-runtime-0.23.1 GNU gettext runtime libraries and programs
	libiconv-1.17       character set conversion library
	libsodium-1.0.20    library for network communications and cryptography
	libxml-2.13.7       XML parsing library
	oniguruma-6.9.10    regular expressions library
	pcre2-10.44         perl-compatible regular expression library, version 2
	php-8.4.5           server-side HTML-embedded scripting language
	php-cgi-8.4.5       php CGI binary
	php-pcntl-8.4.5     PCNTL extensions for php
	xz-5.6.4p0          library and tools for XZ and LZMA compressed files

### Install PFRE

Create a 'pfre' folder under /var/www/htdocs/ and copy all the contents of the PFRE src folder to /var/www/htdocs/pfre/. The files should be owned by root:daemon. Keep them that way: ctlr.php is the one program that doas will let the www, admin, and user accounts run as root, so it (and the directory containing it) must never become writable by those accounts.

Make sure /var/www/htdocs/pfre/Controller/ctlr.php is executable. If not, go to /var/www/htdocs/pfre/Controller/ and make it executable:

	# cd /var/www/htdocs/pfre/Controller/
	# chmod u+x ctlr.php

And create the folder for configuration files:

	# mkdir /etc/pfre/

#### Configure web server

Configure PFRE in httpd.conf under /etc. Note that we disable the chroot by chrooting to /, because the controller needs to reach pfctl and the rule files outside /var/www. Your configuration might look like the following:

	chroot "/"
	#prefork 3

	server "pfre" {
		listen on * port 80
		listen on * tls port 443
		directory index "index.php"

		location "*.php" {
			fastcgi socket "/var/www/run/php-fpm.sock"
		}

		log syslog
		root "/var/www/htdocs/pfre/View/"
	}

Create a self-signed server certificate. Run the following commands to generate your own CA:

	# openssl genrsa -des3 -out ca.key 2048
	# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Next, to generate a server key and a request for signing, run the following:

	# openssl genrsa -des3 -out server.key 2048
	# openssl req -new -key server.key -out server.csr

Sign the certificate signing request (csr) with the self-created certificate authority (CA) that you made earlier:

	# openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

To make a server.key which doesn't cause httpd to prompt for a password:

	# openssl rsa -in server.key -out server.key.insecure
	# mv server.key server.key.secure
	# mv server.key.insecure server.key

Finally, copy the server.crt and server.key files to the default locations defined in httpd.conf(5):

	# cp server.key /etc/ssl/private/
	# cp server.crt /etc/ssl/

Only ca.crt needs to be distributed to the browsers that will trust the server certificate; ca.key and server.key.secure should stay out of the web root and readable by root only.

Run useradd(8) to create the admin and user users (you can omit the -c, -d, and -s options, as we will set them with the chpass command next):

	# useradd -c "PFRE admin" -d /var/empty -s /var/www/htdocs/pfre/Controller/sh.php admin
	# useradd -c "PFRE user" -d /var/empty -s /var/www/htdocs/pfre/Controller/sh.php user

Then set their passwords to soner123 by running the following commands (actually, to the hex sha1 digest of soner123: PFRE hashes the password once before it leaves the View, and encrypt(1) hashes that digest again for the password database, so the password is hashed twice):

	# /usr/bin/chpass -a "admin:$(/usr/bin/encrypt `/bin/echo -n soner123 | sha1 -`):$(id -u admin):$(id -g admin)::0:0:PFRE admin:/var/empty:/var/www/htdocs/pfre/Controller/sh.php"
	# /usr/bin/chpass -a "user:$(/usr/bin/encrypt `/bin/echo -n soner123 | sha1 -`):$(id -u user):$(id -g user)::0:0:PFRE user:/var/empty:/var/www/htdocs/pfre/Controller/sh.php"

However, you are advised to pick a better password than soner123.

Also, you should enable one of the finite field DH kex algorithms that phpseclib 1.0 supports in sshd; otherwise WUI login fails with sshd 10.0 and later. sshd 10.0 on OpenBSD 7.7 removes finite field DH kex from its default list, but phpseclib 1.0 supports only finite field DH kex, not ECDH (see https://phpseclib.sourceforge.net).

So, add the following line at the bottom of /etc/ssh/sshd_config:

	KexAlgorithms +diffie-hellman-group-exchange-sha256

Note that KexAlgorithms cannot be scoped to a Match block, so this re-enables group-exchange DH for every client that connects to sshd, not only for the PFRE View.

#### Configure PHP

Go to /usr/local/bin/ and create a link to the php executable:

	# cd /usr/local/bin
	# ln -s php-8.4 php

Edit the /etc/php-8.4.ini file to write error messages to syslog, otherwise they may pollute the pfctl test reports:

	error_log = syslog

Also, edit the /etc/php-fpm.conf file to write error messages to syslog:

	error_log = syslog

To enable pcntl, go to /etc/php-8.4/ and create the pcntl.ini file:

	# cd /etc/php-8.4/
	# touch pcntl.ini

And add the following line to pcntl.ini:

	extension=pcntl.so

Disable the chroot in /etc/php-fpm.conf by commenting out the chroot line:

	;chroot = /var/www

If you want to use the Turkish translations, you should first install the gettext-tools package, then generate the gettext mo file:

	# cd /var/www/htdocs/pfre/View/locale/tr_TR/LC_MESSAGES/
	# msgfmt -o pfre.mo pfre.po

#### Configure doas

Go to /etc/ and create the doas.conf file:

	# cd /etc/
	# touch doas.conf

And add the following lines to it:

	permit nopass www as root cmd /var/www/htdocs/pfre/Controller/ctlr.php
	permit nopass admin as root cmd /var/www/htdocs/pfre/Controller/ctlr.php
	permit nopass user as root cmd /var/www/htdocs/pfre/Controller/ctlr.php
	permit nopass keepenv root as root

The first three lines let the www, admin, and user accounts run exactly one command as root without a password, and doas matches that cmd against the command string as it is invoked, which is why PFRE always calls ctlr.php by its full pathname. Everything these accounts can do as root therefore goes through the argument validation inside ctlr.php; do not add further cmd lines for them.

#### Configure system

If you want the web server to be started automatically after a reboot, first copy the sample rc.local file to /etc/:

	# cd /etc/
	# cp examples/rc.local .

Then add the following lines to it:

	if [ -x /usr/local/sbin/php-fpm-8.4 ]; then
		echo 'PHP CGI server'
		/usr/local/sbin/php-fpm-8.4
	fi

Create the rc.conf.local file under /etc/:

	# cd /etc/
	# touch rc.conf.local

And add the following line to it:

	httpd_flags=

Also, if you want to use this PFRE test system as a firewall, you should enable packet forwarding between interfaces in /etc/sysctl.conf. So, copy the sample sysctl.conf file under /etc/examples/ to /etc/:

	# cd /etc/
	# cp examples/sysctl.conf .

And uncomment the line which enables forwarding of IPv4 packets:

	net.inet.ip.forwarding=1

### Start PFRE

Now you can either reboot the system or start the php cgi server and the web server manually using the following commands:

	# /usr/local/sbin/php-fpm-8.4
	# /usr/sbin/httpd

Finally, if you point your web browser to the IP address of PFRE, you should see the login page, and you should be able to log in with admin as the user and soner123 as the password.
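The security list above describes how sh.php and ctlr.php gate what the admin, user, and www accounts can make root do: a fixed command set, argument validation before use, no shell expansion, full pathnames, and a pfctl child that times out. The following POSIX sh script is an added example, not PFRE's own code, that models that gate so the properties can be seen together. The command names (test, install), the rule directory /etc/pfre, the rule file name grammar, and the pfctl invocations are assumptions made for the example; PFRE's real command set lives in ctlr.php.

```shell
#!/bin/sh
# Added example, not PFRE's own code: a minimal model of the sh.php -> ctlr.php
# gate. Assumed: command names test/install, RULE_DIR, the rule file grammar
# and the pfctl invocations below.
#
# Properties modelled:
#   1. only commands on a fixed allowlist are accepted;
#   2. every argument is validated before it is used;
#   3. arguments travel through "$@" and are never eval'd or re-parsed;
#   4. executables are called by full pathname, never via PATH lookup;
#   5. the child runs under a watchdog and is killed if it takes too long.

PFCTL=/sbin/pfctl                     # full pathname (assumed location)
RULE_DIR=/etc/pfre                    # assumed rule file directory
PFRE_TIMEOUT=${PFRE_TIMEOUT:-10}      # seconds a pfctl run may take

# A rule file name may contain letters, digits, '.', '_' and '-', and must
# not start with '.' or '-': that rules out "..", "/" and option injection.
valid_rulefile() {
    case "$1" in
        ''|.*|-*)          return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *)                 return 0 ;;
    esac
}

# run_limited SECONDS CMD [ARG...]: run CMD, kill it after SECONDS.
# Returns CMD's exit status (>128 when the watchdog had to kill it).
run_limited() {
    _limit=$1; shift
    "$@" & _pid=$!
    ( sleep "$_limit"; kill "$_pid" ) >/dev/null 2>&1 </dev/null & _wd=$!
    wait "$_pid" && _rc=0 || _rc=$?
    kill "$_wd" >/dev/null 2>&1 || :
    return "$_rc"
}

# pfre_dispatch CMD [ARG...]: the gate. Exit status 2 = unknown command,
# 3 = bad argument; otherwise the handler's exit status.
pfre_dispatch() {
    [ $# -gt 0 ] || return 2
    _cmd=$1; shift
    case "$_cmd" in
        test)
            [ $# -eq 1 ] && valid_rulefile "$1" || return 3
            # -n parses only; nothing is loaded into pf
            run_limited "$PFRE_TIMEOUT" "$PFCTL" -nf "$RULE_DIR/$1" ;;
        install)
            [ $# -eq 1 ] && valid_rulefile "$1" || return 3
            run_limited "$PFRE_TIMEOUT" "$PFCTL" -f "$RULE_DIR/$1" ;;
        *)
            return 2 ;;
    esac
}
```

Usage on the PFRE host would be `pfre_dispatch test pf.conf`; a request such as `pfre_dispatch test 'pf.conf; id'` or `pfre_dispatch test ../master.passwd` is refused before pfctl is ever started, and because the file name is only ever passed as one element of `"$@"`, the shell never gets a chance to re-parse it even if validation were loosened.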
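The install steps above set up three trust boundaries: ctlr.php is the single doas-enabled executable and must stay root-owned and unwritable by the accounts allowed to run it, doas.conf and httpd.conf must parse as written, and sshd must offer the DH group-exchange kex that phpseclib 1.0 needs. The script below is an added example, not part of PFRE, that checks those boundaries after installation. Paths are the ones used in this README; the two permission helpers take a path so they can be exercised on any file, and the sshd check reads `sshd -T` output on standard input so it can be tested with constructed text. The doas, httpd, php-fpm and sshd invocations in run_all_checks only exist on the PFRE host itself.

```shell
#!/bin/sh
# Added example, not part of PFRE: post-install checks for the trust
# boundaries set up in this README. Each check is a function returning
# 0 (ok) or 1 so that it can be run on its own.

GATE=/var/www/htdocs/pfre/Controller/ctlr.php
SHELL_PHP=/var/www/htdocs/pfre/Controller/sh.php

# gate_perms_ok FILE: a regular, executable file that neither group nor
# others can write. Otherwise www/admin/user could rewrite the one program
# doas lets them run as root. Octal -perm so it works with any find(1).
gate_perms_ok() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# gate_owner_ok FILE USER GROUP: the README wants root:daemon.
gate_owner_ok() {
    [ -n "$(find "$1" -prune -user "$2" -group "$3")" ]
}

# kex_has_dh_gex: read `sshd -T` output on stdin and confirm that the
# finite field DH kex needed by phpseclib 1.0 is offered. sshd -T prints
# its keywords in lower case, one "keyword value" pair per line.
kex_has_dh_gex() {
    grep -qi '^kexalgorithms .*diffie-hellman-group-exchange-sha256'
}

# run_all_checks: everything, to be run as root on the PFRE host. The
# -C / -n / -t flags only parse the respective configuration files.
run_all_checks() {
    gate_perms_ok "$GATE"             || { echo "ctlr.php mode is too loose"; return 1; }
    gate_owner_ok "$GATE" root daemon || { echo "ctlr.php is not root:daemon"; return 1; }
    gate_perms_ok "$SHELL_PHP"        || { echo "sh.php mode is too loose"; return 1; }
    /usr/bin/doas -C /etc/doas.conf   || { echo "doas.conf does not parse"; return 1; }
    /usr/sbin/httpd -n                || { echo "httpd.conf does not parse"; return 1; }
    /usr/local/sbin/php-fpm-8.4 -t    || { echo "php-fpm.conf does not parse"; return 1; }
    /usr/sbin/sshd -T | kex_has_dh_gex || { echo "sshd offers no DH group-exchange kex"; return 1; }
    echo "all checks passed"
}
```

Run `run_all_checks` once after the steps above and again whenever ctlr.php is updated; a failed ownership or mode check means the www account could replace the controller and obtain root through the doas rule, which is the one thing the PFRE design depends on not happening.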