Building the Network You Need: Part One, PF

OpenCON 2007, Venezia, November 30th 2007

Peter N. M. Hansteen

peter@bsdly.net

Table of Contents
This is not a HOWTO
You're wondering ...
You're wondering ... Linux?
You're wondering ... Learn BSD?
You're wondering ... GUI tools?
You're wondering ... Automatic conversion?
You're wondering ... More info?
PF - Haiku
What PF is
Packet filter? Firewall?
NAT?
PF today
Simplest possible setup
First rule set - single machine
Testing your first rule set
Slightly stricter
Testing your rule set
Statistics from pfctl
A gateway
Pitfalls: in, out, on
What is your local network, anyway?
Simple gateway (with NAT if you need to)
Simple gateway with NAT (cont'd.)
Simple gateway with NAT (cont'd.)
Testing your rule set
Domain names and host names?
That old and sad FTP thing
ftp-proxy
Making your network troubleshooting friendly
Then, do we let it all through?
The easy way out: The buck stops here
Letting ping through
Helping traceroute
Path MTU discovery
Path MTU discovery (cont'd)
Tables make your life easier
Tables make your life easier: command line
Wireless networks: background
Wireless networks made easy
Wireless networks made easy (cont'd)
Wireless networks made easy (cont'd)
authpf: per user rules
Basic authpf setup
Basic authpf setup (cont)
Basic authpf setup (cont)
Per user rules
Wide open but actually shut
Open but shut: pf.conf
Filtering for services
Filtering for services (cont)
Physical Separation: The DMZ
DMZ ruleset
DMZ ruleset: tighten
Sharing the load: Address pools
hoststated
Basic hoststated config
Basic hoststated config (cont)
Basic hoststated config (cont)
hoststatectl
hoststated for SSL load balancing
The NAT version
Back to the single NATed network
Single NAT, web & mail server on the inside: from the inside
Single NAT, web & mail server on the inside: from the inside
Filtering on interface groups
The power of tags
The filtering bridge
Where does it go?
Bridge setup

Handling non-routable addresses from elsewhere
Turning away the brutes
Turning away the brutes: The rules
Turning away the brutes (cont'd)
Turning away the brutes (cont'd)
Expiring table entries with pfctl
expiretable tidies your tables
Giving spammers a hard time: you're not alone
Giving spammers a hard time (cont'd)
Giving spammers a hard time: The rules
Setting up spamd
Greylisting: See the RFC
Greylisting: My admin told me not to talk to strangers
Setting up spamd
track real SMTP connections: spamdlogd
Giving spammers a hard time (cont'd)
Giving spammers a hard time (cont'd)
Giving spammers a hard time (cont'd)
Beating'em up some more: spamdb and greytrapping
spamdb and greytrapping
Greytrapping - the result
Keeping several spamds in sync
Some people really do not get it
Fixing for the people who really do not get it
Giving spammers a hard time: Conclusion
Directing traffic with altq
What is your usable bandwidth?
ALTQ - prioritizing by traffic type
ALTQ - allocation by percentage
Queueing for a DMZ
Queueing or a DMZ: rules part 1
Queueing or a DMZ: rules part 2
overloading to a tiny queue
ALTQ - handling unwanted traffic
CARP and pfsync
CARP: project spec
CARP: project spec 2
Setting up CARP
CARP: ifconfig
pfsync
What happens to the rule set?
Logging
Taking a peek with tcpdump
Log to syslog
Statistics via labels
Keeping an eye on things with pftop
Graph your traffic: pfstat
Other log tools you may want to look into
Good logs for good debugging
Getting your setup just right
block-policy
skip
state-policy
timeout
limit
debug
ruleset-optimiation
optimization
Hygiene: scrub and antispoof
Testing your setup
Specification (possibly incomplete)
Debugging your setup
Debugging some more
Debug - use tcpdump
Have fun!
If you enjoyed this: Support OpenBSD!
References