Firewalling with OpenBSD's PF packet filter

Peter N. M. Hansteen

Table of Contents
Before we start
Packet filter? Firewall?
PF today
BSD vs Linux - Configuration
Simplest possible setup (OpenBSD)
Simplest possible setup (FreeBSD)
Simplest possible setup (NetBSD)
First rule set - single machine
Slightly stricter
Statistics from pfctl
A simple gateway, NAT if you need it
Gateways and the pitfalls of in, out and on
What is your local network, anyway?
Setting up
That sad old FTP thing
If We Have To: ftp-proxy With Divert or Redirection
Historical FTP proxies: do not use
Ancient FTP through NAT: ftp-proxy
Ancient: FTP, PF and routable addresses: ftpsesame, pftpx and ftp-proxy!
ftp-proxy, slightly new style
Making your network troubleshooting friendly
Then, do we let it all through?
The easy way out: The buck stops here
Letting ping through
Helping traceroute
Path MTU discovery
Network hygiene: Blocking, scrubbing and so on
Handling non-routable addresses from elsewhere
A web server and a mail server on the inside
Taking care of your own - the inside
Tables make your life easier
Taking a peek with tcpdump
Other log tools you may want to look into
But there are limits (an anecdote)
Keeping an eye on things with systat
Keeping an eye on things with pftop
Invisible gateway - bridge
Directing traffic with ALTQ
ALTQ - prioritizing by traffic type
So why does this work?
Using a match Rule for Queue Assignment
ALTQ - allocation by percentage
ALTQ - handling unwanted traffic
CARP and pfsync
Wireless networks made simple
A little IEEE 802.11 background
WEP (Wired Equivalent Privacy)
WPA (WiFi Protected Access)
Setting up a simple wireless network
An open, yet tightly guarded wireless network with authpf
Turning away the brutes
expiring table entries with pfctl
Using expiretable to tidy your tables
Giving spammers a hard time
Remember, you are not alone: blacklisting
List of black and grey, and the sticky tarpit
Setting up spamd
Some early highlights of our spamd experience
Beating'em up some more: spamdb and greytrapping
Enter greytrapping
Your own traplist
Deleting, handling trapped entries
The downside: some people really do not get it
Conclusions from our spamd experience
PF - Haiku
Where to find the tutorial on the web
If you enjoyed this: Buy OpenBSD CDs and other items, donate!