Firewalling with OpenBSD's PF packet filter

Peter N. M. Hansteen
Table of Contents
Before we start
PF?
Packet filter? Firewall?
NAT?
PF today
BSD vs Linux - Configuration
Simplest possible setup (OpenBSD)
Simplest possible setup (FreeBSD)
Simplest possible setup (NetBSD)
First rule set - single machine
Slightly stricter
Statistics from pfctl
A simple gateway, NAT if you need it
Gateways and the pitfalls of in, out and on
What is your local network, anyway?
Setting up
That sad old FTP thing
If We Have To: ftp-proxy With Divert or Redirection
Historical FTP proxies: do not use
Ancient FTP through NAT: ftp-proxy
Ancient: FTP, PF and routable addresses: ftpsesame, pftpx and ftp-proxy!
ftp-proxy, slightly new style
Making your network troubleshooting friendly
Then, do we let it all through?
The easy way out: The buck stops here
Letting ping through
Helping traceroute
Path MTU discovery
Network hygiene: Blocking, scrubbing and so on
block-policy
scrub
antispoof
Handling non-routable addresses from elsewhere
A web server and a mail server on the inside
Taking care of your own - the inside
Tables make your life easier
Logging
Taking a peek with tcpdump
Other log tools you may want to look into
But there are limits (an anecdote)
Keeping an eye on things with systat
Keeping an eye on things with pftop
Invisible gateway - bridge
Directing traffic with ALTQ
ALTQ - prioritizing by traffic type
So why does this work?
Using a match Rule for Queue Assignment
ALTQ - allocation by percentage
ALTQ - handling unwanted traffic
CARP and pfsync
Wireless networks made simple
A little IEEE 802.11 background
WEP (Wired Equivalent Privacy)
WPA (WiFi Protected Access)
Setting up a simple wireless network
An open, yet tightly guarded wireless network with authpf
Turning away the brutes
Expiring table entries with pfctl
Using expiretable to tidy your tables
Giving spammers a hard time
Remember, you are not alone: blacklisting
List of black and grey, and the sticky tarpit
Setting up spamd
Some early highlights of our spamd experience
Beating 'em up some more: spamdb and greytrapping
Enter greytrapping
Your own traplist
Deleting, handling trapped entries
The downside: some people really do not get it
Conclusions from our spamd experience
PF - Haiku
References
Where to find the tutorial on the web
If you enjoyed this: Buy OpenBSD CDs and other items, donate!