Building the Network You Need with OpenBSD's PF
UKUUG, London November 26th, 2008
Peter N. M. Hansteen
FreeCode AS
peter.hansteen@freecode.no, peter@bsdly.net
Copyright
© 2005 - 2008 by Peter N. M. Hansteen
Table of Contents
This is not a HOWTO
You're wondering ...
You're wondering ... Linux?
You're wondering ... Learn BSD?
You're wondering ... GUI tools?
You're wondering ... Automatic conversion?
You're wondering ... More info?
PF - Haiku
What PF is
Packet filter? Firewall?
NAT?
PF today
Simplest possible setup
Simplest possible setup (FreeBSD)
Simplest possible setup (NetBSD)
First rule set - single machine
Testing your first rule set
Slightly stricter
Testing your rule set
Statistics from pfctl
A gateway
Pitfalls: in, out, on
What is your local network, anyway?
Simple gateway (with NAT if you need to)
Simple gateway with NAT (cont'd.)
Simple gateway with NAT (cont'd.)
Simple gateway with NAT (cont'd.)
Testing your rule set
Domain names and host names?
That old and sad FTP thing
If we have to:
ftp-proxy
with redirection
This will become historical: pre-3.8 FTP proxies
Other historical ftp solutions: ftpsesame, pftpx
Tables make your life easier
Table commands
Filtering for services
Filtering for services (cont)
Giving spammers a hard time: you're not alone
Giving spammers a hard time (cont'd)
Giving spammers a hard time: The rules
Setting up spamd
Setting up spamd - FreeBSD
Greylisting: See the RFC
Greylisting: My admin told me not to talk to strangers
Setting up spamd
Track real SMTP connections: spamdlogd
Giving spammers a hard time (cont'd)
Giving spammers a hard time (cont'd)
Giving spammers a hard time (cont'd)
Connection lengths
Beating'em up some more: spamdb and greytrapping
spamdb and greytrapping
Greytrapping - the result
Keeping several spamds in sync
Some people really do not get it
Fixing for the people who really do not get it
Giving spammers a hard time: Conclusion
Turning away the brutes
Turning away the brutes: The rules
Turning away the brutes (cont'd)
Turning away the brutes (cont'd)
Expiring table entries with pfctl
expiretable tidies your tables
Advanced state tracking
State tracking (cont)
Physical Separation: The DMZ
DMZ ruleset
DMZ ruleset: tighten
Anchors
Anchors: commands
Anchors: ruleset
Anchors: alternative structure
Anchors - tag and quick
Including files
Wireless networks: background
Wireless networks made easy
Wireless networks: WPA setup
Wireless networks made easy (cont'd)
Wireless networks made easy (cont'd)
authpf: per user rules
Basic authpf setup
Basic authpf setup (cont)
Basic authpf setup (cont)
Per user rules
Wide open but actually shut
Open but shut: pf.conf
authpf-noip (4.3)
Sharing the load: Address pools
hoststated
Basic hoststated config
Basic hoststated config (cont)
Basic hoststated config (cont)
hoststatectl
hoststated for SSL load balancing
OpenBSD 4.3/4.4 news: hoststated -> relayd
Moving to relayd
Relayd DSR support (4.4)
Filtering for services, the NAT version
Back to the single NATed network
Single NAT, web & mail server on the inside: from the inside
Single NAT, web & mail server on the inside: from the inside
Filtering on interface groups
The power of tags
The filtering bridge
Where does it go?
OpenBSD bridge setup
FreeBSD bridge setup
Bridge PF filtering config
Handling non-routable addresses from elsewhere
Directing traffic with altq
Setting up for ALTQ
Setting up for ALTQ: FreeBSD
Setting up for ALTQ: NetBSD
What is your usable bandwidth?
ALTQ - prioritizing by traffic type
ALTQ - allocation by percentage
Queueing for a DMZ
Queueing for a DMZ: rules part 1
Queueing for a DMZ: rules part 2
overloading to a tiny queue
ALTQ - handling unwanted traffic
CARP and pfsync
CARP: project spec
CARP: project spec cont'd
CARP: project spec cont'd
Is your system CARP ready?
Setting up CARP
CARP: ifconfig
pfsync
What happens to the rule set?
carp config example
Carp ruleset
Making your network troubleshooting friendly
Then, do we let it all through?
The easy way out: The buck stops here
Letting ping through
Helping traceroute
Path MTU discovery
Path MTU discovery (cont'd)
Logging
Taking a peek with tcpdump
tcpdump is your friend
Matching log data to your rule set
Log to syslog
Statistics via labels
$variable label names
$variable label names: example
Keeping an eye on things with pftop
Graph your traffic: pfstat
Other log tools you may want to look into
Good logs for good debugging
Getting your setup just right
block-policy
skip
state-policy
timeout
limit
debug
ruleset-optimization
optimization
Hygiene: scrub and antispoof
Testing your setup
Specification (possibly incomplete)
Debugging your setup
Debugging some more
Debug - use tcpdump
Have fun!
If you enjoyed this: Support OpenBSD!
References