PF - The OpenBSD Packet Filter

BLUG, Bergen, January 25, 2011

Peter N. M. Hansteen

BSDly.net

peter@bsdly.net


Table of Contents
It all started with a copyright violation
PF: design goals, evolution
PF: design goals, evolution
PF: design goals, evolution
PF: design goals, evolution
PF: design goals, evolution
4.7: Henning's Monster Diff
How To Enable?
Simplest rule set
Simplest Secure Rule Set
More than one rule: evaluation
The quick escape
Stateful by default
Readability: Macros
Readability: Port ranges
Readability: Lists and names
Introducing Tables
Tables operations
4.6 news flash: match
Useful Tip #1: set skip
Redirection
Directing traffic with altq
ALTQ - prioritizing by traffic type
ALTQ: queue assignment with match rule
ALTQ: systat queues
ALTQ - allocation by percentage
A Basic HFSC Traffic Shaper
HFSC systat queues view
OpenBSD 4.6 Alert: match rules
Turning away the brutes
Turning away the brutes: The rules
Turning away the brutes (cont'd)
Turning away the brutes (cont'd)
Expiring table entries with pfctl
Advanced state tracking
Giving spammers a hard time: you're not alone
Greylisting: My admin told me not to talk to strangers
Giving spammers a hard time: The rules
Setting up spamd: spamd.conf
Giving spammers a hard time (cont'd)
Giving spammers a hard time (cont'd)
spamdb and greytrapping
Greytrapping - the result
Some people really do not get it
Giving spammers a hard time: Conclusion
Anchors
Anchors: commands
Anchors: ruleset
Anchors: alternative structure
Anchors - tag and quick
Including files
authpf: per user rules
Basic authpf setup
Basic authpf setup (cont)
Basic authpf setup (cont)
Per user rules
Wide open but actually shut
Open but shut: pf.conf
Sharing the load: Address pools
relayd, née hoststated
Basic relayd config
Basic relayd config (cont)
Basic relayd config (cont)
relayctl
relayd for SSL load balancing
Filtering on interface groups
The power of tags
CARP and pfsync
CARP: project spec
CARP: project spec cont'd
CARP: project spec cont'd
Setting up CARP
CARP: ifconfig
pfsync
What happens to the rule set?
Logging
Taking a peek with tcpdump
tcpdump is your friend
Matching log data to your rule set
Statistics via labels
Keeping an eye on things with systat states
New in 4.5: pflow(4) and pflow state option
pflow in your rule set
pflow: config the interface
pflow: set up a collector
Good logs for good debugging
Getting your setup just right
Have fun!
If you enjoyed this: Support OpenBSD!
References