This document is © Copyright 2005 - 2017, Peter N. M. Hansteen. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The document is now in minimal maintenance mode after 10 years as a 'work in progress', based on a manuscript prepared for a lecture at the BLUG (see http://www.blug.linux.no/) meeting of January 27th, 2005. Along the way it has spawned several conference tutorials as well as The Book of PF (third edition, No Starch Press 2014), which expands on all topics mentioned in this document and presents several topics that are only hinted at here. While this document has been a useful starting point for a number of people, I strongly suggest that you get the book.

I'm interested in comments of all kinds, and you may if you wish add web or other references to HTML or PDF versions of the manuscript. If you do, I would like, but cannot require, you to send me an email message that you've done it. For communication regarding this document please use the address and preferably a recognizable subject line; $ whois bsdly.net provides full contact information.

Revision History

Revision 0.03e, 12 February 2005
    initial English version, based on Norwegian 0.03 version
Revision 0.04e, 15 February 2005
    expanded copyright message, added intro footnote, based on Norwegian 0.04 version
Revision 0.05e, 16 February 2005
    sudo footnote to first occurrence, added some userinput tags, fixed typos. Thanks to: David Snyder
Revision 0.06e, 10 April 2005
    Misc corrections/clarifications esp about tables, spamd. Special thanks to: Eystein Roll Aarseth.
Revision 0.07e, 10 April 2005
    Added NetBSD info (Thanks: Peter Postma), Hygiene, keywordset for searchability
Revision 0.08e, 10 April 2005
    License is now BSD
Revision 0.081e, 14 April 2005
    Phrase desillification, typo nuking.
Revision 0.082e, 15 April 2005
    webserver example uses macro now
Revision 0.09e, 02 October 2005
    AUUG2005 edition revision: pftpx info updated, traceroute clarification (thanks to: Henrik Kramshøj), bruteforce protection, wireless basics and Vegard's authpf (Thanks: Vegard Engen). spamd part updated (new log format and new numbers).
Revision 0.091, 17 October 2005
    AUUG2005 version plus how to find info. Thanks: Stuart Henderson for pftpx in tree data.
Revision 0.092, 28 November 2005
    simplified rdr rules.
Revision 0.093e, 19 December 2005
    misc minor fixes, most discovered while working on the NO version
Revision 0.0931e, 27 December 2005
    adjustments to bruteforce section, typo
Revision 0.0945e, 22 February 2006
    UKUUG2006 edition w/ restrict-to date (BSD license after $date); expanded icmp info, rdr w/ 'reflect', new ftp-proxy, altq restruct, more wifi, spamd update, logging update, conditionals online vs print
Revision 0.0946e, 21 March 2006
    refreshed UKUUG2006 edition, typo fixes; added 'if you enjoyed this, buy stuff'; added source link
Revision 0.09461e, 25 March 2006
    refreshed UKUUG2006 edition minus a few typos
Revision 0.0948e, 28 March 2006
    SANE 2006 edition; $int_if -> $localnet and what's your local net section (thanks: UKUUG delegate whose name I unfortunately did not catch, do send me that email message!); hint at ftp-proxy's -R mode; added expiretable tip to the bruteforce section; refer to 3.9 as current version
Revision 0.09492e, 12 April 2006
    Some clarification on ALTQ and authpf, more about expiretable, non-routables handling; changed order of ALTQ examples, explained why ACK prioritization works; turned expiretable tip into a section with a bit more motivation; added license audit footnote and slight rephrase in PF? intro; blackholing non-routable addresses in hygiene part, added some explanation in the authpf section
Revision 0.095e, 03 May 2006
    new spamd statistics;
Revision 0.095e, 10 May 2006
    spamd lists note: Bob Beck gave permission, mention his traplist in spamd section;
Revision 0.0951e, 11 May 2006
    corrected FreeBSD wifi config: /etc/start_if.$ifname is really nice; thanks: Eric Bates
Revision 0.0952e, 15 May 2006
    refresh for SANE appearance; localnet clarification wrt interface names
Revision 0.0953e, 27 May 2006
    fix localnet definition + cvsup in examples. Syntax errors are bad for you: cvsup is not in OpenBSD's services file
Revision 0.0955e, 21 August 2006
    fix typos, note acx(4) now supports TI ACX1nn, greytrap footnote.
Revision 0.0956e, 27 August 2006
    Cleanup from Eystein's notes.
Revision 0.0957e, 14 September 2006
    typo fix. Thanks: Dimitri Umnov, who pointed out a rather obvious error in the reflection part; strangely not present in either the NO version or the slides.
Revision 0.0958e, 25 September 2006
    wrong URL fixed. Thanks: Robby Cauwerts, who pointed out that what I thought all this time was a link to the archived haiku message was a link to something else entirely.
Revision 0.096e, 7 November 2006
    EuroBSDCon 2006 edition. OpenBSD 4.0 is out; refreshed overload section mainly from Eystein's comments; greytrapping: spamd is way too much fun to just leave alone, sprinkling refreshes there and adding more spamd setup details; touch up ftp section with references to ftpsesame and pftpx ports on FreeBSD
Revision 0.0955e, 14 February 2007
    AsiaBSDCon 2007 edition. OpenBSD 4.1 is very close, mention stateful filtering default; small adjustments in FreeBSD setup section; remove OpenBSD mention from pre-3.9 ftp-proxy sections;
Revision 0.09651e, 27 April 2007
    typokill edition. OpenBSD 4.1 is out; marc.theaimsgroup.com is now called marc.info; spamd refresh
Revision 0.09655e, 13 May 2007
    BSDCan 2007 edition. Complete the spamd refresh; minor tweaks elsewhere
Revision 0.096551e, 28 May 2007
    typofix. Thanks: Austin Hook. While here, update references
Revision 0.0966e, 11 Sep 2007
    EuroBSDCon 2007 edition. 4.2 is close enough, minor edits and rephrasings
Revision 0.0967e, 05 Jan 2008
    Greytrapping correction + footnote. Thanks: Olli Hauer. The Book of PF is out, refer to it with clickables.
Revision 0.0968e, 13 Oct 2008
    SSH is TCP only. Thanks: Darren Tucker. Also, 4.4 is close enough to release that cranking the version reference makes sense.
Revision 0.0969e, 21 Jan 2009
    typo fixes + ICMP tweak. Thanks: Tom Van Looy.
Revision 0.09691e, 06 Oct 2009
    corrections to altq by percent example. Thanks: Pedro Caetano
Revision 0.09692e, 03 Jan 2010
    minor 4.6 related fixes, push book, mention wpa
Revision 0.0967e, 28 Nov 2010
    4.8 is out, intro new syntax examples, push book some more
Revision 0.0968e, 30 Nov 2010
    Add warning that the bridge example is incomplete, not pasteworthy
Revision 0.09685e, 09 Feb 2011
    Added inet vs inet6 language, hint of tutorial
Revision 0.09686e, 24 Apr 2011
    Moved slightly reworded note about the book up
Revision 0.09687e, 02 May 2011
    expiretable removed from OpenBSD ports. Thanks: Rodolfo Gouveia. Also: we're at 4.9
Revision 0.096871e, 07 May 2011
    in OpenBSD 4.9, ifconfig wpa syntax is simpler
Revision 0.0968711e, 05 Jan 2012
    -stable is 5.0, bump references where appropriate, rev latest year
Revision 0.0968712e, 12 Sep 2012
    -stable is 5.1, bump references where appropriate, typokill (thanks: Robert Frånberg)
Revision 0.0968713e, 24 Jan 2013
    -stable is 5.2, bump references where appropriate, update ftp-proxy example with divert-to
Revision 0.0968714e, 29 Jun 2013
    -stable is 5.3, bump references where appropriate, correct ICMP example (thanks: Warren Block wblock at wonkity dot com)
Revision 0.0968715e, 27 Jan 2014
    -stable is 5.4, bump references where appropriate, add ftpproxy_enable="YES" for FreeBSD (thanks: Warren Block wblock at wonkity dot com and Robert Simmons rsimmons0 at gmail dot com)
Revision 0.0968716e, 09 Feb 2014
    clarify that the ftp-proxy anchor and divert rule need to be before any NAT. Thanks: Nikola Gyurov
Revision 0.0968717e, 28 Sep 2014
    Add refs to newest tutorial slides, update references
Revision 0.0968718e, 28 Jan 2015
    correct modern spamd rules, thanks wiggl3 via irc #OpenBSD; also update book link to third edition
Revision 0.0968719e, 23 Dec 2015
    Update 'please look elsewhere for updates' note
Revision 0.0968720e, 24 Dec 2015
    The OpenBSD Bookstore as such does not exist anymore
Revision 0.0968721e, 03 Oct 2016
    It's 2016, OpenBSD base doesn't have sudo anymore. Recommend doas and the book, go back to sleep.
Revision 0.0968722e, 09 Dec 2016
    It's 2016, and people still confuse the OpenBSD spamd with the Spamassassin one. Add appropriate note in two relevant places. While here, remove ref to now sadly defunct uatraps blacklist.
Revision 0.0968723e, 28 May 2017
    It's 2017, and people still find this. Add note about nospamd and friends. While here note that OpenBSD-release is 6.1, introduce man.openbsd.org links where appropriate, fix some broken links and edit out embarrassing brokenness.