Firewalling with OpenBSD's PF packet filter

BSDCan 2007, Ottawa, May 17th 2007

Peter N. M. Hansteen

Datadokumentasjon A/S

Table of Contents
This is not a HOWTO
PF?
Packet filter? Firewall?
NAT?
PF today
BSD vs Linux - configuration
Simplest possible setup (OpenBSD)
Simplest possible setup (FreeBSD)
Simplest possible setup (NetBSD)
First rule set - single machine
Slightly stricter
Statistics from pfctl
A gateway
Pitfalls: in, out, on
What is your local network, anyway?
Simple gateway with NAT
Simple gateway with NAT (cont'd.)
Simple gateway with NAT (cont'd.)
That old and sad FTP thing
ftp: if we really have to (redirection)
ftp + pf + routable addresses: ftpsesame, pftpx and ftp-proxy!
ftp-proxy, new style
Making your network troubleshooting friendly
Then, do we let it all through?
The easy way out: The buck stops here
Letting ping through
Helping traceroute
Path MTU discovery
Path MTU discovery (cont'd)
Hygiene: block-policy, scrub and antispoof
Handling non-routable addresses from elsewhere
A web server and a mail server on the inside
A web & mail server on the inside: from the inside
A web & mail server on the inside: from the inside
Tables make your life easier
Tables make your life easier: command line
Logging
Taking a peek with tcpdump
Log sizes: there are limits
Keeping an eye on things with pftop
Invisible gateway - bridge
Directing traffic with altq
ALTQ - prioritizing by traffic type
ALTQ - allocation by percentage
ALTQ - handling unwanted traffic
CARP and pfsync
Wireless networks: background
Wireless networks made simple
Wireless networks made simple (cont'd)
Wireless networks made simple (cont'd)
authpf: per user rules
Open, yet shut: authpf
Open, yet shut: pf.conf
Open, yet shut: authpf.rules
Open, yet shut: user authpf.rules
Turning away the brutes
Turning away the brutes: The rules
Turning away the brutes (cont'd)
Turning away the brutes (cont'd)
expiretable tidies your tables
Expiring table entries with pfctl
Giving spammers a hard time: you're not alone
Giving spammers a hard time (cont'd)
Giving spammers a hard time: The rules
Setting up spamd
Setting up spamd - FreeBSD
Setting up spamd
Giving spammers a hard time (cont'd)
Giving spammers a hard time (cont'd)
Giving spammers a hard time (cont'd)
Beating 'em up some more: spamdb and greytrapping
spamdb and greytrapping
Greytrapping - the result
Some people really do not get it
Fixing for the people who really do not get it
Giving spammers a hard time: Conclusion
PF - Haiku
If you enjoyed this: Support OpenBSD!
References
Where to find the tutorial on the web