BSDCan2007 - Confirmed Schedule
BSDCan 2007
The Technical BSD Conference

Speakers: Peter Hansteen

Schedule
Day: 2
Room: SITE F0126
Start time: 13:00
Duration: 04:00

Info
ID: 14
Event type: Workshop
Track: Tutorial
Language: English
Packet filtering for fun and profit
Putting PF to good use - an introduction which gets you to the point where adminning is fun again
This half-day tutorial is a further evolved version of the "Firewalling with PF" tutorial offered at various conferences over the last year and a half. The tutorial's intended audience is aspiring or seasoned network professionals with at least a basic knowledge of networking in general and TCP/IP in particular. By the time May rolls around, OpenBSD 4.1 will be the latest released version, with subtle but significant changes which will be included in the updated tutorial.
The manuscript is due for significant revisions over the next few months; however, the main points remain:
Before we start - this is a tutorial, how we conduct the session
PF? - why PF was needed and some history
Packet filter? Firewall? - some common terms explained
NAT? - common tricks of TCP/IP explained
PF today - a short overview of PF's feature set
BSD vs Linux - Configuration - if you came from Linux, how network config is done on BSD
Simplest possible setup (OpenBSD) - the minimal setup for an OpenBSD machine
Simplest possible setup (FreeBSD) - the bare minimum, on FreeBSD
Simplest possible setup (NetBSD) - the bare minimum, on NetBSD
First rule set - single machine - introducing actual filtering rules
Slightly stricter - tightening security while introducing PF's macros, lists and other readability helpers
Statistics from pfctl - getting to know your main tool
Simple gateway with NAT - going stepwise to a typical home or small office gateway, adding some received wisdom and eliminating some bad habits, subsectioned into "Gateways and the pitfalls of in, out and on", "What is your local network, anyway?" and finally "Setting up".
That sad old FTP thing - our first introduction to redirection is an attempt to handle that weird old protocol all geeks hate with a passion; we end up with ways to make life more tolerable. Progresses through the use of several proxy-type applications, covering "FTP through NAT: ftp-proxy", "FTP through pf with routable addresses: ftpsesame, pftpx and ftp-proxy!" and finally "ftp-proxy, new style".
Making your network troubleshooting friendly - you do need ICMP, and you can filter away the bits you do not need. Provides some background, which leads to the subsections "Then, do we let it all through?", "The easy way out: The buck stops here", "Letting ping through", "Helping traceroute", and finally "Path MTU discovery".
Network hygiene: Blocking, scrubbing and so on - at this point, your filtering gateway will work, but a few tweaks might be what adds that extra sparkle: "block-policy", "scrub", "antispoof" and "Handling non-routable addresses from elsewhere".
A web server and a mail server on the inside - over time, your needs *will* change. Here we build on the previous examples to set up an environment where you need to host your own mail and web server on your LAN, still using only that single official IP address. The "Taking care of your own - the inside" subsection adds some extra tips for making your servers accessible to the LAN as well.
Tables make your life easier - changing your filtering gateway's configuration while it's running, some command-line and script ideas.
Logging - explains how PF logs work and how to get just the data you need, with "Taking a peek with tcpdump" and "But there are limits (an anecdote)" to point you in useful directions.
Keeping an eye on things with pftop - introducing a useful monitoring tool which is not in the base system.
Invisible gateway - bridge - stealth firewalling, shows the bare basics of filtering while hiding the actual machine doing the filtering.
Directing traffic with ALTQ - introducing ALTQ, PF's traffic shaping and bandwidth allocation framework, with three examples, "ALTQ - prioritizing by traffic type", "ALTQ - allocation by percentage" and "ALTQ - handling unwanted traffic", the last of which introduces the reader to filtering on operating system SYN signatures.
CARP and pfsync - explains the principles of setting up redundant hosts with automagic failover.
Wireless networks made simple - given useful hardware, wireless networks with BSD are easy and fun. Provides "A little IEEE 802.11 background" covering basic principles and some words about link level encryption methods before proceeding to "Setting up a simple wireless network".
An open, yet tightly guarded wireless network with authpf - using the authpf authenticating shell to load per user rule sets; useful for wireless and wired networks both.
Turning away the brutes - introduces 'pass with overload' rules which add DoS wannabes to a table we "block quick", then proceeds to "expiretable tidies your tables" to prune tables of old clutter using a third-party tool.
Giving spammers a hard time - introduces redirecting to spamd, the fake SMTP daemon. spamd can use blacklists for tarpitting, do greylisting, or both; we explain the principles, describe how to set it up and show how much fun we can have at spammers' expense. It hurts them, not us.
and finally, "PF - Haiku", "References", "Where to find the tutorial on the web" and "If you enjoyed this: Buy OpenBSD CDs and other items, donate!".
The work in progress manuscript is BSD licensed and downloadable from http://home.nuug.no/~peter/pf/.
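As an added worked example, not code from the tutorial manuscript or from the speaker, the following pf.conf pulls the pieces the outline above names into the small office gateway it builds up to: macros, lists and tables, block-policy, scrub and antispoof, NAT on a single official address, redirections for ftp-proxy, an inside web and mail server and spamd, ICMP for troubleshooting, a priority queue with ALTQ, and the pass-with-overload rule that feeds a bruteforce table. It is written in the OpenBSD 4.1-era syntax the tutorial covers; interface names, LAN addresses, the uplink bandwidth and the service lists are assumptions for the example and need replacing. Caveat for readers on newer systems: OpenBSD 4.7 dropped the separate nat, rdr and scrub rules in favour of match and pass rules with nat-to, rdr-to and scrub options, so this file will not load unchanged on OpenBSD 4.7 or later.

```pf
# Added example, not the tutorial manuscript's own file: the small office
# gateway the outline builds up to, as one pf.conf in OpenBSD 4.1-era syntax.
# Interface names, addresses, ports and the bandwidth figure are assumptions.

# Macros and lists ("First rule set", "Slightly stricter")
ext_if = "xl0"                 # assumed Internet-facing interface
int_if = "fxp0"                # assumed LAN interface
localnet = $int_if:network     # "What is your local network, anyway?"
webserver = "192.168.2.7"      # assumed LAN addresses of the inside servers
mailserver = "192.168.2.5"
webports = "{ http, https }"
mailports = "{ smtp, pop3, imap, imaps, pop3s }"
gw_tcp = "{ ssh, domain }"     # services the gateway itself offers
gw_udp = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"  # ping, plus what path MTU discovery needs

# Tables ("Tables make your life easier"); inspect and edit while running, e.g.
#   pfctl -t bruteforce -T show        pfctl -t bruteforce -T delete 192.0.2.13
table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }
table <bruteforce> persist
table <spamd> persist          # filled by spamd-setup(8) from the blacklists
table <spamd-white> persist    # spamd(8) adds senders that pass greylisting

# Options and normalization ("Network hygiene")
set block-policy return        # answer with RST/unreachable instead of a silent drop
set skip on lo
scrub in all                   # reassemble fragments, normalize headers

# Queueing ("ALTQ - prioritizing by traffic type"): small packets such as
# ACKs leave ahead of bulk data; 10Mb is the assumed uplink capacity
altq on $ext_if priq bandwidth 10Mb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# Translation; in pre-4.7 syntax these must come before the filtering rules.
# "Simple gateway with NAT":
nat on $ext_if from $localnet to any -> ($ext_if)
# "ftp-proxy, new style": hand FTP from the LAN to ftp-proxy(8) on 127.0.0.1:8021
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $localnet to any port ftp -> 127.0.0.1 port 8021
# "Giving spammers a hard time": blacklisted and not-yet-whitelisted senders
# talk to spamd(8); these must precede the general mail redirection below,
# since the first matching translation rule wins
rdr pass on $ext_if inet proto tcp from <spamd> to ($ext_if) port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ext_if inet proto tcp from !<spamd-white> to ($ext_if) port smtp \
    -> 127.0.0.1 port spamd
# "A web server and a mail server on the inside", still one official address
rdr on $ext_if proto tcp from any to ($ext_if) port $webports -> $webserver
rdr on $ext_if proto tcp from any to ($ext_if) port $mailports -> $mailserver

# Filtering
block all                                  # default deny, then open up selectively
block quick from <bruteforce>              # "Turning away the brutes": the penalty box
antispoof quick for $int_if
block in quick on $ext_if from <rfc1918> to any   # "non-routable addresses from elsewhere"
block out quick on $ext_if from any to <rfc1918>

# A source that opens more than 15 connections in 5 seconds, or holds 100 at
# once, is added to <bruteforce> and all of its existing states are flushed
pass in on $ext_if proto tcp to ($ext_if) port $gw_tcp flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in on $ext_if proto udp to ($ext_if) port $gw_udp keep state

# The redirected inside servers (after rdr the destination is the LAN address)
pass in on $ext_if proto tcp to $webserver port $webports synproxy state
pass in on $ext_if proto tcp to $mailserver port $mailports synproxy state
anchor "ftp-proxy/*"                       # ftp-proxy inserts its data-channel rules here

# "Making your network troubleshooting friendly"
pass inet proto icmp all icmp-type $icmp_types keep state

# The LAN may go anywhere; outbound traffic is queued, ACKs in the high queue
pass in on $int_if from $localnet to any keep state
pass out on $ext_if keep state queue (q_def, q_pri)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The redirections only lead somewhere if ftp-proxy(8) and spamd(8) are running (rc.conf.local: ftpproxy_flags="" and spamd_flags="", plus a spamd-setup(8) cron job to keep the <spamd> table populated), and `pfctl -t bruteforce -T show` lists the addresses the overload rule has caught so far.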