Jump to content
Nytro

Firewalling with OpenBSD's PF packet filter

By Nytro, in Tutoriale in engleza

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Firewalling with OpenBSD's PF packet filter

Peter N. M. Hansteen

<peter _@_ bsdly.net>

Copyright 2005 - 2011 Peter N. M. Hansteen

Table of Contents
Before we start
PF?
Packet filter? Firewall?
NAT?
PF today
BSD vs Linux - Configuration
Simplest possible setup (OpenBSD)
Simplest possible setup (FreeBSD)
Simplest possible setup (NetBSD)
First rule set - single machine
Slightly stricter
Statistics from pfctl
A simple gateway, NAT if you need it
Gateways and the pitfalls of in, out and on
What is your local network, anyway?
Setting up
That sad old FTP thing
If We Have To: ftp-proxy With Redirection
Historical FTP proxies: do not use
Ancient FTP through NAT: ftp-proxy
Ancient: FTP, PF and routable addresses: ftpsesame, pftpx and ftp-proxy!
ftp-proxy, slightly new style
Making your network troubleshooting friendly
Then, do we let it all through?
The easy way out: The buck stops here
Letting ping through
Helping traceroute
Path MTU discovery
Network hygiene: Blocking, scrubbing and so on
block-policy
scrub
antispoof
Handling non-routable addresses from elsewhere
A web server and a mail server on the inside
Taking care of your own - the inside
Tables make your life easier
Logging
Taking a peek with tcpdump
Other log tools you may want to look into
But there are limits (an anecdote)
Keeping an eye on things with systat
Keeping an eye on things with pftop
Invisible gateway - bridge
Directing traffic with ALTQ
ALTQ - prioritizing by traffic type
So why does this work?
Using a match Rule for Queue Assignment
ALTQ - allocation by percentage
ALTQ - handling unwanted traffic
CARP and pfsync
Wireless networks made simple
A little IEEE 802.11 background
WEP (Wired Equivalent Privacy)
WPA (WiFi Protected Access)
Setting up a simple wireless network
An open, yet tightly guarded wireless network with authpf
Turning away the brutes
expiring table entries with pfctl
Using expiretable to tidy your tables
Giving spammers a hard time
Remember, you are not alone: blacklisting
List of black and grey, and the sticky tarpit
Setting up spamd
Some early highlights of our spamd experience
Beating'em up some more: spamdb and greytrapping
Enter greytrapping
Your own traplist
Deleting, handling trapped entries
The downside: some people really do not get it
Conclusions from our spamd experience
PF - Haiku
References
Where to find the tutorial on the web
If you enjoyed this: Buy OpenBSD CDs and other items, donate!

Before we start

This lecture[1] will be about firewalls and related functions, starting from a little theory along with a number of examples of filtering and other network traffic directing. As in any number of other endeavors, the things I discuss can be done in more than one way.

More information: The Book of PF, training, consulting

Most of the topics we touch on here is covered in more detail in The Book of PF, which was written by the same author and published by No Starch Press at the end of 2007, with a revised and updated second edition published in November 2010. The book is an expanded and extensively rewritten followup to this tutorial, and covers a range of advanced topics in addition to those covered here.

This tutorial is in minimal-maintainence mode, in that I'll occasionally make an effort to keep the information in it up to date, but it will not expand in scope. For more in-depth information or topics not covered here, check the book, the PF User Guide (also known as The PF FAQ) or the relevant man pages. If you buy the book via The OpenBSD Bookstore, the OpenBSD project gets a slightly larger a cut.

If you need PF related consulting or training, please contact me for further details. You may want to read my Rent-a-geek writeup too.

Under any circumstances I will urge you to interrupt me when you need to. That is, if you will permit me to use what I learn from your comments later, either in revised versions of this lecture or in practice at a later time.

PF?

What, then is PF? Let us start by looking briefly at the project's history to put things in their proper context.

OpenBSD's Packet Filter subsystem, which most people refer to simply by using the abbreviated form 'PF', was originally written in an effort of extremely rapid development during the northern hemisphere summer and autumn months of 2001 by Daniel Hartmeier and a number of OpenBSD developers, and was launched as a default part of the OpenBSD 3.0 base system in December of 2001.

The need for a new firewalling software subsystem for OpenBSD arose when Darren Reed announced to the world that IPFilter, which at that point had been rather intimately integrated in OpenBSD, was not after all BSD licensed. In fact quite to the contrary. The license itself was almost a word by word copy of the BSD license, omitting only the right to make changes to the code and distribute the result. The OpenBSD version of IPFilter contained quite a number of changes and customizations, which it turned out were not allowed according to the license. IPFilter was removed from the OpenBSD source tree on May 29th, 2001, and for a few weeks OpenBSD-current did not contain any firewalling software.

Fortunately, in Switzerland Daniel Hartmeier was already doing some limited experiments involving kernel hacking in the networking code.

His starting point was hooking a small function of his own into the networking stack, making packets pass through it, and after a while he had started thinking about filtering. Then the license crisis happened.

IPFilter was pruned from the source tree on May 29th. The first commit of the PF code happened Sunday, June 24 2001 at 19:48:58 UTC.[2]

A few months of rather intense activity followed, and the version of PF to be released with OpenBSD 3.0 contained a rather complete implementation of packet filtering, including network address translation.

From the looks of it, Daniel Hartmeier and the other PF developers made good use of their experience with the IPFilter code. Under any circumstances Daniel presented a USENIX 2002 paper with performance tests which show that the OpenBSD 3.1 PF performed equally well as or better under stress than IPFilter on the same platform or iptables on Linux.

In addition, some tests were run on the original PF from OpenBSD 3.0. These tests showed mainly that the code had gained in efficiency from version 3.0 to version 3.1. The article which provides the details is available from Daniel Hartmeier's web, see http://www.benzedrine.cx/pf-paper.html.

I have not seen comparable tests performed recently, but in my own experience and that of others, the PF filtering overhead is pretty much negligible. As one data point, the machine which gateways between one of the networks where I've done a bit of work and the world is a Pentium III 450MHz with 384MB of RAM. When I've remembered to check, I've never seen the machine at less than 96 percent 'idle' according to top.

It is however worth noting that various optimisations have been introduced to OpenBSD's PF code during recent releases (mainly by the current main PF developers Henning Brauer and Ryan McBride with contributions from others), making each release from 4.4 through 4.9 perform better than its predecessors.

.................................................................

Online:

http://home.nuug.no/~peter/pf/en/long-firewall.html

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...