BSDCan2009 - Final Release

BSDCan 2009
The Technical BSD Conference

Speakers
Peter Hansteen
Schedule
Day Tutorials - 1 - 2009-05-06
Room DMS 1130
Start time 09:00
Duration 03:00
Info
ID 114
Event type Workshop
Track Tutorial
Language used for presentation English

Building the Network You Need with PF, the OpenBSD packet filter

Tutorial abstract:

Building the network you need is the central theme for any network admin. This tutorial is for aspiring or seasoned network professionals with at least a basic knowledge of networking in general and TCP/IP in particular. The session aims at teaching tools and techniques to make sure you build your network to work the way it's supposed to, keeping you in charge. Central to the toolbox is the OpenBSD PF packet filter, supplemented with tools that interact with it. Whether you are a greybeard looking for ways to optimize your setups or a greenhorn just starting out, this session will give you valuable insight into the inner life of your network and provide pointers to how to use that knowledge to build the network you need. The session will also offer some fresh information on changes introduced in OpenBSD 4.5, the most recent version of PF and OpenBSD. The tutorial is loosely based on Hansteen's recent book, /The Book of PF/ (No Starch Press), with updates and adaptations based on developments since the book's publication date.

Short bio:

Peter N. M. Hansteen is a consultant, writer and sysadmin from Bergen, Norway. He is a longtime freenix advocate, in recent years a frequent lecturer and tutor with emphasis on FreeBSD and OpenBSD, and the author of several articles and /The Book of PF/ (No Starch Press 2007).

Long bio:

Peter N. M. Hansteen is a consultant, writer and sysadmin based in Bergen, Norway, since 2008 employed by the Norwegian free software consultancy FreeCode AS. He has been tinkering with computers since the mid 1980s, mainly while working to document how the systems work and why they don't, in English as well as his native Norwegian. In 1991 he co-founded Datadokumentasjon AS, a documentation and localization company where he remained chairman and senior consultant until 2008. Peter rediscovered Unixes about the time 386BSD appeared. After a few years on Linux, which included participation in the RFC1149 implementation (2001), he eventually migrated all important bits to FreeBSD and OpenBSD. A long time freenix advocate, he is a member of the BLUG (Bergen (BSD and) Linux User Group) core group and current vice president of NUUG (the Norwegian Unix User Group). In recent years he has been a frequent lecturer and tutor with emphasis on FreeBSD and OpenBSD topics; he is the author of several articles and /The Book of PF/ (No Starch Press 2007) and maintains his blogosphere presence at http://bsdly.blogspot.com.

Tutorial outline:

0 intro:
This is not a HOWTO
You're wondering ... (Linux? Learn BSD? GUI tools? Automatic conversion? More info?)
PF - Haiku
What PF is
Packet filter? Firewall? NAT?
PF today
Simplest possible setup (OpenBSD, FreeBSD, NetBSD)
First rule set - single machine
Testing your first rule set
Slightly stricter
Testing your rule set
Statistics from pfctl

1 smalltime networking:
A gateway
Pitfalls: in, out, on
What is your local network, anyway?
Simple gateway (with NAT if you need to)
Testing your rule set
Domain names and host names?
That old and sad FTP thing
ftp-proxy
Making your network troubleshooting friendly
Then, do we let it all through?
The easy way out: The buck stops here
Letting ping through
Helping traceroute
Path MTU discovery
Tables make your life easier

2 wireless:
Wireless networks: background
Wireless networks made easy
authpf: per user rules
Basic authpf setup
Per user rules
Wide open but actually shut
Open but shut: pf.conf

3 up a notch: handling services
Filtering for services
Physical Separation: The DMZ
DMZ ruleset
DMZ ruleset: tighten
Sharing the load: Address pools
relayd
Basic relayd config
relayctl
relayd for SSL load balancing
The NAT version
Back to the single NATed network
Single NAT, web & mail server on the inside: from the inside
Filtering on interface groups
The power of tags
The filtering bridge
Where does it go?
Bridge setup
Handling non-routable addresses from elsewhere

4 proactive defense:
Turning away the brutes
Expiring table entries with pfctl
expiretable tidies your tables

Giving spammers a hard time
Setting up spamd
Greylisting: My admin told me not to talk to strangers
Setting up spamd
track real SMTP connections: spamdlogd
Beating'em up some more: spamdb and greytrapping
spamdb and greytrapping
Greytrapping - the result
Keeping several spamds in sync
Some people really do not get it
Fixing for the people who really do not get it
Giving spammers a hard time: Conclusion

5 traffic shaping, queueing:
Directing traffic with altq
What is your usable bandwidth?
ALTQ - prioritizing by traffic type
ALTQ - allocation by percentage
Queueing for a DMZ
Queueing for a DMZ: rules part 1
Queueing for a DMZ: rules part 2
overloading to a tiny queue
ALTQ - handling unwanted traffic

6 Redundancy and failover:
CARP and pfsync
CARP: project spec
Setting up CARP
CARP: ifconfig
pfsync
What happens to the rule set?

7 Logs, debugging, tuning:
Logging basics
Taking a peek with tcpdump
Log to syslog
Statistics via labels
Keeping an eye on things with pftop
Graph your traffic: pfstat
Other log tools you may want to look into
Good logs for good debugging

Getting your setup just right
block-policy
skip
state-policy
timeout
limit
debug
ruleset-optimization
optimization
Hygiene: scrub and antispoof

Testing your setup
Specification (possibly incomplete)
Debugging your setup
Debugging some more
Debug - use tcpdump
Have fun!
If you enjoyed this: Support OpenBSD!
References