BSDCan2007 - Confirmed Schedule

BSDCan 2007
The Technical BSD Conference

Peter Hansteen
Day 2
Room SITE F0126
Start time 13:00
Duration 04:00
ID 14
Event type Workshop
Track Tutorial
Language English

Packet filtering for fun and profit

Putting PF to good use - an introduction which gets you to the point where adminning is fun again

This half day tutorial is a further evolved version of the "Firewalling with PF" tutorial offered at various conferences over the last year and a half. The tutorial's intended audience are aspiring or seasoned network professionals with at least a basic knowledge of networking in general and TCP/IP in particular. By the time May rolls around, OpenBSD 4.1 will be the latest released version, with subtle but significant changes which will be included in the updated tutorial.

The manuscript is due for significant revisions over the next few months, however the main points remain:

Before we start - this is a tutorial, how we conduct the session

PF? - why PF was needed and some history

Packet filter? Firewall? - some common terms explained

NAT? - common tricks of TCP/IP explained

PF today - a short overview of PF's feature set

BSD vs Linux - Configuration - if you came from Linux, how network config is done on BSD

Simplest possible setup (OpenBSD) - the minimal setup for an OpenBSD machine

Simplest possible setup (FreeBSD) - the bare minimum, on FreeBSD

Simplest possible setup (NetBSD) - the bare minimum, on NetBSD

First rule set - single machine - introducing actual filtering rules

Slightly stricter - tightening security while introducing PF's macros, lists and other readability helpers

Statistics from pfctl - getting to know your main tool

Simple gateway with NAT - going stepwise to a typical home or small office gateway, adding some received wisdom and eliminating some bad habits, subsectioned into "Gateways and the pitfalls of in, out and on", "What is your local network, anyway?" and finally "Setting up"

That sad old FTP thing - our first introduction to redirection is an attempt to handle that weird old protocol all geeks hate with a passion; we end up with ways to make life more tolerable. Progresses through the use of several proxy-type applications, covering "FTP through NAT: ftp-proxy", "FTP through pf with routable addresses: ftpsesame, pftpx and ftp-proxy!" and finally "ftp-proxy, new style".

Making your network troubleshooting friendly - you do need ICMP, and you can filter away the bits you do not need. Provides some background, which leads to the subsections "Then, do we let it all through?", "The easy way out: The buck stops here", "Letting ping through", "Helping traceroute", and finally "Path MTU discovery".

Network hygiene: Blocking, scrubbing and so on - at this point, your filtering gateway will work, but a few tweaks might be what adds that extra sparkle: "block-policy", "scrub", "antispoof" and "Handling non-routable addresses from elsewhere".

A web server and a mail server on the inside - over time, your needs *will* change. Here we build on the previous examples to set up an environment where you need to host your own mail and web server on your LAN, still using only that single official IP address. The "Taking care of your own - the inside" subsection adds some extra tips for making your servers accessible from the LAN as well.

Tables make your life easier - changing your filtering gateway's configuration while it's running, some command-line and script ideas.

Logging - explains how PF logs work and how to get just the data you need, with "Taking a peek with tcpdump" and "But there are limits (an anecdote)" to point you in useful directions.

Keeping an eye on things with pftop - introducing a useful monitoring tool which is not in the base system.

Invisible gateway - bridge - stealth firewalling, shows the bare basics of filtering while hiding the actual machine doing the filtering.

Directing traffic with ALTQ - introducing ALTQ, PF's traffic shaping and bandwidth allocation framework, with three examples, "ALTQ - prioritizing by traffic type", "ALTQ - allocation by percentage" and "ALTQ - handling unwanted traffic", introducing the reader to filtering on operating system fingerprints derived from SYN packets in the last example.

CARP and pfsync - explains the principles of setting up redundant hosts with automagic failover.

Wireless networks made simple - given suitable hardware, wireless networks with BSD are easy and fun. Provides "A little IEEE 802.11 background" covering basic principles and a few words about link level encryption methods before proceeding to "Setting up a simple wireless network".

An open, yet tightly guarded wireless network with authpf - using the authpf authenticating shell to load per user rule sets; useful for wireless and wired networks both.

Turning away the brutes - introduces 'pass ... overload' rules which add brute-force and DoS wannabes to a table we "block quick", then proceeds to "expiretable tidies your tables" to prune tables of old clutter using a third-party tool.

Giving spammers a hard time - introduces redirecting to spamd, the fake SMTP daemon. spamd can use blacklists for tarpitting, do greylisting, or both; we explain the principles, describe how to set it up and show how much fun we can have at spammers' expense. It hurts them, not us.
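The ruleset below is an added example and is not the tutorial manuscript's own text or code. It gathers the steps listed above (simple gateway with NAT, network hygiene, a web and mail server on the inside, tables, the overload rule against brute-forcers, and the spamd redirection) into one pf.conf in the OpenBSD 4.1-era syntax, where nat and rdr are separate translation rules that run before filtering. The interface names xl0 and fxp0, the 192.168.1.0/24 LAN, the server addresses and the service lists are assumptions; the "spamd" port name assumes the entry OpenBSD ships in /etc/services.

```pf
# Added example (not from the tutorial): OpenBSD 4.1-era pf.conf for a
# small-office gateway. Interface names and addresses are assumptions.
ext_if = "xl0"               # assumed: interface towards the ISP
int_if = "fxp0"              # assumed: interface towards the LAN
localnet = $int_if:network   # the LAN prefix, taken from the interface
webserver = "192.168.1.10"   # assumed: web server on the LAN
mailserver = "192.168.1.20"  # assumed: mail server on the LAN

tcp_services = "{ ssh, www }"
icmp_types = "{ echoreq, unreach }"

# Addresses that must never arrive on, or leave via, the outside interface
table <martians> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                   172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }
# Filled by the overload rule below; "persist" keeps it across rule loads
table <bruteforce> persist
# spamd's blacklist (spamd-setup) and whitelist (greylisting / spamdb)
table <spamd> persist
table <spamd-white> persist

set skip on lo
set block-policy return     # answer with RST/unreachable instead of silent drop
set loginterface $ext_if    # "pfctl -s info" counts traffic on the outside

scrub in all                # reassemble fragments, normalize headers

# Translation rules (evaluated before the filter rules in this syntax)
nat on $ext_if from $localnet to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port www -> $webserver
# SMTP: known spammers and not-yet-whitelisted senders talk to spamd,
# whitelisted hosts reach the real mail server. "rdr pass" skips filtering.
rdr pass on $ext_if proto tcp from <spamd> to port smtp -> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp -> 127.0.0.1 port spamd
rdr on $ext_if proto tcp from <spamd-white> to ($ext_if) port smtp -> $mailserver
# Let LAN clients reach the web server via the public address as well
rdr on $int_if proto tcp from $localnet to ($ext_if) port www -> $webserver
no nat on $int_if proto tcp from $int_if to $localnet
nat on $int_if proto tcp from $localnet to $webserver port www -> $int_if

# Filtering: last matching rule wins unless "quick"
block all
block quick from <bruteforce>
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>
antispoof quick for { lo, $int_if }

# ICMP needed for troubleshooting and path MTU discovery
pass inet proto icmp all icmp-type $icmp_types keep state

# The LAN and the gateway itself may talk to the world
pass from { lo, $localnet } to any keep state
pass out on $ext_if keep state

# Services offered to the outside, rate-limited per source address:
# more than 100 simultaneous connections, or 15 new ones in 5 seconds,
# moves the source into <bruteforce> and flushes its states everywhere.
pass in on $ext_if inet proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in on $ext_if inet proto tcp to $webserver port www \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in on $ext_if inet proto tcp from <spamd-white> to $mailserver port smtp \
    flags S/SA keep state
```

Load it with pfctl -f /etc/pf.conf and inspect the collected brute-forcers with pfctl -t bruteforce -T show; entries can be removed one at a time with pfctl -t bruteforce -T delete, or in bulk by age with the third-party expiretable, for example expiretable -v -d -t 24h bruteforce from cron. Note that "block quick from <bruteforce>" sits above the overload rules on purpose: once an address is in the table, its later packets never reach a pass rule, and "flush global" has already torn down the states it had on every interface.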

and finally, "PF - Haiku", "References", "Where to find the tutorial on the web" and "If you enjoyed this: Buy OpenBSD CDs and other items, donate!".

The work in progress manuscript is BSD licensed and downloadable from