OpenBSD Journal

Some useful tips and examples of the new PF syntax

Contributed by jose on from the merged dept.

m0nknutz writes:
"This articles includes everything I need to know about the new pf syntax. As well some great information on altqd. "

I had a look at this last night, and it looks pretty useful. I've been meaning to dig in to the new bandwidth throttling features of the merged PF and altqd, now looks like a good time to start.

(Comments are closed)

  1. By Shane () on

    "Once your firewall is online, you should start reading pf.conf(5), nat.conf(5), ftp-proxy(8), pfctl(8), pf(4) and The OpenBSD Packet Filter HOWTO."

    Seems a bit backwards to suggest reading the man pages after you have the firewall set up. Still, not a bad resource.

  2. By Ben Goren () on

    There's good stuff there, but there're also some things you'll want to take with a good-sized grain of salt.

    First, don't just go blindly turning off everything. Important cron jobs deliver their output via email; disabling sendmail without making appropriate provisions could well keep you from learning of a crisis (disk full, unexpected network connections, whatever). ntpd can be useful, even on a firewall, to ensure that log files have coordinated timestamps. (Of course, you want to be darn careful of how it's configured.) And so on….

    Don't bother with making your own kernel unless you've got a damn good reason to do so. The paper doesn't give any reason, let alone a good one. GENERIC is fantastic for firewalls.

    Don't start randomly adjusting sysctls, either. As shipped, the system is already overkill for nearly any kind of Internet connection a mere mortal is ever likely to control. Why try to get more performance out of it unless it's too slow and you actually understand the ramifications of what you're doing?

    But, having said that, the sample configurations and the like look useful.



    1. By niekze () on

      i pretty much agree, except for compiling kernels. I pretty much take out everything that isn't in a GENERIC dmesg and stuff i know i don't need. Who needs sound or usb support on a firewall? no 8-port serial cards either and so on. In the end, it cuts down the kernel size tremendously. When you have an old p90 for a firewall, that extra memory and faster booting speed is nice. on the other hand, if you encounter problems doing that, it's best to just go back to GENERIC.

      one thing that bugs me though is ntpd. no man page, the html docs leave a lot of questions, and the example configs are quite strange. Mind providing us with 2 ntpd configs? 1 that synchronizes with an outside server and another where the rest of the machines get the time from it. that would work fine for most people.

      1. By Anonymous Coward () on

        Try this for a start, is the machine you get time from, this config allows clients in 10/8 to update from you but not change your clock...


        driftfile /etc/ntp.drift
        restrict default nomodify ignore notrust
        restrict noquery nomodify notrap nopeer
        restrict mask nomodify nopeer



        ntpdate runs at boot before ntpd - if your clock is far away from ntpdate will get it in step much more rapidly than ntpd.

        ntp.drift keeps your clock reasonably accurate when you're disconnected from the network.

        You do need to reboot for this, ntpd should start *before* securelevel is set, rc knows about this and does things in the correct order.

        Check it's up and running with 'ntptrace'. It will usually take a few minutes after startup for things to settle sufficiently for ntpd to give time to clients.

        ~> sthen@eeyore$ ntptrace stratum 2, offset 0.000260, synch distance 0.55710 stratum 1, offset -0.091382, synch distance 0.00000, refid '1PPS'

        Also see /usr/local/share/examples/ntp/ and of course the documentation that comes with the distribution (maybe /usr/ports/net/ntp/).

  3. By Anonymous Bastard () on

    Does anyone know how to make altq/pf combo to give ACK packets highest priority?

    This page describes how to make it work in Linux's CBQ:

    Is such thing possible at all in current Altq on openbsd? When i upload something on my silly DSL, ACK packets get lost and download speed goes almost to zero :-( By giving ACKs the highest priority it should be fixed

    Any hints, suggestions & links to RTFM are greatly appreciated

    1. By jolan () on

      This is possible, but not integrated. People are working on it, be patient.

  4. By Mucman () on N/A

    Very helpful document! My project for the holidays is to get a OpenBSD firewall working.

    I am planning on making a bridging firewall, and keep my Freesco box doing NAT. I would love to see some docs on this kind of setup. I don't plan
    on having any IP addresses on the firewall box.

    One thing that I don't like about the article is that the author does not really describe "WHY" for a few of the things he did.

    1. By Anonymous Coward () on

      There are of course certain advantages to just using a single box for firewall and NAT (faster processing, integrated pf/nat state table, avoiding having interfaces in promiscuous mode, less noise and lower electricity use :-)

      1. By Mucman () on

        Thanks, for the links... I now have a a nice collection of pf related links now to keep me busy :). I like a more modular approach and having each individual doing 1 thing, and doing it well :). Plus, what else am I to do with the 9 computers I got lying around? After I get the P60 running pf, all I got left is a 486/66 as my left over DOS 6.22 box for playing losts of old games :P


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]