Some useful tips and examples of the new PF syntax

Contributed by jose on 2002-12-03 from the merged dept.

"This articles includes everything I need to know about the new pf syntax. As well some great information on altqd.
http://www.muine.org/~hoang/openpf.html "

I had a look at this last night, and it looks pretty useful. I've been meaning to dig in to the new bandwidth throttling features of the merged PF and altqd, now looks like a good time to start.

(Comments are closed)

Comments

By Shane () on 2002-12-03 20:27

"Once your firewall is online, you should start reading pf.conf(5), nat.conf(5), ftp-proxy(8), pfctl(8), pf(4) and The OpenBSD Packet Filter HOWTO."

Seems a bit backwards to suggest reading the man pages after you have the firewall set up. Still, not a bad resource.
By Ben Goren () ben@trumpetpower.com on 2002-12-04 01:09 http://www.trumpetpower.com/

There's good stuff there, but there're also some things you'll want to take with a good-sized grain of salt.
First, don't just go blindly turning off everything. Important cron jobs deliver their output via email; disabling sendmail without making appropriate provisions could well keep you from learning of a crisis (disk full, unexpected network connections, whatever). ntpd can be useful, even on a firewall, to ensure that log files have coordinated timestamps. (Of course, you want to be darn careful of how it's configured.) And so on….
Don't bother with making your own kernel unless you've got a damn good reason to do so. The paper doesn't give any reason, let alone a good one. GENERIC is fantastic for firewalls.
Don't start randomly adjusting sysctls, either. As shipped, the system is already overkill for nearly any kind of Internet connection a mere mortal is ever likely to control. Why try to get more performance out of it unless it's too slow and you actually understand the ramifications of what you're doing?
But, having said that, the sample configurations and the like look useful.
Cheers,
b&
Comments
1. By niekze () on 2002-12-05 05:46
  
  i pretty much agree, except for compiling kernels. I pretty much take out everything that isn't in a GENERIC dmesg and stuff i know i don't need. Who needs sound or usb support on a firewall? no 8-port serial cards either and so on. In the end, it cuts down the kernel size tremendously. When you have an old p90 for a firewall, that extra memory and faster booting speed is nice. on the other hand, if you encounter problems doing that, it's best to just go back to GENERIC.
  
  one thing that bugs me though is ntpd. no man page, the html docs leave a lot of questions, and the example configs are quite strange. Mind providing us with 2 ntpd configs? 1 that synchronizes with an outside server and another where the rest of the machines get the time from it. that would work fine for most people.
  Comments
  1. By Anonymous Coward () on 2002-12-05 14:55
    
    Try this for a start, 11.22.33.44 is the machine you get time from, this config allows clients in 10/8 to update from you but not change your clock...
    
    ntp.conf
    
    driftfile /etc/ntp.drift
    server 11.22.33.44
    restrict default nomodify ignore notrust
    restrict 11.22.33.44 noquery nomodify notrap nopeer
    restrict 10.0.0.0 mask 255.0.0.0 nomodify nopeer
    restrict 127.0.0.1
    
    rc.conf
    
    ntpd=YES
    ntpdate=11.22.33.44
    
    ntpdate runs at boot before ntpd - if your clock is far away from 11.22.33.44 ntpdate will get it in step much more rapidly than ntpd.
    
    ntp.drift keeps your clock reasonably accurate when you're disconnected from the network.
    
    You do need to reboot for this, ntpd should start *before* securelevel is set, rc knows about this and does things in the correct order.
    
    Check it's up and running with 'ntptrace'. It will usually take a few minutes after startup for things to settle sufficiently for ntpd to give time to clients.
    
    ~> sthen@eeyore$ ntptrace
    localhost.37.spacehopper.org: stratum 2, offset 0.000260, synch distance 0.55710
    ntp1.linx.net: stratum 1, offset -0.091382, synch distance 0.00000, refid '1PPS'
    
    Also see /usr/local/share/examples/ntp/ and of course the documentation that comes with the distribution (maybe /usr/ports/net/ntp/).
By Anonymous Bastard () on 2002-12-04 09:15

Does anyone know how to make altq/pf combo to give ACK packets highest priority?

This page describes how to make it work in Linux's CBQ: http://mailman.ds9a.nl/pipermail/lartc/2001q4/001831.html

Is such thing possible at all in current Altq on openbsd? When i upload something on my silly DSL, ACK packets get lost and download speed goes almost to zero :-( By giving ACKs the highest priority it should be fixed

Any hints, suggestions & links to RTFM are greatly appreciated
Comments
1. By jolan () on 2002-12-04 15:18
  
  This is possible, but not integrated. People are working on it, be patient.
By Mucman () mucmanATmucmail.com on 2002-12-04 21:54 N/A

Very helpful document! My project for the holidays is to get a OpenBSD firewall working.

I am planning on making a bridging firewall, and keep my Freesco box doing NAT. I would love to see some docs on this kind of setup. I don't plan
on having any IP addresses on the firewall box.

One thing that I don't like about the article is that the author does not really describe "WHY" for a few of the things he did.
Comments
1. By Anonymous Coward () on 2002-12-05 13:50
  
  http://cfm.gs.washington.edu/security/firewall/pf-bridge/
  http://ezine.daemonnews.org/200207/transpfobsd.html
  http://www.openbsd.org/faq/faq6.html#PF
  http://www.openbsd.org/faq/faq6.html#Bridge
  
  There are of course certain advantages to just using a single box for firewall and NAT (faster processing, integrated pf/nat state table, avoiding having interfaces in promiscuous mode, less noise and lower electricity use :-)
  Comments
  1. By Mucman () mucmanATmucmail.com on 2002-12-05 21:36 mailto:mucmanATmucmail.com
    
    Thanks, for the links... I now have a a nice collection of pf related links now to keep me busy :). I like a more modular approach and having each individual doing 1 thing, and doing it well :). Plus, what else am I to do with the 9 computers I got lying around? After I get the P60 running pf, all I got left is a 486/66 as my left over DOS 6.22 box for playing losts of old games :P

Latest Articles

Fri, Apr 26
- 08:33 Passphrase timeout for disk decryption at boot added (potential battery lifesaver) (1)
Wed, Apr 24
- 04:35 Game of Trees 0.98 released (2)
Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (12)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]