OpenBSD Journal

A PF lecture/tutorial

Contributed by grey on from the pretranslated pf presentations dept.

Peter N. M. Hansteen writes:

I've completed an English version of my PF lecture manuscript (with slight updates) originally written for a 1 1/2-2 hour session at BLUG.

The material is available in various formats,

English: (full manuscript, pdf) (full manuscript, html) (foils, html)

Norwegian: (full manuscript, pdf) (full manuscript, html) (foils, html)

This is very much a work in progress, so I'd love to hear your feedback.

(Comments are closed)

  1. By Willem ( on

    First of all, very good piece! It's good reading! Second of all, THANKS a zillion for the remark about ftp through pf with routable addresses: ftpsesame... That's an issue I have been messing around with since, well..., forever..., and ftpsesame seems to be the solution for me..!! You made me a happy dude today :-)

  2. By Anonymous Coward ( on

    In the beginning it seemed to me almost like a copy of the pf FAQ, but actually it offers some pretty useful information on top of it... Good work! And thank you for sharing it!

    1. By Michael Knudsen ( on

      If you're doing a pf configuration intro talk, it's hard to cover the basics without being very similar to the pf FAQ, I think.

  3. By Anonymous Coward ( on

    I read the whole thing and it's good. I think you miss an important piece about "the last matching rule wins". Although you mention "quick", the explanation doesn't really explain "the last matching rule".

    Moreover, I think you should include an example of tcpdump to demonstrate PF's logging ability, and include PF's log location in OpenBSD.

    Otherwise, Nice Job! ^_^

    1. By Peter N. M. Hansteen ( on

      > Although you mention "quick", the explanation doesn't really explain "the last matching rule."

      Good point. I've gotten a few other pieces of very valuable feedback - keep them coming, guys and gals!

      The response I've gotten so far guarantees that I'll keep updating the document(s) - although I probably will not announce each update (well, if you send me an email telling me you want to be notified, I will) I'll put updated versions in the same places.

      Good fun, this.

      1. By Anonymous Coward ( on

        Can you give a reply here for now, for the next updated version? Excellent work, this is GREAT!

        1. By Peter N. M. Hansteen ( on

          > Can you give a reply here for now, for the next updated version? Excellent work, this is GREAT!

          :) Thanks!

          I've received quite a few good comments on the manuscript. It will be a few days at least until I can get anything beyond typo corrections done, unfortunately.

          I'm not sure an update will be undeadly story material, but I *will* send email notifications of updates to all who ask.

          In the meantime, I'm still delighted to hear your views and suggestions.

  4. By Mike ( on

    Thanks for the great work on the PF lecture/tutorial.
    Adding a changelog page or listing the date of the last update to the index page would be a nice touch.

    1. By Peter N. M. Hansteen ( on

      I put the change log in the legalnotice.html file along with the copyright info (click the Copyright link on the index.html page). In the pdf version, it's even easier to find.

      The source format is DocBook SGML, by the way.

      1. By Paladdin ( on

        So you keep the copyright of this doc... What about translating to other languages? (Thinking in Spanish) :-)

        1. By Peter N. M. Hansteen ( on

          I will make an update soon (once a few higher priority tasks are completed), and I'll also probably put a BSD license on the doc at some point in the near future. I'm afraid my command of languages other than Norwegian and English is rather limited, but if you want to make a translated version, I'll be happy to cooperate.

          1. By Anonymous Coward ( on

            Excellent! My comments: 'sudo pfctl -e -f /etc/pf.conf' works. No need for 2 commands. Please mention binat (with i/f aliases) for mapping routable addresses on the outside to RFC1918 addressed servers on the inside. It's a very common configuration when you have a block of routable IP addresses but want to use nat for most of your machines. I disagree about not having 'block log' (no need for "all" btw) as the default rule and explicitly turning off logging for noisy stuff. I also like to log my pass rules by default, again turning off noisy or uninteresting stuff explicitly (last matching rule has no log).
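The points raised in comment 3 and in the comment above (last matching rule wins unless `quick` is used, `block log` as the default rule with later rules switching logging off, binat from a routable interface alias to an RFC1918 server) put together in one pf.conf fragment. This is an added example, not part of the manuscript or the thread; interface names and addresses are constructed placeholders, and it assumes the OpenBSD 4.7-and-later syntax (`match ... nat-to` / `binat-to`).

```pf
# Constructed example: interface names and addresses are placeholders.
ext_if  = "em0"
int_if  = "em1"
lan     = "192.168.1.0/24"
# Routable address held as an alias on $ext_if, e.g.
#   ifconfig em0 alias 203.0.113.10 netmask 255.255.255.255
www_ext = "203.0.113.10"
www_int = "192.168.1.10"

set skip on lo

# 1:1 (binat) mapping of the routable alias to the inside web server;
# later rules see the translated (inside) address.
match on $ext_if inet from $www_int to any binat-to $www_ext

# Everything else on the LAN leaves with the interface's own address.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# Default policy comes FIRST: the last matching rule wins, so this only
# decides packets that no later rule matches. Logged, so silent drops
# show up on pflog0.
block log

# Noisy traffic we do not want logged: a later, more specific rule with
# no "log" keyword is now the last match, so it is dropped quietly.
# "quick" stops evaluation here, so no pass rule below can override it.
block in quick on $ext_if inet proto udp to port { 137, 138 }

# Pass rules logged by default ...
pass out log on $ext_if inet
pass in  log on $int_if inet from $lan to any
pass in  log on $ext_if inet proto tcp to $www_int port { 80, 443 }

# ... except uninteresting traffic, where the later matching rule has
# no "log" and therefore wins without logging (no "quick" needed).
pass in on $int_if inet proto udp from $lan to any port domain
```

Load it with `pfctl -e -f /etc/pf.conf` as the comment suggests; logged packets go to `pflog0` and are written to `/var/log/pflog`, which `tcpdump -n -e -ttt -r /var/log/pflog` (or `-i pflog0` for live traffic) decodes.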

  5. By Jameel Akari ( on

    A nice introductory talk and the slides are pretty good, I think.

    It's funny I stumbled across this today, given that last night I was convinced into giving a talk on PF at a meeting next week.

    Do you mind if we use your slides and outline?


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]