OpenBSD Journal

Firewalling with OpenBSD's PF Packet Filter

Contributed by deanna on from the another take on a beloved topic dept.

Sean Cody writes:

Peter Hansteen has apparently been maintaining his own PF tutorial. I originally noticed Peter's guide through a submission to RootPrompt.org.

The tutorial, like many others, goes through the configuration basics and ends off with specific case studies for certain configuration approaches. One nice addition to this particular guide is a section on setting up a wireless access point and doing access control via authpf. This can be a bit confusing to those who've not tried setting up wireless stuff (save for connecting to one), but there is enough here to get one going.

Older comments on this article...
Re: Firewalling with OpenBSD's PF Packet Filter (mod 3/3)
by Barry (63.237.125.20) on Tue May 1 19:57:28 2007 (GMT)
Peter's Tutorial has helped me on several occasions. Most recently with setting up spamd on 4.0.

Some of his configuration methods are not seen elsewhere. It lends a new perspective to configuring OpenBSD.

Thanks Peter.

Re: Firewalling with OpenBSD's PF Packet Filter (mod 3/3)
by Peter N. M. Hansteen (194.54.107.19) (peter@bsdly.net) on Tue May 1 20:18:26 2007 (GMT)

http://bsdly.blogspot.com
I revisit the tutorial often, and it always gets updated for conferences and other sessions.

I'm doing some updates on the tutorial for BSDCan at the moment (and writing a related book in parallel, watch out for announcements from No Starch Press in the next few weeks). If enough people sign up for the session they've announced at Linuxtag, I will be giving the tutorial there too at the end of May.



Comments
  1. By Anonymous Coward (80.144.243.39) on

    Quite an excellent documentation to pf. I'll appreciate reading it.

  2. By Damon McMahon (198.142.101.229) damon.mcmahon@gmail.com on

    One of the better pf HOWTOs in all, however the wireless access point section still relies on WEP for confidentiality (encryption) at the network layer.

    With the known flaws in WEP (which to the author's credit he acknowledges) and no sign any time soon on WPA support, surely a HOWTO on setting up an OpenBSD wireless access point requires a discussion about using IPsec and pf to filter on the enc(4) interface?

    Comments
    1. By Peter N. M. Hansteen (194.54.103.97) peter@bsdly.net on http://bsdly.blogspot.com

      > With the known flaws in WEP (which to the author's credit he acknowledges) and no sign any time soon on WPA support, surely a HOWTO on setting up an OpenBSD wireless access point requires a discussion about using IPsec and pf to filter on the enc(4) interface?

      a valid point and possibly a quite useful way to extend that bit of the tutorial. Thanks for the suggestion!

      Comments
      1. By Damon McMahon (198.142.101.229) damon.mcmahon@gmail.com on

        >
        > a valid point and possibly a quite useful way to extend that bit of the tutorial. Thanks for the suggestion!

        You're welcome, and I apologise for lecturing as I'm a big believer in the OpenBSD philosophy of "don't ask, do"; it's something that I've been meaning to document myself as this is the setup I have for my home wireless network. If you wish, please drop me an email and I'll be happy to send you the resources I used and my configuration (ipsec, pf, dhcpd, named, etc).

      2. By Damon McMahon (211.26.115.78) damon.mcmahon@gmail.com on

        > > With the known flaws in WEP (which to the author's credit he acknowledges) and no sign any time soon on WPA support, surely a HOWTO on setting up an OpenBSD wireless access point requires a discussion about using IPsec and pf to filter on the enc(4) interface?
        >
        > a valid point and possibly a quite useful way to extend that bit of the tutorial. Thanks for the suggestion!

        It has been suggested off-site that I publish what I have rather than solicit email enquiries...

        Fair enough, here are the links which got me going, a thorough understanding of the relevant documentation in the man pages is also a necessity:

        http://www2.papamike.ca:8082/tutorials/pub/obsd_ipsec.html
        http://www.openbsd-support.com/jp/en/htm/mgp/pacsec05/index.html
        http://ezine.daemonnews.org/200401/wifi-ipsec.html
        http://www.onlamp.com/pub/a/bsd/2004/10/21/wifi_ipsec.html
        Assistance from Reyk Floeter and Håkan Olsson on misc@openbsd.org list gratefully acknowledged.

  3. By Vuud (69.24.33.254) on


    I recently used this guide to get started on moving from a GUI->PF builder to hand coding PF. I also used a few of the other guides, the FAQ and the three chapters from that book that never came out. All were really good and worth checking out in my opinion.

    There were a few things lacking in all of them, which may seem obvious to experienced PF users... for instance, the benefit of doing "quick" on all your rules versus not and going with last matching... I know what they do, just not what is best to use when.

    I have this guide printed out - it's a good thing.

    Thanks!
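To make the "quick" versus last-match question above concrete, here is a small Python model of PF's rule evaluation order (an added example, not part of the tutorial or of PF itself): the last matching rule wins, except that a matching rule marked quick ends evaluation at once. The rule sets are constructed; the third one shows the ordering pitfall where a trailing block without quick overrides every earlier pass.

```python
"""Toy model of PF rule evaluation: the last matching rule wins unless a
matching rule carries 'quick', which ends evaluation immediately.
Added example; not from the tutorial or from PF's own code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    proto: str                  # "tcp", "udp", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # None matches any direction
    proto: Optional[str] = None       # None matches any protocol
    port: Optional[int] = None        # None matches any destination port
    quick: bool = False               # 'quick': stop at this rule if it matches

    def matches(self, pkt: Packet) -> bool:
        return ((self.direction is None or self.direction == pkt.direction)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.port is None or self.port == pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule). With no match PF passes."""
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            decision = (rule.action, i)
            if rule.quick:          # a matching quick rule is final
                break
    return decision


# Constructed rule sets. Last-match style: block first, then carve out passes.
LAST_MATCH = [Rule("block"), Rule("pass", "in", "tcp", 22), Rule("pass", "in", "tcp", 80)]
# Quick style: each pass is final, so the catch-all block can come last.
QUICK_STYLE = [Rule("pass", "in", "tcp", 22, quick=True),
               Rule("pass", "in", "tcp", 80, quick=True), Rule("block")]
# Pitfall: the quick-style ordering without quick; the trailing block now
# matches every packet last and silently overrides both pass rules.
BLOCK_LAST_NO_QUICK = [Rule("pass", "in", "tcp", 22), Rule("pass", "in", "tcp", 80), Rule("block")]
```

Running `evaluate()` on an inbound TCP/22 packet returns pass for the first two sets and block for the third, which is the behaviour difference the question is about.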
