For those of you wondering what happened to the #PF #tutorial slides, the new home for the slides is at https://nxdomain.no/~peter/pf_fullday.pdf - as PDF for reasons only to be discussed over refreshments when we meet.
New versions will be available at that location in sync with updated sessions. #openbsd #pf #packetfilter #freebsd #networking #ipv6
And since somebody asked - yes, the older version slides exist but now also sport a link the new location.
After a lot of nftables documentation read, I have a working ruleset with two-way blocking.
One thing that was a nuisance all along:
nftables provides a way to use configuration files to lay out your ruleset, which is great, and from what I infer was not possible in iptables and only accomplished with scripting.
But the docs are still very centered on configuring everything through imperative commands, which is just... hard to grasp, to say the least.
Compared to pf, there are some more complex possibilities, like dictionaries and typed sets.
The underlying processing is very different though. While in nftables I felt like I was writing the rules themselves, in pf I was writing syntax that would then expand to the rules. That meant much more concise rulesets.
It also defaults to stopping evaluation at the first block, while pf defaults to "last rule wins". Not sure how I feel about that, but overall pf seems to be easier to reason about.
A recent kerfuffle over a issues in a popular firewall out there makes me think it's time to point to an article I wrote about my favorite -
"A Few of My Favorite Things About The OpenBSD Packet Filter Tools" https://nxdomain.no/~peter/better_off_with_pf.html (or with nicer formatting but trackers https://bsdly.blogspot.com/2022/09/a-few-of-my-favorite-things-about.html) #firewalls #pf #openbsd
@badgerops Ok that's pretty fine it seems. Authentication and remote desktops working with these pretty minimal firewall rules (#pf on #FreeBSD):
pass proto tcp from $rdgwhost to $adhost port ldaps
pass proto tcp from $rdgwhost to $rdhosts port rdp
I can't be 100% sure no credential stealing will EVER be possible, but at least it seems unlikely. Both of these allowed connections use #TLS, so assuming an attacker would succeed to "enter" the #guacamole #jail, any attack on credentials would involve trying to get them from the virtual address space of running services.
The #asiabsdcon 2024 #PF tutorial is done, *updated* slides as PDF at https://nxdomain.no/~peter/pf_asiabsdcon2024.pdf #openbsd #freebsd #networking #security #bsd #taipei
This week it's #asiabsdcon https://2024.asiabsdcon.org/program.html - I'll be doing a refresh of the "Network Management with the OpenBSD Packet Filter Toolset" tutorial with Max Stucchi @stucchimax #openbsd #freebsd #networking #pf #packetfilter #security #trickery
Impatiently waiting for my #ZFS backup to complete ...
Then the next step will be to test #jailed #NFS (as introduced in #FreeBSD 13.3), to finally replace my horrible hack of redirecting NFS-related traffic with #pf (and, therefore, punching a hole for LAN machines to access the physical host located in the management segment).
I hope to also move to #nfsv4 at the same time. And once *this* works, enable #krb5 auth and encryption. We will see 😎
A Few of My Favorite Things About The OpenBSD Packet Filter Tools https://nxdomain.no/~peter/better_off_with_pf.html (or with trackers https://bsdly.blogspot.com/2022/09/a-few-of-my-favorite-things-about.html) reprising my 2022 piece about fun and useful things to do with #openbsd #pf, some of which are doeable on #freebsd, #solaris, #macos and elsewhere too.
I will be hosting #OpenBSD and #PF firewall courses at @linuxhotel in the city of Essen, Germany.
July 1-3 2024: OpenBSD: https://www.linuxhotel.de/course/openbsd-de
July 4-5 2024: PF: https://www.linuxhotel.de/course/pf-de
The target audience are system administrators who would like to learn about OpenBSD and PF in order to use them as part of their network security tool set.
(Do not be afraid to sign up if you do not understand German. While the courses are advertised in German, written course material will be in English and the presentation will be in English if preferred by participants.)
![# https://www.spamhaus.org/drop/
curl -s https://www.spamhaus.org/drop/drop.txt | \
grep "^[^#;]" | grep -Eo "^[^ ]+" > /tmp/sdrop.block
curl -s https://www.spamhaus.org/drop/edrop.txt | \
grep "^[^#;]" | grep -Eo "^[^ ]+" >> /tmp/sdrop.block
pfctl -t sdrop -T replace -f /tmp/sdrop.block
# /etc/pf.conf
# table <sdrop> persist file "/tmp/sdrop.block"
# block log quick from <sdrop> to any](https://files.mastodon.social/media_attachments/files/111/903/346/724/222/176/original/08c34f5e9a740918.png "# https://www.spamhaus.org/drop/
curl -s https://www.spamhaus.org/drop/drop.txt | \
grep \"^[^#;]\" | grep -Eo \"^[^ ]+\" > /tmp/sdrop.block
curl -s https://www.spamhaus.org/drop/edrop.txt | \
grep \"^[^#;]\" | grep -Eo \"^[^ ]+\" >> /tmp/sdrop.block
pfctl -t sdrop -T replace -f /tmp/sdrop.block
# /etc/pf.conf
# table <sdrop> persist file \"/tmp/sdrop.block\"
# block log quick from <sdrop> to any")
