pf(4): the OpenBSD packet filter
Giovanni Bechis
<giovanni@openbsd.org>
What is pf?
Packet filtering is the selective passing or blocking of data packets as they pass through a network interface.
The criteria that pf(4) uses when inspecting packets are based on the Layer 3 (IPv4 and IPv6) and Layer 4 (TCP, UDP, ICMP, and ICMPv6) headers.
The last matching rule wins.
Why should you use pf?
syntax (not a pain with lots of rules: macros, tables, interface groups)
atomic rule set commit
integrated traffic shaper
log files in tcpdump(8) format
carp(4)
spamd(8) and relayd(8) integration
proxies in user space, not in kernel space
pf(4) story
OpenBSD up to 2.9 used Darren Reed’s IPFilter
IPFilter was almost, but not quite, BSD licensed: no right to distribute changed versions
IPFilter removed on May 29th, 2001
First commit of the new PF code June 24, 2001
Who uses pf(4)?
OpenBSD (upstream development)
FreeBSD, NetBSD and DragonflyBSD
Apple macOS and iOS (via FreeBSD)
Oracle in Solaris 11.3 and 12 (IPF replaced)
Blackberry (via NetBSD)
network interfaces in *BSD world
the interface name is similar to the driver's name and has some "properties"
all interfaces can be part of a group (enc, pppx, trunk, vlan, wlan, ...)
the group egress is assigned automatically to the interface you use for outbound connections (the one holding the default route)
network interfaces in *BSD world
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 4 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr b8:6b:23:7a:3c:8a
        index 1 priority 0 llprio 3
        trunk: trunkdev trunk0
        media: Ethernet autoselect (none)
        status: no carrier
iwm0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr b8:6b:23:7a:3c:8a
        index 2 priority 4 llprio 3
        trunk: trunkdev trunk0
        groups: wlan
        media: IEEE802.11 autoselect (HT-MCS14 mode 11n)
        status: active
        ieee80211: nwid XXX chan 112 bssid XXX 79% wpakey <not displayed> wpaprotos wpa2 wpaakms psk ...
enc0: flags=0<>
        index 3 priority 0 llprio 3
        groups: enc
        status: active
trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr b8:6b:23:7a:3c:8a
        index 5 priority 0 llprio 3
        trunk: trunkproto failover
                trunkport iwm0 active
                trunkport em0 master
        groups: trunk egress
        media: Ethernet autoselect
        status: active
        inet 192.168.11.32 netmask 0xffffff00 broadcast 192.168.11.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
        index 6 priority 0 llprio 3
        groups: pflog
pf.conf(5)
macros
tables (can be used with pfctl -t $table -T add $addr)
divert(4) to pass packets to userland for further inspection:
    ftp-proxy(8)
    squid(8)
    spamd(8)
anchors
tags
pf.conf(5)
clients = "192.168.11/24"
tcp_ports = "{ ftp, ssh, domain, ntp, whois, www, https, auth, nntp, imaps, rtsp, submission, 8080:8082 }"
udp_ports = "{domain, ntp}"
match out on egress inet nat-to (egress)
block log all
pass inet proto tcp from $clients to port $tcp_ports
pass inet proto udp from $clients to port $udp_ports
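The two rules that matter most in that snippet are "block log all" followed by the pass rules: pf evaluates every rule and the last one that matches decides, so the order is what makes the ruleset a default-deny. The following C program is an added example, not code from the slides or from OpenBSD: it models pf's walk over a ruleset with only action, direction, protocol and destination port (addresses, tables and state are deliberately left out), runs the slide's ruleset against a few packets, and then shows two consequences of "last match wins" that a reviewer of a pf.conf should look for: a trailing "pass out all" that silently overrides an earlier block, and the "quick" keyword, which ends evaluation at the first matching rule. The rulesets, packets and port numbers are constructed for the demonstration.

```c
#include <stdio.h>

/* Added example, not code from the slides: a toy model of how pf(4) walks a
 * ruleset. Real pf matches on many more fields (addresses, tables, interfaces,
 * flags) and keeps state; here a rule has only an action, a direction, a
 * protocol and a destination port. */

enum action { BLOCK = 0, PASS = 1 };
enum proto  { PROTO_ANY = 0, TCP = 6, UDP = 17 };
#define DIR_IN  1                   /* direction mask: "in", "out" or both */
#define DIR_OUT 2
#define DIR_ANY (DIR_IN | DIR_OUT)

struct rule {
    enum action act;
    int         dir;     /* DIR_* mask */
    enum proto  proto;   /* PROTO_ANY matches every protocol */
    int         dport;   /* 0 matches every destination port */
    int         quick;   /* 1: evaluation stops here if the rule matches */
};

struct packet { int dir; enum proto proto; int dport; };

static int rule_matches(const struct rule *r, const struct packet *p)
{
    if (!(r->dir & p->dir))
        return 0;
    if (r->proto != PROTO_ANY && r->proto != p->proto)
        return 0;
    if (r->dport != 0 && r->dport != p->dport)
        return 0;
    return 1;
}

/* Walk every rule in order: the last matching rule decides, unless a matching
 * rule carries "quick". When nothing matches, pf's default is to pass. */
enum action evaluate(const struct rule *rules, int n, const struct packet *p, int *deciding)
{
    enum action result = PASS;
    int last = -1;

    for (int i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], p))
            continue;
        result = rules[i].act;
        last = i;
        if (rules[i].quick)
            break;
    }
    if (deciding != NULL)
        *deciding = last;
    return result;
}

/* Ruleset modelled on the pf.conf(5) slide (the "from $clients" source test is
 * not modelled): block everything, then allow ssh/www over tcp and dns over udp. */
static const struct rule slide_rules[] = {
    { BLOCK, DIR_ANY, PROTO_ANY, 0,  0 },  /* block log all */
    { PASS,  DIR_ANY, TCP,       22, 0 },  /* pass inet proto tcp ... to port ssh */
    { PASS,  DIR_ANY, TCP,       80, 0 },  /* pass inet proto tcp ... to port www */
    { PASS,  DIR_ANY, UDP,       53, 0 },  /* pass inet proto udp ... to port domain */
};

/* The same block rule with a "pass out all" appended by mistake: because the
 * last match wins, it silently re-opens every outbound port. */
static const struct rule trap_rules[] = {
    { BLOCK, DIR_ANY, PROTO_ANY, 0,  0 },  /* block log all */
    { PASS,  DIR_ANY, TCP,       22, 0 },  /* pass proto tcp to port ssh */
    { PASS,  DIR_OUT, PROTO_ANY, 0,  0 },  /* pass out all  <- overrides the block */
};

/* "block quick" ends evaluation at once, so the later permissive rule is
 * never reached for that traffic. */
static const struct rule quick_rules[] = {
    { BLOCK, DIR_OUT, TCP,       23, 1 },  /* block out quick proto tcp to port telnet */
    { PASS,  DIR_OUT, PROTO_ANY, 0,  0 },  /* pass out all */
};

#define NRULES(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* 1 if the packet would pass the given ruleset, 0 if it would be blocked. */
int decide(const struct rule *rs, int n, int dir, enum proto proto, int dport)
{
    struct packet p = { dir, proto, dport };
    return evaluate(rs, n, &p, NULL) == PASS;
}

int decide_slide(int dir, enum proto pr, int port) { return decide(slide_rules, NRULES(slide_rules), dir, pr, port); }
int decide_trap(int dir, enum proto pr, int port)  { return decide(trap_rules,  NRULES(trap_rules),  dir, pr, port); }
int decide_quick(int dir, enum proto pr, int port) { return decide(quick_rules, NRULES(quick_rules), dir, pr, port); }

static const char *verdict(int pass) { return pass ? "pass" : "block"; }

int main(void)
{
    printf("slide ruleset: tcp/22 %s, tcp/23 %s, udp/53 %s\n",
           verdict(decide_slide(DIR_OUT, TCP, 22)), verdict(decide_slide(DIR_OUT, TCP, 23)),
           verdict(decide_slide(DIR_OUT, UDP, 53)));
    printf("trap ruleset:  tcp/23 out %s (the trailing pass out all won), tcp/23 in %s\n",
           verdict(decide_trap(DIR_OUT, TCP, 23)), verdict(decide_trap(DIR_IN, TCP, 23)));
    printf("quick ruleset: tcp/23 out %s, tcp/80 out %s\n",
           verdict(decide_quick(DIR_OUT, TCP, 23)), verdict(decide_quick(DIR_OUT, TCP, 80)));
    return 0;
}
```

The trap ruleset is the case worth remembering when reading a long pf.conf: a permissive rule near the bottom wins over everything above it, which is exactly why the slide puts "block log all" first and only narrow pass rules after it.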
pf.conf(5)
queue rootq on $ext_if bandwidth 20M
queue main parent rootq bandwidth 20479K min 1M max 20479K qlimit 100
queue qdef parent main bandwidth 9600K min 6000K max 18M default
queue qweb parent main bandwidth 9600K min 6000K max 18M
queue qpri parent main bandwidth 700K min 100K max 1200K
queue qdns parent main bandwidth 200K min 12K burst 600K for 3000ms
queue spamd parent rootq bandwidth 1K min 0K max 1K qlimit 300
match out on $ext_if proto tcp to port { www https } set queue (qweb, qpri) set prio (5,6)
match out on $ext_if proto { tcp udp } to port domain set queue (qdns, qpri) set prio (6,7)
match out on $ext_if proto icmp set queue (qdns, qpri) set prio (6,7)
pass in log on egress proto tcp to port smtp divert-to 127.0.0.1 port spamd set queue spamd set prio 0
spamd(8)
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
pass in log on egress proto tcp to port smtp divert-to 127.0.0.1 port spamd
pass in log on egress proto tcp from <nospamd> to port smtp
pass in log on egress proto tcp from <spamd-white> to port smtp
pass out log on egress proto tcp to port smtp
spamd(8)
Aug 8 09:08:35 home spamd[77105]: 114.36.210.200: connected (1/0)
Aug 8 09:08:47 home spamd[2758]: new entry 114.36.210.200 from <support@microsoft.com> to <support@microsoft.com>, helo 79.22.69.186
Aug 8 09:08:47 home spamd[77105]: 114.36.210.200: disconnected after 12 seconds.
Aug 8 09:48:20 home spamd[77105]: 186.225.243.130: connected (1/1), lists: nixspam
Aug 8 09:49:16 home spamd[77105]: 186.225.243.130: disconnected after 56 seconds. lists: nixspam
Aug 8 09:50:25 home spamd[77105]: 47.89.53.55: connected (1/0)
Aug 8 09:50:38 home spamd[2758]: new entry 47.89.53.55 from <cycnvoeyildos@163.com> to <gogo@linwayedm.com.tw>, helo 79.22.69.186
Aug 8 09:50:38 home spamd[77105]: 47.89.53.55: disconnected after 13 seconds.
Aug 8 09:50:39 home spamd[77105]: 47.89.53.55: connected (1/0)
Aug 8 09:50:46 home spamd[77105]: 121.228.209.208: connected (2/0)
Aug 8 09:50:51 home spamd[2758]: new entry 47.89.53.55 from <mfjtuaukmnuj@163.com> to <gogo@linwayedm.com.tw>, helo 79.22.69.186
Aug 8 09:50:51 home spamd[77105]: 47.89.53.55: disconnected after 12 seconds.
Aug 8 09:50:52 home spamd[77105]: 47.89.53.55: connected (2/0)
Aug 8 09:51:04 home spamd[2758]: new entry 47.89.53.55 from <bhuehnlslwiaw@163.com> to <gogo@linwayedm.com.tw>, helo 79.22.69.186
Aug 8 09:51:05 home spamd[77105]: 47.89.53.55: disconnected after 13 seconds.
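The log above is where the divert-to rule pays off: every connection spamd(8) answers produces a "connected"/"disconnected" pair, a "new entry" line when a greylist entry is created, and a "lists:" suffix when the peer was already on a blacklist. The following C program is an added example, not code from the slides or from spamd itself: it parses lines of that shape, counts greylist entries and blacklist hits, and flags one pattern visible in every "new entry" above, a HELO argument that is a bare IP address rather than a hostname (RFC 5321 requires a hostname or a bracketed address literal, so a bare dotted quad is a reliable bot indicator). The sample log embedded in the program is a subset of the slide's own lines with the wrapped entries re-joined; the parser assumes that re-joining has been done.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: parse spamd(8) log lines of the shape
 * shown above and run two checks over them. Wrapped lines are assumed to
 * have been re-joined first. */

enum spamd_kind { SPAMD_OTHER, SPAMD_CONNECTED, SPAMD_DISCONNECTED, SPAMD_NEW_ENTRY };

struct spamd_event {
    enum spamd_kind kind;
    char ip[46];     /* peer address */
    char helo[64];   /* HELO argument, new_entry only */
    char list[32];   /* blacklist name after "lists:", if present */
};

/* Copy src into dst up to the first character that appears in stop. */
static void copy_until(char *dst, size_t dstsz, const char *src, const char *stop)
{
    size_t n = strcspn(src, stop);
    if (n >= dstsz)
        n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

int parse_spamd_line(const char *line, struct spamd_event *ev)
{
    const char *p, *msg, *h;

    memset(ev, 0, sizeof *ev);
    if ((p = strstr(line, "spamd[")) == NULL || (p = strstr(p, "]: ")) == NULL)
        return 0;
    p += 3;
    if (strncmp(p, "new entry ", 10) == 0) {           /* greylist entry created */
        ev->kind = SPAMD_NEW_ENTRY;
        copy_until(ev->ip, sizeof ev->ip, p + 10, " ");
        if ((h = strstr(p, "helo ")) != NULL)
            copy_until(ev->helo, sizeof ev->helo, h + 5, " ,");
        return 1;
    }
    copy_until(ev->ip, sizeof ev->ip, p, ":");         /* "<ip>: connected ..." */
    if ((msg = strchr(p, ':')) == NULL)
        return 0;
    for (msg++; *msg == ' '; msg++)
        ;
    if (strncmp(msg, "disconnected", 12) == 0)
        ev->kind = SPAMD_DISCONNECTED;
    else if (strncmp(msg, "connected", 9) == 0)
        ev->kind = SPAMD_CONNECTED;
    if ((h = strstr(msg, "lists: ")) != NULL)
        copy_until(ev->list, sizeof ev->list, h + 7, " ,");
    return 1;
}

/* A bare dotted-quad HELO (no brackets, no hostname) violates RFC 5321 and is
 * typical of spam bots; every "new entry" on the slide shows one. */
int helo_is_bare_ip(const char *helo)
{
    int dots = 0;
    if (*helo == '\0')
        return 0;
    for (; *helo; helo++) {
        if (*helo == '.')
            dots++;
        else if (!isdigit((unsigned char)*helo))
            return 0;
    }
    return dots == 3;
}

struct spamd_summary {
    int new_entries;   /* greylist entries created */
    int bare_ip_helo;  /* ...of which presented a bare-IP HELO */
    int blacklisted;   /* connections that hit a blacklist ("lists:") */
};

struct spamd_summary summarise_spamd(const char **lines, int n)
{
    struct spamd_summary s = { 0, 0, 0 };
    struct spamd_event ev;

    for (int i = 0; i < n; i++) {
        if (!parse_spamd_line(lines[i], &ev))
            continue;
        if (ev.kind == SPAMD_NEW_ENTRY) {
            s.new_entries++;
            s.bare_ip_helo += helo_is_bare_ip(ev.helo);
        } else if (ev.kind == SPAMD_CONNECTED && ev.list[0] != '\0') {
            s.blacklisted++;
        }
    }
    return s;
}

/* A subset of the lines from the spamd(8) slide, re-joined one per entry. */
const char *slide_spamd_log[] = {
    "Aug 8 09:08:35 home spamd[77105]: 114.36.210.200: connected (1/0)",
    "Aug 8 09:08:47 home spamd[2758]: new entry 114.36.210.200 from <support@microsoft.com> to <support@microsoft.com>, helo 79.22.69.186",
    "Aug 8 09:08:47 home spamd[77105]: 114.36.210.200: disconnected after 12 seconds.",
    "Aug 8 09:48:20 home spamd[77105]: 186.225.243.130: connected (1/1), lists: nixspam",
    "Aug 8 09:49:16 home spamd[77105]: 186.225.243.130: disconnected after 56 seconds. lists: nixspam",
    "Aug 8 09:50:25 home spamd[77105]: 47.89.53.55: connected (1/0)",
    "Aug 8 09:50:38 home spamd[2758]: new entry 47.89.53.55 from <cycnvoeyildos@163.com> to <gogo@linwayedm.com.tw>, helo 79.22.69.186",
    "Aug 8 09:50:38 home spamd[77105]: 47.89.53.55: disconnected after 13 seconds.",
};
const int slide_spamd_log_len = 8;

int main(void)
{
    struct spamd_summary s = summarise_spamd(slide_spamd_log, slide_spamd_log_len);
    printf("greylist entries: %d, with bare-IP HELO: %d, blacklisted connections: %d\n",
           s.new_entries, s.bare_ip_helo, s.blacklisted);
    return 0;
}
```

Run it against /var/log/daemon (or wherever syslog sends spamd) to see how much of the greylist churn comes from peers that never behave like a real MTA; those are the addresses worth feeding into a trapping table rather than waiting for the greylist timeout.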
carp(4)
log files
log files are binary, in a tcpdump(8)-readable format
pflog(4) is a cloneable interface; rules can log to a specific pflog instance
pass log (all, to pflog2) inet proto tcp from $mailserver to port smtp
log files
Mar 12 15:33:49.592419 rule 0/(match) [uid 0, pid 8015] block out on trunk0: [uid 4294967295, pid 100000]
192.168.11.32.43849 > 216.58.205.165.25: S 1629842603:1629842603(0) win 16384
<mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 1140560815[|tcp]> (DF)
(ttl 64, id 13397, len 64, bad ip cksum 14! -> 94ba)
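A pflog record like the one above carries the rule number, the action, the direction and the interface before the packet itself, which is what makes pflog worth feeding into detection: in this case rule 0 ("block log all") stopped the host from opening a direct SMTP connection to an outside address. The following C program is an added example, not code from the slides or from tcpdump: it parses that one-line text form (the "[uid N, pid N]" brackets that tcpdump -e prints are optional), splits tcpdump's "a.b.c.d.port" endpoints, and summarises which records were blocks. The first sample line is the slide's own record re-joined onto one line; the second is a constructed "pass in" record in the same format, added for contrast. Only IPv4 endpoints are handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the slides: parse the text that
 * "tcpdump -n -e -ttt -r /var/log/pflog" prints for one packet and summarise
 * what the ruleset blocked. Only IPv4 "a.b.c.d.port" endpoints are handled. */

struct pflog_rec {
    int  rule;         /* N from "rule N/(match)" */
    char action[8];    /* "block" or "pass" */
    char dir[4];       /* "in" or "out" */
    char ifname[16];
    char src[16]; int sport;
    char dst[16]; int dport;
    char flags[8];     /* first token after the endpoints, e.g. "S" for a SYN */
};

/* Skip blanks and an optional "[uid N, pid N]" bracket (printed with -e). */
static const char *skip_bracket(const char *p)
{
    while (*p == ' ')
        p++;
    if (*p == '[' && (p = strchr(p, ']')) != NULL)
        while (*++p == ' ')
            ;
    return p;
}

/* "192.168.11.32.43849" -> address "192.168.11.32", port 43849 */
static int split_endpoint(const char *tok, char *addr, size_t addrsz, int *port)
{
    const char *dot = strrchr(tok, '.');
    size_t n;

    if (dot == NULL || dot == tok || (n = (size_t)(dot - tok)) >= addrsz)
        return 0;
    memcpy(addr, tok, n);
    addr[n] = '\0';
    *port = atoi(dot + 1);
    return 1;
}

int parse_pflog_line(const char *line, struct pflog_rec *r)
{
    const char *p;
    char stok[64], dtok[64];

    memset(r, 0, sizeof *r);
    if ((p = strstr(line, "rule ")) == NULL || sscanf(p, "rule %d/", &r->rule) != 1)
        return 0;
    if ((p = strchr(p, ')')) == NULL || (p = skip_bracket(p + 1)) == NULL)
        return 0;                                   /* past "/(match)" and the uid bracket */
    if (sscanf(p, "%7s %3s on %15[^:]:", r->action, r->dir, r->ifname) != 3)
        return 0;
    if ((p = strchr(p, ':')) == NULL || (p = skip_bracket(p + 1)) == NULL)
        return 0;                                   /* past "ifname:" and the second bracket */
    if (sscanf(p, "%63s > %63[^:]: %7s", stok, dtok, r->flags) < 2)
        return 0;
    return split_endpoint(stok, r->src, sizeof r->src, &r->sport) &&
           split_endpoint(dtok, r->dst, sizeof r->dst, &r->dport);
}

struct pflog_summary {
    int parsed;        /* records understood */
    int blocked;       /* ...of which were blocks */
    int blocked_smtp;  /* outbound tcp/25 blocks: a host bypassing the mail relay */
};

struct pflog_summary summarise_pflog(const char **lines, int n)
{
    struct pflog_summary s = { 0, 0, 0 };
    struct pflog_rec r;

    for (int i = 0; i < n; i++) {
        if (!parse_pflog_line(lines[i], &r))
            continue;
        s.parsed++;
        if (strcmp(r.action, "block") == 0) {
            s.blocked++;
            if (strcmp(r.dir, "out") == 0 && r.dport == 25)
                s.blocked_smtp++;
        }
    }
    return s;
}

/* First entry: the slide's record re-joined. Second entry: a constructed
 * "pass in" record in the same format, added for contrast. */
const char *sample_pflog[] = {
    "Mar 12 15:33:49.592419 rule 0/(match) [uid 0, pid 8015] block out on trunk0: "
    "[uid 4294967295, pid 100000] 192.168.11.32.43849 > 216.58.205.165.25: S "
    "1629842603:1629842603(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,"
    "timestamp 1140560815[|tcp]> (DF)",
    "Mar 12 15:34:02.118432 rule 3/(match) pass in on trunk0: "
    "192.168.11.7.51422 > 192.168.11.32.22: S 1000:1000(0) win 65535 <mss 1460> (DF)",
};
const int sample_pflog_len = 2;

int main(void)
{
    struct pflog_rec r;
    struct pflog_summary s = summarise_pflog(sample_pflog, sample_pflog_len);

    if (parse_pflog_line(sample_pflog[0], &r))
        printf("rule %d %s %s on %s: %s:%d -> %s:%d flags %s\n", r.rule, r.action,
               r.dir, r.ifname, r.src, r.sport, r.dst, r.dport, r.flags);
    printf("parsed %d, blocked %d, outbound smtp blocked %d\n", s.parsed, s.blocked, s.blocked_smtp);
    return 0;
}
```

Because the record names the rule number, the same parser lets you cross-check pflog against "pfctl -vsr", which prints the loaded rules with their numbers: a block you did not expect from rule 0 usually means a pass rule further down failed to match for some reason (wrong interface, protocol or port), which is a cheaper way to debug a ruleset than adding "log" to every rule.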
log files
pfctl(8)
Status: Enabled for 0 days 01:24:26              Debug: err

State Table                          Total             Rate
  current entries                       23
  searches                           24884            4.9/s
  inserts                             2078            0.4/s
  removals                            2055            0.4/s
Counters
  match                               2240            0.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                            159            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s
systat(8)
4 users Load 1.39 1.60 1.58 fw.domain.net 15:47:44
LOCAL ADDRESS FOREIGN ADDRESS PROTO RECV-Q SEND-Q STATE
192.168.11.32:48285 mil04s28-in-f161.1e100.net:443 tcp 0 0 ESTABLISHED
192.168.11.32:33012 mil04s28-in-f163.1e100.net:443 tcp 0 0 ESTABLISHED
192.168.11.32:46466 mil04s26-in-f14.1e100.net:443 tcp 0 0 ESTABLISHED
192.168.11.32:19338 mil04s28-in-f174.1e100.net:443 tcp 0 0 ESTABLISHED
192.168.11.32:23282 74.125.111.135:443 tcp 0 0 ESTABLISHED
192.168.11.32:8453 server-54-192-25-25.mxp4.r.cloudfront.net:www tcp 0 0 TIME_WAIT
192.168.11.32:45682 host33-137-dynamic.26-79-r.retail.telecomital tcp 0 0 ESTABLISHED
192.168.11.32:43126 weber.freenode.net:6667 tcp 0 0 ESTABLISHED
192.168.11.32:22989 host69-172-177-94.serverdedicati.aruba.it:ntp udp 0 0
192.168.11.32:42148 213.251.52.250:ntp udp 0 0
pf(4)
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/ioctl.h>
    #include <fcntl.h>
    #include <net/if.h>
    #include <net/pfvar.h>
    #include <stdio.h>
    #include <err.h>

    /* Disable pf through its ioctl(2) interface: open /dev/pf read-write and
     * issue DIOCSTOP, which is what "pfctl -d" does. Requires write access to
     * /dev/pf, i.e. root by default. */
    int main(int argc, char *argv[]) {
        int dev;

        dev = open("/dev/pf", O_RDWR);
        if (dev == -1)
            err(1, "open(\"/dev/pf\") failed");
        if (ioctl(dev, DIOCSTOP) == -1)
            err(1, "DIOCSTOP");
        else
            printf("pf disabled\n");
        return 0;
    }
Need some more info?
man pages about pf(4), pfctl(8) and pf.conf(5)
man pages about tcpdump(8) and pcap-filter(3)
https://www.openbsd.org/faq/pf/index.html
https://home.nuug.no/~peter/pf/newest/
https://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html

More Related Content

What's hot

RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料Tetsuya Hasegawa
 
Enable DPDK and SR-IOV for containerized virtual network functions with zun
Enable DPDK and SR-IOV for containerized virtual network functions with zunEnable DPDK and SR-IOV for containerized virtual network functions with zun
Enable DPDK and SR-IOV for containerized virtual network functions with zunheut2008
 
Volatile memory analysis
Volatile memory analysisVolatile memory analysis
Volatile memory analysisHimanshu0734
 
日本OpenStackユーザ会 第37回勉強会
日本OpenStackユーザ会 第37回勉強会日本OpenStackユーザ会 第37回勉強会
日本OpenStackユーザ会 第37回勉強会Yushiro Furukawa
 
さわってみようTOPPERS/SSP
さわってみようTOPPERS/SSPさわってみようTOPPERS/SSP
さわってみようTOPPERS/SSPNSaitoNmiri
 
5分で分かるgitのrefspec
5分で分かるgitのrefspec5分で分かるgitのrefspec
5分で分かるgitのrefspecikdysfm
 
Stack Buffer OverFlow
Stack Buffer OverFlowStack Buffer OverFlow
Stack Buffer OverFlowsounakano
 

What's hot (9)

RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
 
Scaling DNS
Scaling DNSScaling DNS
Scaling DNS
 
Enable DPDK and SR-IOV for containerized virtual network functions with zun
Enable DPDK and SR-IOV for containerized virtual network functions with zunEnable DPDK and SR-IOV for containerized virtual network functions with zun
Enable DPDK and SR-IOV for containerized virtual network functions with zun
 
Volatile memory analysis
Volatile memory analysisVolatile memory analysis
Volatile memory analysis
 
日本OpenStackユーザ会 第37回勉強会
日本OpenStackユーザ会 第37回勉強会日本OpenStackユーザ会 第37回勉強会
日本OpenStackユーザ会 第37回勉強会
 
さわってみようTOPPERS/SSP
さわってみようTOPPERS/SSPさわってみようTOPPERS/SSP
さわってみようTOPPERS/SSP
 
pg_trgmと全文検索
pg_trgmと全文検索pg_trgmと全文検索
pg_trgmと全文検索
 
5分で分かるgitのrefspec
5分で分かるgitのrefspec5分で分かるgitのrefspec
5分で分かるgitのrefspec
 
Stack Buffer OverFlow
Stack Buffer OverFlowStack Buffer OverFlow
Stack Buffer OverFlow
 

Similar to Pf: the OpenBSD packet filter

Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Andriy Berestovskyy
 
Introduction to tcpdump
Introduction to tcpdumpIntroduction to tcpdump
Introduction to tcpdumpLev Walkin
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioHajime Tazaki
 
introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack monad bobo
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging RubyAman Gupta
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
101 3.2 process text streams using filters
101 3.2 process text streams using filters101 3.2 process text streams using filters
101 3.2 process text streams using filtersAcácio Oliveira
 
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Hsien-Hsin Sean Lee, Ph.D.
 
Ngrep commands
Ngrep commandsNgrep commands
Ngrep commandsRishu Seth
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debuggingHao-Ran Liu
 
Вопросы балансировки трафика
Вопросы балансировки трафикаВопросы балансировки трафика
Вопросы балансировки трафикаSkillFactory
 
Tomasz P from Poland
Tomasz P from PolandTomasz P from Poland
Tomasz P from Polandirenazd
 
[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4Open Networking Summits
 
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...PROIDEA
 

Similar to Pf: the OpenBSD packet filter (20)

Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)Network Programming: Data Plane Development Kit (DPDK)
Network Programming: Data Plane Development Kit (DPDK)
 
Ccna Imp Guide
Ccna Imp GuideCcna Imp Guide
Ccna Imp Guide
 
Introduction to tcpdump
Introduction to tcpdumpIntroduction to tcpdump
Introduction to tcpdump
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osio
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
 
Practice
PracticePractice
Practice
 
introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
netLec5.pdf
netLec5.pdfnetLec5.pdf
netLec5.pdf
 
101 3.2 process text streams using filters
101 3.2 process text streams using filters101 3.2 process text streams using filters
101 3.2 process text streams using filters
 
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
Lec12 Computer Architecture by Hsien-Hsin Sean Lee Georgia Tech -- P6, Netbur...
 
Ngrep commands
Ngrep commandsNgrep commands
Ngrep commands
 
Ui disk & terminal drivers
Ui disk & terminal driversUi disk & terminal drivers
Ui disk & terminal drivers
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
Вопросы балансировки трафика
Вопросы балансировки трафикаВопросы балансировки трафика
Вопросы балансировки трафика
 
Tomasz P from Poland
Tomasz P from PolandTomasz P from Poland
Tomasz P from Poland
 
[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4[Webinar Slides] Programming the Network Dataplane in P4
[Webinar Slides] Programming the Network Dataplane in P4
 
Day2
Day2Day2
Day2
 
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...
PLNOG 13: P. Kupisiewicz, O. Pelerin: Make IOS-XE Troubleshooting Easy – Pack...
 

More from Giovanni Bechis

SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresGiovanni Bechis
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyGiovanni Bechis
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with PuppetGiovanni Bechis
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3Giovanni Bechis
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profitGiovanni Bechis
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Giovanni Bechis
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management frameworkGiovanni Bechis
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeGiovanni Bechis
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!Giovanni Bechis
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceGiovanni Bechis
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teGiovanni Bechis
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDGiovanni Bechis
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaGiovanni Bechis
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internetGiovanni Bechis
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografiaGiovanni Bechis
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Giovanni Bechis
 

More from Giovanni Bechis (20)

the Apache way
the Apache waythe Apache way
the Apache way
 
SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new features
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easy
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with Puppet
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profit
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSD
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management framework
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year later
 
LibreSSL
LibreSSLLibreSSL
LibreSSL
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open Source
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con te
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSD
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezza
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internet
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografia
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD
 

Recently uploaded

Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Servicegwenoracqe6
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 

Recently uploaded (20)

Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl ServiceRussian Call girl in Ajman +971563133746 Ajman Call girl Service
Russian Call girl in Ajman +971563133746 Ajman Call girl Service
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130  Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa  Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 

Pf: the OpenBSD packet filter

  • 7. network interfaces in *BSD world
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
            index 4 priority 0 llprio 3
            groups: lo
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            inet 127.0.0.1 netmask 0xff000000
    em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr b8:6b:23:7a:3c:8a
            index 1 priority 0 llprio 3
            trunk: trunkdev trunk0
            media: Ethernet autoselect (none)
            status: no carrier
    iwm0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
            lladdr b8:6b:23:7a:3c:8a
            index 2 priority 4 llprio 3
            trunk: trunkdev trunk0
            groups: wlan
            media: IEEE802.11 autoselect (HT-MCS14 mode 11n)
            status: active
            ieee80211: nwid XXX chan 112 bssid XXX 79% wpakey <not displayed> wpaprotos wpa2 wpaakms psk
            ...
    enc0: flags=0<>
            index 3 priority 0 llprio 3
            groups: enc
            status: active
    trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr b8:6b:23:7a:3c:8a
            index 5 priority 0 llprio 3
            trunk: trunkproto failover
                    trunkport iwm0 active
                    trunkport em0 master
            groups: trunk egress
            media: Ethernet autoselect
            status: active
            inet 192.168.11.32 netmask 0xffffff00 broadcast 192.168.11.255
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
            index 6 priority 0 llprio 3
            groups: pflog
  • 8. pf.conf(5)
    macros
    tables (can be used with pfctl -t $table -T add $addr)
    divert(4) to pass packets to userland for further inspection: ftp-proxy(8), squid(8), spamd(8)
    anchors
    tags
  • 9. pf.conf(5)
    clients = "192.168.11/24"
    tcp_ports = "{ ftp, ssh, domain, ntp, whois, www, https, auth, nntp, imaps, rtsp, submission, 8080:8082 }"
    udp_ports = "{domain, ntp}"

    match out on egress inet nat-to (egress)
    block log all
    pass inet proto tcp from $clients to port $tcp_ports
    pass inet proto udp from $clients to port $udp_ports
  • 10. pf.conf(5)
    queue rootq on $ext_if bandwidth 20M
    queue main parent rootq bandwidth 20479K min 1M max 20479K qlimit 100
    queue qdef parent main bandwidth 9600K min 6000K max 18M default
    queue qweb parent main bandwidth 9600K min 6000K max 18M
    queue qpri parent main bandwidth 700K min 100K max 1200K
    queue qdns parent main bandwidth 200K min 12K burst 600K for 3000ms
    queue spamd parent rootq bandwidth 1K min 0K max 1K qlimit 300

    match out on $ext_if proto tcp to port { www https } set queue (qweb, qpri) set prio (5,6)
    match out on $ext_if proto { tcp udp } to port domain set queue (qdns, qpri) set prio (6,7)
    match out on $ext_if proto icmp set queue (qdns, qpri) set prio (6,7)
    pass in log on egress proto tcp to port smtp divert-to 127.0.0.1 port spamd set queue spamd set prio 0
  • 11. spamd(8)
    table <spamd-white> persist
    table <nospamd> persist file "/etc/mail/nospamd"

    pass in log on egress proto tcp to port smtp divert-to 127.0.0.1 port spamd
    pass in log on egress proto tcp from <nospamd> to port smtp
    pass in log on egress proto tcp from <spamd-white> to port smtp
    pass out log on egress proto tcp to port smtp
  • 12. spamd(8)
    Aug 8 09:08:35 home spamd[77105]: 114.36.210.200: connected (1/0)
    Aug 8 09:08:47 home spamd[2758]: new entry 114.36.210.200 from <support@microsoft.com> to <support@microsoft.com>, helo 79.22.69.186
    Aug 8 09:08:47 home spamd[77105]: 114.36.210.200: disconnected after 12 seconds.
    Aug 8 09:48:20 home spamd[77105]: 186.225.243.130: connected (1/1), lists: nixspam
    Aug 8 09:49:16 home spamd[77105]: 186.225.243.130: disconnected after 56 seconds. lists: nixspam
    Aug 8 09:50:25 home spamd[77105]: 47.89.53.55: connected (1/0)
    Aug 8 09:50:38 home spamd[2758]: new entry 47.89.53.55 from <cycnvoeyildos@163.com> to <gogo@linwayedm.com.tw>, helo 79.22.69.186
    Aug 8 09:50:38 home spamd[77105]: 47.89.53.55: disconnected after 13 seconds.
    Aug 8 09:50:39 home spamd[77105]: 47.89.53.55: connected (1/0)
    Aug 8 09:50:46 home spamd[77105]: 121.228.209.208: connected (2/0)
    Aug 8 09:50:51 home spamd[2758]: new entry 47.89.53.55 from <mfjtuaukmnuj@163.com> to <gogo@linwayedm.com.tw>, helo 79.22.69.186
    Aug 8 09:50:51 home spamd[77105]: 47.89.53.55: disconnected after 12 seconds.
    Aug 8 09:50:52 home spamd[77105]: 47.89.53.55: connected (2/0)
    Aug 8 09:51:04 home spamd[2758]: new entry 47.89.53.55 from <bhuehnlslwiaw@163.com> to <gogo@linwayedm.com.tw>, helo 79.22.69.186
    Aug 8 09:51:05 home spamd[77105]: 47.89.53.55: disconnected after 13 seconds.
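As an added example (not from the slides), a small Python summariser for spamd(8) log lines like the ones above: per source IP it tallies connections, greylist entries (sender, recipient, HELO), blacklists the host was on and how long spamd held it, and flags hosts that were already blacklisted or that retry greylisting with a fresh envelope sender each time, the pattern the 47.89.53.55 lines show. The sample log is a constructed subset of the slide's lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the spamd(8) log lines on the slide above.
SAMPLE_LOG = """\
Aug 8 09:08:35 home spamd[77105]: 114.36.210.200: connected (1/0)
Aug 8 09:08:47 home spamd[2758]: new entry 114.36.210.200 from <support@microsoft.com> to <support@microsoft.com>, helo 79.22.69.186
Aug 8 09:08:47 home spamd[77105]: 114.36.210.200: disconnected after 12 seconds.
Aug 8 09:48:20 home spamd[77105]: 186.225.243.130: connected (1/1), lists: nixspam
Aug 8 09:49:16 home spamd[77105]: 186.225.243.130: disconnected after 56 seconds. lists: nixspam
Aug 8 09:50:25 home spamd[77105]: 47.89.53.55: connected (1/0)
Aug 8 09:50:38 home spamd[2758]: new entry 47.89.53.55 from <cycnvoeyildos@163.com> to <gogo@linwayedm.com.tw>, helo 79.22.69.186
Aug 8 09:50:38 home spamd[77105]: 47.89.53.55: disconnected after 13 seconds.
Aug 8 09:50:39 home spamd[77105]: 47.89.53.55: connected (1/0)
Aug 8 09:50:51 home spamd[2758]: new entry 47.89.53.55 from <mfjtuaukmnuj@163.com> to <gogo@linwayedm.com.tw>, helo 79.22.69.186
Aug 8 09:50:51 home spamd[77105]: 47.89.53.55: disconnected after 12 seconds.
"""

# One pattern per spamd message type; the "(a/b)" counters are matched but not interpreted.
CONNECT = re.compile(r"spamd\[\d+\]: (?P<ip>[\d.]+): connected \(\d+/\d+\)(?:, lists: (?P<lists>.+))?$")
ENTRY = re.compile(r"spamd\[\d+\]: new entry (?P<ip>[\d.]+) from <(?P<frm>[^>]*)> to <(?P<to>[^>]*)>, helo (?P<helo>\S+)$")
DISCONNECT = re.compile(r"spamd\[\d+\]: (?P<ip>[\d.]+): disconnected after (?P<secs>\d+) seconds\.")

def summarize(log):
    """Per source IP: connection count, greylist entries, blacklists hit, seconds held."""
    hosts = defaultdict(lambda: {"connections": 0, "entries": [], "lists": set(), "seconds": 0})
    for line in log.splitlines():
        if m := CONNECT.search(line):
            hosts[m["ip"]]["connections"] += 1
            if m["lists"]:
                hosts[m["ip"]]["lists"].update(m["lists"].split())
        elif m := ENTRY.search(line):
            hosts[m["ip"]]["entries"].append((m["frm"], m["to"], m["helo"]))
        elif m := DISCONNECT.search(line):
            hosts[m["ip"]]["seconds"] += int(m["secs"])
    return dict(hosts)

def suspicious(summary):
    """Hosts already on a blacklist, or retrying greylisting with a different envelope sender each time."""
    return sorted(ip for ip, h in summary.items()
                  if h["lists"] or len({frm for frm, _, _ in h["entries"]}) > 1)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip in suspicious(s):
        print(ip, s[ip]["connections"], "connections,", s[ip]["seconds"], "s held,", sorted(s[ip]["lists"]))
```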
  • 14. log files
    log files in binary, tcpdump(8) readable format
    pflog(4) is a cloneable interface, rules can log to a specific interface:
    pass log (all, to pflog2) inet proto tcp from $mailserver to port smtp
  • 15. log files
    Mar 12 15:33:49.592419 rule 0/(match) [uid 0, pid 8015] block out on trunk0: [uid 4294967295, pid 100000] 192.168.11.32.43849 > 216.58.205.165.25: S 1629842603:1629842603(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 1140560815[|tcp]> (DF) (ttl 64, id 13397, len 64, bad ip cksum 14! -> 94ba)
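An added example, not from the slides: parsing the pf header that tcpdump(8) prints for each pflog(4) record (rule number and reason, the uid/pid that loaded the rule, action, direction, interface, the socket owner when pf found one, and the endpoints), then using it to list blocked outbound SMTP attempts from any host other than the mail server. The first sample line is the slide's own; the second "pass" line and the mail server address 192.168.11.25 are constructed.

```python
import re

# Constructed samples in the tcpdump -n -e -ttt -i pflog0 format shown on the slide.
SAMPLE_PFLOG = [
    "Mar 12 15:33:49.592419 rule 0/(match) [uid 0, pid 8015] block out on trunk0: "
    "[uid 4294967295, pid 100000] 192.168.11.32.43849 > 216.58.205.165.25: S "
    "1629842603:1629842603(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,"
    "timestamp 1140560815[|tcp]> (DF) (ttl 64, id 13397, len 64, bad ip cksum 14! -> 94ba)",
    # made-up line: the hypothetical mail server 192.168.11.25 being passed out to port 25
    "Mar 12 15:34:02.118230 rule 3/(match) [uid 0, pid 8015] pass out on trunk0: "
    "192.168.11.25.50112 > 216.58.205.165.25: S 12345:12345(0) win 16384 <mss 1460> (DF) "
    "(ttl 64, id 4242, len 64)",
]

# uid 4294967295 (UID_MAX) and pid 100000 (NO_PID) are what pf records when no
# local socket owner was found for the packet; treat them as "unknown".
NO_SOCKET_UID = 4294967295

HEADER = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) \[uid (?P<ruid>\d+), pid (?P<rpid>\d+)\] "
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?:\[uid (?P<suid>\d+), pid (?P<spid>\d+)\] )?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+)")

def parse_pflog(line):
    """Return the pf header fields of one tcpdump-rendered pflog line, or None."""
    m = HEADER.search(line)
    if m is None:
        return None
    rec = {k: (int(v) if v is not None and v.isdigit() else v) for k, v in m.groupdict().items()}
    # The socket owner is only meaningful when pf actually matched a local socket.
    rec["owner_known"] = rec["suid"] is not None and rec["suid"] != NO_SOCKET_UID
    return rec

def outbound_smtp_blocks(lines, mailserver):
    """(src, dst, rule, interface) for blocked outbound port-25 attempts not from the mail server."""
    hits = []
    for line in lines:
        r = parse_pflog(line)
        if (r and r["action"] == "block" and r["dir"] == "out"
                and r["dport"] == 25 and r["src"] != mailserver):
            hits.append((r["src"], r["dst"], r["rule"], r["ifname"]))
    return hits

if __name__ == "__main__":
    for hit in outbound_smtp_blocks(SAMPLE_PFLOG, "192.168.11.25"):
        print("blocked outbound SMTP from %s to %s (rule %d on %s)" % hit)
```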
  • 17. pfctl(8)
    Status: Enabled for 0 days 01:24:26              Debug: err

    State Table                          Total             Rate
      current entries                       23
      searches                           24884            4.9/s
      inserts                             2078            0.4/s
      removals                            2055            0.4/s
    Counters
      match                               2240            0.4/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                            159            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                         0            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s
      translate                              0            0.0/s
      no-route                               0            0.0/s
  • 18. systat(8)
       4 users    Load 1.39 1.60 1.58                           fw.domain.net 15:47:44

    LOCAL ADDRESS          FOREIGN ADDRESS                                  PROTO  RECV-Q SEND-Q STATE
    192.168.11.32:48285    mil04s28-in-f161.1e100.net:443                   tcp         0      0 ESTABLISHED
    192.168.11.32:33012    mil04s28-in-f163.1e100.net:443                   tcp         0      0 ESTABLISHED
    192.168.11.32:46466    mil04s26-in-f14.1e100.net:443                    tcp         0      0 ESTABLISHED
    192.168.11.32:19338    mil04s28-in-f174.1e100.net:443                   tcp         0      0 ESTABLISHED
    192.168.11.32:23282    74.125.111.135:443                               tcp         0      0 ESTABLISHED
    192.168.11.32:8453     server-54-192-25-25.mxp4.r.cloudfront.net:www    tcp         0      0 TIME_WAIT
    192.168.11.32:45682    host33-137-dynamic.26-79-r.retail.telecomital    tcp         0      0 ESTABLISHED
    192.168.11.32:43126    weber.freenode.net:6667                          tcp         0      0 ESTABLISHED
    192.168.11.32:22989    host69-172-177-94.serverdedicati.aruba.it:ntp    udp         0      0
    192.168.11.32:42148    213.251.52.250:ntp                               udp         0      0
  • 19. pf(4)
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <sys/ioctl.h>
    #include <sys/fcntl.h>
    #include <net/if.h>
    #include <net/pfvar.h>
    #include <stdio.h>
    #include <err.h>

    int
    main(int argc, char *argv[])
    {
    	int dev;

    	/* pf(4) is controlled through ioctl(2) calls on /dev/pf */
    	dev = open("/dev/pf", O_RDWR);
    	if (dev == -1)
    		err(1, "open(\"/dev/pf\") failed");
    	/* DIOCSTOP turns packet filtering off, the same thing pfctl -d does */
    	if (ioctl(dev, DIOCSTOP))
    		err(1, "DIOCSTOP");
    	else
    		printf("pf disabled\n");
    	return 0;
    }
  • 20. Need some more info ?
    man pages about pf(4), pfctl(8) and pf.conf(5)
    man pages about tcpdump(8) and pcap-filter(3)
    https://www.openbsd.org/faq/pf/index.html
    https://home.nuug.no/~peter/pf/newest/
    https://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html