Packet Filter (pf) -
Transcript of Packet Filter (pf) -
![Page 1: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/1.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 1/32
Packet Filter (pf)
An Extended Introduction
Max Laierhttp://people.freebsd.org/ mlaier/
FreeBSD.ORG
http://www.FreeBSD.ORG/
![Page 2: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/2.jpg)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 2/32
pf - History
![Page 3: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/3.jpg)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilites
l License issues with ipfilter (ipf)l Solution:
F Rewrite from scratchF At least 3 competting solutionsF Daniel Hartmeier’s pf choosen due to:
n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were mergedl OpenBSD 3.0 (December 1, 2001) first release with pf
![Page 4: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/4.jpg)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilitesl License issues with ipfilter (ipf)
l Solution:F Rewrite from scratchF At least 3 competting solutionsF Daniel Hartmeier’s pf choosen due to:
n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were mergedl OpenBSD 3.0 (December 1, 2001) first release with pf
![Page 5: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/5.jpg)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilitesl License issues with ipfilter (ipf)l Solution:
F Rewrite from scratchF At least 3 competting solutions
F Daniel Hartmeier’s pf choosen due to:n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were mergedl OpenBSD 3.0 (December 1, 2001) first release with pf
![Page 6: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/6.jpg)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilitesl License issues with ipfilter (ipf)l Solution:
F Rewrite from scratchF At least 3 competting solutionsF Daniel Hartmeier’s pf choosen due to:
n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were mergedl OpenBSD 3.0 (December 1, 2001) first release with pf
![Page 7: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/7.jpg)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilitesl License issues with ipfilter (ipf)l Solution:
F Rewrite from scratchF At least 3 competting solutionsF Daniel Hartmeier’s pf choosen due to:
n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were merged
l OpenBSD 3.0 (December 1, 2001) first release with pf
![Page 8: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/8.jpg)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilitesl License issues with ipfilter (ipf)l Solution:
F Rewrite from scratchF At least 3 competting solutionsF Daniel Hartmeier’s pf choosen due to:
n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were mergedl OpenBSD 3.0 (December 1, 2001) first release with pf
![Page 9: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/9.jpg)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 4/32
Ports
l November 5, 2002 – Joel Wilsson to NetBSDl March 25, 2003 – Pyun YongHyeon to FreeBSDl June 27, 2003 – KAME integrates source from OpenBSD
currentl February 26, 2004 – FreeBSD integrates the port into the
base systeml June 22, 2004 – NetBSD integrates the port into the base
systeml Ongoing work to port to DragonFlyBSD
l Ports might behave differently!F FreeBSD 5-STABLE will be compatible to OpenBSD 3.5F NetBSD is level with OpenBSD 3.5 at the momentF KAME seems to track OpenBSD-current (on and off)
![Page 10: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/10.jpg)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 4/32
Ports
l November 5, 2002 – Joel Wilsson to NetBSDl March 25, 2003 – Pyun YongHyeon to FreeBSDl June 27, 2003 – KAME integrates source from OpenBSD
currentl February 26, 2004 – FreeBSD integrates the port into the
base systeml June 22, 2004 – NetBSD integrates the port into the base
systeml Ongoing work to port to DragonFlyBSD
l Ports might behave differently!F FreeBSD 5-STABLE will be compatible to OpenBSD 3.5F NetBSD is level with OpenBSD 3.5 at the momentF KAME seems to track OpenBSD-current (on and off)
![Page 11: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/11.jpg)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 5/32
Releases
l OpenBSD makes a relase aprox. every 6 monthl pf still gains a lot of features with every releasel Overlapping release cycles might cause considerable deltas
between OpenBSD and the various portsl Most of the porting efforts follow OpenBSD’s lead when it
comes to new features, but divergence might occure whererequired.
l Check the documentation!
![Page 12: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/12.jpg)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 5/32
Releases
l OpenBSD makes a relase aprox. every 6 monthl pf still gains a lot of features with every releasel Overlapping release cycles might cause considerable deltas
between OpenBSD and the various portsl Most of the porting efforts follow OpenBSD’s lead when it
comes to new features, but divergence might occure whererequired.
l Check the documentation!
![Page 13: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/13.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 6/32
pf - Features
![Page 14: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/14.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 7/32
Basics
l Ruleset based configurationF Anchors allow nesting a
F Tables allow dynamic adaption of rules a
F Interface address management b
l Default (logical) order required1. Macro and table definitions2. (Global) Options3. Traffic Normalization (scrub)4. Network address translation (NAT ) and redirection5. Filtering rules
l Last matching rule winsF This can be changed with the ‘quick’ keyword
l Macros allow easier reading/writing and understanding ofrulesa introduced in OpenBSD 3.3b introduced in OpenBSD 3.2
![Page 15: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/15.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 7/32
Basics
l Ruleset based configurationF Anchors allow nesting a
F Tables allow dynamic adaption of rules a
F Interface address management b
l Default (logical) order required1. Macro and table definitions2. (Global) Options3. Traffic Normalization (scrub)4. Network address translation (NAT ) and redirection5. Filtering rules
l Last matching rule winsF This can be changed with the ‘quick’ keyword
l Macros allow easier reading/writing and understanding ofrulesa introduced in OpenBSD 3.3b introduced in OpenBSD 3.2
![Page 16: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/16.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 7/32
Basics
l Ruleset based configurationF Anchors allow nesting a
F Tables allow dynamic adaption of rules a
F Interface address management b
l Default (logical) order required1. Macro and table definitions2. (Global) Options3. Traffic Normalization (scrub)4. Network address translation (NAT ) and redirection5. Filtering rules
l Last matching rule winsF This can be changed with the ‘quick’ keyword
l Macros allow easier reading/writing and understanding ofrulesa introduced in OpenBSD 3.3b introduced in OpenBSD 3.2
![Page 17: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/17.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 7/32
Basics
l Ruleset based configurationF Anchors allow nesting a
F Tables allow dynamic adaption of rules a
F Interface address management b
l Default (logical) order required1. Macro and table definitions2. (Global) Options3. Traffic Normalization (scrub)4. Network address translation (NAT ) and redirection5. Filtering rules
l Last matching rule winsF This can be changed with the ‘quick’ keyword
l Macros allow easier reading/writing and understanding ofrulesa introduced in OpenBSD 3.3b introduced in OpenBSD 3.2
![Page 18: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/18.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
![Page 19: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/19.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
![Page 20: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/20.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
![Page 21: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/21.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
![Page 22: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/22.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
![Page 23: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/23.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
![Page 24: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/24.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
![Page 25: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/25.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 9/32
NAT and redirection
l BINAT – bidirectional address translationl NAT – source address translation
F static port – prevents sourceport rewritel RDR – destination address translation
NAT and especially RDR can be combined with addressloadbalancing. The following disciplines to choose an addressfrom the pool are available:l randoml round-robinl bitmaskl source-hash
The sticky-address-option can be applied to random andround-robin to improve the redirection mapping
![Page 26: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/26.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 9/32
NAT and redirection
l BINAT – bidirectional address translationl NAT – source address translation
F static port – prevents sourceport rewritel RDR – destination address translation
NAT and especially RDR can be combined with addressloadbalancing. The following disciplines to choose an addressfrom the pool are available:l randoml round-robinl bitmaskl source-hash
The sticky-address-option can be applied to random andround-robin to improve the redirection mapping
![Page 27: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/27.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 9/32
NAT and redirection
l BINAT – bidirectional address translationl NAT – source address translation
F static port – prevents sourceport rewritel RDR – destination address translation
NAT and especially RDR can be combined with addressloadbalancing. The following disciplines to choose an addressfrom the pool are available:l randoml round-robinl bitmaskl source-hash
The sticky-address-option can be applied to random andround-robin to improve the redirection mapping
![Page 28: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/28.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
pf filters on everything and provides understandable syntax
![Page 29: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/29.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Incomming
l Outgoing
pf filters on everything and provides understandable syntax
![Page 30: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/30.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l IPv4 “inet”
l IPv6 “inet6”
pf filters on everything and provides understandable syntax
![Page 31: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/31.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l “any”
l “no-route”
l “self”
l IPv4 dotted quad (127.0.0.1)
l IPv6 coloned hex(2001:200:0:8002:203:47ff:fea5:3085)
l CIDR compatible since OpenBSD 3.3
l Hostname (freebsd.org)
l Netmasks can be applied
l pf can (dynamically) extract addressesfrom a local interface
pf filters on everything and provides understandable syntax
![Page 32: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/32.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l (IP)Protocol number
l Protocol name/alias (etc/protocols)
pf filters on everything and provides understandable syntax
![Page 33: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/33.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l ‘lowdelay’
l ‘throughput’
l ‘reliability’
l Explicit hex-code
pf filters on everything and provides understandable syntax
![Page 34: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/34.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Disallow (default)
l Allow
pf filters on everything and provides understandable syntax
![Page 35: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/35.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Type
l Code
pf filters on everything and provides understandable syntax
![Page 36: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/36.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Source/Destination port(-range)
l Flags
l Socket credentials (‘owner’ of thesending/receiving application)
l OS type (passiv fingerprinting of theinitial SYN packet)
pf filters on everything and provides understandable syntax
![Page 37: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/37.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Source/Destination port(-range)
l Socket credentials (‘owner’ of thesending/receiving application)
pf filters on everything and provides understandable syntax
![Page 38: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/38.jpg)
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Source/Destination port(-range)
l Socket credentials (‘owner’ of thesending/receiving application)
pf filters on everything and provides understandable syntax
![Page 39: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/39.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 11/32
Filtering - Stateful
States are fast:l Indexed in a reb-black tree => fast lookup (O(lg(n)))l State lookup is much faster than ruleset evaluation
States increase security:l Control who initiates a connectionl Apply additional sanity checks to TCP connections
F Segments must be in the windowF Restes must be on the edge of the windowF Window scaling availableF pf must ‘see’ the initial handshake (flags S/SA)
l Help to gather accounting information (pfflowd e.g.)l Additional peer protection against ISN prediction attacks
available with modulate state and synproxy
States are also used to keep track of address translations.
![Page 40: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/40.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 11/32
Filtering - Stateful
States are fast:l Indexed in a reb-black tree => fast lookup (O(lg(n)))l State lookup is much faster than ruleset evaluation
States increase security:l Control who initiates a connectionl Apply additional sanity checks to TCP connections
F Segments must be in the windowF Restes must be on the edge of the windowF Window scaling availableF pf must ‘see’ the initial handshake (flags S/SA)
l Help to gather accounting information (pfflowd e.g.)l Additional peer protection against ISN prediction attacks
available with modulate state and synproxy
States are also used to keep track of address translations.
![Page 41: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/41.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 11/32
Filtering - Stateful
States are fast:l Indexed in a reb-black tree => fast lookup (O(lg(n)))l State lookup is much faster than ruleset evaluation
States increase security:l Control who initiates a connectionl Apply additional sanity checks to TCP connections
F Segments must be in the windowF Restes must be on the edge of the windowF Window scaling availableF pf must ‘see’ the initial handshake (flags S/SA)
l Help to gather accounting information (pfflowd e.g.)l Additional peer protection against ISN prediction attacks
available with modulate state and synproxy
States are also used to keep track of address translations.
![Page 42: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/42.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
![Page 43: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/43.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
![Page 44: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/44.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
![Page 45: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/45.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
![Page 46: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/46.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
![Page 47: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/47.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
![Page 48: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/48.jpg)
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
![Page 49: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/49.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 13/32
pf - Advanced notes
![Page 50: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/50.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 14/32
Interesting options
l timeoutsF Set fragment cache timeF Set cleanup intervalsF Finetune TCP handshake timeoutsF Finetune UDP/ICMP/other state hold timeF adaptive.start adaptive.end
Used to scale timeouts according to current state load. Asthe total number of states increase, unused states diemore quickly.
l limitsF StatesF FragementsF Source-tracking nodes
![Page 51: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/51.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 14/32
Interesting options
l timeoutsF Set fragment cache timeF Set cleanup intervalsF Finetune TCP handshake timeoutsF Finetune UDP/ICMP/other state hold timeF adaptive.start adaptive.end
Used to scale timeouts according to current state load. Asthe total number of states increase, unused states diemore quickly.
l limitsF StatesF FragementsF Source-tracking nodes
![Page 52: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/52.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
![Page 53: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/53.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
![Page 54: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/54.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
![Page 55: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/55.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
![Page 56: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/56.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
![Page 57: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/57.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
![Page 58: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/58.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 16/32
Stateful II
Synproxy states:l Gateway completes the 3-way handshakel Gateway initiates connection with the destinationl Further traffic is a normal stateful connection
Same mechanisms used as for modulate-state connections
Useful to protect web- and DB-server against SYN-floodattacks.
![Page 59: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/59.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 16/32
Stateful II
Synproxy states:l Gateway completes the 3-way handshakel Gateway initiates connection with the destinationl Further traffic is a normal stateful connection
Same mechanisms used as for modulate-state connections
Useful to protect web- and DB-server against SYN-floodattacks.
![Page 60: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/60.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 16/32
Stateful II
Synproxy states:l Gateway completes the 3-way handshakel Gateway initiates connection with the destinationl Further traffic is a normal stateful connection
Same mechanisms used as for modulate-state connections
Useful to protect web- and DB-server against SYN-floodattacks.
![Page 61: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/61.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 16/32
Stateful II
Synproxy states:l Gateway completes the 3-way handshakel Gateway initiates connection with the destinationl Further traffic is a normal stateful connection
Same mechanisms used as for modulate-state connections
Useful to protect web- and DB-server against SYN-floodattacks.
![Page 62: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/62.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definition
F Plan: per-jail rulesets managed by jail-root (in FreeBSD)l New in 3.6: Recursive anchors
![Page 63: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/63.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definition
F Plan: per-jail rulesets managed by jail-root (in FreeBSD)l New in 3.6: Recursive anchors
![Page 64: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/64.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definition
F Plan: per-jail rulesets managed by jail-root (in FreeBSD)l New in 3.6: Recursive anchors
![Page 65: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/65.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definition
F Plan: per-jail rulesets managed by jail-root (in FreeBSD)l New in 3.6: Recursive anchors
![Page 66: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/66.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definition
F Plan: per-jail rulesets managed by jail-root (in FreeBSD)l New in 3.6: Recursive anchors
![Page 67: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/67.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definitionF Plan: per-jail rulesets managed by jail-root (in FreeBSD)
l New in 3.6: Recursive anchors
![Page 68: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/68.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definitionF Plan: per-jail rulesets managed by jail-root (in FreeBSD)
l New in 3.6: Recursive anchors
![Page 69: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/69.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 18/32
Misc
l Skip-stepsF Jump over rules that cannot matchF Optimize ruleset evaluationF New in 3.6: Ruleset optimization
l TaggingF Only with stateful rulesF Allows to seperate classification and policyF Used to support layer 2 filtering
l OS FingerprintsF Base on p0fF Only for the initial SYN packet
F This can be spoofed! Not a security tool
![Page 70: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/70.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 18/32
Misc
l Skip-stepsF Jump over rules that cannot matchF Optimize ruleset evaluationF New in 3.6: Ruleset optimization
l TaggingF Only with stateful rulesF Allows to seperate classification and policyF Used to support layer 2 filtering
l OS FingerprintsF Base on p0fF Only for the initial SYN packet
F This can be spoofed! Not a security tool
![Page 71: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/71.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 18/32
Misc
l Skip-stepsF Jump over rules that cannot matchF Optimize ruleset evaluationF New in 3.6: Ruleset optimization
l TaggingF Only with stateful rulesF Allows to seperate classification and policyF Used to support layer 2 filtering
l OS FingerprintsF Base on p0fF Only for the initial SYN packet
F This can be spoofed! Not a security tool
![Page 72: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/72.jpg)
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 18/32
Misc
l Skip-stepsF Jump over rules that cannot matchF Optimize ruleset evaluationF New in 3.6: Ruleset optimization
l TaggingF Only with stateful rulesF Allows to seperate classification and policyF Used to support layer 2 filtering
l OS FingerprintsF Base on p0fF Only for the initial SYN packetF This can be spoofed! Not a security tool
![Page 73: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/73.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 19/32
ALTQ (short)
![Page 74: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/74.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 20/32
Basics
l ALTQ provides several disciplies to queue packetsl Can be used to control bandwidth allocation and packet
priorizationl Most effective in front of a bandwidth bottleneck (i.e. on the
uplink gateway)
Detailated per-application evaluation is required toimplement ALTQ
![Page 75: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/75.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 20/32
Basics
l ALTQ provides several disciplies to queue packetsl Can be used to control bandwidth allocation and packet
priorizationl Most effective in front of a bandwidth bottleneck (i.e. on the
uplink gateway)
Detailated per-application evaluation is required toimplement ALTQ
![Page 76: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/76.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 20/32
Basics
l ALTQ provides several disciplies to queue packetsl Can be used to control bandwidth allocation and packet
priorizationl Most effective in front of a bandwidth bottleneck (i.e. on the
uplink gateway)
Detailated per-application evaluation is required toimplement ALTQ
![Page 77: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/77.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 20/32
Basics
l ALTQ provides several disciplies to queue packetsl Can be used to control bandwidth allocation and packet
priorizationl Most effective in front of a bandwidth bottleneck (i.e. on the
uplink gateway)Detailated per-application evaluation is required toimplement ALTQ
![Page 78: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/78.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 21/32
ALTQ and pf
l pf gained ALTQ linkage in OpenBSD 3.3l Stateful pass rules assign thier traffic to a queuel ‘Lowdelay’ and empty ACKs can be treated speciallyl Queues are setup from the ruleset directly
![Page 79: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/79.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 21/32
ALTQ and pf
l pf gained ALTQ linkage in OpenBSD 3.3l Stateful pass rules assign thier traffic to a queuel ‘Lowdelay’ and empty ACKs can be treated speciallyl Queues are setup from the ruleset directly
![Page 80: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/80.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 21/32
ALTQ and pf
l pf gained ALTQ linkage in OpenBSD 3.3l Stateful pass rules assign thier traffic to a queuel ‘Lowdelay’ and empty ACKs can be treated speciallyl Queues are setup from the ruleset directly
![Page 81: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/81.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 21/32
ALTQ and pf
l pf gained ALTQ linkage in OpenBSD 3.3l Stateful pass rules assign thier traffic to a queuel ‘Lowdelay’ and empty ACKs can be treated speciallyl Queues are setup from the ruleset directly
![Page 82: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/82.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 22/32
CARP
![Page 83: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/83.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
![Page 84: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/84.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
![Page 85: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/85.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
![Page 86: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/86.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
![Page 87: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/87.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
![Page 88: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/88.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
![Page 89: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/89.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 24/32
CARP and pf(sync)
In order to support firewall/gateway redundancy every firewallmust know about open connections (=states). The pfsyncpseudo interface enables state synchronization:l Each Firewall send out state changes via multicast
F InsertF UpdateF Delete
l States have an unique IDl Best effort synchronization
Tends towards complete state view on every firewalll Mechanisms to limit bandwidth and processing overhead
F Updates contain only the changing informationF Multiple updates are merged into one transfer
l pfsync prevents CARP preemption until states aresynchronized
Example setup
![Page 90: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/90.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 24/32
CARP and pf(sync)
In order to support firewall/gateway redundancy every firewallmust know about open connections (=states). The pfsyncpseudo interface enables state synchronization:l Each Firewall send out state changes via multicast
F InsertF UpdateF Delete
l States have an unique IDl Best effort synchronization
Tends towards complete state view on every firewalll Mechanisms to limit bandwidth and processing overhead
F Updates contain only the changing informationF Multiple updates are merged into one transfer
l pfsync prevents CARP preemption until states aresynchronized
Example setup
![Page 91: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/91.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 24/32
CARP and pf(sync)
In order to support firewall/gateway redundancy every firewallmust know about open connections (=states). The pfsyncpseudo interface enables state synchronization:l Each Firewall send out state changes via multicast
F InsertF UpdateF Delete
l States have an unique IDl Best effort synchronization
Tends towards complete state view on every firewalll Mechanisms to limit bandwidth and processing overhead
F Updates contain only the changing informationF Multiple updates are merged into one transfer
l pfsync prevents CARP preemption until states aresynchronized
Example setup
![Page 92: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/92.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 24/32
CARP and pf(sync)
In order to support firewall/gateway redundancy every firewallmust know about open connections (=states). The pfsyncpseudo interface enables state synchronization:l Each Firewall send out state changes via multicast
F InsertF UpdateF Delete
l States have an unique IDl Best effort synchronization
Tends towards complete state view on every firewalll Mechanisms to limit bandwidth and processing overhead
F Updates contain only the changing informationF Multiple updates are merged into one transfer
l pfsync prevents CARP preemption until states aresynchronized
Example setup
![Page 93: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/93.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 24/32
CARP and pf(sync)
In order to support firewall/gateway redundancy every firewallmust know about open connections (=states). The pfsyncpseudo interface enables state synchronization:l Each Firewall send out state changes via multicast
F InsertF UpdateF Delete
l States have an unique IDl Best effort synchronization
Tends towards complete state view on every firewalll Mechanisms to limit bandwidth and processing overhead
F Updates contain only the changing informationF Multiple updates are merged into one transfer
l pfsync prevents CARP preemption until states aresynchronized
Example setup
![Page 94: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/94.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 25/32
More CARP
But CARP can not only do ‘simple’ firewall failover.l Load balancing
F Built-in ARP source-hashF pf and RDR/NATF DNS round-robin
l Use it on serversl . . .
More complicated example
![Page 95: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/95.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 25/32
More CARP
But CARP can not only do ‘simple’ firewall failover.l Load balancing
F Built-in ARP source-hashF pf and RDR/NATF DNS round-robin
l Use it on serversl . . .
More complicated example
![Page 96: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/96.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 25/32
More CARP
But CARP can not only do ‘simple’ firewall failover.l Load balancing
F Built-in ARP source-hashF pf and RDR/NATF DNS round-robin
l Use it on serversl . . .
More complicated example
![Page 97: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/97.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Questionsv Linksv Support
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 26/32
Questions
![Page 98: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/98.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Questionsv Linksv Support
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 27/32
Links
These slides are at: http://people.freebsd.org/ mlaier/sucon.pdf
l OpenBSDl OpenBSD pfl FreeBSDl FreeBSD pfl NetBSDl NetBSD pfl DragonFly BSDl DragonFly BSDl p0fl ALTQ additional readingl CARP additional reading
![Page 99: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/99.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Questionsv Linksv Support
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 28/32
Support
If you like pf, please
Buy OpenBSD CD-Sets! Support the developers!
![Page 100: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/100.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Examplesv Table - Examplev CARP - Simplev CARP - Advanced
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 29/32
Examples
![Page 101: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/101.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Examplesv Table - Examplev CARP - Simplev CARP - Advanced
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 30/32
Table - Example
pf.test:
table <test> persist { 10/8, 10.0.10/24, !10.0.10.1 }
block all
pass out to <test> keep state
# pfctl -ef pf.test
# ping -c 1 10.0.0.10 && ping -c 2 10.0.10.10
# ping -c 1 10.0.10.1
PING 10.0.10.1 (10.0.10.1): 56 data bytes
ping: sendto: Operation not permitted
ˆC
# pfctl -t test -vTshow
10.0.0.0/8
Cleared: Wed Sep 1 19:57:38 2004
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 1 Bytes: 84 ]
10.0.10.0/24
<...>
Out/Pass: [ Packets: 2 Bytes: 168 ]
!10.0.10.1
Cleared: Wed Sep 1 19:57:38 2004
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
. . . back
![Page 102: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/102.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Examplesv Table - Examplev CARP - Simplev CARP - Advanced
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 31/32
CARP - Simple
. . . back
![Page 103: Packet Filter (pf) -](https://reader030.fdocuments.us/reader030/viewer/2022032721/623d5b5215af2b3a877cfee8/html5/thumbnails/103.jpg)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Examplesv Table - Examplev CARP - Simplev CARP - Advanced
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 32/32
CARP - Advanced
. . . back