Packet Filter

Based on Chris’s “Falling in love with pf(4)” google status, I decided to take the plunge and move off of ipfw(4) to pf(4). I’m not at the point where I could write my one filter, however, I do feel I at least understand what is happening here. I also took the time to update all my ports, so I’m even running PHP 5.3.2, the latest WP release and about 600 other installed ports (Yikes, I’ve got a LOT of stuff on this server!).

I’ve always built my own kernel, at least on my home server, so the first thing to do is sync my /usr/src tree:

$ sudo su -
root# csup ~/bin/src-supfile
...
root# vim /usr/src/sys/amd64/conf/BLACKHOLE
# pf
device          pf
device          pflog
# pf's QoS - ALTQ
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

root# cd /usr/src ; make -j8 buildkernel && make installkernel && reboot

I use tcsh, a C Shell variant, and I find the AND (&&) operator really useful to chain commands together but I require that they succeed. This way, if my build fails, it will abort and not proceed with the install and reboot.

Now that I have a updated kernel with PF enabled, I had to steal Chris’s configuration:

/etc/rc.conf

root# vim /etc/rc.conf
#
# Packet Filter
#
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

#
# Unused, pf replaces all of this
#
#natd_program="/sbin/natd"       # path to natd, if you want a different one.
#natd_enable="YES"                # Enable natd (if firewall_enable == YES).
#natd_interface="em0"               # Public interface or IPaddress to use.
#natd_flags="-u -s -m"                   # Additional flags for natd.
#firewall_enable="YES"
#firewall_script="/usr/local/etc/rc.firewall"
#firewall_logging="YES"

/etc/pf.conf

root# vim /etc/pf.conf
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# cshumway@titan-project.org wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return Christopher Shumway
# ----------------------------------------------------------------------------
#
# pf.conf
ext_if="em0"
int_if="em1"
lan_net="192.168.2.0/24"
open_ports="{ domain, ssh, http, https }"

# options
set skip on lo0
set skip on $int_if
set limit states 25000
set loginterface $ext_if
set state-policy if-bound

# scrub traffic
scrub in all

# NAT
nat on $ext_if from $lan_net to any -> ($ext_if)

# upnp redirection
rdr-anchor "miniupnpd"
anchor "miniupnpd"

# antispoofing
antispoof for $ext_if

# rules start here
block in
pass out on $ext_if keep state
pass in on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $open_ports flags S/SA keep state
pass in on $ext_if inet proto icmp

Pretty simple, and after a reboot my top process is java, and not natd(8). I can almost feel the internet becoming faster

Rock n Roll Owen

Unlike me, Owen still looks like a nice guy with shades on. I look like someone who would drive a black acura and cut you off...

Owen doesn't like the Paparazzi treatment!

We’ve made up, and did a publicity photo-op together

Caralyne’s Garden

Caralyne is skillful with both tending plants, and stapling things.

Dogs

Zoey and Coal sharing the morning sun

Pretend you are a dog, specifically my dog (oh if only you could be so lucky!) Coal. You’ve got that cute little muzzle with a cute button nose; but since you are such a smart little aussie, your brain-pan is bigger than your mouth. This gives your head a particular triangular shape, the kind of shape that will let you easily shove you head into a tight spot. Well, you better hope you can squeeze your whole body through, because if not, there is no way your head is backing out at this point.

Oh, you can’t? Well, better call the fire department…

He can almost taste the freedom!

Fixed, but now our cat cannot slip through

This is unrelated, I just wanted to post how funny he looks when that hair is flattened

We used warm water, he's not really cold.