Stuff and Things

I don’t have a central theme with this post, but I wanted to at least do something (it has been a while).

Packet Filter

Based on Chris’s “Falling in love with pf(4)” Google status, I decided to take the plunge and move off of ipfw(4) to pf(4). I’m not at the point where I could write my own filter; however, I do feel I at least understand what is happening here. I also took the time to update all my ports, so I’m even running PHP 5.3.2, the latest WP release and about 600 other installed ports (Yikes, I’ve got a LOT of stuff on this server!).

I’ve always built my own kernel, at least on my home server, so the first thing to do is sync my /usr/src tree:

$ sudo su -
root# csup ~/bin/src-supfile
...
root# vim /usr/src/sys/amd64/conf/BLACKHOLE
# pf
device          pf
device          pflog
# pf's QoS - ALTQ
options         ALTQ
options         ALTQ_CBQ        # Class Based Queueing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

root# cd /usr/src ; make -j8 buildkernel && make installkernel && reboot

I use tcsh, a C Shell variant, and I find the AND (&&) operator really useful for chaining commands that must each succeed before the next one runs: && only starts the next command if the previous one exited with status 0. This way, if my build fails, the chain aborts and never gets to the install and reboot.

Now that I have an updated kernel with PF enabled, I had to steal Chris’s configuration:

/etc/rc.conf

root# vim /etc/rc.conf
#
# Packet Filter
#
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

#
# Unused, pf replaces all of this
#
#natd_program="/sbin/natd"       # path to natd, if you want a different one.
#natd_enable="YES"                # Enable natd (if firewall_enable == YES).
#natd_interface="em0"               # Public interface or IPaddress to use.
#natd_flags="-u -s -m"                   # Additional flags for natd.
#firewall_enable="YES"
#firewall_script="/usr/local/etc/rc.firewall"
#firewall_logging="YES"

/etc/pf.conf

root# vim /etc/pf.conf
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# cshumway@titan-project.org wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return Christopher Shumway
# ----------------------------------------------------------------------------
#
# pf.conf
ext_if="em0"
int_if="em1"
lan_net="192.168.2.0/24"
open_ports="{ domain, ssh, http, https }"

# options
set skip on lo0
set skip on $int_if     # no filtering at all on the LAN side; only $ext_if is policed
set limit states 25000
set loginterface $ext_if
set state-policy if-bound

# scrub traffic
scrub in all

# NAT
nat on $ext_if from $lan_net to any -> ($ext_if)

# upnp redirection
rdr-anchor "miniupnpd"
anchor "miniupnpd"

# antispoofing
antispoof for $ext_if

# rules start here
block in                          # default deny inbound (effectively on $ext_if, since lo0 and $int_if are skipped);
                                  # add "log" here if blocked packets should show up on pflog0
pass out on $ext_if keep state    # everything leaving is allowed and tracked, so replies get back in
pass in on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $open_ports flags S/SA keep state
pass in on $ext_if inet proto icmp   # every ICMP type, not just echo requests

Pretty simple, and after a reboot my top process is java, and not natd(8). I can almost feel the internet becoming faster :)
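With pflog_enable="YES" and the pflog device in the kernel, pf can write the packets it blocks or passes to pflog0, readable with `tcpdump -n -e -ttt -i pflog0` (or `-r /var/log/pflog` for the file pflogd keeps). Two things to know before expecting output there: pf only logs a packet when the matching rule carries the `log` keyword, which none of the rules above do (so `block in` would need to become `block in log`), and `set loginterface` has nothing to do with pflog; it just enables the per-interface counters shown by `pfctl -s info`. The script below is an added example, not code from the original post or from Chris’s configuration. It parses tcpdump’s pflog output into records, summarises which sources and destination ports the block rule is catching, and flags sources blocked on several distinct ports as likely scanners. The log lines embedded in it are constructed to match the pflog printer’s format (both the newer `Flags [S]` and older bare-flag TCP notation are accepted); the addresses are documentation ranges, em0 is the $ext_if from the ruleset above, and the rule numbers are arbitrary.

```python
"""Summarise tcpdump output from pflog0 (added example; not the post's own code).

Assumes lines as printed by `tcpdump -n -e -ttt -i pflog0`, i.e. a
"rule N/M(reason): action dir on iface:" prefix followed by the packet.
"""
import re
from collections import Counter, defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Prefix printed by tcpdump's pflog link-layer printer, then "src[.port] > dst[.port]:".
# Ports are optional so that ICMP lines (no ports) parse too.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>[^)]*)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    rf"(?P<src>{IPV4})(?:\.(?P<sport>\d+))? > "
    rf"(?P<dst>{IPV4})(?:\.(?P<dport>\d+))?:(?P<rest>.*)$"
)

# Constructed sample lines (not a real capture). Rule numbers are arbitrary;
# 192.0.2.10 is made to look like a scanner, 198.51.100.77 like ordinary noise.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3/0(match): pass in on em0: 198.51.100.20.51234 > 203.0.113.5.22: Flags [S], seq 1, win 65535, length 0
00:00:00.104211 rule 0/0(match): block in on em0: 192.0.2.10.4000 > 203.0.113.5.23: Flags [S], seq 2, win 1024, length 0
00:00:00.000850 rule 0/0(match): block in on em0: 192.0.2.10.4001 > 203.0.113.5.3389: Flags [S], seq 3, win 1024, length 0
00:00:00.000912 rule 0/0(match): block in on em0: 192.0.2.10.4002 > 203.0.113.5.445: Flags [S], seq 4, win 1024, length 0
00:00:00.221000 rule 0/0(match): block in on em0: 192.0.2.10.4003 > 203.0.113.5.1433: Flags [S], seq 5, win 1024, length 0
00:00:01.000000 rule 0/0(match): block in on em0: 198.51.100.77.40000 > 203.0.113.5.1900: UDP, length 133
00:00:00.300000 rule 4/0(match): pass in on em0: 198.51.100.77 > 203.0.113.5: ICMP echo request, id 2, seq 1, length 64
00:00:00.100000 rule 0/0(match): block in on em0: 198.51.100.77.40001 > 203.0.113.5.23: Flags [S], seq 9, win 1024, length 0
this line is not pflog output and must be skipped
"""


def parse_line(line):
    """Return a dict for one pflog line, or None if the line is not a pflog record."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    # Protocol is inferred from the packet text tcpdump appends after the port pair.
    if "UDP" in rest:
        rec["proto"] = "udp"
    elif "ICMP" in rest:
        rec["proto"] = "icmp"
    elif "Flags [" in rest or re.match(r"\s*[SRFPA.]+ ", rest):
        rec["proto"] = "tcp"
    else:
        rec["proto"] = "other"
    for key in ("rule", "sport", "dport"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse a whole capture, silently dropping non-pflog lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count passed packets, blocked packets per source, and blocked (proto, port) pairs."""
    blocked_src = Counter()
    blocked_port = Counter()
    passed = 0
    for r in records:
        if r["action"] != "block":
            passed += 1
            continue
        blocked_src[r["src"]] += 1
        if r["dport"] is not None:
            blocked_port[(r["proto"], r["dport"])] += 1
    return {"passed": passed, "blocked_by_src": blocked_src, "blocked_by_port": blocked_port}


def likely_scanners(records, min_ports=3):
    """Sources blocked on at least min_ports distinct (proto, port) targets, sorted."""
    targets = defaultdict(set)
    for r in records:
        if r["action"] == "block" and r["dport"] is not None:
            targets[r["src"]].add((r["proto"], r["dport"]))
    return sorted(src for src, ports in targets.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_PFLOG)
    s = summarize(recs)
    print("passed:", s["passed"])
    print("blocked by source:", s["blocked_by_src"].most_common())
    print("blocked by (proto, port):", s["blocked_by_port"].most_common())
    print("likely scanners:", likely_scanners(recs))
```

To run it against the real thing, replace SAMPLE_PFLOG with the output of `tcpdump -n -e -ttt -r /var/log/pflog` once the block rule has `log` on it; the `-e` flag is what makes tcpdump print the rule/action prefix the regex keys on.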

Rock n Roll Owen

Unlike me, Owen still looks like a nice guy with shades on. I look like someone who would drive a black Acura and cut you off...

Owen doesn't like the Paparazzi treatment!

We’ve made up and did a publicity photo-op together

Caralyne’s Garden

Caralyne is skillful at both tending plants and stapling things.

Dogs

Zoey and Coal sharing the morning sun

Easter

Sunday we celebrated Easter, as well as Owen’s 1st birthday (it’s really April 22nd, but we took advantage of having most of the family in one place), at my parents’ place in Knightsen.

Here is a link to the gallery on my other site, m87-blackhole.org:
http://www.m87-blackhole.org/photos/2009-04-12-easter/

I also took some pictures of my parents’ house in the making. It is starting to shape up nicely; my step dad is a pretty talented carpenter.