Packet Filter

Based on Chris’s “Falling in love with pf(4)” google status, I decided to take the plunge and move off of ipfw(4) to pf(4). I’m not at the point where I could write my one filter, however, I do feel I at least understand what is happening here. I also took the time to update all my ports, so I’m even running PHP 5.3.2, the latest WP release and about 600 other installed ports (Yikes, I’ve got a LOT of stuff on this server!).

I’ve always built my own kernel, at least on my home server, so the first thing to do is sync my /usr/src tree:

$ sudo su -
root# csup ~/bin/src-supfile
...
root# vim /usr/src/sys/amd64/conf/BLACKHOLE
# pf
device          pf
device          pflog
# pf's QoS - ALTQ
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

root# cd /usr/src ; make -j8 buildkernel && make installkernel && reboot

I use tcsh, a C Shell variant, and I find the AND (&&) operator really useful to chain commands together but I require that they succeed. This way, if my build fails, it will abort and not proceed with the install and reboot.

Now that I have a updated kernel with PF enabled, I had to steal Chris’s configuration:

/etc/rc.conf

root# vim /etc/rc.conf
#
# Packet Filter
#
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

#
# Unused, pf replaces all of this
#
#natd_program="/sbin/natd"       # path to natd, if you want a different one.
#natd_enable="YES"                # Enable natd (if firewall_enable == YES).
#natd_interface="em0"               # Public interface or IPaddress to use.
#natd_flags="-u -s -m"                   # Additional flags for natd.
#firewall_enable="YES"
#firewall_script="/usr/local/etc/rc.firewall"
#firewall_logging="YES"

/etc/pf.conf

root# vim /etc/pf.conf
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# cshumway@titan-project.org wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return Christopher Shumway
# ----------------------------------------------------------------------------
#
# pf.conf
ext_if="em0"
int_if="em1"
lan_net="192.168.2.0/24"
open_ports="{ domain, ssh, http, https }"

# options
set skip on lo0
set skip on $int_if
set limit states 25000
set loginterface $ext_if
set state-policy if-bound

# scrub traffic
scrub in all

# NAT
nat on $ext_if from $lan_net to any -> ($ext_if)

# upnp redirection
rdr-anchor "miniupnpd"
anchor "miniupnpd"

# antispoofing
antispoof for $ext_if

# rules start here
block in
pass out on $ext_if keep state
pass in on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $open_ports flags S/SA keep state
pass in on $ext_if inet proto icmp

Pretty simple, and after a reboot my top process is java, and not natd(8). I can almost feel the internet becoming faster :)

Rock n Roll Owen

Unlike me, Owen still looks like a nice guy with shades on. I look like someone who would drive a black acura and cut you off...

Owen doesn't like the Paparazzi treatment!

We’ve made up, and did a publicity photo-op together

Caralyne’s Garden

Caralyne is skillful with both tending plants, and stapling things.

Dogs

Zoey and Coal sharing the morning sun

Here is a link to the gallery on my other site, m87-blackhole.org:
http://www.m87-blackhole.org/photos/2009-04-12-easter/

I also took some pictures of my parents house in the making. It is starting to shape up nicely, my step dad is a pretty talented carpenter.