Tomorrow 2025-09-25 at 10:30 CEST, the refreshed "Network Management with the OpenBSD Packet Filter Toolset" https://events.eurobsdcon.org/2025/talk/FW39CX/ by yours truly, @stucchimax and Tom Smyth will start at #eurobsdcon.

We will put the updated slides online just before the session starts.

#openbsd #freebsd #pf #packetfilter #networking #firewall #trickery #security

🐨 Firewall upgrade at telco linked to deaths in Australia

｢ Australian telco Optus says its staff may not have followed established processes when a firewall upgrade they conducted resulted in customers not being able to call emergency services for 14 hours – a period during which it is thought three of the carrier’s customers died after trying to seek help, according to the company's CEO ｣

https://www.theregister.com/2025/09/21/optus_emergency_call_incident/

#australia #firewall #cybersecurity

Tomorrow 2025-09-25 at 10:30 CEST, the refreshed "Network Management with the OpenBSD Packet Filter Toolset" https://events.eurobsdcon.org/2025/talk/FW39CX/ by yours truly, @stucchimax and Tom Smyth will start at #eurobsdcon.

We will put the updated slides online just before the session starts.

#openbsd #freebsd #pf #packetfilter #networking #firewall #trickery #security

🐨 Firewall upgrade at telco linked to deaths in Australia

｢ Australian telco Optus says its staff may not have followed established processes when a firewall upgrade they conducted resulted in customers not being able to call emergency services for 14 hours – a period during which it is thought three of the carrier’s customers died after trying to seek help, according to the company's CEO ｣

https://www.theregister.com/2025/09/21/optus_emergency_call_incident/

#australia #firewall #cybersecurity

Does anyone know of a public set of ModSecurity exceptions for the fediverse/ActivityPub I can take a look at? I'm setting it up for GoToSocial and Mastodon now and manually doing this is pain.

Update, @cloudymax and I started a plugin here:
https://github.com/small-hack/argocd-apps/blob/2b7995c6fae5ecbb3944c6c6f4b139d98b76e67f/ingress-nginx/modsecurity_plugins_configmap.yaml#L177

Still happy to collaborate on it, but also wanted to note there was a mention a year ago about making an ActivityPub plugin over at the OWASP CRS repo, so maybe we could donate to that if its ever created:
https://github.com/coreruleset/coreruleset/issues/3497#issuecomment-1902181156

#WAF #modsecurity #nginx #apache #firewall #webApplicationFirewall #mastodon #gotosocial #activitypub

Does anyone know of a public set of ModSecurity exceptions for the fediverse/ActivityPub I can take a look at? I'm setting it up for GoToSocial and Mastodon now and manually doing this is pain.

Update, @cloudymax and I started a plugin here:
https://github.com/small-hack/argocd-apps/blob/2b7995c6fae5ecbb3944c6c6f4b139d98b76e67f/ingress-nginx/modsecurity_plugins_configmap.yaml#L177

Still happy to collaborate on it, but also wanted to note there was a mention a year ago about making an ActivityPub plugin over at the OWASP CRS repo, so maybe we could donate to that if its ever created:
https://github.com/coreruleset/coreruleset/issues/3497#issuecomment-1902181156

#WAF #modsecurity #nginx #apache #firewall #webApplicationFirewall #mastodon #gotosocial #activitypub

Burning it in for 12 hours now. It consumes 17W at idle running #OpenBSD 7.7 without apmd and ramps to 35W during KARL. Firmware was updated to the latest supported for the model and VT-x extensions have been turned off, this is just a firewall.

Thermals are good with the case back together. In 20 degrees ambient, they are reporting:
hw.sensors.cpu0.temp0=39.00 degC
hw.sensors.acpitz0.temp0=27.80 degC (zone temperature)
hw.sensors.nvme0.temp0=40.00 degC, OK

I did clean the heat sink and CPU, then applied new thermal paste. Time to build some ansible playbooks for management and then apply them, ready for production. #firewall#IPv6

Burning it in for 12 hours now. It consumes 17W at idle running #OpenBSD 7.7 without apmd and ramps to 35W during KARL. Firmware was updated to the latest supported for the model and VT-x extensions have been turned off, this is just a firewall.

Thermals are good with the case back together. In 20 degrees ambient, they are reporting:
hw.sensors.cpu0.temp0=39.00 degC
hw.sensors.acpitz0.temp0=27.80 degC (zone temperature)
hw.sensors.nvme0.temp0=40.00 degC, OK

I did clean the heat sink and CPU, then applied new thermal paste. Time to build some ansible playbooks for management and then apply them, ready for production. #firewall#IPv6

Id love to see some #solaris #illumos examples

Id love to see some #solaris #illumos examples

Long rumored, eagerly anticipated by some, you can now PREORDER "The Book of PF, 4th edition" https://nostarch.com/book-of-pf-4th-edition for the most up to date guide to the OpenBSD and FreeBSD networking toolset #openbsd #freebsd #networking #pf #packetfilter #firewall #preorder #security

Long rumored, eagerly anticipated by some, you can now PREORDER "The Book of PF, 4th edition" https://nostarch.com/book-of-pf-4th-edition for the most up to date guide to the OpenBSD and FreeBSD networking toolset #openbsd #freebsd #networking #pf #packetfilter #firewall #preorder #security

Unfortunately, public wifi and other badly configured #firewalls killed the concept of TCP ports. There is only one port left, that's 443 for everything.

Some people argue, it is a blessing for #privacy, because all our criminal #Jabber usage is hidden now.

Comparing firewall syntax for SSH (port 22) with default-deny:
================================================

#iptables (Linux)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP

#nftables (Linux)
nft add rule inet my_filter input tcp dport 22 accept
nft add rule inet my_filter input drop

#ufw (Linux - simplified frontend to iptables)
ufw allow 22/tcp
ufw default deny incoming

#pf (OpenBSD)
pass in proto tcp to port 22
block all

pf’s syntax feels so elegant, human-readable, & minimal!

After 20years scripting iptables, I’m ready to try UFW on my laptop.
#firewall #sysadmin #pf #iptables #ufw #nftables