#Tag · bonfire.cafe

The af-to in #OpenBSD #PF is so flexible that it allows you to host IPv4 services within a #IPv6 only network, only requiring dual-stack on the firewall/router. The 'pass' rule even allows for selective port decisions on where the IPv4 address might be used for other IPv4 only services #BSD:

pass in on $ext_if inet proto tcp to (egress:0) port 12345 af-to inet6 from 2001:db8:dead:beef::1 to 2001:db8:dead:beef::/96 port ssh

AkkomaFediTime Socials

Jason Tubnor 🇦🇺

@Tubsta@soc.feditime.com · 4 weeks ago

AkkomaFediTime Socials

Stefano Marinelli boosted

Peter N. M. Hansteen

@pitrh@mastodon.social · last month

If you are looking for #PF resources for #openbsd and #freebsd alike, the up to date slides for the #tutorial are at https://nxdomain.no/~peter/pf_fullday.pdf with updates for each session.

In addition, we (the good people at @nostarch and yours truly) are working to get the 4th edition of The Book PF ready and available as soon as possible (see https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html or tracked https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html)

View (PDF)

Yes, The Book of PF, 4th Edition Is Coming Soon

Peter N. M. Hansteen

@pitrh@mastodon.social · last month

If you are looking for #PF resources for #openbsd and #freebsd alike, the up to date slides for the #tutorial are at https://nxdomain.no/~peter/pf_fullday.pdf with updates for each session.

View (PDF)

Yes, The Book of PF, 4th Edition Is Coming Soon

Stefano Marinelli boosted

Peter N. M. Hansteen

@pitrh@mastodon.social · last month

Source and state limiters introduced in pf

https://www.undeadly.org/cgi?action=article;sid=20251112132639 #openbsd #pf #networking #statelimiters #sourcelimiters #statetracking #packetfilter #security #freesoftware #libressoftware

"This change has our resident packet manglers quite excited, and they think it will likely be a signature feature that will make the not-too-distant OpenBSD 7.9 release even more of an Internet favorite."

Source and state limiters introduced in pf

Peter N. M. Hansteen

@pitrh@mastodon.social · last month

Source and state limiters introduced in pf

https://www.undeadly.org/cgi?action=article;sid=20251112132639 #openbsd #pf #networking #statelimiters #sourcelimiters #statetracking #packetfilter #security #freesoftware #libressoftware

Source and state limiters introduced in pf

Michael Dexter and 1 other boosted

Larvitz

@Larvitz@mastodon.bsd.cafe · 2 months ago

Hot take: pf's built-in connection tracking beats fail2ban/sshguard hands down.

One simple ruleset gives you automatic brute-force protection with ZERO userland daemons. No log parsing, no reaction delays, no additional attack surface.

table <bruteforce> persist
pass in proto tcp to port 22 flags S/SA (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)

Kernel-level enforcement, instant blocking, survives reboots with persist.

Why spawn Python processes when your firewall already knows?

#bsd #freebsd #runbsd #firewall #pf #sysadmin

Larvitz

@Larvitz@mastodon.bsd.cafe · 2 months ago

Hot take: pf's built-in connection tracking beats fail2ban/sshguard hands down.

One simple ruleset gives you automatic brute-force protection with ZERO userland daemons. No log parsing, no reaction delays, no additional attack surface.

table <bruteforce> persist
pass in proto tcp to port 22 flags S/SA (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)

Kernel-level enforcement, instant blocking, survives reboots with persist.

Why spawn Python processes when your firewall already knows?

#bsd #freebsd #runbsd #firewall #pf #sysadmin

Stefano Marinelli boosted

Peter N. M. Hansteen

@pitrh@mastodon.social · 3 months ago

We are about five minutes from starting the "Network management with PF" https://events.eurobsdcon.org/2025/talk/FW39CX/ tutorial at #eurobsdcon in #zagreb. Slides at https://nxdomain.no/~peter/pf_fullday.pdf as usual #pf #openbsd #freebsd #packetfilter #networking

View (PDF)

Network Management with the OpenBSD Packet Filter Toolset (T5) EuroBSDCon 2025

The OpenBSD Packet Filter (PF) is at the core of the network management toolset available to professionals working with the OpenBSD and FreeBSD operating systems. Understanding the PF subsystem and the set of networking tools that interact with it is essential to building and maintaining a functional environment. The present session will both teach networking and security principles and provide opportunity for hands-on operation of the extensive network tools available on OpenBSD and FreeBSD in a lab environment. Basic to intermediate understanding of TCP/IP networking is expected and required for this session. Topics covered include The basics of and network design and taking it a bit further Building rulesets Keeping your configurations readable and maintainable Seeing what your traffic is really about with your friend tcpdump(8) Filtering, diversion, redirection, Network Address Translation Handling services that require proxying (ftp-proxy and others) Address tables and daemons that interact with your setup through them The whys and hows of network segmentation, DMZs and other separation techniques Tackling noisy attacks and other pattern recognition and learning tricks Annoying spammers with spamd Basics of and not-so basic traffic shaping Monitoring your traffic Resilience, High Availability with CARP and pfsync Troubleshooting: Discovering and correcting errors and faults (tcpdump is your friend) Your network and its interactions with the Internet at large Common mistakes in internetworking and peering Keeping the old IPv4 world in touch with the new of IPv6 The tutorial is lab centered and fast paced. Time allowing and to the extent necessary, we will cover recent developments in the networking tools and variations between the implementations in the OpenBSD and FreeBSD operating systems. Participants should bring a laptop for the hands on labs part and for note taking. The format of the session will be compact lectures interspersed with hands-on lab excercises based directly on the theory covered in the lecture parts. This session is an evolutionary successor to previous sessions. Slides for the most recent version of the PF tutorial session are up at https://nxdomain.no/~peter/pf_fullday.pdf, to be updated with the present version when the session opens.

Stefano Marinelli boosted

Peter N. M. Hansteen

@pitrh@mastodon.social · 3 months ago

Tomorrow 2025-09-25 at 10:30 CEST, the refreshed "Network Management with the OpenBSD Packet Filter Toolset" https://events.eurobsdcon.org/2025/talk/FW39CX/ by yours truly, @stucchimax and Tom Smyth will start at #eurobsdcon.

We will put the updated slides online just before the session starts.

#openbsd #freebsd #pf #packetfilter #networking #firewall #trickery #security

Network Management with the OpenBSD Packet Filter Toolset (T5) EuroBSDCon 2025

Peter N. M. Hansteen

@pitrh@mastodon.social · 3 months ago

View (PDF)

Network Management with the OpenBSD Packet Filter Toolset (T5) EuroBSDCon 2025