pf: Make af-to less magical
New blog post: GeoIP-Aware Firewalling with PF on FreeBSD
Running a mail server means constant brute-force attempts. My solution: geographic filtering. SMTP stays open for global mail delivery, but client ports (IMAP, Submission, webmail) are restricted to Central European IP ranges only.
Result: ~90% reduction in attack logs, cleaner signal-to-noise ratio, smaller attack surface.
Using MaxMind GeoLite2 + PF tables with ~273k CIDR blocks.
https://blog.hofstede.it/geoip-aware-firewalling-with-pf-on-freebsd/
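Added example (not code from the post or the linked blog): a script that turns the MaxMind GeoLite2 Country CSVs into a PF table file for a chosen set of ISO country codes and swaps it into the live table with pfctl. It assumes the GeoLite2-Country CSV layout (Locations: geoname_id, locale_code, continent_code, continent_name, country_iso_code, ...; Blocks: network, geoname_id, registered_country_geoname_id, ...); the table name central_eu, the file paths and the CSV rows at the bottom are made up for the example.

```shell
#!/bin/sh
# Added example: build a PF table file from GeoLite2 Country CSVs.
# Assumes the GeoLite2-Country CSV column layout; table name, paths and the
# sample rows at the bottom are constructed for this example.
set -eu

# geoip_table LOCATIONS_CSV BLOCKS_CSV ISO[,ISO...]
# Prints one CIDR per line for every block whose country is in the list.
# MaxMind leaves geoname_id empty for some blocks; fall back to
# registered_country_geoname_id so those ranges are not silently dropped.
geoip_table() {
    awk -F, -v codes="$3" '
        BEGIN { n = split(codes, c, ","); for (i = 1; i <= n; i++) want[c[i]] = 1 }
        FNR == 1 { next }                                 # header line of each file
        NR == FNR { if ($5 in want) keep[$1] = 1; next }  # Locations: geoname_id -> wanted
        { g = ($2 != "") ? $2 : $3; if (g in keep) print $1 }
    ' "$1" "$2"
}

# write_table TABLE FILE LOCATIONS_CSV BLOCKS_CSV ISO[,ISO...]
# Writes FILE atomically, reloads TABLE if pf is reachable, prints the entry count.
write_table() {
    table=$1 file=$2
    geoip_table "$3" "$4" "$5" > "$file.tmp"
    mv "$file.tmp" "$file"
    # "replace" swaps the whole table in one step: no window with an empty table
    if command -v pfctl >/dev/null 2>&1 && pfctl -s info >/dev/null 2>&1; then
        pfctl -t "$table" -T replace -f "$file" >/dev/null
    fi
    wc -l < "$file" | tr -d ' '
}

# pf.conf fragment the file plugs into (assumed interface name and path):
#   table <central_eu> persist file "/etc/pf/central_eu.txt"
#   block in on $ext_if
#   pass in on $ext_if proto tcp to ($ext_if) port smtp            # mail from anywhere
#   pass in on $ext_if proto tcp from <central_eu> to ($ext_if) port { imaps, submission, https }

# Constructed sample rows (not real GeoLite2 data) so the script runs offline.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/GeoLite2-Country-Locations-en.csv" <<'EOF'
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2921044,en,EU,Europe,DE,Germany,1
2782113,en,EU,Europe,AT,Austria,1
2658434,en,EU,Europe,CH,Switzerland,0
6252001,en,NA,North America,US,United States,0
EOF
cat > "$work/GeoLite2-Country-Blocks-IPv4.csv" <<'EOF'
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/24,2921044,2921044,,0,0
198.51.100.0/25,,2782113,,0,0
198.51.100.128/25,6252001,6252001,,0,0
203.0.113.0/24,2658434,2658434,,0,0
EOF

count=$(write_table central_eu "$work/central_eu.txt" \
    "$work/GeoLite2-Country-Locations-en.csv" "$work/GeoLite2-Country-Blocks-IPv4.csv" DE,AT,CH)
echo "$count entries written to $work/central_eu.txt"
cat "$work/central_eu.txt"
```

The IPv6 blocks file has the same columns and can be fed through geoip_table the same way. Re-run the script whenever MaxMind publishes a new database, and keep in mind what the filter does and does not buy: it removes the bulk of out-of-region noise, but an attacker renting a VPS inside the allowed region still reaches the client ports, so strong authentication on IMAP and Submission stays mandatory.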
ICYMI: NYC*BUG had a bonus video meeting over the weekend:
Video meeting - upcoming 4th edition of The Book of PF, CRA and more, by Peter Hansteen
Meeting Slides
* https://www.nycbug.org/media/sbom.pdf
* https://www.nycbug.org/media/nycbug_20260110.pdf
Event Video
* Peertube / Toobnix.org:
https://toobnix.org/wbQPtKXKqJMdeYDbzhrrkEa
* Youtube:
https://youtu.be/HOCsvcCm1Ec
Please visit https://www.nycbug.org/ for more details.
#runbsd #pf #cra #informingthesuits
The latest Valuable News by @vermaden https://vermaden.wordpress.com/2025/12/08/valuable-news-2025-12-08/ notes that The Book of PF, 4th edition is coming soon (also https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html, https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html) @nostarch #freebsd #openbsd #pf #packetfilter #bookofpf #4thedition
FreeBSD + BastilleBSD + Mastodon = ❤️
I wrote about running burningboard.net in a fully dual-stack, multi-jail FreeBSD deployment.
Clean design, central PF firewall, zero Docker.
https://blog.hofstede.it/migrating-burningboardnet-mastodon-instance-to-a-multi-jail-freebsd-setup/
Long rumored and eagerly anticipated by some, the fourth edition of The Book of PF is now available for preorder
More: https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html (https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html), https://nostarch.com/book-of-pf-4th-edition @nostarch #openbsd #freebsd #pf #networking #bookofpf #freesoftware #firewalls
The af-to in #OpenBSD #PF is so flexible that it allows you to host IPv4 services within a #IPv6 only network, only requiring dual-stack on the firewall/router. The 'pass' rule even allows for selective port decisions on where the IPv4 address might be used for other IPv4 only services #BSD:
pass in on $ext_if inet proto tcp to (egress:0) port 12345 af-to inet6 from 2001:db8:dead:beef::1 to 2001:db8:dead:beef::/96 port ssh
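Added example, not from the post above: a small script that works out which addresses the quoted af-to rule produces, so the IPv6-only backend can be given the address pf will actually send to. It assumes the pf.conf(5) behaviour for a /96 "to" prefix, namely that the original IPv4 destination is embedded in the low 32 bits (RFC 6052 layout); the egress and client addresses used in the demo are constructed.

```shell
#!/bin/sh
# Added example: demystify the address mapping done by
#   pass in on $ext_if inet proto tcp to (egress:0) port 12345 \
#       af-to inet6 from 2001:db8:dead:beef::1 to 2001:db8:dead:beef::/96 port ssh
# Assumption: with a /96 "to" prefix pf embeds the original IPv4 destination
# in the last 32 bits. Egress/client addresses below are constructed.
set -eu

# embed4in6 PREFIX IPV4: PREFIX must be the /96 part ending in "::",
# e.g. 2001:db8:dead:beef::; prints PREFIX followed by the IPv4 as two hextets.
embed4in6() {
    prefix=$1
    oldifs=$IFS; IFS=.; set -- $2; IFS=$oldifs
    printf '%s%02x%02x:%02x%02x\n' "$prefix" "$1" "$2" "$3" "$4"
}

# af_to_flow CLIENT4 CPORT EGRESS4 DPORT PREFIX SRC6 NEWPORT
# Prints the connection as the IPv4 client sends it and as the IPv6 backend sees it.
# All clients appear from the single "from" address; pf picks the source port,
# as it does for nat-to.
af_to_flow() {
    backend=$(embed4in6 "$5" "$3")
    printf 'client sends : %s:%s -> %s:%s\n' "$1" "$2" "$3" "$4"
    printf 'backend sees : [%s]:<pf-chosen> -> [%s]:%s\n' "$6" "$backend" "$7"
}

# Demo: egress:0 is 203.0.113.10, a client at 198.51.100.23 connects to port 12345.
af_to_flow 198.51.100.23 51234 203.0.113.10 12345 \
    2001:db8:dead:beef:: 2001:db8:dead:beef::1 22
# The backend therefore needs 2001:db8:dead:beef::cb00:710a configured and sshd on port 22.
```

Two operational consequences follow from the mapping: the backend must have a route for 2001:db8:dead:beef::1 back through the firewall, because replies have to hit the af-to state, and since every IPv4 client arrives from that one address the backend cannot rate-limit or block per client; keep that logic on pf, which still sees the real IPv4 source.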
If you are looking for #PF resources for #openbsd and #freebsd alike, the up to date slides for the #tutorial are at https://nxdomain.no/~peter/pf_fullday.pdf with updates for each session.
In addition, we (the good people at @nostarch and yours truly) are working to get the 4th edition of The Book of PF ready and available as soon as possible (see https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html or tracked https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html)
Source and state limiters introduced in pf
https://www.undeadly.org/cgi?action=article;sid=20251112132639 #openbsd #pf #networking #statelimiters #sourcelimiters #statetracking #packetfilter #security #freesoftware #libressoftware
"This change has our resident packet manglers quite excited, and they think it will likely be a signature feature that will make the not-too-distant OpenBSD 7.9 release even more of an Internet favorite."
Hot take: pf's built-in connection tracking beats fail2ban/sshguard hands down.
One simple ruleset gives you automatic brute-force protection with ZERO userland daemons. No log parsing, no reaction delays, no additional attack surface.
table <bruteforce> persist
block in quick proto tcp from <bruteforce> to any port 22   # enforce the table; overload only fills it
pass in proto tcp to port 22 flags S/SA keep state (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)
Kernel-level enforcement, instant blocking, survives reboots with persist.
Why spawn Python processes when your firewall already knows?
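Added example, not from the post above: a helper script that pairs with the overload ruleset. In pf, `persist` keeps a table alive while no rule references it, but the table contents live in kernel memory and are empty after a reboot unless they were dumped to a file and loaded back. The script dumps the table, reloads it and ages out old entries using real pfctl invocations; the table name, the dump path and the pfctl stub used in the demo are assumptions for this example.

```shell
#!/bin/sh
# Added example: keep the <bruteforce> overload table across reboots and
# bounded in size. Table name and dump path are assumptions; PFCTL is
# overridable so the functions can be exercised without a running pf.
set -eu

PFCTL=${PFCTL:-pfctl}
TABLE=${TABLE:-bruteforce}
DUMP=${DUMP:-/var/db/pf-${TABLE}.txt}

# Ruleset this script pairs with (assumed; adjust ports to taste):
#   table <bruteforce> persist
#   block in quick proto tcp from <bruteforce> to any port ssh
#   pass in proto tcp to port ssh keep state \
#       (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)

# table_save: dump the live table to $DUMP atomically, one address per line,
# and print how many addresses were saved.
table_save() {
    tmp="$DUMP.tmp.$$"
    "$PFCTL" -t "$TABLE" -T show | sed 's/^[[:space:]]*//' | sort -u > "$tmp"
    mv "$tmp" "$DUMP"
    wc -l < "$DUMP" | tr -d ' '
}

# table_load: merge the dump back into the kernel table ("add" keeps entries
# already present; use "replace" if the file should be authoritative).
# Prints the number of addresses in the dump, 0 if there is none.
table_load() {
    [ -s "$DUMP" ] || { echo 0; return 0; }
    "$PFCTL" -t "$TABLE" -T add -f "$DUMP" >/dev/null
    wc -l < "$DUMP" | tr -d ' '
}

# table_expire SECONDS: drop entries whose stats were last cleared more than
# SECONDS ago, so a long-running table does not grow without bound.
table_expire() {
    "$PFCTL" -t "$TABLE" -T expire "$1"
}

# Run "save" from cron and at shutdown, "load" once pf is up (e.g. rc.local),
# "expire" daily. With no arguments the script only defines the functions.
if [ $# -gt 0 ]; then
    case "$1" in
        save)   table_save ;;
        load)   table_load ;;
        expire) table_expire "${2:-86400}" ;;
        *)      echo "usage: $0 save|load|expire [seconds]" >&2; exit 64 ;;
    esac
fi
```

An alternative is `table <bruteforce> persist file "/var/db/pf-bruteforce.txt"` in pf.conf, which loads the dump together with the ruleset; in that case the file must exist before pf loads its rules, because pfctl refuses the whole ruleset when a table file is missing.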