Category: pf

Restarting pf

I may have mentioned this in part before, but Matthew Dillon has a brief script to reload pf when an interface IP changes.  I’m linking it here in case it’s useful in the future.

In Other BSDs for 2015/05/23

A calmer week, probably because of the U.S. holiday.


BSDNow 072: Common *Sense Approach

As promised last week, the BSDNow show has an interview with Jos Schellevis of OPNSense, along with the normal array of stories and links.


BSDNow 071: System Disaster

I managed to miss this last week because of issues with my RSS feeds, but the 71st episode of BSDNow is/has been up.  It’s “systemd isaster”, because the interview is with Ian Sutton talking about BSD replacements for systemd dependencies.  There are a number of at-least-slightly DragonFly-related things in there, including OPNSense, pkgng, and Hammer mentions.


In Other BSDs for 2015/01/03

Remembered to do this all at the last minute, after I got the new server up.


Book Review: The Book of PF, 3rd edition

I’m going to dive right in with an anecdote: As is normal for anyone in systems administration, I’m busy at work.  I’ve been short an employee for some time, and I brought in a managed service provider to do some work.  This included a revamping of the network equipment and layout, as it has been growing organically rather than in a planned fashion.

I received the formal assessment from the provider a few weeks ago, and it mentioned that we were using a non-ICSA-certified firewall: pf, in the form of pfSense.  This was accompanied by some rather drastic warnings about how open source was targeted by hackers! and implied that ICSA certification was a mark of quality rather than a purchasable certification.  All bogus, of course.

The reason I’m starting this review with this little story is to note that while open source has become well-accepted for system and application software, there are still a lot of people who expect commercial hardware to be exclusively handling data once it leaves the server.  That’s been valid for a long time, but software like pf represents a realistic option, or even an improvement, over many commercial and proprietary options.  Since pf exists in one form or another on all the BSDs, it’s a tool you should be at least somewhat familiar with.

Peter N. M. Hansteen has written about pf first online, and then in printed form, for some time.  The Book of PF is in its third edition, and that’s what I have to read.  (Disclosure: No Starch Press gave me the book free, without requirements.)

The book is excellent, and easier to read than I expected for a book about network processing.  It can be read in linear form, as it takes the reader from simple to more complex network layouts.  It works as a reference book, too, as it focuses on different tools around pf and what they are used for.

It covers the different pf versions in OpenBSD, NetBSD, and FreeBSD, and DragonFly gets at least a partial mention in some portions of the book.  For example, OpenBSD recently removed ALTQ, but the other BSDs still use it.  With- and without-ALTQ scenarios are covered every place it applies.  You’re going to get the most mileage out of an OpenBSD setup with it, though.

The parts where the book shines are the later chapters; the descriptions of greylisting and spamd, the traffic shaping notes, and the information on monitoring pf will be useful for most anyone.  It’s quite readable; similar in tone to Peter’s blog.  If you enjoy his in-depth online articles, the book will be a pleasant read.

It’s available now from Amazon and directly from No Starch Press.  It’s linked in the book slider currently running on the right side of this site, too.


BSDNow 063: A man’s man(1)

BSDNow 063 has the normal news articles and links, and an interview of Kristaps Džonsons, one of the people working on mandoc.  There’s also a tutorial on bandwidth throttling with pf.


In Other BSDs for 2014/11/01

Hardly any source commits to point at this week, but there’s still lots of stuff happening in BSD-land.


BSDNow 035: Puffy Firewall

BSDNow 035 is up with a whole lot of pf content, including an interview of Peter Hansteen, of “Book of PF” fame.  There’s a 3rd version of that book coming out soon.


In Other BSDs for 2014/04/26

Another active week.


In Other BSDs for 2014/01/25

Back to relatively normal volume, this week.


In Other BSDs for 2013/09/21

Finally, a quieter week.


Avoiding non-routable IPs

It’s possible your Internet service provider uses a non-routable IP range (like 10.*) and occasionally your border device picks that up via DHCP by accident instead of an Internet address.  If that happens to you, and you’re using DragonFly as your border gateway, it’s possible to prevent it with PF dhclient.


BSD Magazine in May: PF and more

The May issue of BSD Magazine is out with a number of pf articles, plus others.


Matching configs with ipsets, except when you don’t need to

I am somewhat entertained by Michael W. Lucas’s most recent blog post about IP Sets. This is mostly because, as he points out, he could use one pf config file across multiple machines and BSDs for network management, but has to fiddle with ipsets to get different Linux machines to match.


NAT with pf, redux

DragonFly versions >=2.6 and ipfw don’t seem to get along for doing network address translation.  I’ve posted about this before, but I’m linking again because this time I have the explicit config lines written out.

I should probably create a pf category…
