%deffont "text" tfont "Arial.ttf"
%deffont "mono" tfont "luximr.ttf"
%deffont "title" tfont "Arial.ttf", size 7
%deffont "code" tfont "mono", size 3
%deffont "typewriter" xfont "courier-medium-r", tfont "typewriter.ttf", tmfont "hoso6.ttf", size 3
%default 1 area 90 90, leftfill, font "text", size 5, fore "white", back "black", charset "iso8859-1", bgrad
%default 2 bar "green" 3, vgap 90
%tab 1 size 5, vgap 40, prefix " ", icon box "green" 40
%tab 2 size 5, vgap 40, prefix " ", icon arc "yellow" 30
%tab 3 size 5, vgap 40, prefix " ", icon box "yellow" 20
%page
%font "text", size 8, fore "white", back "black"
%bgrad
%center
Protecting your World with pf
%font "mono", size 4
Jon Hart
%font "text"
April 29, 2003
%page
%font "title"
Overview
%font "text"
	Intro
	What is the problem?
	Background
	Crash course in pf
	Technological overview of pf
	Why should you use pf?
	Why you shouldn't use pf
	Conclusions
	Questions
	Page 'o Links
%page
%font "title"
# intro 1
The Problem
%font "text"
	Simple or advanced firewalling/filtering
		Stateless vs. stateful
	Restrict access to/from sensitive or untrusted hosts:
		DMZ or hostile hosts
	Many internal hosts, one external IP:
		How can I give all these hosts Internet access?
	Many external services, one external IP:
		How can I make all services appear to originate from one host/IP?
	Queuing, bandwidth/traffic shaping, load balancing
%page
%font "title"
# intro 2
Common Solutions
%font "text"
	Dedicated devices:
		Cisco PIX firewall, router ACLs
		SOHO devices (Linksys, Netgear, etc)
		SysMaster
	Software firewalls:
		Checkpoint
		ZoneAlarm
		BlackIce
	OS Specific firewalling:
		ipchains, iptables (Linux)
		ipfilter (Solaris, *BSD, Tru64)
		ipfw (FreeBSD)
		pf (OpenBSD)
%page
%font "title"
# intro 3
Limitations with these solutions
%font "text"
	Cost
	Licensing
	Dedicated, vendor specific hardware and OS
	New and unfamiliar syntax/interface/terminology
	New and unfamiliar OS
	Manageability
	Flexibility
%page
%font "title"
# background 1
pf -- a free and powerful solution
%font "text"
	pf == 'packet filter'
	Started by Daniel Hartmeier as "humble attempt at hacking with the OpenBSD kernel"
	Written as replacement for OpenBSD's ipf because of licensing issues
	Code based on ipf, started in June 2001
	Shipping with OpenBSD since 3.0 (December 2001)
	Currently maintained and developed by the OpenBSD team
%page
%font "title"
# background 2
pf -- a free and powerful solution (cont.)
%font "text"
	A packet filter is a mechanism that allows you to block or pass \
	incoming and outgoing TCP/IP packets based on a set of criteria:
		Source and destination address
		Source and destination port
		IP protocol
		TCP flags
		Fragmentation
	pf is much more than just a "packet filter":
		Stateless and stateful filtering
		Network address translation (NAT)
		Port address translation (PAT)
		Load balancing, queuing, traffic shaping
	Plus, a fully functional and secure OS!
%font "text"
%page
%font "title"
# tech 1
pf innards
%font "text"
	/dev/pf
		Packet filter pseudo-device that allows userland processes to manipulate in-kernel packet-filtering
	pfctl
		Communicates with the packet filter via /dev/pf and allows ruleset and configuration manipulation
	pf.conf
		Configuration file for pf. Clearly described by a BNF grammar in the pf.conf(5) man page. READ THIS.
	pflogd
		Handles all logging for pf in tcpdump binary format.
		Compare to plain text logging...
%page
%font "title"
Examples
%font "text"
	Stateless filtering:
%font "code"
pass in on $EXT_IFACE proto tcp from any to $WEBSERVER_IP port = $WEB_PORTS
%font "text"
	Stateful filtering:
%font "code"
pass in on $EXT_IFACE proto tcp from any to $WEBSERVER_IP port = $WEB_PORTS flags S/SA modulate state
%font "text"
	NAT:
%font "code"
nat on $EXT_IFACE from $LAN_RANGE to any -> ($EXT_IFACE)
%font "text"
	PAT:
%font "code"
rdr on $EXT_IFACE from any to $EXT_IP port 80 -> $DMZ_WEBSERVER_IP port 80
%font "text"
	Inbound load balancing:
%font "code"
rdr on $EXT_IFACE proto tcp from any to any port 80 -> { 192.168.0.2, 192.168.0.3, 192.168.0.4 } round-robin
%page
%font "title"
Why pf?
%font "text"
	Code developed by a well-respected community
	Code constantly evolving and maturing
	Widely used and abused in various environments:
		Government
		Military
		Educational
		Research
		Fun and miscellaneous
	It's free and hardware is cheap:
		$6k PIX can be replaced by a $1k OpenBSD box w/ pf
	Will run on almost all architectures, supporting most hardware
		Example: my Co-op
%page
%font "title"
Why pf? (cont.)
%font "text"
	Very fast, very efficient
	Even an outdated system beats most competition:
		Duron 700, 128M RAM, 3 interfaces easily handles:
			1000+ rules
			10000 Packets/s on _each_ interface
			40000 states
			All at 89% CPU idle
	Compare to NU's current firewall:
		Cannot handle more than 20000 states
		Costs several thousand $$
%page
%font "title"
Why pf? (cont.)
%font "text"
	Human readable syntax!
		Lets you focus more on the design of your firewall and less on cryptic command syntax
	Virtually no restrictions!
		Full control over nearly all aspects of firewalling/filtering and your design:
			State restrictions and control
			Memory and resource limiting
			Environment optimization
		If you can design it, pf can help you implement it
		Compare this to, say, a PIX or a Watchguard firewall
%page
%font "title"
Why not pf?
%font "text"
	Another OS to learn
	Another syntax to master
	Doesn't do layer 2 filtering
	Doesn't do layer 5 filtering
	Gigabit+ speeds, x86 hardware limitations
%page
%font "title"
Conclusions
%font "text"
	Firewalling/filtering is a complex and important task
	Many popular solutions, often problematic:
		Cost, flexibility
	pf is a free and powerful solution:
		Well documented
		Extremely flexible
	"Free, functional, secure. Choose three"
%page
%font "title"
%center
%image "Barbarian.gif"
Questions?
%page
%font "title"
Page 'o Links
%font "typewriter"
http://www.openbsd.org
http://www.benzedrine.cx/pf
http://coombs.anu.edu.au/~avalon/ip-filter.html
http://www.benzedrine.cx/henning.txt
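The Examples page shows each feature as a single isolated rule. The complete pf.conf below is an added example written for this page, not a file from the talk, in the OpenBSD 3.x-era syntax the slides use; it ties the five rule types together with a default-deny policy so that the difference between the stateless and stateful rules becomes visible (a stateless rule needs a matching rule for the reply direction, a stateful rule does not). Every interface name, address and host pool in it is a constructed placeholder.

```pf
# Added example pf.conf; hosts, addresses and interface names are constructed placeholders.
ext_if    = "fxp0"                  # Internet-facing interface
int_if    = "fxp1"                  # LAN interface
dmz_if    = "fxp2"                  # DMZ interface
ext_ip    = "203.0.113.10"          # the one external IP
lan_net   = "192.168.1.0/24"        # many internal hosts behind ext_ip
dmz_web   = "{ 192.168.0.2, 192.168.0.3, 192.168.0.4 }"  # web server pool
web_ports = "{ 80, 443 }"

# Reassemble fragments before any filter rule sees them ("Fragmentation" criterion)
scrub in all

# NAT: every LAN host leaves the box with ext_ip as its source address
nat on $ext_if from $lan_net to any -> ($ext_if)

# PAT + inbound load balancing: web ports on ext_ip are spread over the DMZ pool
rdr on $ext_if proto tcp from any to $ext_ip port $web_ports -> $dmz_web round-robin

# Default deny in both directions; blocked packets go to pflogd (/var/log/pflog)
block in log all
block out log all

# Loopback is never filtered
pass quick on lo0 all

# Stateful filtering: only a bare SYN creates state, and the state entry carries the
# reply back through the "block out"; modulate state also randomizes initial seq numbers.
# Filter rules see post-rdr addresses, so the destination is the DMZ pool, not ext_ip.
pass in  on $ext_if proto tcp from any to $dmz_web port $web_ports flags S/SA modulate state
pass out on $dmz_if proto tcp from any to $dmz_web port $web_ports keep state

# Stateless filtering: no state is kept, so the reply direction needs its own pass rule
pass in  on $ext_if inet proto icmp from any to $ext_ip icmp-type echoreq
pass out on $ext_if inet proto icmp from $ext_ip to any icmp-type echorep

# LAN hosts out to the Internet; NAT runs before the out filter, so the source is ext_ip
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from $ext_ip to any keep state
```

Parse-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s rules` and `pfctl -s state` show the loaded ruleset and the state table. Because pflogd writes /var/log/pflog in tcpdump format, the logged blocks are read with `tcpdump -n -e -ttt -r /var/log/pflog`, which is the comparison to plain-text logging the pf innards page makes.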