stuff and things
2010-06-20
I don’t have a central theme with this post, but I wanted to at least do something (it has been a while).
Packet Filter
Based on Chris’s “Falling in love with pf(4)” Google status, I decided to take the plunge and move off of ipfw(4) to pf(4). I’m not at the point where I could write my own filter; however, I do feel I at least understand what is happening here. I also took the time to update all my ports, so I’m even running PHP 5.3.2, the latest WP release and about 600 other installed ports (Yikes, I’ve got a LOT of stuff on this server!).
I’ve always built my own kernel, at least on my home server, so the first thing to do is sync my /usr/src tree:
$ sudo su -
root# csup ~/bin/src-supfile
...
root# vim /usr/src/sys/amd64/conf/BLACKHOLE
# pf
device pf
device pflog
# pf's QoS - ALTQ
options ALTQ
options ALTQ_CBQ # Class Based Queueing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
root# cd /usr/src ; make -j8 buildkernel && make installkernel && reboot
I use tcsh, a C shell variant, and I find the AND (&&) operator really useful for chaining commands together while requiring that each one succeed. This way, if my build fails, the chain aborts and does not proceed with the install and reboot.
Now that I have an updated kernel with PF enabled, I had to steal Chris’s configuration:
/etc/rc.conf
root# vim /etc/rc.conf
#
# Packet Filter
#
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
#
# Unused, pf replaces all of this
#
#natd_program="/sbin/natd" # path to natd, if you want a different one.
#natd_enable="YES" # Enable natd (if firewall_enable == YES).
#natd_interface="em0" # Public interface or IPaddress to use.
#natd_flags="-u -s -m" # Additional flags for natd.
#firewall_enable="YES"
#firewall_script="/usr/local/etc/rc.firewall"
#firewall_logging="YES"
/etc/pf.conf
root# vim /etc/pf.conf
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# cshumway@titan-project.org wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return Christopher Shumway
# ----------------------------------------------------------------------------
#
# pf.conf
ext_if="em0"
int_if="em1"
lan_net="192.168.2.0/24"
open_ports="{ domain, ssh, http, https }"
# options
set skip on lo0
set skip on $int_if
set limit states 25000
set loginterface $ext_if
set state-policy if-bound
# scrub traffic
scrub in all
# NAT
nat on $ext_if from $lan_net to any -> ($ext_if)
# upnp redirection
rdr-anchor "miniupnpd"
anchor "miniupnpd"
# antispoofing
antispoof for $ext_if
# rules start here
block in
pass out on $ext_if keep state
pass in on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $open_ports flags S/SA keep state
pass in on $ext_if inet proto icmp
Pretty simple, and after a reboot my top process is java, and not natd(8). I can almost feel the internet becoming faster :)
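One caveat worth knowing before relying on that ruleset: pflog is enabled in rc.conf, but none of the rules carry "log", so pflog0 never records anything, and the ICMP rule admits every ICMP type without state. The same ruleset with those two rules tightened follows as an added example (it is not from the original post or from Chris’s file); the macros and interface names are the post’s own, and the icmp_types macro is an assumption.

```pf
# Same ruleset as above with two rules tightened (added example, not the
# original post's or Chris's file). Macros and interfaces are the post's own.
ext_if="em0"
int_if="em1"
lan_net="192.168.2.0/24"
open_ports="{ domain, ssh, http, https }"
icmp_types="echoreq"   # assumption: the only unsolicited ICMP we need to accept

set skip on lo0
set skip on $int_if
set limit states 25000
set loginterface $ext_if
set state-policy if-bound

scrub in all

nat on $ext_if from $lan_net to any -> ($ext_if)
rdr-anchor "miniupnpd"
anchor "miniupnpd"

# log spoofed packets too, so they show up in pflog alongside the other drops
antispoof log for $ext_if

# "block in" on its own never writes to pflog0, even with pflog_enable="YES";
# logging is decided per rule. With "log" the drops can be read back with
#   tcpdump -n -e -ttt -r /var/log/pflog      (or -i pflog0 for a live view)
block in log

pass out on $ext_if keep state

# unchanged: only the listed services; TCP must open with a bare SYN (S/SA)
pass in on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $open_ports flags S/SA keep state

# replaces "pass in on $ext_if inet proto icmp", which admitted every ICMP
# type statelessly: accept only echo requests to this host and track them
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type $icmp_types keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it; a parse error at boot with "block in" as the default would leave you with no way in.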
Rock n Roll Owen
Unlike me, Owen still looks like a nice guy with shades on. I look like someone who would drive a black Acura and cut you off…
Owen doesn’t like the Paparazzi treatment!
We’ve made up, and did a publicity photo-op together
Caralyne’s Garden
Caralyne is skillful with both tending plants, and stapling things.
Dogs
Zoey and Coal sharing the morning sun