DOCSLIB.ORG

The Book of Pf

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Book of Pf THE BOOK OF PF A No-Nonsense Guide to the OpenBSD Firewall by Peter N.M. Hansteen ® San Francisco THE BOOK OF PF. Copyright © 2008 by Peter N.M. Hansteen. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher. Printed on recycled paper in the United States of America 11 10 09 08 07 1 2 3 4 5 6 7 8 9 ISBN-10: 1-59327-165-4 ISBN-13: 978-1-59327-165-7 Publisher: William Pollock Production Editor: Megan Dunchak Cover and Interior Design: Octopod Studios Developmental Editor: Adam Wright Technical Reviewer: Henning Brauer Copyeditor: Linda Recktenwald Compositor: Riley Hoffman Proofreader: Alina Kirsanova Indexers: Karin Arrigoni and Peter N.M. Hansteen For information on book distributors or translations, please contact No Starch Press, Inc. directly: No Starch Press, Inc. 555 De Haro Street, Suite 250, San Francisco, CA 94107 phone: 415.863.9900; fax: 415.863.9950; [email protected]; www.nostarch.com Library of Congress Cataloging-in-Publication Data Hansteen, Peter N. M. The book of PF : a no-nonsense guide to the OpenBSD firewall / Peter N.M. Hansteen. p. cm. Includes index. ISBN-13: 978-1-59327-165-7 ISBN-10: 1-59327-165-4 1. OpenBSD (Electronic resource) 2. TCP/IP (Computer network protocol) 3. Firewalls (Computer security) I. Title. TK5105.585.H385 2008 005.8--dc22 2007042929 No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it. To Gene Scharmann, who all those years ago nudged me in the direction of free software BRIEF CONTENTS Foreword by Bob Beck.................................................................................................... xi Preface ....................................................................................................................... xiii Chapter 1: What PF Is .....................................................................................................1 Chapter 2: Let’s Get On With It ........................................................................................7 Chapter 3: Into the Real World.......................................................................................17 Chapter 4: Wireless Networks Made Easy .......................................................................33 Chapter 5: Bigger or Trickier Networks............................................................................45 Chapter 6: Turning the Tables for Proactive Defense ..........................................................67 Chapter 7: Queues, Shaping, and Redundancy ................................................................87 Chapter 8: Logging, Monitoring, and Statistics ...............................................................107 Chapter 9: Getting Your Setup Just Right........................................................................121 Appendix A: Resources................................................................................................135 Appendix B: A Note on Hardware Support ....................................................................141 Index .........................................................................................................................147 CONTENTS IN DETAIL FOREWORD by Bob Beck xi PREFACE xiii About the Book and Thanks ..................................................................................... xiv If You Came from Elsewhere .................................................................................... xvi PF looks really cool. Can I run PF on my Linux machine? ................................ xvi I know some Linux, but I need to learn some BSD. Any pointers? ..................... xvi Can you recommend a GUI tool for managing my PF rule set? ........................xvii Is there a tool I can use to convert my OtherProduct ® setup to a PF configuration? ........................................................................xviii Where can I find out more? .......................................................................xviii A Little Encouragement: A PF Haiku .......................................................................... xix 1 WHAT PF IS 1 Packet Filter? Firewall? A Few Important Terms Explained .............................................. 3 Network Address Translation ..................................................................................... 3 Why the Internet Lives on a Few White Lies .................................................... 4 Internet Protocol, Version 6 on the Far Horizon ............................................... 4 The Temporary Masquerade Solution Called NAT ........................................... 5 PF Today ................................................................................................................. 6 2 LET’S GET ON WITH IT 7 Simplest Possible PF Setup on OpenBSD ..................................................................... 8 Simplest Possible PF Setup on FreeBSD ....................................................................... 9 Simplest Possible PF Setup on NetBSD ...................................................................... 10 First Rule Set—A Single, Stand-Alone Machine .......................................................... 11 Slightly Stricter, with Lists and Macros ....................................................................... 13 Statistics from pfctl .................................................................................................. 15 3 INTO THE REAL WORLD 17 A Simple Gateway, NAT If You Need It .................................................................... 17 Gateways and the Pitfalls of in, out, and on ................................................ 18 What Is Your Local Network, Anyway? ........................................................ 19 Setting Up ................................................................................................ 19 Testing Your Rule Set ................................................................................. 23 That Sad Old FTP Thing .......................................................................................... 24 FTP Through NAT: ftp-proxy ..................................................................................... 25 FTP, PF, and Routable Addresses: ftpsesame, pftpx, and ftp-proxy ................... 26 New-Style FTP: ftp-proxy ............................................................................. 26 Making Your Network Troubleshooting Friendly ......................................................... 28 Then, Do We Let It All Through? .................................................................. 28 The Easy Way Out: The Buck Stops Here ..................................................... 29 Letting ping Through .................................................................................. 29 Helping traceroute ..................................................................................... 29 Path MTU Discovery .................................................................................. 30 Tables Make Your Life Easier ................................................................................... 31 4 WIRELESS NETWORKS MADE EASY 33 A Little IEEE 802.11 Background .............................................................................. 33 MAC Address Filtering ............................................................................... 34 WEP ........................................................................................................ 35 WPA ....................................................................................................... 35 Picking the Right Hardware for the Task ....................................................... 35 Setting Up a Simple Wireless Network ..................................................................... 36 The Access Point’s PF Rule Set ..................................................................... 38 If Your Access Point Has Three or More Interfaces ......................................... 38 Handling IPsec, VPN Solutions .................................................................... 39 The Client Side ......................................................................................... 40 Guarding Your Wireless Network with authpf ............................................................ 40 A Basic Authenticating Gateway ................................................................. 41 Wide Open but Actually Shut ..................................................................... 43 5 BIGGER OR TRICKIER NETWORKS 45 When Others Need Something in Your Network: Filtering Services
Load more

Recommended publications
  • The Eleventh Annual
    BSDCan 2014 The Eleventh Annual “I love my job” - Dan Langille About this session a few points then the auction then beer Sponsors! Sponsors (II) Sponsors (III) Sponsors (IV) food voting boxes or buffets? How many? year - # 250 237.5 2012 - 205 225 2013 - 221 212.5 200 2014 - 241 2012 2013 2014 How many? 2012 - 205 (2 + 1 +2 = 5) 2013 - 221 (2 + 2 + 1 = 5) 2014 - 241 (2 + 0 + 1 + 4 = 2 + 4 + 1) Program Committee Bob Beck - OpenBSD Project Dru Lavigne - BSD Events Greg Lehey - LEMIS Pty Ltd. Michael W. Lucas - Consultant and BSD Author David Maxwell - NetBSD Project George Neville-Neil - FreeBSD Project Volunteers Jennifer Russell - travel coordinator and speaker herder Dru Lavigne - registration desk Those of you pressed into service Insert AsiaBSDCon Here BSDP Lab Exam Sun 10am-2pm, UC 206 Beta period of the BSD Professional Lab Exam first “hands-on" exam for BSD system administrators users educators developers generally anyone who loves BSD Seats may still be available. Check with Dru Lavigne ! "C'mon - give it a try!" Insert EuroBSDCon Here Insert FreeBSD Foundation here ` Funding for OpenBSD and related Projects. The OpenBSD Foundation We fund OpenBSD, OpenSSH, OpenSMTPD, PF/Carp, etc. etc. - And hopefully LibreSSL. Financial crisis this year averted through crowdsourcing. Actively pursuing sustainable, repeated donations, especially corporate We primarily fund project infrastructure, membership and developer events. We have occasionally provided support for sponsored development (KMS Intel/Radeon) and we wish to continue that in the right situations. We are seeking a temporary increase in commitment for LibreSSL. http://www.openbsdfoundation.org/ Random giveaways Insert Auction Here Goodbye.
    [Show full text]
  • Aktuelles in Openbsd
    Aktuelles in OpenBSD Sebastian Benoit <[email protected]> Stefan Sperling <[email protected]> Schwerpunkte des Projekts UNIX-artiges Betriebssystem 1 offener Quellcode freie Lizenz (ISC) Fokus auf Korrektheit und Sicherheit hochwertige Dokumentation auf dem laufenden System 1basierend auf 4.4BSD-lite von UC Berkeley Aktuelles in OpenBSD 2/18 Aktuelle Daten Oktober 2015: 20 Jahre OpenBSD, Release 5.8 Aktueller Release: 6.2 Wir bringen 2 Releases im Jahr raus. Wir patchen Bugs in den letzten 2 Releases. -current ist derzeit bereits 6.3-beta ca. 70 aktive bis semi-aktive Entwickler (base + ports) ca. 5 Hackathons jedes Jahr, einer davon gross (ca. 40 Entwickler) Aktuelles in OpenBSD 3/18 Entwicklergemeinschaft Aktuelles in OpenBSD 4/18 Anwendergemeinschaft https://xkcd.com/349/ Technische Experten Individuen Firmen und Konzerne Spenden an die OpenBSD Foundation (Geld) Reisekosten Hackathons, Stromrechnung Infrastruktur, Hardware Spenden an individuelle Entwickler (Hardware, Bier, ...) Aktuelles in OpenBSD 5/18 Releasezyklus zwei Releases im Jahr (ca. alle 6 Monate) Sicherheits-Patches f¨ur1 Jahr Fokus auf Stabilit¨atbevor ein Release geschnitten wird Invasive und experimentelle Anderungen¨ warten bis nach dem Release Snapshots Zum Release passende Bildmaterialien und Lieder Aktuelles in OpenBSD 6/18 Basissystem versus Ports vollfunktionales und konsistentes Basissystem vern¨unftigeVoreinstellungen vereinfachen die Systemkonfiguration Der Quellcode des Basissystems wird kontinuierlich gesichtet Applikationen von Dritten werden separat verpackt Desktop Umgebungen, Firefox, LibreOffice, ... Programmiersprachen, Datenbanken, wissentschaftliche Werkzeuge, ... Multimedia, Videospiele, ... Aktuelles in OpenBSD 7/18 Hardwareunterst¨utzung Architekturen (amd64, i386, sparc64, arm, powerpc, ...) Clang als Compiler f¨urarm64 importiert inzwischen auch amd64, sparc64 und i386. aktuelle Laptops Grafikkarten (Intel und AMD, kein Nvidia Treiber) Netzwerk Ger¨ate(Ethernet, WLAN, UMTS) ACPI inkl.
    [Show full text]
  • Katalog Elektronskih Knjiga
    KATALOG ELEKTRONSKIH KNJIGA Br Autor Naziv Godina ISBN Str. Porijeklo izdavanja 1 Peter Kent Pay Per Click Search 2006 0-471-74594-3 130 Kupovina Engine Marketing for Dummies 2 Terry Large Access 1 2007 Internet Freeware 3 Kevin Smith Excel Lassons & Tutorials 2004 Internet Freeware 4 Terry Michael Photografy Tutorials 2006 Internet Freeware Janine Peterson Phil Pivnick 5 Jake Ludington Converting Vinyl LPs 2003 Internet Freeware to CD 6 Allen Wyatt Cleaning Windows XP 2004 0-7645-7311-X Poklon for Dummies 7 Peter Kent Sarch Engine Optimization 2006 0-4717-5441-2 Kupovina for Dummies 8 Terry Large Access 2 2007 Internet Freeware 9 Dirk Dupon How to write, create, 2005 Internet Freeware promote and sell E-books on the Internet 10 Chayden Bates eBook Marketing 2000 Internet Freeware Explained 11 Kevin Sinclair How To Choose A 1999 Internet Freeware Homebased Bussines 12 Bob McElwain 101 Newbie-Frendly Tips 2001 Internet Freeware 13 Windows Basics 2004 Poklon 14 Michael Abrash Zen of Graphic 2005 Poklon Programming, 2. izdanje 15 13 Hot Internet 2000 Internet Freeware Moneymaking Methods 16 K. Williams The Complete HTML 1998 Poklon Teacher 17 C. Darwin On the Origin of Species Internet Freeware 2/175 Br Autor Naziv Godina ISBN Str. Porijeklo izdavanja 18 C. Darwin The Variation of Animals Internet Freeware 19 Bruce Eckel Thinking in C++, Vol 1 2000 Internet Freeware 20 Bruce Eckel Thinking in C++, Vol 2 2000 Internet Freeware 21 James Parton Captains of Industry 1890 399 Internet Freeware 22 Bruno R. Preiss Data Structures and 1998 Internet
    [Show full text]
  • Técnicas E Ferramentas De Código Aberto Para Combate Ao Spam
    UNIVERSIDADE DE CAXIAS DO SUL DEPARTAMENTO DE INFORMATICA´ CURSO DE BACHARELADO EM CIENCIAˆ DA COMPUTAC¸ AO˜ T´ecnicase Ferramentas de C´odigo Aberto Para Combate ao Spam por JERONIMO CLEBERSON ZUCCO Projeto de Diploma¸c˜ao Prof. Ms. Edgar Athayde Meneghetti Orientador Caxias do Sul, julho de 2005. 2 “I’m doing a (free) operating system (just a hobby, won’t be big and professional like gnu) for 386(486) AT clones.” — Linus Benedict Torvalds, when he launched Linux 3 Agradecimentos Agrade¸coa minha fam´ılia,minha m˜aeRosa e minha irm˜aFabiana, que tanto insistiram e incentivaram para a minha conclus˜aodo curso. Agrade¸cotamb´emao meu falecido pai, por ter me dado condi¸c˜oesde estudo que me trouxeram at´eaqui. A Elisˆangela,pelo seu afeto e carinho, al´emde sua compreens˜aoquando tive que ficar afastado para a realiza¸c˜aodo trabalho. Ao meu orientador Edgar Meneghetti, que sempre demonstrou confian¸cana minha capacidade e me ajudou em algumas decis˜oescruciais para realiza¸c˜aodo trabalho. Agrade¸cotamb´emao meu amigo Delcino Picinin pela sua grande ajuda no caminho das pedras do mundo LATEX. Aos professores do Departamento de Inform´aticada UCS, em especial Ricardo Dornelles, Vanius Gava, Andr´eMartinotto, Heitor Strogulsky e Alex Pellin, pelos ensinamentos e apoio sempre quando precisei. Ao amigo Fernando Reginatto, que me ajudou na corre¸c˜aodo trabalho. Aos meus colegas de trabalho e amigos, que de uma forma ou outra me ajudaram e fazem parte da minha vida. Agrade¸cotamb´em`atodos os desenvolvedores de software livre, que com prazer realizam o seu trabalho e compartilham o seu conhecimento, dando oportunidade `a pessoas como eu de encontrar a sua voca¸c˜ao.
    [Show full text]
  • Free, Functional, and Secure
    Free, Functional, and Secure Dante Catalfamo What is OpenBSD? Not Linux? ● Unix-like ● Similar layout ● Similar tools ● POSIX ● NOT the same History ● Originated at AT&T, who were unable to compete in the industry (1970s) ● Given to Universities for educational purposes ● Universities improved the code under the BSD license The License The license: ● Retain the copyright notice ● No warranty ● Don’t use the author's name to promote the product History Cont’d ● After 15 years, the partnership ended ● Almost the entire OS had been rewritten ● The university released the (now mostly BSD licensed) code for free History Cont’d ● AT&T launching Unix System Labories (USL) ● Sued UC Berkeley ● Berkeley fought back, claiming the code didn’t belong to AT&T ● 2 year lawsuit ● AT&T lost, and was found guilty of violating the BSD license History Cont’d ● BSD4.4-Lite released ● The only operating system ever released incomplete ● This became the base of FreeBSD and NetBSD, and eventually OpenBSD and MacOS History Cont’d ● Theo DeRaadt ○ Originally a NetBSD developer ○ Forked NetBSD into OpenBSD after disagreement the direction of the project *fork* Innovations W^X ● Pioneered by the OpenBSD project in 3.3 in 2002, strictly enforced in 6.0 ● Memory can either be write or execute, but but both (XOR) ● Similar to PaX Linux kernel extension (developed later) AnonCVS ● First project with a public source tree featuring version control (1995) ● Now an extremely popular model of software development anonymous anonymous anonymous anonymous anonymous IPSec ● First free operating system to implement an IPSec VPN stack Privilege Separation ● First implemented in 3.2 ● Split a program into processes performing different sub-functions ● Now used in almost all privileged programs in OpenBSD like httpd, bgpd, dhcpd, syslog, sndio, etc.
    [Show full text]
  • Bsdcan 2004 by Bill Moran Bsdcan Conference Roundup This Is a Description of My Trip to Bsdcan 2004 in Ottawa, by Chris Coleman Canada
    Daemon News: May 2004 http://ezine.daemonnews.org/200405/ Mirrors Issues April 2004 May 2004 Get BSD Contact Us Search BSD FAQ New to BSD? DN Print Magazine BSD News BSD Mall BSD Support Join Us 1 of 4 26.05.2004 08:14 Daemon News: May 2004 http://ezine.daemonnews.org/200405/ T H I S M O N T H ' S F E A T U R E S From the Editor BSDCan 2004 by Bill Moran BSDCan Conference Roundup This is a description of my trip to BSDCan 2004 in Ottawa, by Chris Coleman Canada. If you're interested in BSD or computers in general and Didn't make it to BSDCan? did not go to BSDCan, then you made a huge mistake. The Here are all the things you conference was tremendiously educational, and the trip was a missed so you can start great opportunity to meet a number of great people, and visit a feeling guilty. beatiful city. The conference was also very affordable, and there were more than a few who attended on a shoestring budget (I tried to do this, but ended up drinking far too much beer). A Get BSD Stuff number of people also visited from tremendious distances ... attendees arrived from all over the world, so anyone who didn't make it really has no excuse. Read More Bosko's Adventures at BSDCan 2004 by Bosko Milekic It's Sunday, May 16, 2004. 5:30PM. BSDCan has come to a formal close late last night at around 2:00AM, when George, other NYCBUGers, myself, and a friend decided to finally give the poor waitresses tending on us a break, and leave the pub once and for all.
    [Show full text]
  • A Bibliography of O'reilly & Associates and O
    A Bibliography of O'Reilly & Associates and O'Reilly Media. Inc. Publishers Nelson H. F. Beebe University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090 USA Tel: +1 801 581 5254 FAX: +1 801 581 4148 E-mail: [email protected], [email protected], [email protected] (Internet) WWW URL: http://www.math.utah.edu/~beebe/ 08 February 2021 Version 3.67 Title word cross-reference #70 [1263, 1264]. #70-059 [1263]. #70-068 [1264]. 2 [949]. 2 + 2 = 5986 [1456]. 3 [1149, 1570]. *# [1221]. .Mac [1940]. .NET [1860, 22, 186, 342, 441, 503, 591, 714, 716, 721, 730, 753, 786, 998, 1034, 1037, 1038, 1043, 1049, 1089, 1090, 1091, 1119, 1256, 1468, 1858, 1859, 1863, 1899, 1900, 1901, 1917, 1997, 2029]. '05 [461, 1532]. 08 [1541]. 1 [1414]. 1.0 [1009]. 1.1 [59]. 1.2 [1582]. 1000 [1511]. 1000D [1073]. 10g [711, 710]. 10th [2109]. 11 [1385]. 1 2 2 [53, 209, 269, 581, 2134, 919, 940, 1515, 1521, 1530, 2023, 2045]. 2.0 [2, 55, 203, 394, 666, 941, 1000, 1044, 1239, 1276, 1504, 1744, 1801, 2073]. 2.1 [501]. 2.2 [201]. 2000 [38, 202, 604, 610, 669, 927, 986, 1087, 1266, 1358, 1359, 1656, 1751, 1781, 1874, 1959, 2069]. 2001 [96]. 2003 [70, 71, 72, 73, 74, 279, 353, 364, 365, 789, 790, 856, 987, 1146, 1960, 2026]. 2003-2013 [1746]. 2004 [1195]. 2005 [84, 151, 755, 756, 1001, 1041, 1042, 1119, 1122, 1467, 2120, 2018, 2056]. 2006 [152, 153]. 2007 [618, 726, 727, 728, 1123, 1125, 1126, 1127, 2122, 1973, 1974, 2030].
    [Show full text]
  • The Design of the Openbsd Cryptographic Framework
    The Design of the OpenBSD Cryptographic Framework Angelos D. Keromytis Jason L. Wright Theo de Raadt Columbia University OpenBSD Project OpenBSD Project [email protected] [email protected] [email protected] Abstract the design of these systems is intended to impede sim- ple, brute-force, computational attacks. This complexity drives the belief that strong security is fundamentally in- Cryptographic transformations are a fundamental build- imical to good performance. ing block in many security applications and protocols. To improve performance, several vendors market hard- This belief has led to the common predilection to avoid ware accelerator cards. However, until now no operating cryptography in favor of performance [22]. However, system provided a mechanism that allowed both uniform the foundation for this belief is often software imple- and efficient use of this new type of resource. mentation [8] of algorithms intended for efficient hard- ware implementation. To address this issue, vendors We present the OpenBSD Cryptographic Framework have been marketing hardware cryptographic acceler- (OCF), a service virtualization layer implemented in- ators that implement several cryptographic algorithms side the kernel, that provides uniform access to accel- used by security protocols and applications. However, erator functionality by hiding card-specific details be- modern operating systems lack the necessary support hind a carefully-designed API. We evaluate the impact to provide efficient access to such functionality to ap- of the OCF in a variety of benchmarks, measuring over- plications and the operating system itself through a all system performance, application throughput and la- uniform API that abstracts away device details. As tency, and aggregate throughput when multiple applica- a result, accelerators are often used directly through tions make use of it.
    [Show full text]
  • The Book of PF Covers the Most • Stay in Control of Your Traffic with Monitoring and Up-To-Date Developments in PF, Including New Content PETER N.M
    EDITION3RD BUILD A Covers OpenBSD 5.6, MORE SECURE FreeBSD 10.x, and NETWORK EDITION NETWORK 3RD NetBSD 6.x WITH PF THETHE BOOKBOOK THE BOOK OF PF OF THE BOOK THE BOOK OF PF OF THE BOOK OFOF PFPF OpenBSD’s stateful packet filter, PF, is the heart of • Build adaptive firewalls to proactively defend against A GUIDE TO THE the OpenBSD firewall. With more and more services attackers and spammers NO-NONSENSE placing high demands on bandwidth and an increas- OPENBSD FIREWALL • Harness OpenBSD’s latest traffic-shaping system ingly hostile Internet environment, no sysadmin can to keep your network responsive, and convert your afford to be without PF expertise. existing ALTQ configurations to the new system The third edition of The Book of PF covers the most • Stay in control of your traffic with monitoring and up-to-date developments in PF, including new content PETER N.M. HANSTEEN visualization tools (including NetFlow) on IPv6, dual stack configurations, the “queues and priorities” traffic-shaping system, NAT and redirection, The Book of PF is the essential guide to building a secure wireless networking, spam fighting, failover provision- network with PF. With a little effort and this book, you’ll ing, logging, and more. be well prepared to unlock PF’s full potential. You’ll also learn how to: ABOUT THE AUTHOR • Create rule sets for all kinds of network traffic, whether Peter N.M. Hansteen is a consultant, writer, and crossing a simple LAN, hiding behind NAT, traversing sysadmin based in Bergen, Norway. A longtime DMZs, or spanning bridges or wider networks Freenix advocate, Hansteen is a frequent lecturer on OpenBSD and FreeBSD topics, an occasional • Set up wireless networks with access points, and contributor to BSD Magazine, and the author of an lock them down using authpf and special access often-slashdotted blog (http://bsdly.blogspot.com/ ).
    [Show full text]
  • An Overview of Security in the Freebsd Kernel 131 Dr
    AsiaBSDCon 2014 Proceedings March 13-16, 2014 Tokyo, Japan Copyright c 2014 BSD Research. All rights reserved. Unauthorized republication is prohibited. Published in Japan, March 2014 INDEX P1A: Bold, fast optimizing linker for BSD — Luba Tang P1B: Visualizing Unix: Graphing bhyve, ZFS and PF with Graphite 007 Michael Dexter P2A: LLVM in the FreeBSD Toolchain 013 David Chisnall P2B: NPF - progress and perspective 021 Mindaugas Rasiukevicius K1: OpenZFS: a Community of Open Source ZFS Developers 027 Matthew Ahrens K2: Bambi Meets Godzilla: They Elope 033 Eric Allman P3A: Snapshots, Replication, and Boot-Environments—How new ZFS utilities are changing FreeBSD & PC-BSD 045 Kris Moore P3B: Netmap as a core networking technology 055 Luigi Rizzo, Giuseppe Lettieri, and Michio Honda P4A: ZFS for the Masses: Management Tools Provided by the PC-BSD and FreeNAS Projects 065 Dru Lavigne P4B: OpenBGPD turns 10 years - Design, Implementation, Lessons learned 077 Henning Brauer P5A: Introduction to FreeNAS development 083 John Hixson P5B: VXLAN and Cloud-based networking with OpenBSD 091 Reyk Floeter INDEX P6A: Nested Paging in bhyve 097 Neel Natu and Peter Grehan P6B: Developing CPE Routers based on NetBSD: Fifteen Years of SEIL 107 Masanobu SAITOH and Hiroki SUENAGA P7A: Deploying FreeBSD systems with Foreman and mfsBSD 115 Martin Matuška P7B: Implementation and Modification for CPE Routers: Filter Rule Optimization, IPsec Interface and Ethernet Switch 119 Masanobu SAITOH and Hiroki SUENAGA K3: Modifying the FreeBSD kernel Netflix streaming servers — Scott Long K4: An Overview of Security in the FreeBSD Kernel 131 Dr. Marshall Kirk McKusick P8A: Transparent Superpages for FreeBSD on ARM 151 Zbigniew Bodek P8B: Carve your NetBSD 165 Pierre Pronchery and Guillaume Lasmayous P9A: How FreeBSD Boots: a soft-core MIPS perspective 179 Brooks Davis, Robert Norton, Jonathan Woodruff, and Robert N.
    [Show full text]
  • Global-Scale Anti-Spam Testing in Your Own Back Yard
    Global-scale Anti-spam Testing in Your Own Back Yard Margaret Nielsen Dane Bertram Sampson Pun [email protected] [email protected] [email protected] John Aycock∗ Nathan Friess [email protected] [email protected] Department of Computer Science University of Calgary 2500 University Drive N.W. Calgary, Alberta, Canada T2N 1N4 Abstract is a realistic nonspam (ham) corpus collected while ob- serving privacy concerns? What is really meant by The effectiveness of anti-spam techniques is “effective,” when some anti-spam users may want to an important question: after all, spam has a avoid false positives even at the cost of receiving more real cost to legitimate users in terms of time spam? and resources. The problem is how we deter- We focus on a different testing problem in this work. mine effectiveness, especially for anti-spam A number of anti-spam techniques are local, in the techniques that are distributed, and require sense that they can be tested in isolation. Other anti- global scale to function. A scientific approach spam techniques are global, however, and only work on would suggest that we conduct controlled ex- a very large scale, in a distributed fashion. It would periments to evaluate global-scale anti-spam seem that to test global-scale anti-spam techniques, we techniques, but that requires controlling the need our own internet. Internet. Or does it? In fact, the problem is even worse than that. The In this paper, we describe a system we have real Internet is a complex and constantly-changing en- constructed to test global anti-spam tech- vironment.
    [Show full text]
  • Firewalling with Openbsd's PF Packet Filter
    Firewalling with OpenBSD’s PF packet filter Peter N. M. Hansteen [email protected] Copyright © 2005 - 2012 Peter N. M. Hansteen This document is © Copyright 2005 - 2012, Peter N. M. Hansteen. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The document is a ’work in progress’, based on a manuscript prepared for a lecture at the BLUG (see http://www.blug.linux.no/) meeting of January 27th, 2005. Along the way it has spawned several conference tutorials as well as The Book of PF (http://nostarch.com/pf2.htm) (second edition, No Starch Press November 2010), which expands on all topics mentioned in this document presents several topics that are only hinted at here.
    [Show full text]