Index

/etc/authpf/authpf.allow, 128
/etc/authpf/authpf.conf, 126
/etc/authpf/authpf.message, 129
/etc/authpf/authpf.rules, 127, 131
/etc/authpf/banned/, 128
/etc/inetd.conf, 62
/etc/login.conf, 129, 130
/etc/.boot.conf, 8
/etc/pf.conf, 10, 11, 15, 131
/etc/pf.os, 44, 66
/etc/protocols, 18
/etc/rc.conf, 10, 11
/etc/rc.conf.local, 5
/etc/rc.d/pf, 9, 11
/etc/rc.d/pf_boot, 8
/etc/services, 17
/etc/sysctl.conf, 51
/etc/syslog.conf, 115
/var/log/pflog, 111, 113
3-way handshake, 37
ACK flag, 31
action, 29
activating PF, 5
address alias, 17
address family, 30, 41
address pool, 99
addresses, 16, 27
addresses, dynamic, 16, 53
ADSL, 87, 88
af (address family), 30
alias, 17
all, 17
allow-opts, 45
allowing traffic, 31
Alternate Queueing (ALTQ), 82
ALTQ, 82, 83
, 83, 86
anchor, 125, 127
anchors, 73, 74
anchors, loading, 74
angle brackets, 26
antispoof, 40–42
any, 17
ARP requests, 149
asymmetric connections, 87
Auth, 160
authenticating PF, 125–130, 132

authpf, 125–130, 132
authpf configuration, 126
authpf login message, 129
authpf_users table, 128
backup firewalls, 149
backups, 149
balancing load, 99
bandwidth, 84, 85
banned users, 128
benchmarking, 118
BGP, 101
bidirectional mapping, 54
binat, 54
binat-anchor, 73
block, 29
block-policy, 30
blocking packets, 31
blocking spoofed packets, 40
borrow, 85
brconfig(8), 110
bridge, 7, 35, 110
broadcast address, 17
CARP, 149, 157, 158
carp, 158
CARP and , 155
carp password, 151
CBQ, 78, 80, 82, 84
cbq, 83
CIDR, 16, 17, 100
Class Based Queueing (CBQ), 78
classes, 78
classifying packets, 108
commas, 20
comments, 16
configuration file, 15
congestion, 81
connection limiting, 37
connection redirection, 57
connections, asymmetric, 87
const, 25
controlling PF, 12
cron, 115
crossover cable, 155
debugging, 65
default deny, 31, 42
default filter, 31
defragment, 15
Demilitarized Zone, 60
destination address, 30
destination port, 30
DHCP, 16
dial-up, 16
direction, packet, 30
DMZ, 60, 92
DNS, 16, 61
DNS, split-horizon, 61
DragonFly, 2, 3, 10–12, 51, 83, 122, 137
drop, 65
dynamic addresses, 16, 53
dynamically assigned address, 160
ECE, 39
ECN, 82, 83, 85, 86
enabling PF, 5

ethernet frames, 110
expansion, 23
Explicit Congestion Notification (ECN), 82
failover, 157, 158
fdescfs, 127, 136
features, 15
FIFO queue, 78
filtering, 107
fingerprinting, passive OS, 66
flags, 39
flags, packet, 31, 38, 82
floating, 67
flush, 38
flushing rules, 76
forwarding, 51
fragment crop, 71
fragment drop-ovl, 71
fragment reassemble, 70
fragment, don’t, 70
fragment, unassembled timeout, 68
fragmented packets, 69
fragments, duplicate, 71
fragments, overlapping, 71
FreeBSD, 2, 3, 9, 10, 51, 83, 122, 127, 136, 137, 151
FTP, 120, 122, 163
FTP proxy, 120
ftp-proxy, 120, 163
gateway, 50, 58, 88
gateway, authenticating, 125
global synchronization, 81
grammar, 19, 42
greylist, 143
greylisting, 140, 141
greytrapping, 142
handshake proxy, 35
hardware, 117
Hartmeier, Daniel, 1
HFSC (Hierarchical Fair Service Curve), 83
high availability, 149
hostname, 27
Hot Standby Protocol (HSRP), 149
HSRP, 149
ICMP, 34, 50, 160, 165
icmp, 18
icmp6, 18
Ident, 160
ifconfig, 150, 153, 154, 156
IGMP, 45
in, 30
inet, 30
inet6, 30
inetd, 62
Initial Sequence Number, 31, 34
interface group, 30
interface, network, 16, 21, 30
inverse matching, 107

IP forwarding, 5, 51
IP options, 45
IPF, 1
ipsec, 154
IPv4, 30
IPv6, 27, 30
ISN, 31, 34
KAME, 82
keep state, 30, 31, 33, 39
kldload, 9
list, 17, 19
lists, 22, 23
lists, negated, 20
LKM, 6
load balancing, 99, 101, 102, 152
loading rules, 12
log, 30, 40, 52
log analysis, 112
log-all, 111
logging, 111, 115
logging packets, 111
logging, statistics, 162
login, 125
long lines, 16
loopback, 41, 62, 67, 162
low-delay TOS, 87
MAC address, 110
macro, 105
macros, 20–23, 27, 106, 161, 165
macros and quotes, 21
macros in anchors, 75
macros, predefined, 105, 128
macros, recursive, 21
managing PF, 12
marking packets, 105
master, 149, 158
max-mss, 70
Maximum Segment Size (MSS), 70
memory, 25, 26, 67, 68, 70, 113
memory pool, 66
min-ttl, 70
modload, 6
modulate state, 30, 31, 34
MSS, 70
multi-path routing protocol, 101
named rulesets, 73
NAT, 100, 122, 162
nat, 52, 100
NAT and redirection, 62
NAT and state, 34
NAT exceptions, 54
NAT gateway, 50
NAT status, 54
nat-anchor, 73, 127
negated, 28
negated address, 17
negation, 26
NetBSD, 3, 6–8, 83, 110, 122, 137
netmask, 16
network, 16

Network Address Translation, 162
network block, 17
network interface card (NIC), 117
nmap, 45
no rdr, 146
no-df, 70
normalization, 15, 40, 69, 71
OpenBSD, 1, 5, 51, 82, 110, 122, 137, 157, 173
, 6, 9, 12
detection, 44
optimization, 32, 66
options, 30, 36, 37, 65–67, 69, 70, 162
ordering of pf.conf, 15
OSFP, 44, 45
out, 30
packet logging, 111
packet normalization, 69
packet payloads, 112
packet tagging, 105
packets, malformed, 69
parentheses, 16, 17, 53
parenthesis, 111, 163
pass, 29, 32
passing traffic, 31
Passive OS Fingerprinting, 44
peer, 17
persist, 26
pf.conf, 15, 83
pf.conf sections, 15
pf_rules, 7, 10, 11
pfctl, 12, 13, 15, 19, 26, 44, 54, 55, 74, 76
pfctl(8), 5
pfil(9), 7, 110
pflkm, 6
pflog0 interface, 111, 112
pflogd, 7, 30, 52, 111, 113
pfsync, 153, 154
pfsync0 device, 154
physical interface, 158
ping, 160
point-to-point link, 17
policy filtering, 107
policy-based filtering, 105, 107, 108
pool, 99
port, 52
port forwarding, 57
port range, inclusive, 18
port range, inverse, 18
ports, 17
ports, FreeBSD, 9, 10
ppp, 30
PPPoE, 161
prioritization, 15
priority level, 79
Priority Queueing, 80
PRIQ, 80–82
priq, 83
Private Service Network, 60
protocols, 18, 30
proxy, 120

PSN, 60
qlimit, 84
Quality of Service, 85
queue, 78, 83, 84, 87, 88
queue and keep state, 88
queue name, 84
queue priority, 79, 85
queue, assigning traffic to, 83
queueing, 78, 87, 88
queueing, configuring, 83
queues, 79, 81
quick, 30, 32, 33, 41
Random Early Detection, 81
random-id, 70
rate limiting, 37
rdr, 57, 59, 60, 101, 120, 121, 163
rdr-anchor, 73
reassemble tcp, 71
RED, 81–83, 85, 86
redirection, 57, 60, 120, 121, 163
redundancy, 149
redundancy group, 149
redundant firewalls, 149
reload, 10, 11
reserved words, 20
restart, 10, 11
resync, 10, 11
return, 43, 65
return-icmp, 43
return-rst, 43
RFC 1323, 71, 113
RFC 1631, 49
RFC 1918, 22, 49
RFC 2281, 149
RFC 3168, 82
RFC 3768, 149
RIO, 83, 85
round-robin, 80, 99–102
route-to, 101, 102
routing, 5, 51
RST flag, 38
rule, last, 29
ruleset, 5, 19, 20, 29, 31, 41, 74, 128, 132
ruleset processing, 74
ruleset, simplifying, 43
ruleset, viewing, 13
rulesets, sub, 73
scheduler, 83, 85
scheduler, queueing, 83
schedulers, 78, 83
scrub, 40, 66, 69, 71, 162
scrubbing, 40, 69, 162
securelevel, 25
self, 27
set block-policy, 65, 162
set debug, 65
set fingerprints, 66
set limit, 66
set loginterface, 66, 162
set optimization, 66
set skip, 162
set skip on, 67
set state-policy, 67
set timeout, 68
shortcuts, 42

SMTP, 143
source address, 30
source port, 30
source-hash, 100
source-quench, 34
source-track, 36
spam, 26
spam trap, 143
SpamAssassin, 135
, 9, 10, 12, 107, 135, 141–143, 146, 172, 173
spamd, installing, 136
spamd-setup, 144, 145
spamd.conf, 144
spamdb, 141, 143
spamlogd, 146, 147
spoofed TCP SYN floods, 31, 35
spoofing, 40
SSH, 160
sshd, 129
state, 31, 33, 67
state and queue, 88
state limits, 66
state lookups, 33
state table, 153
stateful connections, 125
stateful inspection, 33
statistics, 27, 66, 162
sticky connection, 101
sticky-address, 100
substitution of variables, 20
SYN flag, 31
synproxy state, 30, 31, 35
syntax highlighting, 15
sysctl, 51, 152, 161
syslog, 114, 126
table, 20, 25, 26, 28, 127, 128
table file, 26
tables, 142, 146
tables, manipulating, 26
tagged, 107
tagging, 106, 110
tagging packets, 105
tags, 106
tail-drop, 78
tarpit, 135
tbrsize, 84
TCP, 33
tcp, 18
TCP flags, 31, 38, 40
TCP packet headers, 70
TCP proxy, 62
TCP Syn Proxy, 165
tcpdump, 44, 112–114, 153
Time to Live (TTL), 70
timeout, 35
timeouts, 68
token bucket regulator, 84
ToS, 87
translation, 59
TTL, 70, 71
Type of Service (ToS), 87
UDP, 34
udp, 18
UDP and state, 35
uptime, 71

user logins, 125, 130
variables, 20
variables substitution, 20
viewing ruleset, 13
Virtual Router Redundancy Protocol (VRRP), 149
VRRP, 149

Zalewski, Michal, 45