101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl is the oldest Polish Mastodon server. We allow posts of up to 2048 characters.

#pf
Dave Polaschek (he/him)

Spent an hour this morning updating blocklists and my (draft) webpage. Thanks again to all the folks who’ve offered suggestions. I appreciate them, even if I don’t use them, because I’m trying to learn. I look through most of the suggestions and borrow any ideas that seem new and useful.

Today, I reduced the number of password-gropers from ~1000 attempts/day to about 800/day, with a blocklist of 80 IPs and one /24 range. #OpenBSD #PasswordGropers #pf … (1/3)
BSDTV

A new BSDCan video has been posted:

A packet's journey through pf, by Kristof Provost

https://youtu.be/JtSg6ylDALo

A walkthrough of a packet's journey through (FreeBSD's) pf, concentrating on the big picture and its implications.

We'll cover when packets are inspected, when rules are evaluated and how states are used. Along the way we'll cover what DTrace probes can show us, what some of pfctl's counters mean and just how many times pf can look at a single packet.

This talk is intended for firewall admins looking for a deeper understanding and aspiring pf developers. It is not a "How to use pf" talk.

#pf #runbsd #freebsd
Peter N. M. Hansteen

Yes, The Book of PF, 4th Edition Is Coming Soon https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html (also tracked at https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html) #openbsd #freebsd #bookofpf #pf #packetfilter #book #networking #security #freesoftware #libresoftware #shamelessplug
Peter N. M. Hansteen

The long version of why you need key authentication for your SSH servers - "The Hail Mary Cloud and the lessons learned" https://nxdomain.no/~peter/hailmary_lessons_learned.html #ssh #keys #passwordgroping #unix #linux #openbsd #freebsd #pf #packetfilter #statetracking #blocklists #cybercrime #hacking

Also, the 4th edition of The Book of PF is coming soon: https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html
Peter N. M. Hansteen

We are still working on The Book of PF, 4th ed.

Preorders are open at https://nostarch.com/book-of-pf-4th-edition, read about the work at https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html (also tracked at https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html) #bookofpf #newedition #freebsd #openbsd #pf #packetfilter #networking #security #freesoftware #libresoftware

Fellow network nerds, at EuroBSDcon 2025 in Zagreb there will be a "Network Management with the OpenBSD Packet Filter Toolset" session (events.eurobsdcon.org/2025/tal), a full-day tutorial starting at 2025-09-25 10:30 CET. You can register for the conference and tutorial by following the links from the conference Registration and Prices page (2025.eurobsdcon.org/registrati). #openbsd #freebsd #networking #security #eurobsdcon #conference #pf #packetfilter #freesoftware #libresoftware #zagreb

events.eurobsdcon.org: Network Management with the OpenBSD Packet Filter Toolset (EuroBSDCon 2025)

The OpenBSD Packet Filter (PF) is at the core of the network management toolset available to professionals working with the OpenBSD and FreeBSD operating systems. Understanding the PF subsystem and the set of networking tools that interact with it is essential to building and maintaining a functional environment. The present session will both teach networking and security principles and provide opportunity for hands-on operation of the extensive network tools available on OpenBSD and FreeBSD in a lab environment. Basic to intermediate understanding of TCP/IP networking is expected and required for this session. Topics covered include:

- The basics of network design and taking it a bit further
- Building rulesets
- Keeping your configurations readable and maintainable
- Seeing what your traffic is really about with your friend tcpdump(8)
- Filtering, diversion, redirection, Network Address Translation
- Handling services that require proxying (ftp-proxy and others)
- Address tables and daemons that interact with your setup through them
- The whys and hows of network segmentation, DMZs and other separation techniques
- Tackling noisy attacks and other pattern recognition and learning tricks
- Annoying spammers with spamd
- Basics of and not-so-basic traffic shaping
- Monitoring your traffic
- Resilience, High Availability with CARP and pfsync
- Troubleshooting: discovering and correcting errors and faults (tcpdump is your friend)
- Your network and its interactions with the Internet at large
- Common mistakes in internetworking and peering
- Keeping the old IPv4 world in touch with the new of IPv6

The tutorial is lab centered and fast paced. Time allowing and to the extent necessary, we will cover recent developments in the networking tools and variations between the implementations in the OpenBSD and FreeBSD operating systems.

Participants should bring a laptop for the hands-on labs part and for note taking. The format of the session will be compact lectures interspersed with hands-on lab exercises based directly on the theory covered in the lecture parts. This session is an evolutionary successor to previous sessions. Slides for the most recent version of the PF tutorial session are up at https://nxdomain.no/~peter/pf_fullday.pdf, to be updated with the present version when the session opens.

Yes, The Book of PF, 4th Edition Is Coming Soon nxdomain.no/~peter/yes_the_boo

Long rumored and eagerly anticipated by some, the fourth edition of The Book of PF is now available for preorder nostarch.com/book-of-pf-4th-ed #openbsd #pf #packetfilter #freebsd #networking #security #tcpip #ipv6 #ipv4 #bookofpf

... and of course somebody had to ask, "when can we expect a fifth edition", to which the answer was "let's get this one out the door first"

That said, watch this space for further announcements!


After 20 years of using #pf on #BSD and only dabbling in iptables when I absolutely had to in #Linux, nftables looks like an unreadable, incomprehensible shitshow; A crayon scrawl by a toddler of weird nat and mangle chains that make no sense.

The Linux developers would have been much better off porting pf to Linux.

Over the past few weeks I have been switching off of NixOS and going back to the previous OSes and distros I was using. Last week I migrated my VPS back to OpenBSD and I now feel like I can appreciate its simplicity even more. That's not the point of this though.

When migrating I was reminded of something @nemo@camp.crates.im previously said about only allowing ssh access to the IP addresses he knows he uses. I thought I should try doing something similar, especially because to me pf is way saner to use and manage than iptables.

The addresses I know I'll use are my home IPv4 address and the IPv4+6 addresses of the Mullvad endpoints I am likely to use.
Unfortunately I don't know what those public addresses are before connecting.

A quick script containing something like below (I didn't save it >_<) later, I was able to get all the addresses I needed for passing to pf.

```sh
for i in *.conf; do
    wg-quick up "$i"
    curl -s4 https://zx2c4.com/ip | sed 1q
    # the connect timeout is there because a few of the endpoints had a not-working IPv6 address
    curl --connect-timeout 5 -s6 https://zx2c4.com/ip | sed 1q
    wg-quick down "$i"
done
```

Now in my pf.conf I just had to do something like this which didn't seem that complicated after all. I just modelled it after my existing rule that I used for opening ports (I removed ssh from that rule in favour of this one). This can most definitely be made better, but at least it works!

```
# explicitly allow home and vpn ip addresses
ssh_whitelist_ipv4 = "{
    # ipv4 addresses here
    # I put my home address at the top as is and then /24 ranges for the mullvad IPs because I was told they may change frequently
}"
ssh_whitelist_ipv6 = "{
    # ipv6 addresses here from mullvad
    # I figured that they won't change often so I simply pasted them as is without specifying prefix
}"
```

...

```
# allow public ssh only to my normal home address and mullvad ips
pass in log on $ext_if inet proto tcp from $ssh_whitelist_ipv4 to ($ext_if) \
    port ssh flags S/SA keep state
pass in log on $ext_if inet6 proto tcp from $ssh_whitelist_ipv6 to ($ext_if) \
    port ssh flags S/SA keep state
```

After running for over a day, my /var/log/authlog still only shows my own connections and not some people across the globe spamming connections to invalid users.

```
saklas$ zgrep preauth /var/log/authlog.0.gz | grep -v vin | wc -l
3918
saklas$ grep preauth /var/log/authlog | grep -v vin | wc -l
1
```

I was previously using pf-badhost in place of fail2ban due to the latter not being available on OpenBSD, but pf-badhost didn't prevent active attacks while both of them still allowed those (initial) connections in the first place.
There's a much smaller likelihood of an attacker using the same Mullvad endpoints I use, and if they do I probably have bigger problems to worry about. I'm also pretty much always connected to my WireGuard VPN (separate post on my website for this later) and that would let me bypass this anyways. This setup is more of a failsafe if I'm unable to connect through the VPN, and a failsafe of that failsafe if things really go wrong is just using the Hetzner web console I guess.

After writing all this, I think it's better to just post this on my website and syndicate here.

#openbsd #mullvad #pf
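The post above collects the endpoint addresses by hand and pastes them into pf macros, which means a full `pfctl -f /etc/pf.conf` every time Mullvad moves an endpoint. The script below is an added example and is not the poster's code: it takes the same kind of address list, applies the same policy (home address kept exact, VPN IPv4 endpoints widened to /24, IPv6 endpoints kept as single hosts) and writes pf table files instead, so the allowlist can be replaced at runtime without touching the ruleset. The table names `ssh_allow4`/`ssh_allow6`, the output directory and the sample addresses (RFC 5737 and RFC 3849 documentation ranges) are my assumptions; `table <name> persist file "..."` and `pfctl -t ... -T replace -f ...` are standard pf/pfctl syntax.

```shell
#!/bin/sh
# Added example (not from the original post): build pf table files for an
# SSH allowlist from a collected address list, applying the post's policy.
# Assumptions (mine): table names ssh_allow4/ssh_allow6, OUTDIR, and the
# constructed sample addresses below; /etc/pf/ would be the real location.
set -eu

OUTDIR="${OUTDIR:-${TMPDIR:-/tmp}/pf-ssh-allow}"

# Widen one IPv4 address to its /24, the post's choice for VPN endpoints
# that may move within the provider's block. Prints nothing for input that
# is not a valid dotted quad, so a stray error line from curl cannot end
# up as a table entry.
ipv4_to_24() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
        $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
        $1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 {
            printf "%s.%s.%s.0/24\n", $1, $2, $3
        }'
}

# IPv4 table: home address(es) kept exact, VPN endpoints widened to /24,
# duplicates dropped while preserving order. Args: home file, vpn file.
build_allow4() {
    {
        grep -E '^[0-9]+(\.[0-9]+){3}$' "$1" || true
        grep -E '^[0-9]+(\.[0-9]+){3}$' "$2" | while read -r a; do
            ipv4_to_24 "$a"
        done
    } | awk '!seen[$0]++'
}

# IPv6 table: endpoints kept as single hosts (pf reads a bare address as
# /128), as the post does. Arg: vpn file.
build_allow6() {
    { grep -E '^[0-9A-Fa-f]*:[0-9A-Fa-f:]*$' "$1" || true; } | awk '!seen[$0]++'
}

# Write both table files and print the pf.conf fragment that uses them.
# Modern OpenBSD pf defaults TCP pass rules to "flags S/SA keep state",
# so the post's explicit flags are omitted here.
write_tables() {
    mkdir -p "$OUTDIR"
    build_allow4 "$1" "$2" > "$OUTDIR/ssh_allow4"
    build_allow6 "$2" > "$OUTDIR/ssh_allow6"
    cat <<EOF
# ext_if is assumed to be defined earlier in pf.conf
table <ssh_allow4> persist file "$OUTDIR/ssh_allow4"
table <ssh_allow6> persist file "$OUTDIR/ssh_allow6"
pass in log on \$ext_if inet  proto tcp from <ssh_allow4> to (\$ext_if) port ssh
pass in log on \$ext_if inet6 proto tcp from <ssh_allow6> to (\$ext_if) port ssh
EOF
}

# Constructed sample input standing in for the curl output in the post.
# The last line imitates a failed IPv6 lookup and must not reach a table.
mkdir -p "$OUTDIR"
printf '192.0.2.45\n' > "$OUTDIR/home.txt"
printf '%s\n' 198.51.100.10 198.51.100.77 203.0.113.5 \
    2001:db8:1::10 2001:db8:2::20 'curl: (28) Connection timed out' \
    > "$OUTDIR/vpn.txt"

write_tables "$OUTDIR/home.txt" "$OUTDIR/vpn.txt"
```

On the real box, check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and afterwards swap the allowlist with `pfctl -t ssh_allow4 -T replace -f /etc/pf/ssh_allow4` (and the same for `ssh_allow6`); `pfctl -t ssh_allow4 -T show` confirms what the kernel currently holds. The obvious failure mode is an empty or wrong table, which locks out SSH from everywhere, so keep an out-of-band path (the post's always-on VPN or the provider console) before replacing a table, and never run the replace from a session that depends on the entry being removed.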
Comparing firewall syntax for SSH (port 22) with default-deny:
================================================

```
#iptables (Linux)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP

#nftables (Linux)
nft add rule inet my_filter input tcp dport 22 accept
nft add rule inet my_filter input drop

#ufw (Linux - simplified frontend to iptables)
ufw allow 22/tcp
ufw default deny incoming

#pf (OpenBSD)
pass in proto tcp to port 22
block all
```

pf’s syntax feels so elegant, human-readable, & minimal!

After 20 years scripting iptables, I’m ready to try UFW on my laptop.
#firewall #sysadmin #pf #iptables #ufw #nftables