path: root/openbsd/pf.html
Diffstat (limited to 'openbsd/pf.html')
-rw-r--r--openbsd/pf.html151
1 files changed, 151 insertions, 0 deletions
diff --git a/openbsd/pf.html b/openbsd/pf.html
new file mode 100644
index 0000000..88ec76a
--- /dev/null
+++ b/openbsd/pf.html
@@ -0,0 +1,151 @@
+<!DOCTYPE html>
+<html dir="ltr" lang="en">
+    <head>
+        <meta charset='utf-8'>
+        <title>1.1. Install OpenBSD notes</title>
+    </head>
+    <body>
+
+        <a href="index.html">OpenBSD Index</a>
+
+        <h1>1.1. Install OpenBSD notes</h1>
+
+        <p>Quick introduction to Packet Filter</p>
+
+        <h2>Packet filter</h2>
+
+        <p>Packet filter or pf is the  system that controls the flow of packets, read more about it on OpenBSD faq and it's man page.</p>
+
+        <p>As a service can be enable or disable with rcctl or by pfctl program. PF uses /etc/pf.conf as it's main configuration file, after boot can load more rules from other files if needed.</p>
+
+
+        <h2>Configuration</h2>
+
+        <p>To setup a simple  firewall edit /etc/pf.conf, default comes with very simple rules;</p>
+
+        <pre>
+        # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+        #
+        # See pf.conf(5) and /etc/examples/pf.conf
+
+        set skip on lo
+
+        block return	# block stateless traffic
+        pass		# establish keep-state
+
+        # By default, do not permit remote connections to X11
+        block return in on ! lo0 proto tcp to port 6000:6010
+
+        # Port build user does not need network
+        block return out log proto {tcp udp} user _pbuild
+        </pre>
+
+        <p>This configuration allows incoming connections and outgoing connections except for was is commented such as X11 or user that port system runs under when building.</p>
+
+        <h2>Control</h2>
+
+        <p>After boot PF operation can be managed using pfctl;</p>
+
+        <pre>
+        pfctl -f  /etc/pf.conf    Load the pf.conf file
+        pfctl -nf /etc/pf.conf    Parse the file, but don't load it
+        pfctl -sr                 Show the current ruleset
+        pfctl -ss                 Show the current state table
+        pfctl -si                 Show filter stats and counters
+        pfctl -sa                 Show EVERYTHING it can show
+        </pre>
+
+        <h2>Logs</h2>
+
+        <p>Documentation tells that when logging a packet a copy of it's header is sent to pflog interface with additional data such as the interface, action pf took, etc.</p>
+
+        <p>pflog interface allows user space applications to receive this data from the kernel. At boot when pf is enabled pflogd is also started and by default listens on pflog0 and writes to /var/log/pflog file.</p>
+
+        <p>To read log file;</p>
+
+        <pre>
+        # tcpdum -n -e -ttt -r /var/log/pflog
+        </pre>
+
+        <p>To read log in real time;</p>
+
+        <pre>
+        # tcpdump -n -e -ttt -i pflog0
+        </pre>
+
+
+        <h2>Simple firewall</h2>
+
+        <p>Simplified syntax for filter rules is;</p>
+
+        <pre>
+        action [direction] [log] [quick] [on interface] [af]
+        [proto protocol] [from src_addr [port src_port]]
+        [to dst_addr [port dst_port]] [flags tcp_flags] [state]
+        </pre>
+
+        <p>Start changing default configuration by setting "default policy to deny" and to log all packets. Change configuration file to contain first filter rule;</p>
+
+        <pre>
+        int_if  = "re0"
+        lan_net = "10.0.0.0/24"
+
+        set skip on lo
+
+        # scrub incoming packets
+        match in all scrub (no-df)
+
+        set block-policy drop # block silenty 
+        block drop log all    # block and log everything
+
+        # activate spoofing protection for all interfaces
+        block in quick from urpf-failed
+
+        # allow out dns
+        pass out on $int_if proto udp to 10.0.0.254 port domain
+
+        # allow out ntp
+        pass out on $int_if proto udp to any port ntp
+
+        # allow out https
+        pass out on $int_if proto tcp to any port 443
+
+        # allow out ssh
+        pass out on $int_if proto tcp to any port { 22, 2222 }
+
+        # allow in ssh
+        pass in log on $int_if proto tcp from any to 10.0.0.10 port 22
+
+        # do not permit remote connections to X11
+        block in on ! lo0 proto tcp to port 6000:6010
+
+        # port build user does not need network
+        block out log proto {tcp udp} user _pbuild    
+        </pre>
+
+        <p>To reload configuration file;</p>
+
+        <pre>
+        # pfctl -f /etc/pf.conf
+        </pre>
+
+        <p>See what ports are open;</p>
+
+        <pre>
+        # netstat -na -f inet | grep LISTEN
+        </pre>
+
+        <p>Check rules;</p>
+
+        <pre>
+        # pfctl -sr
+        </pre>
+
+        <a href="index.html">OpenBSD Index</a>
+        <p>This is part of the LeetIO System Documentation.
+        Copyright (C) 2021
+        LeetIO Team.
+        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
+        for copying conditions.</p>
+    </body>
+</html>
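Review bot: the log-reading command in the "Logs" section, `# tcpdum -n -e -ttt -r /var/log/pflog`, misspells the binary and will fail with "command not found"; it should be `tcpdump -n -e -ttt -r /var/log/pflog`, matching the real-time example that follows it. The same file has several wording problems worth fixing before merge: the `<title>` and `<h1>` read "1.1. Install OpenBSD notes" although the page is about Packet Filter, so the heading should name PF; "it's" should be "its" in "it's man page", "it's main configuration file" and "a copy of it's header"; "except for was is commented" should read "except for what is commented out"; and "block silenty" in the ruleset comment should be "block silently". In the "Simple firewall" section, the reload step shows only `# pfctl -f /etc/pf.conf`; since the page already documents `pfctl -nf /etc/pf.conf` under "Control", it would be safer to tell the reader to run the syntax check first, because a parse error on a remote host leaves the old ruleset loaded but gives no hint about which rule failed. Finally, `block drop log all` logs every dropped packet to pflog0, which on a busy interface grows /var/log/pflog quickly; a short caveat that `log` on the catch-all block is for debugging the policy would help.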