It is time to get security conscious! Installing and using pf for your firewall is a breeze, so this post will mostly be describing my firewall configuration and some of the awesome things you can do.
Warning: This is another long one.
I use the OpenBSD Packet Filter, or pf, for my server-level firewall. Why? Originally based on ipf, it is in my experience much simpler and more powerful than the usual tools like iptables. How powerful? One line will normalise all incoming traffic. Normalisation is the process of cleaning up bad or invalid packets (fragments, bogus flags, odd TTLs) that can wreak havoc in poorly written server software.
It has the usual port filtering and Network Address Translation (NAT) features, plus traffic redirection (port forwarding), operating-system-based filtering, packet queuing, prioritisation, address pools, and load balancing. Yep, when paired with CARP (the Common Address Redundancy Protocol), pf can bring you the same level of redundancy and load balancing as enterprise-level Cisco gear. I had a series of four servers set up in an old workplace, each redundant for the others using CARP + pf. You could even control the order of failover across all four servers.
Anyway, pf is installed by default; we just need to set up our rules and enable it. The first thing you need to know, though, is don’t turn it on with untested rules. If you do, you’re more than likely to lock yourself out of the server, at which point you’d better hope your console access is working.
Before we dive into my configuration, an overview of the configuration file is probably in order. A pf.conf file is generally broken into several sections.
| Section | Purpose |
|---|---|
| Macros | Variables that you can set to be re-used later on. |
| Tables | Variables that can hold a list of data, like a list of IP addresses. |
| Options | Options that control how pf functions. |
| Queuing | Rules and options to support queuing and prioritisation. |
| Filter Rules | The bulk of your firewall ruleset, providing port filtering, NAT and traffic redirection. |
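To make the sections above concrete, and to show both the one-line normalisation rule and the "test before you turn it on" advice, here is an added example (my own, not the configuration from this post): a small constructed server ruleset laid out section by section, plus a helper that syntax-checks it with `pfctl -nf` before loading and arms a rollback timer so a bad ruleset cannot lock you out for long. The interface name `em0`, the 192.0.2.x addresses and the `PFCTL` override are assumptions for illustration; `pfctl(8)` is the real OpenBSD/FreeBSD tool.

```shell
#!/bin/sh
# Added example, not the post's own pf.conf. Writes a constructed ruleset in
# the usual section order (macros, tables, options, normalisation, filter
# rules) and loads it only after pfctl's parse-only check passes.
set -u

PFCTL=${PFCTL:-pfctl}   # assumption: overridable so the helpers can be dry-run on hosts without pf

# write_sample_ruleset FILE: emit a constructed, deliberately small server ruleset
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# --- Macros: variables re-used below
ext_if = "em0"                      # constructed interface name
web_services = "{ http, https }"

# --- Tables: address lists that are cheap to match against
table <admins> { 192.0.2.10, 192.0.2.11 }   # RFC 5737 documentation addresses

# --- Options: how pf itself behaves
set skip on lo0
set block-policy drop

# --- Normalisation: the "one line" that scrubs all incoming traffic.
# OpenBSD 4.6+ syntax; older pf (including FreeBSD's) spells it "scrub in all".
match in all scrub (no-df random-id)

# --- Filter rules: default deny inbound, then allow only what the server needs
block in log all
pass out quick on $ext_if keep state
pass in on $ext_if proto tcp to port $web_services keep state
pass in on $ext_if proto tcp from <admins> to port ssh keep state
EOF
}

# check_rules FILE: parse only (-n), so a syntax error is caught before pf ever sees it
check_rules() {
    "$PFCTL" -nf "$1"
}

# load_rules FILE [GRACE_SECONDS]: load the ruleset only if it parses, then start
# a background timer that disables pf after GRACE seconds. If the new rules cut
# off your session, access comes back by itself; if they work, kill the timer.
# Prints the timer's PID on stdout; enable pf afterwards with `pfctl -e` if it
# is not already running.
load_rules() {
    rules=$1
    grace=${2:-120}
    if ! check_rules "$rules"; then
        echo "refusing to load: $rules has syntax errors" >&2
        return 1
    fi
    "$PFCTL" -f "$rules" || return 1
    ( sleep "$grace" && "$PFCTL" -d ) >/dev/null 2>&1 &
    echo "$!"
}

# Stand-alone use: ./safe-pf-load.sh /etc/pf.conf [grace-seconds]
if [ $# -gt 0 ]; then
    timer=$(load_rules "$1" "${2:-120}") || exit 1
    echo "rules loaded; run 'kill $timer' once you have confirmed you can still log in" >&2
fi
```

Keep the rollback timer short enough to be useful but long enough to open a second SSH session and confirm the rules behave; once that session works, kill the timer and the ruleset stays loaded.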
Now, while my general configuration has a few interesting things you can do with pf, it is actually rather boring compared to some setups I’ve done in the past. I don’t use traffic redirection, queuing, prioritisation or load balancing. It’s just a server firewall.
The most useful resource you will find for pf is the OpenBSD FAQ page on the topic.
Read on for my configuration and the step by step instructions to set it up.