- Advance Praise for Absolute OpenBSD, 2nd Edition
- Dedication
- About the Author
- About the Technical Reviewer
- Foreword
- Acknowledgments
- Introduction
- 1. Getting Additional Help
- 2. Installation Preparations
- 3. Installation Walk-Through
- 4. Post-Install Setup
- 5. The Boot Process
- 6. User Management
- 7. Root, and How to Avoid It
- The Root Password
- Using Groups
- Hiding Root with sudo
- Using sudo
- sudoedit
- The Biggest sudo Mistake: Exclusions
- sudo Logs
- 8. Disks and Filesystems
- Device Nodes
- DUIDs and /etc/fstab
- MBR Partitions and fdisk(8)
- Labeling Disks
- The Fast File System
- What’s Currently Mounted?
- Mounting and Unmounting Partitions
- How Full Is That Partition?
- Adding New Hard Disks
- 9. More Filesystems
- 10. Securing Your System
- 11. Overview of TCP/IP
- 12. Connecting to the Network
- 13. Software Management
- 14. Everything /etc
- /etc Across Unix Variants
- The /etc Files
- /etc/adduser.conf
- /etc/amd
- /etc/authpf
- /etc/bgpd.conf
- /etc/boot.conf
- /etc/changelist
- /etc/chio.conf
- /etc/csh.*
- /etc/daily and /etc/daily.local
- /etc/dhclient.conf
- /etc/dhcpd.conf
- /etc/disklabels/
- /etc/disktab
- /etc/dumpdates
- /etc/dvmrpd.conf
- /etc/exports
- /etc/fbtab
- /etc/firmware
- /etc/fonts/
- /etc/fstab
- /etc/ftpchroot
- /etc/ftpusers
- /etc/gettytab
- /etc/group
- /etc/hostapd.conf
- /etc/hostname.*
- /etc/hosts
- /etc/hosts.equiv
- /etc/hosts.lpd
- /etc/hotplug/
- /etc/ifstated.conf
- /etc/iked/, /etc/iked.conf, /etc/ipsec.conf, and /etc/isakmpd
- /etc/inetd.conf
- /etc/kbdtype
- /etc/kerberosV/
- /etc/ksh.kshrc
- /etc/ldap/ and /etc/ldapd.conf
- /etc/localtime
- /etc/locate.rc
- /etc/login.conf
- /etc/lynx.cfg
- /etc/magic
- /etc/mail/
- /etc/mail.rc
- /etc/mailer.conf
- /etc/man.conf
- /etc/master.passwd, /etc/passwd, /etc/spwd.db, and /etc/pwd.db
- /etc/mixerctl.conf
- /etc/mk.conf
- /etc/moduli
- /etc/monthly and /etc/monthly.local
- /etc/motd
- /etc/mrouted.conf
- /etc/mtree/
- /etc/mygate
- /etc/myname
- /etc/netstart
- /etc/networks
- /etc/newsyslog.conf
- /etc/nginx/
- /etc/nsd.conf
- /etc/ntpd.conf
- /etc/ospf6d.conf and /etc/ospfd.conf
- /etc/pf.conf and /etc/pf.os
- /etc/ppp/
- /etc/printcap
- /etc/protocols
- /etc/rbootd.conf
- /etc/rc.*
- /etc/relayd.conf
- /etc/remote
- /etc/resolv.conf and /etc/resolv.conf.tail
- /etc/ripd.conf
- /etc/rmt
- /etc/rpc
- /etc/sasyncd.conf
- /etc/sensorsd.conf
- /etc/services
- /etc/shells
- /etc/skel/
- /etc/sliphome/
- /etc/snmpd.conf
- /etc/ssh/
- /etc/ssl/
- /etc/sudoers
- /etc/sysctl.conf
- /etc/syslog.conf
- /etc/systrace/
- /etc/termcap
- /etc/ttys
- /etc/weekly and /etc/weekly.local
- /etc/wsconsctl.conf
- /etc/X11
- /etc/ypldap.conf
- 15. System Maintenance
- 16. Network Servers
- 17. Desktop OpenBSD
- 18. Kernel Configuration
- 19. Building Custom Kernels
- 20. Upgrading
- 21. Packet Filtering
- 22. Advanced PF
- 23. Customizing OpenBSD
- A. Afterword
- Index
- About the Author
- Copyright
Chapter 22. Advanced PF
Office net seems slow
thanks to bootleg film swapping.
Let’s stop that right quick!
The previous chapter covered the basics of the OpenBSD packet filter pf(4). But, as I mentioned, PF can manipulate packets in all kinds of ways beyond just permitting or denying them, including the following:
-
You can dynamically change the list of addresses to pass or block through outside software, such as
dhcpd(8)orspamd(8). -
You can dynamically create sub-rulesets that let you set up very specific rules for troublesome protocols without allowing more access than necessary.
-
PF can provide NAT, letting you offer an entire network Internet access without public IP addresses.
-
You can redirect incoming traffic arbitrarily, and control how much bandwidth you will let a service use.
-
You can use PF logging.
This chapter covers each of these topics.
-
No Comment