Chapter 1. Building the Network You Need


PF, the OpenBSD Packet Filter subsystem, is one of the finest tools available for taking control of your network. Before diving into the specifics of how to make your network the fine-tuned machinery of your dreams, please read this chapter. It introduces basic networking terminology and concepts, provides some PF history, and gives you an overview of what you can expect to find in this book.

Your Network: High Performance, Low Maintenance, and Secure

If this heading accurately describes your network, you’re most likely reading this for pure entertainment, and I hope you will enjoy the rest of the book. If, on the other hand, you’re still learning how to build networks or you’re not quite confident of your skills yet, a short recap of basic network security concepts can be useful.

Information technology (IT) security is a large, complex and sometimes confusing subject. Even if we limit ourselves to thinking only in terms of network security, there is a perception that we haven’t really narrowed down the field much or eliminated enough of the inherently confusing terminology. Matters became significantly worse some years ago when personal computers started joining the networked world, equipped with system software and applications that were clearly not designed for a networked environment.

The result was rather predictable. Even before the small computers became networked, they had become home to malicious software such as viruses (semiautonomous software that is able to “infect” other files in order to deliver its payload and make further copies of itself) and trojans (originally trojan horses, software or documents with code embedded that if activated would cause the victim’s computer to perform actions that the user did not intend). When the small computers became networked, they were introduced to yet another kind of malicious software called a worm, a class of software that uses the network to propagate its payload.[1] Along the way, the networked versions of various kinds of frauds made it onto the network security horizon as well, and today a significant part of computer security activity (possibly the largest segment of the industry) centers on threat management, with emphasis on fighting and cataloging malicious software, or malware.

The futility of enumerating badness has been argued convincingly elsewhere (see Appendix A for references, such as Marcus Ranum’s excellent essay “The Six Dumbest Ideas in Computer Security”). The OpenBSD approach is to design and code properly in the first place. Then, if you later discover mistakes and the bugs turn out to be exploitable, fix those bugs everywhere similar code turns up in the tree, even if that could mean a radical overhaul of the design and, at worst, a loss of backward compatibility.[2]

In PF, and by extension in this book, the focus is narrower, concentrated on network traffic at the network level. The introduction of divert(4) sockets in OpenBSD 4.7 made it incrementally easier to set up a system where PF contributes to deep packet inspection, much like some fiercely marketed products. However, no widely used free software yet uses the interface, so we will instead focus on some techniques based on pure network-level behavior (most evident in the example configurations in Chapter 6) that will help ease the load on the content-inspecting products if you have them in place. As you will see in the following chapters, the network level offers a lot of fun and excitement, in addition to blocking or passing packets.



[1] The famous worms before the Windows era were the IBM Christmas Tree EXEC worm (1987) and the first Internet worm, the Morris worm (1988), both within easy reach of your favorite search engine. The Windows era of networked worms is considered to have started with the ILOVEYOU worm in May 2000.

[2] Several presentations on OpenBSD’s approach to security can be found via http://www.openbsd.org/papers/. Some of my favorites are Theo de Raadt’s “Exploit Mitigation Techniques,” Damien Miller’s “Security Measures in OpenSSH,” and “Puffy at Work—Getting Code Right and Secure, the OpenBSD Way,” by Henning Brauer and Sven Dehmlow.
