After 20 years of using #pf on #BSD and only dabbling in iptables when I absolutely had to in #Linux, nftables looks like an unreadable, incomprehensible shitshow; A crayon scrawl by a toddler of weird nat and mangle chains that make no sense.
The Linux developers would have been much better off porting pf to Linux.
for i in *.conf; do
wg-quick up $i
curl -s4 https://zx2c4.com/ip | sed 1q
# the connect timeout is there because a few of the endpoints had a not-working IPv6 address
curl --connect-timeout -s6 https://zx2c4.com/ip | sed 1q
wg-quick down $i
done
```
Now in my pf.conf I just had to do something like this which didn't seem that complicated after all. I just modelled it after my existing rule that I used for opening ports (I removed ssh from that rule in favour of this one). This can most definitely be made better, but at least it works!
explicitly allow home and vpn ip addresses
ssh_whitelist_ipv4 = "{ipv4 addresses here
I put my home address at the top as is and then /24 ranges for the mullvad IPs because I was told they may change frequently
}"ipv6 addresses here from mullvad
I figured that they won't change often so I simply pasted them as is without specifying prefix
}"allow public ssh only to my normal home address and mullvad ips
pass in log on $ext_if inet proto tcp from $ssh_whitelist_ipv4 to ($ext_if) \saklas$ zgrep preauth /var/log/authlog.0.gz | grep -v vin | wc -l
After running for over a day, my /var/log/authlog still only shows my own connections and not some people across the globe spamming connections to invalid users.
I was previously using pf-badhost in place of fail2ban due to the latter not being available on OpenBSD, but pf-badhost didn't prevent active attacks while both of them still allowed those (initial) connections in the first place.
There's a much smaller likelihood of an attacker using the same Mullvad endpoints I use, and if they do I probably have bigger problems to worry about. I'm also pretty much always connected to my Wireguard VPN (separate post on my website for this later) and that would let me bypass this anyways. This setup is more of a failsafe if I'm unable to connect through the VPN, and a failsafe of that failsafe if things really go wrong is just using the Hetzner web console I guess.
After writing all this, I think it's better to just post this on my website and syndicate here.
#openbsd #mullvad #pf
As previously announced, there will be a PF tutorial at BSDCan 2025 -
For Upcoming PF Tutorials, We Welcome Your Questions
https://nxdomain.no/~peter/pf_tutorial_upcoming_questions_welcome.html
Registration: https://www.bsdcan.org/2025/registration.html
#BSDCan #EuroBSDcon #OpenBSD #PF #tutorial, #packetfilter #Ottawa #BookofPF #BSDCan #conferences #networking #security
With #bsdcan now less than a month away https://www.bsdcan.org/2025/index.html we invite your questions and input on the upcoming PF tutorials, see
"For Upcoming PF Tutorials, We Welcome Your Questions" https://nxdomain.no/~peter/pf_tutorial_upcoming_questions_welcome.html
#EuroBSDCon #OpenBSD #PF #tutorial, #packetfilter #Ottawa #BookofPF #BSDCan #conferences #networking #security
"A good tutorial should sound to passersby much like an intense but amicable discussion between colleagues"
For Upcoming PF Tutorials, We Welcome Your Questions
https://nxdomain.no/~peter/pf_tutorial_upcoming_questions_welcome.html
#EuroBSDCon #OpenBSD #PF #tutorial, #packetfilter #Ottawa #BookofPF #BSDCan #conferences #networking #security
É o governo Lula combatendo a corrupção! #inss #pf #políciafederal #fraude #temer #bolsonaro #lula
Fresh out of the Oven.
I was searching for the best replacement of my Lenovo X1 Carbon 8th Gen's Wirreless Card (...not found yet - anyone?), and found this instead, which may be my 2morrows read:
A #beginners Guide To #Firewalling with #pf #pfsense
Maybe also interesting site for @vermaden s BSD-News? §8-)
@YVioujard
Ce n'est pas sans rappeler le sort fait à Pouvanaa A Oopa sous le Tahiti des essais nucléaires de De Gaulle.
Même méthode, mêmes objectifs, "On ne change pas un colonialisme qui gagne."
What do the clever OpenBSD firewall folks use to put up a reasonable defence against known bad actors?
I have an SSH bastion host that gest spammed with connection attempts (it only accepts key authentication but even so...) as well as web server for my blog that gets requests for dot files, PHP, cpanel, etc...
On both I'm currently running a shell script that greps the logs for keywords and feeds those IP's into a temporary blocklist but I'm sure there must be a better way, plus some way to feed in a reputable source of bad IP's before they become a problem would be nice.
Toc-toc #freebsd guys ! I created a bridge0 and Vnet running tailscale into #bastillebsd jail. Bridge and Vnet are connected using epair. I read on forum that rules from #pf operate on epair and not bridge, so I need to skip bridge0 in #pf rules ? Bridge0 is 193.168.42.1 connected with re0. Another thing, I want to separate/isolate my local network (192.168.1.0) from jails vnet network 192.168.42.0/24. Actually when I ping a local network address like 193.168.1.80 from the tailscale jail with epair 192.168.42.2, ping works... Isolation between networks don't work by default, and I search the good pf rules to isolate 192.168.42.0 from local network ... Any help appreciated.
Very useful cheat sheet on #pf 
Finally run debian12 with gui thanks to vm-bhyve on freebsd14 after several month of tweaking and learning. Really big thank to @vermaden and his article https://vermaden.wordpress.com/2023/08/18/freebsd-bhyve-virtualization/ 
But one thing I still dont get it. I have a problem with resolving a DNS on the VM. IP addreses works well but domain names like google.com not at all. I solved it by adding "nameserver 8.8.8.8" in /etc/resolv.conf in VM, but I am not sure if I solve it well and dont understabd why I have to solve it anyway, I do not remeber that I would have to set it.
I se vm-bhyve with host wifi wlan interface so I had to set NAT in PF, in article it is a section laptop wifi nat. Is it normal to set resolv.conf file in VM?
It continues in my article series: #FreeBSD as a server. I went through all the previous articles again and made minor adjustments here and there. Network settings and preparations and #pf Firewall added.
https://bsdbox.de/en/blog/2024-12-01-freebsd-server-teil3
Part 4 offers finally Bastille. Stay tuned.
Es geht weiter in meiner Artikelreihe: #FreeBSD als Server. Alle bisherigen Artikel wurden nochmal an einer frischen Installation durchgespielt und hier und da kleinere Anpassungen vorgenommen. Netzwerk Einstellungen und #pf Firewall hinzugefügt.
https://bsdbox.de/blog/2024-12-01-freebsd-server-teil3
Mit Teil 4 kommt dann offiziell Bastille dazu. Bleibt dran.
A piece of oft-repeated #openbsd #pf advice, from this morning on openbsd-misc:
In addition to the official resources such as the PF FAQ (https://www.openbsd.org/faq/pf/index.html) I think my own writings such as "A Few of My Favorite Things About The OpenBSD Packet Filter Tools" https://nxdomain.no/~peter/better_off_with_pf.html (or with G's trackers
as the cost for slightly nicer formatting https://bsdly.blogspot.com/2022/09/a-few-of-my-favorite-things-about.html)
which has a few useful links at the end including to a certain book that *might*
be worth looking into.
