Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 1/32
Packet Filter (pf)
An Extended Introduction
Max Laierhttp://people.freebsd.org/ mlaier/
FreeBSD.ORG
http://www.FreeBSD.ORG/
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 2/32
pf - History
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilites
l License issues with ipfilter (ipf)l Solution:
F Rewrite from scratchF At least 3 competting solutionsF Daniel Hartmeier’s pf choosen due to:
n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were mergedl OpenBSD 3.0 (December 1, 2001) first release with pf
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilitesl License issues with ipfilter (ipf)
l Solution:F Rewrite from scratchF At least 3 competting solutionsF Daniel Hartmeier’s pf choosen due to:
n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were mergedl OpenBSD 3.0 (December 1, 2001) first release with pf
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilitesl License issues with ipfilter (ipf)l Solution:
F Rewrite from scratchF At least 3 competting solutions
F Daniel Hartmeier’s pf choosen due to:n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were mergedl OpenBSD 3.0 (December 1, 2001) first release with pf
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilitesl License issues with ipfilter (ipf)l Solution:
F Rewrite from scratchF At least 3 competting solutionsF Daniel Hartmeier’s pf choosen due to:
n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were mergedl OpenBSD 3.0 (December 1, 2001) first release with pf
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilitesl License issues with ipfilter (ipf)l Solution:
F Rewrite from scratchF At least 3 competting solutionsF Daniel Hartmeier’s pf choosen due to:
n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were merged
l OpenBSD 3.0 (December 1, 2001) first release with pf
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 3/32
How it started
l OpenBSD’s desire to improve it’s firewall capabilitesl License issues with ipfilter (ipf)l Solution:
F Rewrite from scratchF At least 3 competting solutionsF Daniel Hartmeier’s pf choosen due to:
n ipf-compatible syntax (almost)n Simplicityn Ease of extension
F Ideas from the other approaches were mergedl OpenBSD 3.0 (December 1, 2001) first release with pf
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 4/32
Ports
l November 5, 2002 – Joel Wilsson to NetBSDl March 25, 2003 – Pyun YongHyeon to FreeBSDl June 27, 2003 – KAME integrates source from OpenBSD
currentl February 26, 2004 – FreeBSD integrates the port into the
base systeml June 22, 2004 – NetBSD integrates the port into the base
systeml Ongoing work to port to DragonFlyBSD
l Ports might behave differently!F FreeBSD 5-STABLE will be compatible to OpenBSD 3.5F NetBSD is level with OpenBSD 3.5 at the momentF KAME seems to track OpenBSD-current (on and off)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 4/32
Ports
l November 5, 2002 – Joel Wilsson to NetBSDl March 25, 2003 – Pyun YongHyeon to FreeBSDl June 27, 2003 – KAME integrates source from OpenBSD
currentl February 26, 2004 – FreeBSD integrates the port into the
base systeml June 22, 2004 – NetBSD integrates the port into the base
systeml Ongoing work to port to DragonFlyBSD
l Ports might behave differently!F FreeBSD 5-STABLE will be compatible to OpenBSD 3.5F NetBSD is level with OpenBSD 3.5 at the momentF KAME seems to track OpenBSD-current (on and off)
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 5/32
Releases
l OpenBSD makes a relase aprox. every 6 monthl pf still gains a lot of features with every releasel Overlapping release cycles might cause considerable deltas
between OpenBSD and the various portsl Most of the porting efforts follow OpenBSD’s lead when it
comes to new features, but divergence might occure whererequired.
l Check the documentation!
pf - Historyv How it startedv Portsv Releases
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 5/32
Releases
l OpenBSD makes a relase aprox. every 6 monthl pf still gains a lot of features with every releasel Overlapping release cycles might cause considerable deltas
between OpenBSD and the various portsl Most of the porting efforts follow OpenBSD’s lead when it
comes to new features, but divergence might occure whererequired.
l Check the documentation!
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 6/32
pf - Features
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 7/32
Basics
l Ruleset based configurationF Anchors allow nesting a
F Tables allow dynamic adaption of rules a
F Interface address management b
l Default (logical) order required1. Macro and table definitions2. (Global) Options3. Traffic Normalization (scrub)4. Network address translation (NAT ) and redirection5. Filtering rules
l Last matching rule winsF This can be changed with the ‘quick’ keyword
l Macros allow easier reading/writing and understanding ofrulesa introduced in OpenBSD 3.3b introduced in OpenBSD 3.2
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 7/32
Basics
l Ruleset based configurationF Anchors allow nesting a
F Tables allow dynamic adaption of rules a
F Interface address management b
l Default (logical) order required1. Macro and table definitions2. (Global) Options3. Traffic Normalization (scrub)4. Network address translation (NAT ) and redirection5. Filtering rules
l Last matching rule winsF This can be changed with the ‘quick’ keyword
l Macros allow easier reading/writing and understanding ofrulesa introduced in OpenBSD 3.3b introduced in OpenBSD 3.2
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 7/32
Basics
l Ruleset based configurationF Anchors allow nesting a
F Tables allow dynamic adaption of rules a
F Interface address management b
l Default (logical) order required1. Macro and table definitions2. (Global) Options3. Traffic Normalization (scrub)4. Network address translation (NAT ) and redirection5. Filtering rules
l Last matching rule winsF This can be changed with the ‘quick’ keyword
l Macros allow easier reading/writing and understanding ofrulesa introduced in OpenBSD 3.3b introduced in OpenBSD 3.2
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 7/32
Basics
l Ruleset based configurationF Anchors allow nesting a
F Tables allow dynamic adaption of rules a
F Interface address management b
l Default (logical) order required1. Macro and table definitions2. (Global) Options3. Traffic Normalization (scrub)4. Network address translation (NAT ) and redirection5. Filtering rules
l Last matching rule winsF This can be changed with the ‘quick’ keyword
l Macros allow easier reading/writing and understanding ofrulesa introduced in OpenBSD 3.3b introduced in OpenBSD 3.2
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 8/32
Traffic Normalization
Normalization or “scrubbing” summarises a couple of packetsanity checks to protect against evildoer and information leaksand some rewrites to improve security for weak(er) peers
l IP normalizationl IP fragment reassemblyl Random IP ID rewritel TCP normalization
F TCP reassemblyF Illegal flag combinations (nmap)F TCP optionsF PAWS (Protection Against Wrapped Sequence Numbers)
l Enforce minimum TTL
Scrubbing also helps to hide peer uptimes and thus canprevent NAT detection
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 9/32
NAT and redirection
l BINAT – bidirectional address translationl NAT – source address translation
F static port – prevents sourceport rewritel RDR – destination address translation
NAT and especially RDR can be combined with addressloadbalancing. The following disciplines to choose an addressfrom the pool are available:l randoml round-robinl bitmaskl source-hash
The sticky-address-option can be applied to random andround-robin to improve the redirection mapping
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 9/32
NAT and redirection
l BINAT – bidirectional address translationl NAT – source address translation
F static port – prevents sourceport rewritel RDR – destination address translation
NAT and especially RDR can be combined with addressloadbalancing. The following disciplines to choose an addressfrom the pool are available:l randoml round-robinl bitmaskl source-hash
The sticky-address-option can be applied to random andround-robin to improve the redirection mapping
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 9/32
NAT and redirection
l BINAT – bidirectional address translationl NAT – source address translation
F static port – prevents sourceport rewritel RDR – destination address translation
NAT and especially RDR can be combined with addressloadbalancing. The following disciplines to choose an addressfrom the pool are available:l randoml round-robinl bitmaskl source-hash
The sticky-address-option can be applied to random andround-robin to improve the redirection mapping
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
pf filters on everything and provides understandable syntax
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Incomming
l Outgoing
pf filters on everything and provides understandable syntax
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l IPv4 “inet”
l IPv6 “inet6”
pf filters on everything and provides understandable syntax
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l “any”
l “no-route”
l “self”
l IPv4 dotted quad (127.0.0.1)
l IPv6 coloned hex(2001:200:0:8002:203:47ff:fea5:3085)
l CIDR compatible since OpenBSD 3.3
l Hostname (freebsd.org)
l Netmasks can be applied
l pf can (dynamically) extract addressesfrom a local interface
pf filters on everything and provides understandable syntax
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l (IP)Protocol number
l Protocol name/alias (etc/protocols)
pf filters on everything and provides understandable syntax
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l ‘lowdelay’
l ‘throughput’
l ‘reliability’
l Explicit hex-code
pf filters on everything and provides understandable syntax
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Disallow (default)
l Allow
pf filters on everything and provides understandable syntax
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Type
l Code
pf filters on everything and provides understandable syntax
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Source/Destination port(-range)
l Flags
l Socket credentials (‘owner’ of thesending/receiving application)
l OS type (passiv fingerprinting of theinitial SYN packet)
pf filters on everything and provides understandable syntax
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Source/Destination port(-range)
l Socket credentials (‘owner’ of thesending/receiving application)
pf filters on everything and provides understandable syntax
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 10/32
Filtering - Attributes
pf is an IP-level (OSI Layer 3) firewall, but also keeps track of TCP and UDP(OSI Layer 4) . . .
l Interfacel Directionl Address familyl Source/Destination
IP(-range)l Protocoll ToSl IP optionsl ICMP/ICMP6l TCPl UDP
l Source/Destination port(-range)
l Socket credentials (‘owner’ of thesending/receiving application)
pf filters on everything and provides understandable syntax
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 11/32
Filtering - Stateful
States are fast:l Indexed in a reb-black tree => fast lookup (O(lg(n)))l State lookup is much faster than ruleset evaluation
States increase security:l Control who initiates a connectionl Apply additional sanity checks to TCP connections
F Segments must be in the windowF Restes must be on the edge of the windowF Window scaling availableF pf must ‘see’ the initial handshake (flags S/SA)
l Help to gather accounting information (pfflowd e.g.)l Additional peer protection against ISN prediction attacks
available with modulate state and synproxy
States are also used to keep track of address translations.
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 11/32
Filtering - Stateful
States are fast:l Indexed in a reb-black tree => fast lookup (O(lg(n)))l State lookup is much faster than ruleset evaluation
States increase security:l Control who initiates a connectionl Apply additional sanity checks to TCP connections
F Segments must be in the windowF Restes must be on the edge of the windowF Window scaling availableF pf must ‘see’ the initial handshake (flags S/SA)
l Help to gather accounting information (pfflowd e.g.)l Additional peer protection against ISN prediction attacks
available with modulate state and synproxy
States are also used to keep track of address translations.
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 11/32
Filtering - Stateful
States are fast:l Indexed in a reb-black tree => fast lookup (O(lg(n)))l State lookup is much faster than ruleset evaluation
States increase security:l Control who initiates a connectionl Apply additional sanity checks to TCP connections
F Segments must be in the windowF Restes must be on the edge of the windowF Window scaling availableF pf must ‘see’ the initial handshake (flags S/SA)
l Help to gather accounting information (pfflowd e.g.)l Additional peer protection against ISN prediction attacks
available with modulate state and synproxy
States are also used to keep track of address translations.
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
pf - History
pf - Featuresv Basicsv Traffic
Normalizationv NAT and
redirectionv Filtering -
Attributesv Filtering - Statefulv Filtering - Tables
pf - Advanced notes
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 12/32
Filtering - Tables
Tables provide sophisticated means to manage large, sparseaddress lists.l Can take hosts and networksl Most specific match is returnedl ‘Not’ modifierl Implemented as radix tree => fast lookups (as known from
routing tables)l 64Bit statistics counters for every table entry (easy
accounting)
l Can be changed with pfctll Can be read from a file (spam lists)
Short example
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 13/32
pf - Advanced notes
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 14/32
Interesting options
l timeoutsF Set fragment cache timeF Set cleanup intervalsF Finetune TCP handshake timeoutsF Finetune UDP/ICMP/other state hold timeF adaptive.start adaptive.end
Used to scale timeouts according to current state load. Asthe total number of states increase, unused states diemore quickly.
l limitsF StatesF FragementsF Source-tracking nodes
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 14/32
Interesting options
l timeoutsF Set fragment cache timeF Set cleanup intervalsF Finetune TCP handshake timeoutsF Finetune UDP/ICMP/other state hold timeF adaptive.start adaptive.end
Used to scale timeouts according to current state load. Asthe total number of states increase, unused states diemore quickly.
l limitsF StatesF FragementsF Source-tracking nodes
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 15/32
Stateful I
Stateful rule options:l Per-rule timeoutsl Per-rule limitsl source-track
F Per-client limitsF Maximum number of peersF Maximum connections per peer
Modulate state:l Randomize the initial sequence numbers of a (TCP)
connectionl Store original ISN the client in a statel Rewrite packets of that connection using the better
sequence numbers
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 16/32
Stateful II
Synproxy states:l Gateway completes the 3-way handshakel Gateway initiates connection with the destinationl Further traffic is a normal stateful connection
Same mechanisms used as for modulate-state connections
Useful to protect web- and DB-server against SYN-floodattacks.
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 16/32
Stateful II
Synproxy states:l Gateway completes the 3-way handshakel Gateway initiates connection with the destinationl Further traffic is a normal stateful connection
Same mechanisms used as for modulate-state connections
Useful to protect web- and DB-server against SYN-floodattacks.
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 16/32
Stateful II
Synproxy states:l Gateway completes the 3-way handshakel Gateway initiates connection with the destinationl Further traffic is a normal stateful connection
Same mechanisms used as for modulate-state connections
Useful to protect web- and DB-server against SYN-floodattacks.
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 16/32
Stateful II
Synproxy states:l Gateway completes the 3-way handshakel Gateway initiates connection with the destinationl Further traffic is a normal stateful connection
Same mechanisms used as for modulate-state connections
Useful to protect web- and DB-server against SYN-floodattacks.
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definition
F Plan: per-jail rulesets managed by jail-root (in FreeBSD)l New in 3.6: Recursive anchors
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definition
F Plan: per-jail rulesets managed by jail-root (in FreeBSD)l New in 3.6: Recursive anchors
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definition
F Plan: per-jail rulesets managed by jail-root (in FreeBSD)l New in 3.6: Recursive anchors
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definition
F Plan: per-jail rulesets managed by jail-root (in FreeBSD)l New in 3.6: Recursive anchors
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definition
F Plan: per-jail rulesets managed by jail-root (in FreeBSD)l New in 3.6: Recursive anchors
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definitionF Plan: per-jail rulesets managed by jail-root (in FreeBSD)
l New in 3.6: Recursive anchors
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 17/32
Anchors
l Structure rulesetsl Easily changeablel Good for script actionsl Used by authpfl Can be ‘limited’ to:
F Direction (in/out)F InterfaceF Address familyF ProtocolF Host definitionF Plan: per-jail rulesets managed by jail-root (in FreeBSD)
l New in 3.6: Recursive anchors
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 18/32
Misc
l Skip-stepsF Jump over rules that cannot matchF Optimize ruleset evaluationF New in 3.6: Ruleset optimization
l TaggingF Only with stateful rulesF Allows to seperate classification and policyF Used to support layer 2 filtering
l OS FingerprintsF Base on p0fF Only for the initial SYN packet
F This can be spoofed! Not a security tool
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 18/32
Misc
l Skip-stepsF Jump over rules that cannot matchF Optimize ruleset evaluationF New in 3.6: Ruleset optimization
l TaggingF Only with stateful rulesF Allows to seperate classification and policyF Used to support layer 2 filtering
l OS FingerprintsF Base on p0fF Only for the initial SYN packet
F This can be spoofed! Not a security tool
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 18/32
Misc
l Skip-stepsF Jump over rules that cannot matchF Optimize ruleset evaluationF New in 3.6: Ruleset optimization
l TaggingF Only with stateful rulesF Allows to seperate classification and policyF Used to support layer 2 filtering
l OS FingerprintsF Base on p0fF Only for the initial SYN packet
F This can be spoofed! Not a security tool
pf - History
pf - Features
pf - Advanced notesv Interesting
optionsv Stateful Iv Stateful IIv Anchorsv Misc
ALTQ (short)
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 18/32
Misc
l Skip-stepsF Jump over rules that cannot matchF Optimize ruleset evaluationF New in 3.6: Ruleset optimization
l TaggingF Only with stateful rulesF Allows to seperate classification and policyF Used to support layer 2 filtering
l OS FingerprintsF Base on p0fF Only for the initial SYN packetF This can be spoofed! Not a security tool
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 19/32
ALTQ (short)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 20/32
Basics
l ALTQ provides several disciplies to queue packetsl Can be used to control bandwidth allocation and packet
priorizationl Most effective in front of a bandwidth bottleneck (i.e. on the
uplink gateway)
Detailated per-application evaluation is required toimplement ALTQ
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 20/32
Basics
l ALTQ provides several disciplies to queue packetsl Can be used to control bandwidth allocation and packet
priorizationl Most effective in front of a bandwidth bottleneck (i.e. on the
uplink gateway)
Detailated per-application evaluation is required toimplement ALTQ
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 20/32
Basics
l ALTQ provides several disciplies to queue packetsl Can be used to control bandwidth allocation and packet
priorizationl Most effective in front of a bandwidth bottleneck (i.e. on the
uplink gateway)
Detailated per-application evaluation is required toimplement ALTQ
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 20/32
Basics
l ALTQ provides several disciplies to queue packetsl Can be used to control bandwidth allocation and packet
priorizationl Most effective in front of a bandwidth bottleneck (i.e. on the
uplink gateway)Detailated per-application evaluation is required toimplement ALTQ
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 21/32
ALTQ and pf
l pf gained ALTQ linkage in OpenBSD 3.3l Stateful pass rules assign thier traffic to a queuel ‘Lowdelay’ and empty ACKs can be treated speciallyl Queues are setup from the ruleset directly
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 21/32
ALTQ and pf
l pf gained ALTQ linkage in OpenBSD 3.3l Stateful pass rules assign thier traffic to a queuel ‘Lowdelay’ and empty ACKs can be treated speciallyl Queues are setup from the ruleset directly
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 21/32
ALTQ and pf
l pf gained ALTQ linkage in OpenBSD 3.3l Stateful pass rules assign thier traffic to a queuel ‘Lowdelay’ and empty ACKs can be treated speciallyl Queues are setup from the ruleset directly
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)v Basicsv ALTQ and pf
CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 21/32
ALTQ and pf
l pf gained ALTQ linkage in OpenBSD 3.3l Stateful pass rules assign thier traffic to a queuel ‘Lowdelay’ and empty ACKs can be treated speciallyl Queues are setup from the ruleset directly
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 22/32
CARP
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 23/32
Basics
The Common Address Redundancy Protocol is a freereplacement for VRRPl Multiple hosts share a common MAC address (but only the
master replys)l The master advertises via multicastl Variable advertisement intervals
F Most frequent advertiser becomes masterF Failover after (3 * advertisement interval)
l Advertisement protected by SHA1 HMACF HMAC covers logical addresses (which are not part of the
advertisement)F Pending: Replay protection
l Supports IPv4 and IPv6l Supports layer 2 load balancing (ARP based)
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 24/32
CARP and pf(sync)
In order to support firewall/gateway redundancy every firewallmust know about open connections (=states). The pfsyncpseudo interface enables state synchronization:l Each Firewall send out state changes via multicast
F InsertF UpdateF Delete
l States have an unique IDl Best effort synchronization
Tends towards complete state view on every firewalll Mechanisms to limit bandwidth and processing overhead
F Updates contain only the changing informationF Multiple updates are merged into one transfer
l pfsync prevents CARP preemption until states aresynchronized
Example setup
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 24/32
CARP and pf(sync)
In order to support firewall/gateway redundancy every firewallmust know about open connections (=states). The pfsyncpseudo interface enables state synchronization:l Each Firewall send out state changes via multicast
F InsertF UpdateF Delete
l States have an unique IDl Best effort synchronization
Tends towards complete state view on every firewalll Mechanisms to limit bandwidth and processing overhead
F Updates contain only the changing informationF Multiple updates are merged into one transfer
l pfsync prevents CARP preemption until states aresynchronized
Example setup
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 24/32
CARP and pf(sync)
In order to support firewall/gateway redundancy every firewallmust know about open connections (=states). The pfsyncpseudo interface enables state synchronization:l Each Firewall send out state changes via multicast
F InsertF UpdateF Delete
l States have an unique IDl Best effort synchronization
Tends towards complete state view on every firewalll Mechanisms to limit bandwidth and processing overhead
F Updates contain only the changing informationF Multiple updates are merged into one transfer
l pfsync prevents CARP preemption until states aresynchronized
Example setup
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 24/32
CARP and pf(sync)
In order to support firewall/gateway redundancy every firewallmust know about open connections (=states). The pfsyncpseudo interface enables state synchronization:l Each Firewall send out state changes via multicast
F InsertF UpdateF Delete
l States have an unique IDl Best effort synchronization
Tends towards complete state view on every firewalll Mechanisms to limit bandwidth and processing overhead
F Updates contain only the changing informationF Multiple updates are merged into one transfer
l pfsync prevents CARP preemption until states aresynchronized
Example setup
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 24/32
CARP and pf(sync)
In order to support firewall/gateway redundancy every firewallmust know about open connections (=states). The pfsyncpseudo interface enables state synchronization:l Each Firewall send out state changes via multicast
F InsertF UpdateF Delete
l States have an unique IDl Best effort synchronization
Tends towards complete state view on every firewalll Mechanisms to limit bandwidth and processing overhead
F Updates contain only the changing informationF Multiple updates are merged into one transfer
l pfsync prevents CARP preemption until states aresynchronized
Example setup
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 25/32
More CARP
But CARP can not only do ‘simple’ firewall failover.l Load balancing
F Built-in ARP source-hashF pf and RDR/NATF DNS round-robin
l Use it on serversl . . .
More complicated example
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 25/32
More CARP
But CARP can not only do ‘simple’ firewall failover.l Load balancing
F Built-in ARP source-hashF pf and RDR/NATF DNS round-robin
l Use it on serversl . . .
More complicated example
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARPv Basicsv CARP and
pf(sync)v More CARP
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 25/32
More CARP
But CARP can not only do ‘simple’ firewall failover.l Load balancing
F Built-in ARP source-hashF pf and RDR/NATF DNS round-robin
l Use it on serversl . . .
More complicated example
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Questionsv Linksv Support
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 26/32
Questions
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Questionsv Linksv Support
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 27/32
Links
These slides are at: http://people.freebsd.org/ mlaier/sucon.pdf
l OpenBSDl OpenBSD pfl FreeBSDl FreeBSD pfl NetBSDl NetBSD pfl DragonFly BSDl DragonFly BSDl p0fl ALTQ additional readingl CARP additional reading
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Questionsv Linksv Support
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 28/32
Support
If you like pf, please
Buy OpenBSD CD-Sets! Support the developers!
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Examplesv Table - Examplev CARP - Simplev CARP - Advanced
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 29/32
Examples
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Examplesv Table - Examplev CARP - Simplev CARP - Advanced
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 30/32
Table - Example
pf.test:
table <test> persist { 10/8, 10.0.10/24, !10.0.10.1 }
block all
pass out to <test> keep state
# pfctl -ef pf.test
# ping -c 1 10.0.0.10 && ping -c 2 10.0.10.10
# ping -c 1 10.0.10.1
PING 10.0.10.1 (10.0.10.1): 56 data bytes
ping: sendto: Operation not permitted
ˆC
# pfctl -t test -vTshow
10.0.0.0/8
Cleared: Wed Sep 1 19:57:38 2004
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 1 Bytes: 84 ]
10.0.10.0/24
<...>
Out/Pass: [ Packets: 2 Bytes: 168 ]
!10.0.10.1
Cleared: Wed Sep 1 19:57:38 2004
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
. . . back
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Examplesv Table - Examplev CARP - Simplev CARP - Advanced
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 31/32
CARP - Simple
. . . back
pf - History
pf - Features
pf - Advanced notes
ALTQ (short)
CARP
Examplesv Table - Examplev CARP - Simplev CARP - Advanced
Max Laier, September 2, 2004 pf - An Extended Introduction - p. 32/32
CARP - Advanced
. . . back