What do the clever OpenBSD firewall folks use to put up a reasonable defence against known bad actors?
I have an SSH bastion host that gets spammed with connection attempts (it only accepts key authentication, but even so...) as well as a web server for my blog that gets requests for dot files, PHP, cpanel, etc...
On both I'm currently running a shell script that greps the logs for keywords and feeds those IPs into a temporary blocklist, but I'm sure there must be a better way, plus some way to feed in a reputable source of bad IPs before they become a problem would be nice.
Recent and not so recent changes in OpenBSD that make life better (and may turn up elsewhere too) https://nxdomain.no/~peter/blogposts/recent-and-not-so-recent_changes_in_openbsd_that_make_life_better.html from 2021 but has aged surprisingly well #openbsd #freesoftware #libresoftware #libressl #ssh #pf #laptops
Very useful cheat sheet on #pf
Finally running debian12 with a GUI thanks to vm-bhyve on freebsd14 after several months of tweaking and learning. Really big thanks to @vermaden and his article https://vermaden.wordpress.com/2023/08/18/freebsd-bhyve-virtualization/
But one thing I still don't get. I have a problem with resolving DNS on the VM. IP addresses work well but domain names like google.com do not work at all. I solved it by adding "nameserver 8.8.8.8" in /etc/resolv.conf in the VM, but I am not sure if I solved it well and don't understand why I have to solve it anyway; I do not remember that I would have had to set it.
I use vm-bhyve with the host wifi wlan interface, so I had to set up NAT in PF; in the article it is the section "laptop wifi nat". Is it normal to set the resolv.conf file in the VM?
For some reason I just looked up my now just over 2-year-old piece "The Things Spammers Believe - A Tale of 300,000 Imaginary Friends" https://nxdomain.no/~peter/spammers_believe_in_300k_imaginary_friends.html (prettified, tracked https://bsdly.blogspot.com/2022/09/the-things-spammers-believe-tale-of.html) and realized that number will soon roll past the next big round marker. #spamtraps #traplist #spam #antispam #openbsd #pf #spamd #cybercrime #bottomfeeders #imaginaryfriends
A piece of oft-repeated #openbsd #pf advice, from this morning on openbsd-misc:
In addition to the official resources such as the PF FAQ (https://www.openbsd.org/faq/pf/index.html) I think my own writings such as "A Few of My Favorite Things About The OpenBSD Packet Filter Tools" https://nxdomain.no/~peter/better_off_with_pf.html (or with G's trackers as the cost for slightly nicer formatting https://bsdly.blogspot.com/2022/09/a-few-of-my-favorite-things-about.html) which has a few useful links at the end including to a certain book that *might* be worth looking into.
There was a "Network Management with the OpenBSD Packet Filter Toolset" tutorial session at @EuroBSDCon 2024, here are the updated slides: https://nxdomain.no/~peter/pf_fullday.pdf #openbsd #pf #networking #security #tcpip #ipv6 #ipv4 #ssh #spam #packetfilter #eurobsdcon
Surely port-forwarding UDP and TCP packets to a #Minecraft (Debian) server using #relayd on #OpenBSD should be straightforward?
Spent quite a bit of time on this yesterday and didn't manage it. I'm a relative newb when it comes to networking, #pf, etc., but even #AI couldn't get me through it.
Has anyone done this? Grateful for any tips.
Whenever I see a "How to protect your #SSH server against #bruteforce attacks" post or article centered on some #Linux voodoo, I always think to post about how easy it is to deal with those on #OpenBSD and #FreeBSD with #PF and #statetracking options: As in https://home.nuug.no/~peter/pf/en/bruteforce.html, supplemented with https://nxdomain.no/~peter/forcing_the_password_gropers_through_a_smaller_hole.html, alternatively the PF tutorial https://nxdomain.no/~peter/pf_fullday.pdf and of course The Book of PF, https://nostarch.com/pf3
Also the slowpoke version: https://nxdomain.no/~peter/hailmary_lessons_learned.html
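The state-tracking approach referred to above, and asked about in the opening question, as an added pf.conf example that is not taken from any of the linked articles or the original posts; the interface name `em0`, the table name `bruteforce`, and the limits are assumptions to adjust for your own host:

```pf
# Added example (not from the linked articles): PF state-tracking rules that
# lock out SSH brute-force sources. Interface and table names are assumptions.
ext_if = "em0"

# Table of offenders. 'persist' keeps it across rule reloads even when empty.
# To pre-seed it from a list of known bad sources, use instead:
#   table <bruteforce> persist file "/etc/pf.bruteforce"
table <bruteforce> persist

# Drop anything from a listed source before it reaches any service.
block in quick on $ext_if from <bruteforce>

# Allow SSH, but track per-source behaviour:
#   max-src-conn 15         at most 15 simultaneous connections per source
#   max-src-conn-rate 5/3   at most 5 new connections per source in 3 seconds
#   overload <bruteforce>   a source exceeding either limit is added to the table
#   flush global            and all of its existing states are killed
pass in on $ext_if proto tcp to port ssh \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
                overload <bruteforce> flush global)
```

Entries stay until removed, so a cron job such as `pfctl -t bruteforce -T expire 86400` drops sources that have been quiet for a day; `pfctl -t bruteforce -T show` lists what is currently blocked.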
Ten years plus on "Effective Spam and Malware Countermeasures - Network Noise Reduction Using Free Tools" https://nxdomain.no/~peter/effective_spam_and_malware_countermeasures.html still seems to be relevant (mod that we never got #IPv6 greylisting done) #malware #networksecurity #antispam #OpenBSD #internetsecurity, #networking #mailsecurity #packetfilter #countermeasures #networkmail #PF #greylisting #spam #FreeBSD
The 2014 article "Effective Spam and Malware Countermeasures - Network Noise Reduction Using Free Tools" has been liberated as https://nxdomain.no/~peter/effective_spam_and_malware_countermeasures.html - previously only available tracked as https://bsdly.blogspot.com/2014/02/effective-spam-and-malware.html.
Likely still useful if you follow keywords like #malware #networksecurity #antispam #OpenBSD #internetsecurity, #networking #mailsecurity #packetfilter #countermeasures #networkmail #PF #greylisting #spam #FreeBSD (and now all #tracked links to my stuff have an untracked equivalent)