PF

From OpenBSD-Wiki

Written for: OpenBSD Version ?


Examples

Tips

No route to host... under average/high load

Sometimes you'll see spurious "no route to host" messages while your OpenBSD firewall is under average to high load.

This started annoying some of my firewalls with 3.9, but I saw reports stating some people faced that since 3.7.

The cause is usually the state table: by default it holds 10,000 entries, which can be far too small for a highly loaded firewall. Once it fills up, PF cannot create states for new connections and they fail. For comparison, a default CheckPoint VPN-1 installation starts with a maximum of 100,000 entries in its state table.

To configure a larger state table, have a look at the pf.conf(5) man page and put something like the following in your /etc/pf.conf:

set limit { states 100000, frags 100000, src-nodes 50000 }
set optimization aggressive

Of course, you should read the pf.conf(5) man page and choose values that match the needs of your site.

Additionally, use pfctl -si -v to see exactly what is flowing through your firewall (including the current number of state entries), and adjust your table sizes accordingly.
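As an added example (not from the wiki page), here is a small POSIX sh check that compares the current state count with the configured hard limit and warns when the table is close to full, the condition behind the spurious "no route to host" errors described above. The two samples are constructed to look like the output of pfctl -s info and pfctl -s memory; on a live firewall you would feed the real command output in instead.

```shell
#!/bin/sh
# Constructed sample, shaped like `pfctl -s info` on OpenBSD (not real output).
PF_INFO_SAMPLE='Status: Enabled for 3 days 04:11:09           Debug: err

State Table                          Total             Rate
  current entries                     9712
  searches                       412387123         1540.2/s
  inserts                          3081201           11.5/s
  removals                         3071489           11.4/s'

# Constructed sample, shaped like `pfctl -s memory` with the default limits.
PF_MEMORY_SAMPLE='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000'

# state_usage INFO_TEXT MEMORY_TEXT
# Prints "<current entries> <states hard limit> <percent used>".
state_usage() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $NF }')
    [ -n "$cur" ] && [ -n "$lim" ] || return 1
    printf '%s %s %s\n' "$cur" "$lim" $(( cur * 100 / lim ))
}

# check_state_table THRESHOLD_PERCENT
# Returns 0 when usage is below the threshold, 1 when at or above it,
# 2 when the pfctl output could not be parsed.
check_state_table() {
    threshold=${1:-80}
    # On a real firewall replace the samples with:
    #   info=$(pfctl -s info); mem=$(pfctl -s memory)
    usage=$(state_usage "$PF_INFO_SAMPLE" "$PF_MEMORY_SAMPLE") || return 2
    set -- $usage
    if [ "$3" -ge "$threshold" ]; then
        echo "WARNING: PF states $1/$2 (${3}%): raise 'set limit states' in /etc/pf.conf"
        return 1
    fi
    echo "OK: PF states $1/$2 (${3}%)"
    return 0
}

check_state_table 80
```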

UPnP

miniupnpd is the most reliable UPnP daemon to use. UPnP is horribly insecure, but some people need it for whatever reason. For example, Microsoft Live Messenger's webcam needs it; without it the application becomes slow and the feed occasionally crashes or locks up. So far the only reliable place to test UPnP is Microsoft's website. Does anyone know of anywhere else?

To get it working, add an anchor to your pf.conf ("rdr-anchor miniupnpd"). Then open /etc/miniupnpd.conf. All you should need to configure is:

ext_ifname (the external interface, such as pppoe0)
listening_ip (the firewall's internal IP)

Comment out all the rules at the bottom of the file and add the following, replacing 192.168.1.1/24 with the subnet where potential UPnP clients are:

allow 1024-65535 192.168.1.1/24 1024-65535

This means that only external ports 1024 to 65535 may be redirected, and only to an IP in 192.168.1.xx on a port from 1024 to 65535. You can restrict UPnP usage further to a single host with an xx/32 allow rule:

allow 1024-65535 192.168.1.xx/32 1024-65535

Links
