Yeah, it's easy to step on the wrong train, so. I don't need the screen. Now, let's see. The resolution of the screen is, well, my screen is a lot bigger, so. And anyway, I was going to show you, as you probably know, I've written a book. And for this session, there is a special discount code. It will go away a few days after the conference, but if you go to nostarch.com and go to the book's website, you will get 40% off with that code. I was really hoping to have physical copies with me here, but that was not possible for logistical reasons. So anyway, I'll keep that slide open for a little while.

So, good morning. Welcome to EuroBSDCon. Welcome to Sofia. I only arrived here yesterday afternoon myself, so I was a little disoriented, enough that I got on the wrong train coming here. That's why I'm a little late. I was actually going in the wrong direction on the wrong line, so. Gotta get full bonus for that, I guess. The setup of this session really is we have way too many slides, and I need to go by your questions. Very right. Well, it would be interesting to have a little poll of, well, what's your experience with firewalls, or specifically PF, so far on OpenBSD? Yeah, so basically you know all this already then. There are some tricks that are interesting. So, you, sir? Yes, we use it on FreeBSD, traffic shaping. Yeah, so the new traffic shaping will be interesting to you, but not available. Oh, you, sir? So you're an active user now. Alright, so that means we'll probably need to do some of the start slides anyway. You, sir? Maybe you'll pick up some tricks then. You, sir? You, sir? Good to hear there are so many OpenBSD users. You, sir? Yeah, so this is the guy you've got to blame for all this, you know. You, sir? Alright, so we'll go for something. You, sir? So let's start at the top here, just to get a feel of the experience. What's your experience so far? Okay. Yeah, you're quite fresh.
I use it on one machine, just for viable. So, you, sir? Okay. You, sir? And you, back there. Right, thank you. Right. Right. This sounds like we should at least take some of these slides, and, well, the formula of this session is, as I said, we have too damn many slides. And the other thing to be aware of is I tend to start mumbling for no reason. If I do that, shout at me. Please. Because you do not want me wandering off into mumbling. So, please shout at me.

Now, after this session is complete, you will find the slides online at the NUUG site. Actually, the one that works slightly better is if you take home.nuug.no, slash pf, slash newest; that will always be the newest version of the slides. Well, thank you. And, yeah, at least after the session, they'll be on there. I anticipated being here like half an hour earlier, or a little more than that, but as I said, I stepped on the wrong train. So I'll put them out there, hopefully not eating into your lunch break too much.

Now, okay, I messed up the fonts again. This is a ceremony Henning's been through quite a few times before. I want you to raise your left hand and say: this is my network. It is mine, or technically my employer's. It is my responsibility, and I care for it with all my heart. There are many other networks out there that are a lot like mine, but none just like it. And I solemnly swear that I will not mindlessly paste from howtos. I receive so many questions from people, like, a number of the samples in this tutorial and in the book are actually incomplete, like there would be something missing that it needs, something like that, and I would get questions like, why doesn't this work? It's written like that on purpose, because the purpose of the session and the purpose of the book is to get people into the mindset of writing a rule set properly. Yes, sir? So, let's get on with, well, the history of PF. You probably already know this.
There used to be IPFilter, which is still retained in Solaris for some reason. IPFilter was the historical predecessor of PF. It turned out it wasn't actually BSD licensed, and Darren Reed, who had written it all, was starting to act up, so we needed a solution. So, basically, the code was removed at one point, and the most secure operating system on the internet was without a firewall for about four weeks. At least in -current. Well, and with a marathon of coding, that was actually one of the first hackathons, wasn't it? Yeah, it was. Yeah. Yeah. Yeah. Sorry. But anyway, this incident led to, well, for one thing, we got a new packet filter that's still being actively developed. The other was that Theo set everybody else off on actually reading, well, auditing the source tree again for whatever license any file was under, and we actually turned up a few instances of, oh, is that code still in use? Of course you can use it under a BSD license, and a few problems that needed to be rewritten. And after that, well, somebody set out on the source tree as well, so basically we got a lot more license questions clarified, like either it's BSD or not, and I think the body of BSD licensed code actually grew quite a bit after this. So we're good with that. In most cases, it was a question of mailing the author and asking, can you trace this license, right? Yes. And, well, there were a few, oh, is this actually still in use? So anyway, the first design goals of PF were, well, basically we needed a firewall. And we needed one that didn't break people's setups so much. So as Henning once famously said, IPF was written by an Aussie, so everything was upside down. Last match wins. That's where it comes from. Anyway, our early goals were, yeah, be fairly compatible, be well-featured, and, yeah, after 3.1, well, with 3.1, we could actually filter everything, any protocol. And then authpf, which is a non-interactive shell for loading, it actually loads per-user, per-group rules.
Henning committed ALTQ traffic shaping in 3.3, which was committed in several ways. Anchors, which are named sub-rule sets, also turned up in 3.3. We also got, in 3.3, tables for faster IP address lookup, sort of lists. Relatively fast, yes. That's being hacked on at the moment, isn't it? Yeah, okay. So I think one of my favorites, spamd, the spam deferral daemon, turned up in 3.3. Well, if you want to, we'll get back to that at some point. 3.4 turned up packet tagging, which is useful for policy filtering. 3.4 also turned up a few, well, what do you call it, network hygiene, scrubbing, well, normalization techniques; we'll get back to those. We also have operating system detection, so you can do evil things to Windows machines. Synproxy turned up in 3.4. Well, basically, if your back ends are too weak; we can get back to that as well. Adaptive state timeouts, pretty useful for whenever people are trying to flood you, turned up in 3.4. Actually, atomic rule set commits, which means you're never in an intermediate state between your old rule set and your new one, turned up in 3.5. There are still guys out there that are somewhat wishy-washy about that. We got state tracking per source address at one point, which means we can play with a few options. Load balancing with round-robin, sticky-address, and we got CARP, which is our redundancy solution, in 3.5. From 3.7 we were able to label routes. And in 4.1 turned up, which is actually pretty much a revolution, multiple routing tables. It's a subject that is very rarely touched on in the literature, so maybe we'll fix that at some point. 4.1 also turned up, well, pflog and pfsync became cloneable, so you can have several of these interfaces for synchronization or for logging different interfaces. Keep state became the default mode from 4.1, which is just because it makes sense. In most situations you want stateful filtering anyway. relayd turned up for better load balancing in 4.2.
It does a lot of stuff, and it's been recently upgraded to actually be even more PF-like in the syntax. One of my favorites, pflow, a NetFlow export, turned up in 4.5, and that would turn out to be so useful that we could actually set it as a state option. So, set state-defaults pflow, in 4.5. We got match rules in 4.6. This is something you're missing in FreeBSD. FreeBSD's PF is roughly equal to 4.5. So anything beyond this point, sorry, it's not in FreeBSD yet, and God knows when it will be. Anyway, in 4.6 we got match rules, and what you do with a match rule is, well, you match criteria, and you can perform actions other than blocking or passing. Which is extremely useful. It sorts out some confusion in some rule sets, and it was made for that. Scrub was rewritten to, well, make more sense. And in OpenBSD, PF was on by default in 4.6. It had not been on by default before that. And then there was the thing that was Henning's monster diff, a diff of 4,000 lines or so. Anyway, because the code behind it changed, it made sense to make nat-to and rdr-to basically options on whatever match or pass rules you have, instead of being little separate verbs. Also rdr-to, route-to, dup-to and fastroute became filtering options in the same way. And we landed routing domain translation, which, I do not have samples of that in this tutorial, sorry; we'll have to dig up some if we need them. Okay, but it turned up in 4.7. Anyway, divert sockets, local only, slightly more efficient than the redirection. And after 4.7, okay, this slide grew too much. Now, it was quiet for a while. The next big thing, which is, well, the reason why there was an additional, well, Book of PF, was the traffic shaping system, which we probably will turn to. We saw the first inklings of that in 5.0 with the priority-only shaping. ftp-proxy, the proxy, changed to divert instead of redirections.
We got NAT64, which is evil, and basically incremental improvements in 5.2, 5.3, 5.4, until we had in 5.5 a new traffic shaping system, which has a standard syntax, the new queue, and actually in 5.6 the old queue, ALTQ, has been removed. So traffic shaping on OpenBSD is the new queue or no queue. So, well, 5.6 is actually a relatively unexciting release for PF stuff. We, well, slightly related to this, we did some IP version 6. Pardon? So, for PF's purposes it's a, you know, it's a stabilization release, really.

So, here's where you can find PF today. Of course in OpenBSD. FreeBSD has this ancient version. NetBSD has roughly the same ancient version. DragonFlyBSD also inherits the same ancient version. Apple's Mac OS X, and I think the phone OS, also has PF in some form via FreeBSD. They actually did some evil hacks to it that would have been useful, but are under an incompatible license. And BlackBerry, actually BlackBerry, some BlackBerrys run a bastardized form of NetBSD and have PF in it. And you will probably find it in locations you, well, just poke under the hood and, yeah, well, there's BSD there, probably PF as well. So, and then again, given the license you don't actually have to advertise what you're using, so it could turn up in a number of places. Now, oh, QNX. Okay, I'll update the slides.

So, at one point, anyone here using Linux at the moment for firewalling, iptables? Yes. Now, this was Jason Dixon on the OpenBSD PF mailing list at one point, after somebody stumbled in saying, well, I got into this real problem of converting my stuff from my Linux iptables to PF, I don't see what's happening, and Jason turned up with this: compared to working with iptables, PF is like this haiku, which actually isn't. Breath of fresh air, floating on white rose petals, eating strawberries. Now I'm getting carried away. Hartmeier codes now; Henning knows not why it fails; fails only for newbie.
Tables load my list; target for the asshole spammer who threw his mail store. CARP due to Cisco; redundant plastic packet; license fee for me. I keep that in there because, well, it's not a haiku, but it's, well, any time I look at an iptables setup, yeah, this comes back really strongly.

Now, what is it we're talking about here? Well, it's basically kernel level. We do packet filtering in the kernel, and on FreeBSD it's a separate module, which is loadable, and we of course have, basically, the pfctl admin program that interfaces with your setup, and keep in mind that whatever, oh sorry, what we're talking about here is, oops, this is the first time I've used this laptop in a presentation, sorry. Our world consists of packets, protocols, connections, ports; keep that in mind. And I actually don't like the term firewall a lot, but again, for marketing reasons, we keep using it. Well, of course you can stop and divert traffic. I tend to tell people, well, stopping, that's one property; what this is, is a tool for policy enforcement. Whatever the policy is, whatever traffic, whatever you want to do with traffic, you enforce it using PF. And I wonder, should we take the little subsequence here? One question that almost always turns up is, can I run PF on Linux? The answer is no. I think there have been five different people turning up on some mailing list saying, well, I've started porting PF to Linux. Never heard from one again. PF is primarily developed as a deeply integrated part of OpenBSD. It remains portable to other BSDs because, well, a number of the interfaces are, even after 20 years of this parallel development, we're still fairly, well, fairly compatible in some ways. Anyway, if you want cool new features, you go to OpenBSD. Well, if you want FreeBSD, we'll go FreeBSD. And for Linux users out there, there are some, well, we don't have systemd, and we, our interfaces are actually, our interfaces don't renumber. So you have the tips here.
Even if in some versions, in some cases on FreeBSD, you actually get the pseudo interface wlan or so forth. But it still has mainly driver name plus sequence number, and those sequence numbers don't change unless you actually start moving cards around. Most of your configuration goes in rc.conf, or, for OpenBSD, rc.conf.local. On FreeBSD, rc.conf is your own creation, and it has defaults elsewhere. And of course pf.conf, which is, well, mainly the topic of this presentation.

There is one other question that turns up way too much: oh, is there a GUI tool, like MUSE? There have been several, several attempts at making those. The only one that survived for more than a year or so is pfSense, which is FreeBSD based, and I think it's basically a PHP shell on top of a lot of other stuff. And, well, people use it. Some people love it. I've been doing some mud wrestling with it when I had to. I still prefer my favorite editor and my pf.conf. So I will not be touching on these things.

Now, automatic conversion. There are tools that claim to do automatic conversion. Some of them are in the FreeBSD ports tree at least. I've seen results, and they look horrible. It's possible that they actually work. I would not vouch for them. In any way, in almost any setting, if you're going from, say, a Cisco firewall or a Linux firewall, whatever, please, for your own sanity, go back to the specification. Write your specification and implement that as your pf.conf. You'll be really happy you did those steps in the future. And probably your old iptables setup has a lot of junk in it that you don't need anymore. And for the next one, well, there are good sources of information elsewhere. As I was flashing to you, you can go buy the book. Now 40% off. Yeah, I was hoping to have physical copies, but this should apply to the paper and ebook versions. And if you buy the paper version, you will get the ebook straight away if you buy it from No Starch.
So now let's get back to our normal. Oops. Yes, okay. That was not this. So now, please, again, if I wander, if this gets boring, or you have a question, please just yell. On OpenBSD it is on. You can check whether it's on or not by doing something like this. Or anyway, let's have a look at what an OpenBSD system looks like. And you can see it's already enabled, which you would expect on OpenBSD. I can try to do that. Yeah, that's a lot better. And I guess we didn't actually have a network here, did we? Now I've got a network. Excellent. Now, meet my own machine. We'll get back to that a little later.

So anyway, on OpenBSD it's already on, and you will be able to tell that it actually is on by running basically any pfctl; -e is enable, -f for whatever file you want to read from. And that's basically it. On FreeBSD, unfortunately, it does not come with a default PF rule set. So you can turn it on by, say, something like, well, pfctl -e, but then it will default to open. You probably want, at least before you reboot, you want to enable these settings. See, my font is not large enough here. pf_enable="YES", and pflog_enable, because you probably want some logging as well. And you will need to create a pf.conf. You can create a zero-byte pf.conf with touch if you like, because if you don't have one, your /etc/rc.d/pf start will actually fail, because there is no pf.conf. Any NetBSD users here? I don't think so. Anyway, they keep going on about NPF anyway.

The simplest rule set, which is fairly close to the default anyway, is pass. Yes, well, anything passes. The good thing about this is that, well, actually this expands to, now, if we see what it expands to, it's pass all and flags, basically; my window is too big again. Sorry, I'll fix that. And then you see all the wonderful, anyway, with the rule set you have, it actually expands to pass all and this flag set, so anything that does not have the proper flags set will be discarded, and new connections will create state.
Now, I used to say that the simplest secure rule set is this one. It's just one word, block, and none shall pass, and, well, if you're secure you can go now. And I got here, yeah, we can actually then, just for the hell of it; I still need to do something about the window size. The thing is, my local display, as you can probably tell already, shows a lot more than you see on that little screen. Sorry about that. Hope it doesn't eat into your lunchtime too much. We're almost there. The block drop all is, what do you need? Do we need the font to be that big? We could possibly go back to something like 16. Is this still readable?

Now, important. Yes, I mentioned earlier, early IPF was written by an Aussie, so everything was upside down. Rule evaluation is: the last matching rule wins. So the sane version of the rule set is you go from the largest, the most restrictive, which is block, and then you pass whatever you want to pass. Now, if you go the Linux way and do a catch-all at the end, well, that's the catch-all you get. In this case, the first version here, you will actually get traffic from that network passed. The other one, reverse it, and you actually end up blocking everything, because anything that matches pass from 192.168.103.0/24 will also match your block all. Quite a lot of people have actually messed that up fairly early on. If you have more than two rules, you will appreciate at some point that you can actually stop processing. Anything that matches this pass quick rule, or for that matter block quick, for that connection the processing stops with a quick rule. So in this case here, you would have a pass quick rule, TCP port ssh to a specific address, and anything else that tries to access the ssh port will just not pass. Be a little cautious about quick rules, because, well, sometimes they mess up your logic. Now of course, from 4.1 onwards we're stateful by default, so, as you probably saw in the loads already, we have keep state and so forth.
One of the reasons we do this is anything that matches an existing state will pass without a rule set lookup. The state table is a fairly efficient data structure; only if a packet does not match a state will it go for a rule set lookup, which is slightly more expensive. A valid connection setup will create a state, and basically it's a sensible default. If you really, really want to be stateless, you can use no state. I don't think I've ever done that, but you can.

Now, even after this fairly short introduction, there will be, within six weeks of attending this tutorial, you will at some point implement a rule set change that locks you out of your system, I guarantee it, and you will insufficiently test a rule set change and boot with an invalid configuration, meaning that you're all open. Now, if this does not happen, please drop me a line by email, because I would like to keep a tally of people who actually managed to not do these things within six weeks of my tutorial. This is not a joke. Please do.

Now, to keep you sane, PF, in addition to the sane rule set syntax, also has a few features that are specifically designed to keep your sanity. One of them is macros. You can name something, say, your network of clients here is the addresses in that network, and you can refer to those named macros later in your rule set. So you've got your clients, and you block everything, but you pass from your clients. Now we can try and see what that looks like, so that's our rule set, and if you try to load that instead, you see the macro is expanded in place, and macros can also be, for example, port ranges, so this one has all this typical port range for the enterprise backup solution, which again expands to, here we have, since we have a port range, not individual ports, this expands to just one rule with the macro here, and a slightly more involved example, we have our list of services.
These names are the same ones from your services file; the names are taken directly from services or maintained separately, I forget, but you will find them in services. So this rule set will expand to, this is when I will regret having the big list here, what you see here is that for each of these members of the list we get a new, it expands to one rule per protocol here, or per list member. Well, this is what actually gets loaded into your configuration, of course. If you've been playing around with this last rule set, well, you really need to test. You always need to test whenever you make a change, and, well, basic things like, well, does the name resolution still work? Should it work? Well, if you're set up to not allow port domain, well, great, it doesn't work. You probably want to ssh to somewhere else; with the rule set we just presented, you could. And okay, this slide is outdated, because we don't have lynx in base anymore, do we? It used to be that we had lynx in base, so we could just fire up lynx and have the OpenBSD.org website load. It's not there anymore, but you should be able to telnet to port 80 or something, check that it actually works, or have a client in your network do something. And anyway, with the rule set we had right before here, all these should work, and connections from anywhere else to your network should not work, except for, in our previous rule set here, we had this magical host called backup server, and that should work. And, yeah, well, we have basically a variation on the same here, where we block and pass for some TCP and UDP services, and, yeah, well, anyway, we want to load your rule set; this is the way to do it, or you can go the way I've been doing with these rule sets here, verbosely, not load, but from the file something, and you get the listing of what's actually loaded, which is my recommendation for actually getting to know what you're playing with. And I think I just messed up my sequence of slides here, because, yeah, well, anyway, you make a change to your
rule set, and unless you've rebooted, you probably have the answer for the last name resolution cached anyway, so try looking up, say, netbsd.org, or, well, if you're really testing and you don't know, if you really want to test whether the name resolution works, try looking up the website of the party you'd never consider voting for, because that's probably not in your cache. Again, go through your rule set, and the important thing is, well, okay, stuff that should work, please test that; stuff that should break, please make sure it breaks, because it's really easy to open doors that shouldn't be open, so please test stuff that should not work. If you've been running for a little while, you probably have something like this, well, pfctl -s info, statistics and info, for general information. The actual display is a bit longer, and this is from quite a while back, when my home gateway did not yet have IP version 6 connectivity, but still there were a few bytes passed on IP version 6. Well, these are neighbor solicitations that go out before the rule set is properly loaded, so it's passed, but then the text were passed and the rest were blocked. In this case, some details have changed since then, so probably on a modern OpenBSD they would all be blocked, or you would probably, if you don't have IP version 6 configured, you probably won't be doing any of this stuff anyway. Yes, but anyway, before we did that change, we had this little stream of IP version 6 packets going out anyway, because, well, neighbor solicitation.

Now, stuff you don't have in FreeBSD, part 1: match. Match turned up in OpenBSD 4.6, and I remember quite a few discussions on whether this would be useful, because you can do everything with block or pass anyway, except, well, your logic sometimes requires that you just match and you do stuff like apply NAT or redirect, or maybe you do some tagging and match on the tag later. There are a number of things you can do with match. OpenBSD has it, FreeBSD does not, and I have a set example, well, let's look at that.
I had actually forgotten about that one, and it looks like this. This baby actually introduces a feature we haven't talked about yet, tables. Let's nat-to these networks, except that one, and let's see what happens when we try to load it. Yes, well, basically the only match rule that was applied here was the nat-to, and for some reason round-robin; that probably means there is more than one address on the external interface, but, yeah, well, that will turn up in practice anyway. Now, a useful tip is, if there are interfaces where you really don't want to do filtering, a little performance: you save processing by just saying skip this interface, set skip on, in this case lo, which is the loopback interface group. You can set it on, you can set all the interface groups or specific interfaces; anyway, it will just mean that, well, no filtering will happen on that interface, so basically no filtering and no processing, which helps, possibly helps performance, and possibly helps your rule set logic a bit.

Now, so far we've been setting up, well, for a single machine, and this used to be, the reason for this slide was a lot of questions and actually pretty much flame wars on why doesn't my rule set work. And the thing is, a single machine, it's fairly, one network interface, and in is anything that comes from somewhere else; of course out is from me to the internet. Now, on a gateway, at least two interfaces, and, well, it's still, you need to, what a lot of people fail to understand was, in means in to the gateway. It doesn't matter if you yourself are sitting on a host in a network behind that gateway, and you're saying in, well, in is the direction; in or out, our directions are relative to your gateway, not whatever you consider internal or external. Now, so that's the reason for this slide. On the gateway you get in from one or several networks, out from me to one or several networks, and you actually have the situation where traffic will pass through you, so, yeah, well, there's always a network behind you. Now, a concrete example, and this is
now this is too tiny, isn't it? A lot of people would end up writing something like the first rule here: pass in inet, for IP version 4, proto tcp on a specific interface from the directly attached network for that interface to the network directly attached to some other interface for some ports and keep state. Yeah, well, that should work, but what does that rule actually do? Well, it does what you say, which is anything in the address range for the directly attached network, traffic matching those ports, will pass to addresses in the other directly attached network. Problem is that you're getting very specific here, because you're passing on that interface; you're only mentioning that interface. Now, anything that's actually connected to that interface in that network, well, it sort of doesn't get there, because this filter is only on that interface. That is, of course, if you have a default to block; if you have default to pass, this won't matter at all. Your next rule here would do the mirror image; you would actually let on the other interface, you see the filtering, the actual filtering logic here is the same, but it's on the other interface. In quite a few contexts you could probably keep your sanity by just saying, well, if you want to pass anything from that network to the other one, or to anywhere, you just roll it into one rule saying, well, my network here to anywhere, these ports, and keep state. Keep state is actually redundant at the moment, and has been for several years, but there is a pitfall in being too specific and tying yourself to a specific interface. Certainly Linux people do that in their first attempts. And then again, you can use your readability features, macros. The interface:network is a fairly useful shorthand for a specific network. You could do something like make a macro called localnets, whatever your internal interface is, and :network for your local, for the directly attached network. Basically you could put anything in there. Yes, actually, yeah, the :network is any
directly connected network, so if your setup is messy enough, yes, that would be. So anyway, for your macro you can be as specific as you like, really; if you need to differentiate, you would just specify different lists, maybe even a table for filtering purposes. Anyway, reiterating, whenever you have a macro you can use it in your filtering criteria, so you have something like in proto tcp from local network, whatever ports, keep state. Yeah, well, for your own sanity, make things as simple for yourself as possible, but there is such a thing as too simple.

Anyway, well, you are setting up a gateway. This is, a lot of people forget this: gatewaying is not on by default in any of the BSDs. You actually need to enable it. I'm just saying a lot of people do not remember to do this, and, well, hilarity ensues on OpenBSD misc and so forth, unless somebody helpful just steps up. And, well, these are sysctls; like, FreeBSD tends to use the rc.conf variables, but under the hood it's actually the same sysctl commands that will be executed. And again, yeah, well, on OpenBSD, and I believe NetBSD, you just edit your sysctl.conf; on FreeBSD you do the other thing in rc.conf. Anyway, the slide's smaller.

Anyway, we have been, OpenBSD has had IP version 6 for a long time, even if some of the developers actually hate this thing. It used to be, of course, in early versions of this class, that I would encounter people who would actually not know what NAT was, but they would talk about internal and external addresses, so this slide came from this. Well, back in the day when I was a young man, computers were room-sized and had lots of users, and there were people who put together networks, and they would say, well, 4 billion addresses is enough for anybody. But it turns out it isn't, like we have stuff like this one, and I believe most of the time I carry at least 4 devices anyway that would need an IP address. So, well, 4 billion is fewer than the number of people, even when IP version 4 was created, so of course we needed
more addresses, and we went to 128-bit instead of 128-bit addresses, and we were supposed to have been IP version 6 only for 20 years by now, by the original plans, but, yeah, well, it didn't quite happen. So we needed a stopgap solution, which is where all the 192.168.something.something addresses come from, because, well, a chunk of non-routable addresses; look up your RFC 1918 and you will have your NAT addresses. IP version 6 is supposed to be seamlessly compatible, or at least you can have dual stack fairly easily. There are issues, but we support it, and again, I don't know how many of you here are IP version 6 natively. Lucky you; I don't, I tunnel. But again, the way we differentiate by the legacy IP version 4 versus the protocol of the future, IP version 6, is fairly simple: inet denotes IP version 4 traffic, inet6 IP version 6, and you can, as the slide here says, you can have totally different sets of rules for your IP version 6 and IP version 4 traffic. You do not have to have a separate configuration or a separate program for it, as you do on Linux; as detailed as you like. And it's worth noting that on dual stack systems, if you do not specify whether it is inet or inet6, your filtering rule will match both address families. And, yeah, in the slide here we have NAT64 address translation; it's fairly ugly, and we'll get into it if we need to. This is again an ancient slide of what my gateway looked like a long while back; yours will be slightly, somewhat different or somewhat similar.

Now, a simple pf.conf for a gateway with NAT. You define your macros for your world-facing interface, external interface, internal interface, and the clue here really is you match outgoing traffic on your external interface, nat-to whatever the address is. All the braces here, parentheses here, is an attempt to compensate for dynamically allocated addresses, so basically it will look up whatever the address of that interface is. If you have an evil ISP that changes your IP address,
the filtering will still work and then again your basic block all and then pass whatever you want to pass and this is pass all anyway from your clients again just to just to repeat again goodies you can't have in free BST match rules you would do something you could do anything with match rules not just NAT you could do something like tag on incoming and use that tag for filtering later in your rule sets one thing to note though is that match rules the action is applied immediately if you have several match rules and a packet matches several match rules the last one well all the actions will be applied so this could lead to interesting situations well tags will be overwritten yes there have been some interesting discussions about that as well there is only place for one tag yeah I heard that already so basically you can tag a number of things but as always match last match wins in this context now for free BST and others this is the we still had NAT as a separate verb doesn't really look that different and again more reiterating really on the list of services we had in the earlier earlier sample here and again we have the also a quick rule rule of evaluation always from top to bottom here we block it first so only the stuff we explicitly say will pass passes and of course we really want these UDP services whatever they are these are name, service and NTP we want these to pass so we have a quick rule here and as in the slide quick means you exit rule of evaluation and basically a matching quick rule is the one that always wins and a useful way to break the logic of your rule set otherwise so again this is the last time I will talk about well you really need to test well this previous rule set well match it to the previous rule set that yes we have name, service, lookups they should work should be able to test as H out and yeah a few other services should work again test test again test stuff that should work but please also test stuff that should not work and make 
sure it does your possible thank you a lot now frequent question is can I put host names the main names not just IP addresses in my pf.com yes but you need to make sure those names resolve when your rule set is loaded and because well if the name does not resolve when your rule set is loaded the rule set is not loaded because it's not valid and you're back to the past all situation which you probably don't want unless of course you're a both beastie where they say default rule set that's loaded in place anyway which is for you to log in and fix your screw ups my recommendation is well you can do a lot of hacks like make sure you get name, service and then load your rule set after certain checks but stuff you really want to if you die hard enough well just put it in your host's file yeah if you have several addresses well the first one yeah you will have that problem so much to decide the future but you well so it's doable but not necessarily recommended now you need to use ftp you want to kill it yes and for the reasons that is probably the reasons it says here in the slide I'm surprised that not more people here actually need to use ftp because so many resources are available only by ftp really? 
there is ftps yes which is runs on a different board and may slide differently we have the point here ftp is of course no protocol it predates tcpip when I was doing the book I just counted the number of RFCs involved in the ftp protocol couldn't be bothered so there's more than 50 RFCs involved and it predates tcpip but again we have the ftp proxy which is actually it gives us the first taste of two features one is one is divert we have the pass rule that diverts to the local address on the specific port the other one is that you need to declare an anchor an anchor is a named sub rule set basically for stuff like the ftp proxy or other applications to dynamically insert their rules in a rule set for maybe even very short lived rules to match whenever the application needs is a useful interface you can populate anchors from the command line with the pf control if you like I have a sample of that but the more common use is you have an application like the ftp proxy that will there are a few others that will insert their own rules in a name rule set named anchor and delete them when they're no longer needed so basically on the yes, nobody uses an open beast that holds with us so it should probably die in this slide but anyway the modern version you put in the anchor and your user's poor souls can use their ftp as they like you will try to dissuade them but here's the free beast version we actually need two anchors one for the net and one for the redirection because in most cases the proxy will need to insert both kinds of rules and again it's a very small number of rules and you have your ftp you shouldn't be doing this now one of the more useful features we have hinted at tables are basically a little more efficient than you could make a list, a macro list of individual IP addresses when you have list items each list item will generate a new rule so tables were invented to be storage for IP addresses like your network addresses like this and you can have a few 
operators operating on these addresses this here negates that one so you have the network except this particular address and you refer to the address sorry the table has one item in a rule so it's a fairly flexible tool for maintaining lists of addresses and pfcontrol lets you manipulate addresses from the command line and you can load from a file for example so it's a fairly useful thing to have for several types of operations we probably will get back to at least one use of those later now it's local time 10.30 5 minute break is there a coffee source near? 5 minute break for coffee
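As an added example, not from the speaker's slides or the book, here is a small OpenBSD pf.conf for a dual-stack NAT gateway that pulls together the pieces discussed above: match with nat-to and the parenthesised interface, tagging on a match rule, quick rules for the UDP services, a table with a negated entry, and the anchor plus divert-to rule that ftp-proxy(8) expects. The interface names, the LAN prefix and the excluded host are constructed for the example.

```conf
# Added example, not the original slide's configuration.
# Interface names and LAN addresses are assumptions for illustration.
ext_if = "em0"              # world-facing interface (assumed name)
int_if = "em1"              # internal LAN interface (assumed name)
localnet = $int_if:network  # expands to the LAN prefix at load time

# Host names would also be accepted here, but they must resolve when the
# rule set is loaded, otherwise the whole file is rejected; addresses only.
udp_services = "{ domain, ntp }"
tcp_services = "{ ssh, domain, http, https }"

# Tables: one item in a rule instead of one generated rule per list entry.
# "!" negates: the whole LAN except one host (constructed address).
table <clients>  { 192.168.1.0/24, !192.168.1.66 }
# Empty table kept across reloads; fill it from the command line, e.g.
#   pfctl -t badhosts -T add 203.0.113.5
#   pfctl -t badhosts -T replace -f /etc/badhosts
table <badhosts> persist

set skip on lo

# Anchor that ftp-proxy(8) populates with short-lived rules, and the
# divert rule that hands LAN ftp control connections to it (8021 is the
# proxy's default listening port).
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp from $localnet to any port ftp \
    divert-to 127.0.0.1 port 8021

# match rules: the action is applied immediately and evaluation continues.
# ($ext_if) in parentheses is looked up at match time, so a changing
# dynamic address does not break the translation.
match out on $ext_if inet from $localnet nat-to ($ext_if)
# A later match rule that also sets a tag would overwrite this one:
# there is room for exactly one tag, last match wins.
match in on $int_if from <clients> tag LANCLIENT

# Block first; only what is explicitly passed below gets through.
block log all
block in quick from <badhosts>

# quick: a matching quick rule ends evaluation and always wins.
pass in  quick on $ext_if inet proto udp to ($ext_if) port $udp_services
pass out quick on $ext_if proto udp to any port $udp_services

# No inet/inet6 keyword: these match both address families on dual stack.
pass in  on $int_if tagged LANCLIENT
pass out on $ext_if proto tcp to any port $tcp_services
pass inet6 proto icmp6
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`; after that, test the services that should work and the ones that should not.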