Okay, sorry about that. I'm sorry about the feedback.

For our next trick, well, these are our blacklists, which you put in your spamd.conf. It's a very straightforward format here. On FreeBSD, it's a package you need to install, and you actually need to, well, read the package message and do what it says. It needs a file descriptor file system for some reason. And, of course, you can tweak things like the spamd flags. With the -G flag, the first number is the minimum number of minutes for retry, the next one is the number of hours a greylist entry lives, and the last one is the number of hours a whitelist entry lives. And this number is a little more than one month, so your monthly password reminders will pass. And you can do a few more evil tricks.

Now, we already mentioned the connections from our real mail servers. And I know that that was broken in 4.7, 4.8, but that's fixed. Actually, one of my clients had a problem with one of these. We fixed that afterwards.

Now, this is basically what it looks like when a spammer is connecting. That address has never been valid, and it's not. Here we managed to waste four seconds, which is quite a few minutes. This is a very old one. Riffing on. Here's another one that lasted for 32 minutes. But after a while, we had somebody actually hang on for 12 hours. So it's at least quite rare. We tried the graphing of how long people hang on, and I just needed to set a roof at about 1,000 seconds because you can't reasonably graph something like 42,000 seconds. Essentially, all the data is anyway 3 to 300. But yeah, so it's a lot of fun to use.

Now, I mentioned invalid addresses. I think we came up with greytrapping. Greytrapping is like an extension of the greylisting technique. And what you do is, like I mentioned earlier, if you have, like, fished out of your reject logs that somebody has tried to send spam to a nonvalid address in your domain, fish that out of your reject log.
And you put that into your spamdb database as a greytrap. So anybody who tries to deliver mail to that address is added to your local blacklist. I guess that's 24 hours. I've been evil to start. Over the years, I have something like 28,000 odd addresses like that fished out of my logs. And I export the resulting blacklist every hour. It's been anything from a couple of hundred to roughly 40,000. But it varies a lot. And the slightly larger list that gets generated in this way is the uatraps list, generated by Bob, who used to work at the University of Alberta. The uatraps are the trapped addresses that are generated there. Typically some tens of thousands of addresses try to deliver junk to non-existent UA addresses. You can supplement your trapping with that. And you're of course welcome to use mine, which is also in the slide.

Yeah, well, several things have happened with spamd over the years. One is you can sync greylists and whitelists between several instances. There's also work going on with bgp-spamd, a slight abuse of BGP to exchange whitelists and blacklists via BGP. I think Peter Hessler is coming here later. Anyway, he had a nice presentation on that last year, I think. So it's possible to participate in that network.

Now, if you, well, your boss's boyfriend will probably not want to be bogged down by spamd, and people who do not correspond with you very often, or that probably matters, the Google problem, as we used to call it. Yes, they retry, but they have a large farm of outgoing MXes and they do not retry from the same address. That can lead to problems if you're small enough. If you're big enough, you'll probably have these mail servers in your automatically regenerating whitelists anyway. For the rest of us, spamd, no spamd, basically do not expose those addresses to spamd. Yeah, so basically spamd. spamd is a lot of fun, easy to set up, costs you basically nothing.
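The greytrapping workflow just described (fish unknown recipients in your own domain out of the reject log, feed them to spamdb as traps, export the TRAPPED hosts as a blacklist every hour), written up as an added shell example that is not from the talk or the speaker's own scripts. The log lines, the spamdb output and the domain example.com are constructed; the reject-log format is an assumption you adjust to what your MTA really writes.

```shell
#!/bin/sh
# Added example, not from the talk: the greytrapping workflow as small shell
# functions. All log lines and spamdb output below are constructed.

# Our own domain (an assumption for the constructed data).
OUR_DOMAIN="example.com"

# Constructed reject-log lines imitating a "User unknown" rejection. Adjust the
# sed pattern in harvest_traps to the line format your MTA logs.
SAMPLE_LOG='Mar  3 09:12:44 gw smtpd[1234]: reject=550 5.1.1 <nobody-here@example.com>... User unknown
Mar  3 09:13:02 gw smtpd[1234]: reject=550 5.1.1 <Sales2011@EXAMPLE.COM>... User unknown
Mar  3 09:13:40 gw smtpd[1234]: reject=550 5.1.1 <victim@other.example>... User unknown
Mar  3 09:14:01 gw smtpd[1234]: accept=250 2.0.0 <real.user@example.com> ok'

# Constructed spamdb output: TRAPPED|address|expiry, next to the GREY and WHITE
# lines a real database also contains. One host was trapped twice.
SAMPLE_SPAMDB='WHITE|192.0.2.10|||1425370000|1425370100|1428480000|4|5
TRAPPED|198.51.100.7|1425456000
GREY|203.0.113.9|mail.example.net|<a@b.example>|<nobody-here@example.com>|1425369700|1425371200|1425384000|1|0
TRAPPED|198.51.100.7|1425456000
TRAPPED|203.0.113.50|1425457000'

# harvest_traps: read reject-log lines on stdin, print the lower-cased, unique
# recipient addresses in our domain that were rejected as unknown users.
# Rejections for other people's domains are deliberately left alone.
harvest_traps() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' \
      | sed -n "s/.*reject=550[^<]*<\([^<>@]*@$domain\)>.* user unknown.*/\1/p" \
      | sort -u
}

# trap_commands: turn harvested addresses into spamdb invocations for review.
# Nothing is executed here; pipe the output to sh only after reading it.
trap_commands() {
    harvest_traps "$1" | sed 's/.*/spamdb -T -a "&"/'
}

# export_trapped: read spamdb output on stdin, print the unique TRAPPED hosts
# one per line, which is the shape a spamd.conf "file" blacklist expects.
# Run this hourly from cron and point spamd.conf at the resulting file.
export_trapped() {
    awk -F'|' '$1 == "TRAPPED" { print $2 }' | sort -u
}

# Stand-alone demonstration on the constructed data.
printf '%s\n' "$SAMPLE_LOG" | trap_commands "$OUR_DOMAIN"
printf '%s\n' "$SAMPLE_SPAMDB" | export_trapped
```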
We'll save electricity and, yeah, I've blogged a bit about it at various times, so look up my blog if you're interested. There are also graphs somewhere in here with typically how long they hang on and so forth.

Next up, what's your suggestion? We have lunch at 1:15, so we have one and a half, two hours to spend. Well, one thing you could do, it really depends on what your requirements are. You could do things like, well, say you have logical groups of rules that apply to this interface or that interface; you could chuck them into separate anchors, or just use include files; that's one possibility. Then again, there is no silver bullet, really, but you need to go back to the specification, your requirements, to see where you can optimize. There are tricks like, well, you could do something like this, where you have a set of rules that only apply to a certain interface like this one. You lump them together under common criteria like this. It's one way of grouping them anyway. Again, if you're starting from the 2000-rule set, you probably have quite complex criteria to start with. Again, look for logical groupings, things like that. We would really need to look into your specific configuration to see whether it's something we can optimize. Well, it's hard to say something in general. Well, the optimizer would be, well, anything else.

Are you on OpenBSD or FreeBSD? Yeah, yeah, sorry. Well, there is no table like that one for ports. You could, well, port ranges are not expanded or actually included in the rules. You could use port ranges, but if your other criteria are equal, you use port ranges like that; that's possible. Again, that would be a port range from-to, larger than, smaller than, and not equal to. You might compress your rules with something like port ranges, but I would need to look at yours to see what's possible. Again, it's always useful to load verbosely to see what actually gets loaded.
And once you start debugging, you probably want to, well, I forget what I put in the slides here. It's definitely in the book that for debugging purposes, you can have a log (matches) rule. So: match, criteria, whatever, say your test hosts, log (matches). What that does is it will log whichever rules in the rule set are matched by the traffic that matches your log (matches) rule. It becomes fairly interesting in case it's, well, 2000 rules and you don't know which one is matching. Well, log (matches) is your friend. Well, again, your 2000 rules probably came from, well, hopefully came from a specification. Yeah. So, well, port ranges is one thing. And as Henning said, please optimize for readability; performance is something that we're taking care of anyway.

So now, what's next? We've got one, one and a half hours and I think still too many slides. So what do you want to hear about? Well, there are several ways. One would be pfctl -sr, which will dump your rule set with all these counters in place. Yeah. Well, this would be an extremely simple rule set for this laptop. Yeah, it will look something like this, where you have the number of packets; oh, yeah, well, this is the default rule set, where you have a number of evaluations, packets passed, bytes passed, and a number of active states. Which is surprising. Practically passing a laptop. But then again, in your slightly longer rule set, each rule will expand like this. If you go to just one v, you will just get, yeah, this is just the rule set. There used to be this difference in the, yeah. So anyway, pfctl -sr will give you what you want. The other way, if there are specific rules you want to keep track of, there are the rule labels.
So you say: specific traffic you want to keep track of, but not others. Well, anything like this. This example here, two others, from whatever the email server is. And you would, well, again, pfctl -sr would give you the output, but you can also do something like pfctl -vsl, which dumps the data for the labels. And this is, you know, if you want to script it and feed it to your database or whatever, this is what you want to do. And so, yeah, I guess that's roughly the answer to the question.

You know, there used to be pftop; there's also actually, on OpenBSD, there's systat rules, or systat states, and I think it used to be systat on the state table on this laptop. Yeah. So, let's see if we can fit it in here. Yeah, okay. So, this is a live view, updated every second or so, of your state table. This is what pftop does on other operating systems. systat has a number of other views that are interesting as well. This is the, no, anyway, systat on OpenBSD is a lot more powerful than on FreeBSD.

Now, again, if you want to track all the traffic, you probably want something like pflow; you want OpenBSD 4.5 or newer. I forgot to check whether pflow actually made it into FreeBSD; I don't think so. Yeah, so, yeah. But anyway, let me get on. But anyway, pflow: one of the good things that came out of Cisco was the NetFlow specification. Basically, what you record about your traffic is, well, any connection consists of two flows, one in each direction. Each one has a certain destination address, start time, number of bytes, number of packets, protocol; record that, and so you have all the interesting data about a connection, the metadata, in what is it, 100 and maybe 200 bytes. So, basically, what you want to know is the metadata.
This is a very, very cheap way of recording it. And there are a number of, well, you set up a sensor like this, where you can, again, if there are only specific rules that interest you, you set up the export, or record the data in the pflow format, or if you want to set up a state default, you can do that. Again, this is probably not in FreeBSD yet. And, well, before you actually get to recording the thing, you need to create and configure the pflow interface. And what it needs is a source and where to send the data, which is where your collector is. There are a number of collectors. My favorite, I believe, is nfsen; based on nfdump, nfsen is basically packaged: install nfsen, read the README, and within minutes you have nice graphs of your pflow data. And you can drill down. So that's another very, very nice interface for learning what your network actually does. Yeah, I'll get this. Yeah. If you want to look into NetFlow in general, Michael Lucas has a very nice book called Network Flow Analysis. I think he was not aware of nfsen when he wrote it, because he wrote the book about the flow-tools, which is a very useful book. Michael writes great books, so please buy all of them. Well, for FreeBSD, probably, there are several NetFlow collectors. pfflowd, written by Damien Miller, is a fairly useful one, which will, yeah, it will do what you want if you don't have pflow.

Yes, what's the next thing we riff off? Do we go back to the menu? I was thinking, can we have traffic shaping? Well, in general, CARP doesn't do much damage to you inside, but there are things to be aware of. To the extent that traffic originates at the CARP hosts, it will have the source address of that host, probably not the CARP interface. That's a thing to keep in mind. But again, whenever the CARP interface bounces between the hosts, well, that would typically be that the CARP interface address is something like your default gateway for other hosts.
Again, keep in mind that the rule set probably needs to pass, or at least free, traffic that has the host address appropriately. Stuff like CARP announcements will go out with the real address, not the virtual one. But for your general purpose traffic, well, CARP is intended to be as invisible as possible. So, well, you need to compensate for the fact that you will probably have more addresses involved in the source information of traffic involving your CARP hosts. So, you may need to work that into a rule set, say, well, of course, something like the first rule for your actual CARP traffic to pass, and you may want to include even, say, a table or list of addresses that should be able to pass CARP traffic. Other than that, there is, well, take care that CARP and pfsync actually pass. Other than that, it should be almost invisible. You probably have more stories that are better in mind. So, well, again, stuff like, as you're probably aware, there is traffic that's not really useful to sync across, like in this example, SSH to the specific host; well, the context gets lost when it's failed over anyway, so there's stuff you can just throw away. Again, for best practice purposes, well, your group of CARP hosts will hopefully be identical, hardware-wise and otherwise. You might actually do workarounds with interface groups, to filter on the interface groups and get away with physically non-identical CARP hosts. That's a valid trick. If you really can't get identical boxes, interface groups are your friend. That's probably the problem.

Yes, they're our friend anyway, so filtering on interface groups. You set them up with ifconfig. That's something like this. ifconfig, you know, and I believe it originated in OpenBSD, I believe it made it to FreeBSD, I'm sure it did; extremely useful. As Henning says here, it's possible to have a group with only one member.
If you take a look at your ifconfig output, at least on OpenBSD, you will have something like, yes, my wireless interface is in the wlan group. This one has my default route, so it's in the egress group. There are a few default groups, like, well, the pflog interface has the pflog group, but you can define your own, and you can have an arbitrary number of interfaces in them, as long as they have something in common. Which is actually, in a number of man-page examples, as well as I believe some in my presentation or in the book, is that you typically filter on egress, which makes sense: your default route interface, which is probably, if you're a firewall, that's probably the interesting, at least one of the interesting places in the country. So that's probably the best tip you'll get.

Now for the practical traffic-shaping thing, if you're interested, an experiment of less than 15 years was ALTQ. It came out of a research paper, well, it's a late 90s research paper, and it was a good paper. And basically they were exploring how to shape traffic, and they came up with a number of algorithms, not all of them were ever implemented, but somewhere in the old world of ALTQ, we had basically three of them. Henning here started replacing that, because the experiment was over at one point. Yeah, so... So, but anyway, the teaser was in OpenBSD 5.0, where, I guess I'm getting ahead of myself a little, but if you know, you can... The basic, always-on priorities were in OpenBSD, where priorities 0 through 7 are in general, default to a sensible value of 3, but you can tweak them. And what you could, with a rule that matches specific traffic, you can set two different priorities, basically to get your ACKs transferred. So your actual data doesn't need to wait quite as long as it needs to be, first in, first out. On low bandwidth or high latency links, this helps you a lot, because by default in queueing, well, if there is no queueing enabled, everything has to wait in line, first in, first out.
The thing is, the way TCP works is, well, you just keep sending, but you will expect an ACK back saying, yeah, we've actually seen this stuff. Otherwise, it will resend, and that will clog up your dial-up line fairly quickly. So, there was this trick that was described in a nice little article by Daniel Hartmeier, who used to be the main pf developer, where he used ALTQ just to set up a system of two priority queues, one with the high priority, one with the default priority, and basically the ACKs, which are low delay priority, will skip ahead, and you can tweak those a little. But basically just adding something like this, match out on egress, set the two priorities, you will, on a low bandwidth link, you probably won't see a difference. The two values are for, well, your bulk traffic and your higher priority traffic; the TOS lowdelay will be the same as the higher priority queue.

Now, this is the syntax for the new queue: the queue name on some interface, bandwidth with a number, which is, well, actually I should say a number, and optionally K, M or G for kilobits, megabits, or gigabits, because the raw number is bits, just bits. So, that's the main queue; your queues that are actually allocated traffic will be sub-queues that name their parent, and of course they receive, in most cases they receive a defined amount of bandwidth, and one of them needs to be the default. Moving on to a relatively simple, yes, okay. Now, of course, what's your usable bandwidth? Well, ask your ISP. There is always an overhead, and in, well, in your normal Ethernet that's probably in the single digit percentage; some ADSL implementations can steal something like 20% if you will.
If you get unpredictable results, well, you probably set your interface bandwidth too high, and in a typical setup, your egress interface will probably be something like a gigabit, but it's quite likely that it's not actually on a gigabit bandwidth, but it will still report it has a gigabit, so this is where you set your bandwidth to what you believe is correct. If you set it too high, you will get strange results, but you might need to tune it. And anyway, what a lot of people forget is that, wherever your queue is, you can only shape relative to the lowest bandwidth in the same path. So basically, if you flood too much, well, packets will get dropped anyway. So that's the basic truth of traffic shaping: sooner or later you will start dropping packets.

So we're going to get into a fixed bandwidth example. You have a, it could equally have said egress here, you probably only have one default route interface, with a bandwidth of 20 megabits. Actually, this is something I used on my home gateway at some point. So, you know, the default queue with defined bandwidth, FTP was once a favorite protocol, UDP, various, and something for web, something for SSH. For SSH, we do the variation of the priorities trick here with one queue, it's called interactive, and one queue called bulk. Now the assignment here is using pass rules. But again, if you're not already shaping, and you're running off of these, you probably just tack a few match rules for the queue assignments on top of your rule set. Because you probably have filtering in place and editing all your filtering rules gets old fast. So if you already have a rule set in place and you want to do shaping with match rules, there's something like this. On the slightly more involved example, yes, this is probably the more interesting thing, this is what HFSC looks like in real life. You have the root queue here, and one that is the parent of several others.
It has a fairly flexible allocation here that gets suballocated to the queues that have a guaranteed minimum and maximum. And perhaps the more interesting thing here is, for these queues, we have also a low bandwidth, but you can have burst activity for 3,000 milliseconds here. It can be allocated this much. And of course, we always get back to spamd, where we get one, just to make it a little more bearable for our spammers. Only one K allocated, minimum zero, and a queue limit. Basically, you can backlog up to the packet limit here, which is the max, I think. The problem with these small allocations is that you might actually end up giving them more, because you're getting into conflict with the resolution of the timer that actually measures this. So let me again assign whatever traffic you have with the match rules. And you'll be good. You should be able to watch your queues live with systat queues.

Now, I'm wondering if I can get into my... Yes, this is what it looks like. You can see that, as you can see, that's the exact configuration from those lines on my home gateway here, where we have... We're not nice to spammers. And you can see the other one. Looks like my daughter has been surfing the web a lot lately. So it's either her or the cats. This is a live systat. You can get something like this. It's a beautiful version. It's sort of refreshed every couple of seconds. And we really would want a little more display, to have it displayed properly.

Now, converting from ALTQ to... Yeah, this is converting to the new queue from the old school. Well, in OpenBSD 5.5, you still have the option of running ALTQ. oldqueue is a little sad. That's probably because you're German. ALTQ became oldqueue. Anyway, if you have an existing ALTQ setup, that's something like this. You will be able to, with a very quick search and replace, make this work on OpenBSD 5.5 as well. Otherwise this will just not load on OpenBSD 5.5.
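An added pf.conf example, not from the talk or the speaker's home gateway, that puts the pieces discussed above together in the OpenBSD 5.5 queue syntax: a root queue on a 20 Mbit egress, sub-queues with guaranteed minimum, burst, and the starved spamd queue, assignment by match rules on top of an existing rule set, and the two-priority ACK trick. The interface em0, the bandwidth split and the port lists are assumptions.

```pf
# Added example (not from the talk): OpenBSD 5.5 queueing on a 20 Mbit link.
# em0 and all bandwidth figures are assumptions; set the root bandwidth to what
# your ISP actually delivers, not the gigabit the NIC reports.
ext_if = "em0"

# The root queue is the parent; bandwidth is in bits unless suffixed K/M/G.
queue rootq on $ext_if bandwidth 20M
    queue std parent rootq bandwidth 4M default
    queue interactive parent rootq bandwidth 2M min 1M
    # Low base allocation, but allowed to burst for 3000 ms.
    queue web parent rootq bandwidth 8M burst 16M for 3000ms
    queue bulk parent rootq bandwidth 5M
    # Spammers: 1K, no guaranteed minimum, and a queue limit so their packets
    # pile up instead of going anywhere.
    queue spamd parent rootq bandwidth 1K min 0K max 1K qlimit 300

# Assign traffic with match rules so the existing pass/block rules stay as they
# are. In "(bulk, interactive)" the second queue takes the ACKs and lowdelay
# packets of SSH, so a bulk scp does not stall interactive typing.
match out on $ext_if proto tcp to port { 80 443 } set queue web
match out on $ext_if proto tcp to port 22 set queue (bulk, interactive)
match out on $ext_if proto udp set queue bulk

# The always-on priority trick: bulk data at 3, ACKs and lowdelay packets at 6.
match out on $ext_if set prio (3, 6)

# Connections handed to spamd go into the starved queue; divert-to assumes
# spamd listens on its default port on localhost.
pass in on $ext_if proto tcp to port smtp divert-to 127.0.0.1 port spamd set queue spamd
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and watch the queues fill with `systat queues`.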
But you only have the one release to make the adjustment to the new one, because somebody in this room was too lazy to maintain two code bases. But anyway, ALTQ is gone in 5.6. And, yes, as I said on the slide, OpenBSD 5.5 will stay supported for another 6 months. 5.5 will stay supported until 5.7 is out. So, yes, you have another 6 months, roughly, or 7.5. After that, well, you're on your own with ALTQ on OpenBSD. Basically, you will want to convert; the new syntax is more readable. And, well, you can go by the oldqueue trick, I did that experimentally, but in a few cases. Anyway, the new queue is so much more readable, you will want to convert. Unfortunately, FreeBSD people don't have that option yet. I'm not sure whose arms we need to twist.

Now, for our next tricks. Well, I'll do the... I'm going to call it right after and want to connect from whatever line, for example, and make the time delay from like a... Well, dropping packets, as you could do, will pass or drop with probability. It's fairly easy. Of course, well, squeezing bandwidth, well, you have traffic shaping in place. Latency, we don't have a trick for latency. And it would take some effort to create. I love it. So, I think dummynet has that on FreeBSD, right? dummynet has that on FreeBSD, right? For latency simulation. Yeah, so... So, I think for dropping packets, well, what I showed is the evil trick of passing or dropping with probability. So, latency, we haven't really played with. It would be... There might be evil ways to do it. Yes. Yes. Divert to some userland daemon that does its evil tricks and diverts back. That might work. Well, then you would need to supply the delay. Yeah, so, basically, use divert into userland to do whatever evil tricks you want. That would work. But, again, it's a bit of work to actually write that daemon. But it might be an interesting project. Yeah, well, for example... NXAD, yes.
So, we've gotten through an amazing amount of material already. Now, we might want to... Let's say, actually, a non-interactive shell. We can take a look at that. What you do is you create users with authpf as their shell. And what happens, well, the way you use it is the user SSHes in and whatever is defined for that user or that group of users gets loaded. So, basically, you supply the rules for that configuration. So, yeah, in your basics, you would need to, well, you need a table that has to have the name authpf_users, for the authenticated users. You also need to have the anchor where authpf inserts the rules. And, well, from there, well, the sky's the limit, really. Something like, well, if you want something to apply to everybody, you put it in the general authpf.rules file, something like this, well, anything, which would mean anybody who had authenticated, or any IP address belonging to a user who authenticated, would have traffic pass to your UDP services, or whatever these macros stand for. This is a basic example. You could use something... Well, if you want to differentiate for different users, you would have something like this, where you reference the user_ip variable instead. A variation on your basic... No, authpf inserts in the authpf anchor, but you would need to write the rules for whatever users you... It would be the IP address, that is, the IP address that the user authenticated from. So if that's a NAT address for a large network, well, you may have a separate problem. Yeah, you authenticated from there. So... Let's see what we have here. Yeah, well, you have something like this, a user named Peter who should be severely limited here. Basically, this is... Let's actually take it from the home network as well, which is... This user is allowed to contact the web interface of our music server. Not much else. And the other one, well, anyone who comes from an OpenBSD...
OpenBSD machine is basically allowed to do anything. You should be nice to OpenBSD users. Well, I haven't actually tried to fool the OS identification. It's supposed to be fairly solid, but it would take a relatively smart attacker to exploit that.

There is a favorite example of one who... Another use of the... Well, here's an example for somebody who actually ran old Swarch, Merlin. In the early days of PF and ALTQ, he used this one for... During one of the bar's storms, well, most of the crap came from Windows machines. He set up his ALTQ with something or other, and a minimal queue for, let's say, mail from Windows machines, and anything that came from Windows machines to port 25 would be assigned to that queue. I can't believe I didn't see this earlier. It made a huge difference in the load, so it's usable for that moment. I think this possibly predates spamd and the useful configuration. No, actually not. Yeah. But anyway, he may not have been aware of spamd, realistically, but you can... It's fairly reliable as long as you don't get too... Nobody gets too smart at the other end of the OS detection. And you can use it.

In some ways, such as these, we had an example of... Well, here we go. ...a first-party example for actually kind of the mindset of his home gateway. Well, it's a totally open network, but anyone who has not... basically anyone who is not authenticated and tries to access the web will be redirected to a web server that says, well, you tried to use my network, but I don't know you. Contact me. So, and in principle, these timelines or so, configuration, on that web server, you could conceivably put something that accepts credit cards. So it's basically your... the start of the captive portal here. So, and your... that's all the other... useful things.

I appreciate your touch on the troubleshooting network. I've seen several networks recently where I was not able to...
to ping back home to check for latency. Probably comes from the... well, I think in 1994, 1995, the ping of death, a malformed ping packet with too big a payload, would essentially kill the TCP/IP stacks of several well-known operating systems. Those bugs were fixed, but the early advisories said, well, turn off... Well, do not pass ICMP. The problem is that ICMP... Yeah. So... let me get... some of these rules are... well... if you want ping to work and a number of other things to work, you probably want to pass at least some ICMP. Now, there have been situations where I could not put that rule in there because, well, this reveals too much about your... could potentially reveal too much about the structure of your internal network. So... you do something like... well, limit... put some kinds of limit on it. For example, you will define a number of ICMP packet types to be allowed to leave your network from the local network, and you will allow here certain ICMP types to your egress interface. That's a limit somewhere, and they were happy that, well, it will sort of work. And again, for ping to work, echoreq is the one you need. And again, your pass rule will stay the same, even if you expand the macro for traceroute. The venerable traceroute actually uses UDP on at least some Unixes or... several other modern operating systems, including, I think, recent Unixes, use ICMP echo and Microsoft left-wing values. You can specify a few things to traceroute. And again, one of the reasons why you do not want to block ICMP is path MTU discovery. Well, send off your packets, well, whatever size within your local links; if that, for some reason, is too big somewhere on the route, along the way, you will get the answer: an ICMP reply, which is destination unreachable, fragmentation needed, don't fragment flag set. Okay, so you...
for that connection, you will adjust the MTU. This will not happen at all, of course, if you block ICMP like the people who are scared by the thing of that. Yeah. Yeah. So, yeah, well, if you keep state, most of it will make it back. And, well, you could do something like this to make sure everything actually passes. Traffic will make it back on your keep state, anyway.

Now, ICMP6, for IP version 6, they no longer have ARP. So, a lot of stuff passes over ICMP6 that is important for stuff like IP version 6 auto-configuration, finding out where your router is, and stuff... oh, so, if you're on a reasonably sized IP version 6 network, you probably want to at least be aware that you may need to pass certain types of ICMP6 through the gateways. You may or may not. Well, please look into it, as it really depends on your local configuration and whatever you want to do with it. Some of these have turned up in the wild as quite useful. But again, you can, by handing him a beer, and he will tell you why IP version 6 is broken, anyway.

So... So, how are we for... another half hour to go? What do we do? Yeah, well, we can actually... Wi-Fi is... Wi-Fi support isn't that hot anymore. We don't have AC. We don't have N. It's a little... But anyway, historically, there was this... one problem with wireless, of course, is that, well, anybody can snoop you in principle. It goes out over the air waves and, well, so, to make it a little more... try some privacy. They tried for, well, WEP. What they call wired equivalent privacy. And that always reminds me of your plastic pal who's fun to be with. Well, and... well... Yeah?
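The limited ICMP passing discussed above (echoreq for ping, unreach for path MTU discovery, and the ICMP6 neighbor and router discovery that replaces ARP), as an added pf.conf example that is not from the talk or the speaker's own configuration. The interface group egress is real; the LAN macro $int_if with em1 is an assumption.

```pf
# Added example (not from the talk): pass the ICMP that ping, traceroute and
# path MTU discovery need, without opening ICMP wholesale. em1 is an assumption.
int_if = "em1"

# echoreq is what ping needs; unreach carries "fragmentation needed, DF set",
# without which PMTUD silently fails; timex is what traceroute relies on.
icmp_types = "{ echoreq, unreach, timex }"

# Let the local network send these out; the replies come back via state.
pass in on $int_if inet proto icmp icmp-type $icmp_types
pass out on egress inet proto icmp icmp-type $icmp_types

# On the Internet-facing side only answer pings and accept PMTUD feedback.
# ICMP errors that belong to an existing state are already let through by
# state tracking; this rule covers the rest.
pass in on egress inet proto icmp icmp-type { echoreq, unreach }

# IPv6 has no ARP: neighbor and router discovery ride on ICMP6 and must pass
# on the link, next to echo and the error types (toobig is PMTUD for v6).
pass inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv }
pass inet6 proto icmp6 icmp6-type { echoreq, echorep, unreach, toobig, timex, paramprob }
```

Which ICMP6 types a given network actually needs depends on its configuration, as the talk says; this is a starting point to narrow down, not a fixed list.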
Yes, because anyone who can... Well, better assume that you... well, if your wireless is exposed enough, people can tap them. Yes. So... Yeah, so basically you probably need some... That's true. Use proper protocols, and that will probably do a lot more for your security.

But anyway, the... Well, the point is that WEP was broken fairly quickly, because, well, they didn't actually have any cryptographers on their design committee. They found somebody who actually knew crypto for WPA. But WPA was so over-engineered that it actually took several years for it to arrive in several free operating systems. The only... well... The site which is run by a University of Bergen professor has a few good presentations about wireless security. I tend to just refer to that.

But anyway, setting up on OpenBSD at least, you know, is simple. Simple like this. You check that your card is actually recognized. And then you set it up like any other interface. Well, here we have a... Well, I forget why it was 11b, probably just to demonstrate that we can actually be this specific. In the last few years it's been so that you not only really specify the media; mediaopt hostap, which makes this an access point; skip the mode because it's not interesting; you may want to specify a channel; and this is a WEP setup: you need a network ID, and nwkey means it's a WEP setup. And again, you configure it like any other interface. Now you've got an access point.

On FreeBSD it's a little more involved, because, well, at some point, I forget which version, but there was a push to virtualize the wireless stack in FreeBSD, and it led to several interesting consequences. So this is what I had to do to set up a FreeBSD access point at one point. Well, you make sure the driver for your wireless card is actually loaded, and you have the several other modules that also need to be loaded by your loader.conf, so you just won't get anywhere otherwise.
And then, in addition to whatever you put in your... I found the easiest way to configure a FreeBSD access point was to skip the rc.conf, or, well, this would normally be something you could put in your rc.conf, but for whatever reason I couldn't get it to work until I isolated it into the start_if.<interface name> file. I still haven't got a good explanation of why, but that's what worked for me, so that's what I put in the presentation here. Again, you have the create args for the physical interface, you create the virtual interface, you set up the physical interface, and the two come together to create an interface that you can actually configure, or something. Again, we probably didn't need to specify the mode here, but you can. And after that it gets... well, if you want WPA there is no way on FreeBSD to avoid hostapd, which is kind of bizarre. But this is what it looks like: the physical interface is created roughly the same, but you need the stanza in your rc.conf to enable hostapd, because it won't start otherwise, and you need to put a lot of goo in your hostapd.conf. This is the minimal configuration I managed to get working. hostapd will be able, with a bit of prodding, to actually play with most of the WPA options, and I must admit that after getting this to work I was so sick of it I just put this in the book and in the slides. So this will work. If you want to do something else, well, first start hostapd and it will load, and you can play with a number of other options. I think actually the sample hostapd.conf is not bad documentation, it's just really, really confusing. So basically that's how to get started on FreeBSD. And then again, WPA... oh, this is WPA on OpenBSD, right: one line. This is, well, if you want the more advanced options you will need to install the package called wpa_supplicant, which is, well... I'm a little sick of it, so yes, it is possible. Now again, it's fairly straightforward as long as you're on OpenBSD, and
of course, what happens to your little setup? In most cases, well, in some cases your access point will simply be, well, it will be talking to your network of wireless clients and whatever your upstream is. In that case, well, hang on, you configure it like any other gateway for a firewalled network. In some cases you have made a very bad decision and added a wireless interface to something that's already the gateway for a wired network, and in that case, well, you will need to do something like, well, rules that also apply to the wireless interface. It's created like any other interface, and again, whatever policy you have, it's useful to do something like, well, define a macro for it, or even include that interface in a relevant interface group, anything to make your config more readable. And of course, PF was originally written to tame wireless networks, so that's why this is the next slide in the presentation. Here we have... for any wireless networks, once you get past the... they can be a real hassle to configure properly, depending on whether, for example, well, WPA can be a real bitch to configure properly, and you will find out fairly quickly whether your operating system's developers have paid attention to all the needs of your device. Sometimes there have been shouting matches, and do we have anybody working specifically on, concentrating on, why these things... down and left. So yeah, so that's kind of sort of the point, really, because I used to build these access points and I could administer them remotely and everybody was happy, but then, yeah, crap happens. So we're still thinking... I think we've got something like half an hour to go. Any requests? Any questions? I could go to the... well, if there are no requests we could break if you want, or I could do the... yeah, well, please, any questions? You probably have notes already, so you know roughly what the menu is, or we can improvise something. We haven't really covered logging. That's probably one
of the required things, you know. PF logs, minor... basically by copying packets and exporting them to the pflog interface, and on modern operating systems it's possible to have several pflog interfaces, so you can do something like we do in this slide here. I really need to do something about those font sizes, sorry. Anyway, what you do is, you can make a log of both pass and block and match packets, but most of my examples here have pass log, match log. In this case we also specify that we log to a specific pflog interface. Typically you would... the way to read whatever PF logs to a pflog interface is, you read it into clear text by a tcpdump, something like this command line here, which gives you reasonable resolution on your times, and it also gives you the crucial information: which rules matched. For debugging your rule set, you really... well, you can do a straight tcpdump on your interface and see whatever passes there, but if you want to debug the rule set, well, whatever passed here, the second line here, matched rule 27, which you will find out what it is by pfctl -vsr. So you want this information for debugging purposes, and of course, well, tcpdump is your friend, really. If you haven't read the man page and are at all involved in network administration (and I assume you are, if you keep a watch), or if you haven't spent some time with tcpdump already, please read the man page. It's actually quite usable. I've been trying to talk Michael Lucas into writing a tcpdump Mastery book. I have been thinking about that as the other option, but that's a lot more work and I don't get to heckle Michael for it. So yeah, well, tcpdump Mastery might be a project when some of the coverage from the present point... yeah, well, another possible book I wanted to write was Saint Enail the OpenBSD, which is halfway written anyway. So now what you get is, yes, well, again, as we mentioned earlier, once you read off the pflog interface you will get useful information like which rule actually matched. You really want
that information if something is happening but you don't know why. That is, I would have something like this. Now, this one, where you set up something like this: match log (matches). We mentioned this earlier. In practice you would probably be a lot more specific, match on, say, traffic from a specific host like the laptop you're testing with. And what this does is, well, it matches in one match on the... in by... that's probably this rule. Okay, we match our match rule, but it also matches something that blocks, for whatever reason, but it's passed anyway because it matches a different pass rule, and finally the packet will eventually pass out on the external interface. Yes, okay, yeah, I need to revise this slide. Yeah, well, tcpdump Mastery, or tcpdump is your friend, yes. But anyway, this is functionality that's only... and recent. match log (matches) was added a couple of releases back. I thought it was more recent, okay, so it came in, you know... but anyway, for debugging purposes this is pure gold. So, as you correctly observed, the source address changes, as it will in networks with NAT. So yeah, all right, yeah, well, it's actually been seven or eight releases. So basically, match log (matches) is a really powerful PF tool in your tool set. Sorry, but we need to tackle somebody to actually get that problem... another thing, a common request is, do we pipe this to syslog? Can we?
Yes, we can. Something like: either you just say pflog to /dev/null, or you just kill pflogd, I'm not sure which is the more useful one. Anyway, what you could do is set up your syslog.conf to actually receive something and, in this example, send it somewhere else. And the magic, all the magic, is here, where, you know, the tcpdump actually reads the pflog interface, feeds it to logger and tags it with a pf tag. Now, as you can probably imagine, this might generate a lot of data, so I'm not recommending you do this, but if you need to do it, this is the way to do it. To increase the performance of the syslog, set that up separately. Well, it will generate a lot of traffic. It's possible it will generate a lot of data; it will go to your local hard disk or over the network to your loghost, so depending on how... well, it might actually be enough to affect the performance if your network is busy enough. But if you really only want to know what your network is doing, metadata is okay. Well, people... this one, but if you really only want the metadata, you do not actually want the payload. People only need the connection, so the beginning. So with something like this, every connection will generate megabytes of data, whatever, really, however much you log. With pflow it's on the order of, I think, about 200 bytes per connection. That could be wrong, but it's not a lot more. So it will definitely take you further. And I think they'll only cover... yeah, labels. And of course you could, well, for your purposes, if you're metering people for bandwidth billing you would possibly use something like this for the label, or you could probably also, well, you could usefully read that out of pflow as well. So yes, there are a number of strange ways to generate your label names, but anyway, the labels are generated at the start of the rule set load, so some of these variables are a little
less interesting than they actually seem. And yes, here we have again just the states that we looked at. Yeah, that's another one. And of course, if you really want to look at, again, nice graphs for your bosses, pfstat. It was broken briefly after the new queue, but it works again. And yeah, you can tell this is an old slide by the date here, but it's basically: install the package, the example config file is actually quite usable, and you just look around and pick your colors. Yeah, it works. Well, logging is definitely one of the issues we're looking into, and I might actually come back to this... as a friend, I haven't... yes, a lot of things have happened recently. Do we have... back to the propaganda: the transition from the old queue to priorities and queues, and yes, this is basically it. Anyone else want coffee? If that's it, we're going to... one last question from this side. If you enjoy this session, the best way to support OpenBSD is to send them money. You can get some items back, such as CD sets, t-shirts. Distribution is changing, so the old site may or may not be sold out; there will be a new one. Yeah, but anyway, Austin is retiring, and his service for... yeah, something like that. So Austin is a great guy, but he's finally got enough to buy himself a farm to retire to somewhere in Alberta. But anyway, please buy OpenBSD stuff or just send them a donation. Grab your boss's credit card and buy. Yes, if your boss wants to have the proper paper mill, at least for North American organizations, the Foundation, as a Canadian nonprofit, will accept donations and will supply the paperwork required. I am not quite sure how that works for European corporations, but anyway, if you ask them they will give you lots of paperwork to make the tax man happy and so forth. It's also possible... well, hey, the best way to make sure PF and OpenBSD stay available and stay good is to send money to the OpenBSD
project. If you want to support me, on the other hand, the best way is to buy the book, and... you already... not second edition, third edition. Anyway, if you're quick, really quick, go to the DSD Sofia 40% off. It will live at least for this conference and probably a few days more, but not a lot longer. And it's been live for two weeks already. I haven't checked if anybody has figured out how to use it yet, but you can. I will be showing it in my session tomorrow. Anybody who wants to buy a book, 40% off. I had hoped to have physical copies available here; unfortunately they're still being printed somewhere in North America. I later heard they would probably be shipping them just after the conference. But anyway, if you catch up with me at some later point, I will sign it for you. So, right, and I think we're possibly early for lunch, but we do have a lot of coffee, I guess. So I'm still here for questions, but if we're okay... yeah, right. Anyway, thanks for showing up.
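The logging part of the talk above reads pflog records back into clear text with tcpdump and uses the "rule N" field to see which rule actually matched. The following is an added example, not code from the talk or from the PF project: a small POSIX shell function that takes that tcpdump output and tallies matches per rule, action and interface, so a match rule logged with log (matches) and the pass rule that let the same packet through both show up. The sample tcpdump lines, interface names, rule numbers and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the talk or the PF project): summarise which PF
# rules matched from the clear-text form tcpdump produces for pflog records.
# Live use on OpenBSD would be, for example:
#   tcpdump -n -e -ttt -i pflog0 | pflog_rule_summary
#   tcpdump -n -e -ttt -r /var/log/pflog | pflog_rule_summary
# and the rule numbers map back to the loaded rule set via "pfctl -vvsr"
# (the @N prefix on each rule). Interface names, rule numbers and addresses
# below are constructed for the demonstration.

pflog_rule_summary() {
    awk '
    # Each pflog record carries a "rule N/(reason) ACTION DIR on IFACE:" token
    # sequence; an optional "[uid U, pid P]" block appears for rules logged
    # with "log (user)". Lines without that token sequence are skipped.
    match($0, /rule [0-9]+\/\([a-z-]+\)( \[[a-z0-9, ]*\])? (pass|block|match) (in|out) on [^ :]+:/) {
        rec = substr($0, RSTART, RLENGTH)
        n = split(rec, f, " ")
        split(f[2], r, "/")                  # "27/(match)" -> rule number 27
        iface = f[n]; sub(/:$/, "", iface)
        key = "rule " r[1] " " f[n-3] " " f[n-2] " on " iface
        count[key]++
    }
    END { for (k in count) print k, count[k] }' | sort -k2,2n
}

# Constructed sample of tcpdump output from a pflog interface: two blocked
# probes, a match rule with "log (matches)" followed by the pass rule that
# actually let the same packet through, and a logged outbound DNS query.
SAMPLE_PFLOG='Jan 26 18:39:07.112221 rule 2/(match) block in on em0: 192.0.2.5.43122 > 198.51.100.10.22: S 1234:1234(0) win 65535
Jan 26 18:39:07.118900 rule 27/(match) pass in on em0: 192.0.2.6.51000 > 198.51.100.10.80: S 555:555(0) win 65535
Jan 26 18:39:08.000331 rule 2/(match) block in on em0: 192.0.2.5.43123 > 198.51.100.10.23: S 1235:1235(0) win 65535
Jan 26 18:39:09.010000 rule 5/(match) match in on em0: 192.0.2.7.40000 > 198.51.100.10.443: S 777:777(0) win 65535
Jan 26 18:39:09.010000 rule 27/(match) pass in on em0: 192.0.2.7.40000 > 198.51.100.10.443: S 777:777(0) win 65535
Jan 26 18:39:10.500000 rule 9/(match) [uid 0, pid 0] pass out on em1: 198.51.100.10.51001 > 203.0.113.4.53: udp 40'

# Run the summary over the constructed sample: one line per rule, action and
# interface, sorted by rule number, with the number of logged packets last.
pflog_demo() {
    printf '%s\n' "$SAMPLE_PFLOG" | pflog_rule_summary
}

pflog_demo
```

The same pipeline works on the syslog route the talk mentions: replace the tcpdump read with the lines logger tagged into syslog, since the "rule N/(match) ..." token sequence is what gets forwarded.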