Securing OBSD with PF [was Re: Progress migrating to list]

Dave Bucklin dave.bucklin at gmail.com
Sun Sep 30 20:36:35 UTC 2018


On Sun, Sep 30, 2018 at 12:37:44PM -0500, Joe Nelson wrote:
> I learned that in true OpenBSD style, they have stateful packet
> filtering [1] built right into pf, which means I can implement similar
> functionality on this BSD box as we did on your machine, but without
> the extra moving parts of fail2ban. [2] This technique doesn't involve
> looking at log files for offending lines, but simply tracks how many
> connections a host is making in what time period, and adds the host to a
> block list above a threshold.
> 
> Luckily I haven't seen evil traffic in my logs yet... Probably only a
> matter of time.
> 
> 1: https://www.openbsd.org/faq/pf/filter.html#stateopts
> 2: https://www.reddit.com/r/openbsd/comments/5e6u61/fail2ban_on_openbsd_60/#thing_t1_daa58bg

It's a matter of time, for sure. Michael Lucas mentions PF in Absolute
OpenBSD, but I got the impression that PF needs its own book. For now,
I'm counting on the (mostly) out-of-the-box settings to be sufficiently
paranoid. On that note, there are a bunch of patches to 6.3 that need to
be applied. Another project!

