Securing OBSD with PF [was Re: Progress migrating to list]

Dave Bucklin dave.bucklin at
Sun Sep 30 20:36:35 UTC 2018

On Sun, Sep 30, 2018 at 12:37:44PM -0500, Joe Nelson wrote:
> I learned that in true OpenBSD style, they have stateful packet
> filtering [1] built right into pf, which means I can implement similar
> functionality on this BSD box as we did on your machine, but without
> the extra moving parts of fail2ban. [2] This technique doesn't involve
> looking at log files for offending lines, but simply tracks how many
> connections a host is making in what time period, and adds the host to a
> block list above a threshold.
> Luckily I haven't seen evil traffic in my logs yet... Probably only a
> matter of time.
> 1:
> 2:

It's a matter of time, for sure. Michael Lucas mentions PF in Absolute
OpenBSD, but I got the impression that PF needs its own book. For now,
I'm counting on the (mostly) out-of-the-box settings to be sufficiently
paranoid. On that note, there are a bunch of patches to 6.3 that need to
be applied. Another project!
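
The connection-rate tracking described in the quoted message can be written as a short pf.conf ruleset. This is an added example, not part of either message in the thread; the table name `<bruteforce>`, the choice of SSH as the protected service, and the thresholds are assumptions to adjust for the host.

```conf
# /etc/pf.conf -- added example, not from the thread.
# Table name, protected port and thresholds below are assumed values.

# Holds source addresses that exceeded the limits. "persist" keeps the
# table in existence even when no rule currently references an entry.
table <bruteforce> persist

set skip on lo          # do not filter loopback traffic
block return            # default deny
pass out                # outbound traffic, stateful by default

# Drop everything from listed hosts. "quick" stops rule evaluation here,
# so the pass rule below never sees them.
block in quick on egress from <bruteforce>

# Allow inbound SSH while tracking state per source address:
#   max-src-conn 10       at most 10 simultaneous connections per source
#   max-src-conn-rate 5/30  at most 5 new connections per 30 seconds
#   overload <bruteforce>   add a source that exceeds either limit
#   flush global            kill all existing states from that source
pass in on egress proto tcp to port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)

# Operational checks (run as root, shown here as comments):
#   pfctl -nf /etc/pf.conf               parse the file without loading it
#   pfctl -f /etc/pf.conf                load the ruleset
#   pfctl -t bruteforce -T show          list currently blocked addresses
#   pfctl -t bruteforce -T expire 86400  drop entries older than 24 hours
```

Entries stay in the table until they are removed, so the `expire` command is typically run from cron. Clients behind a shared NAT address count as one source, so limits set too low can lock out legitimate users.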
