#pf

Dave Polaschek (he/him)<p>Spent an hour this morning updating blocklists and my (draft) webpage. Thanks again to all the folks who’ve offered suggestions. I appreciate them, even if I don’t use them, because I’m trying to learn. I look through most of the suggestions and borrow any ideas that seem new and useful.</p><p>Today, I reduced the number of password-gropers from ~1000 attempts/day to about 800/day, with a blocklist of 80 IPs and one /24 range. <a href="https://writing.exchange/tags/OpenBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenBSD</span></a> <a href="https://writing.exchange/tags/PasswordGropers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordGropers</span></a> <a href="https://writing.exchange/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a>… (1/3)</p>
Dave Polaschek (he/him)<p>But I wish there was an easier way to add someone to one of my pf tables when they start banging on the door, trying ssh accounts that don't exist or hitting the server repeatedly. I'm using refuseconnection:1800s, but there are a few people who just keep coming back for more, every 30 minutes. For now, I think I'll probably end up with an awk script to add their ip addresses to my "gropers" table. </p><p><a href="https://writing.exchange/tags/OpenBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenBSD</span></a> <a href="https://writing.exchange/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://writing.exchange/tags/sshd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sshd</span></a></p>
BSDTV<p>A new BSDCan video has been posted:</p><p>A packet's journey through pf By Kristof Provost</p><p><a href="https://youtu.be/JtSg6ylDALo" rel="nofollow noopener" target="_blank"><span class="invisible">https://</span><span class="">youtu.be/JtSg6ylDALo</span><span class="invisible"></span></a></p><p>A walkthrough of a packet's journey through (FreeBSD's) pf, concentrating on the big picture and its implications.</p><p>We'll cover when packets are inspected, when rules are evaluated and how states are used. Along the way we'll cover what DTrace probes can show us, what some of pfctl's counters mean and just how many times pf can look at a single packet.</p><p>This talk is intended for firewall admins looking for a deeper understanding and aspiring pf developers. It is not a "How to use pf" talk.</p><p><a href="https://bsd.network/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://bsd.network/tags/runbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>runbsd</span></a> <a href="https://bsd.network/tags/freebsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsd</span></a></p>
Dave Polaschek (he/him)<p>Interesting. I've implemented the "canonical" brute-force protections on my <span class="h-card" translate="no"><a href="https://mastodon.bsd.cafe/@OpenBSDAms" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>OpenBSDAms</span></a></span> VPS, and now I'm getting things like:</p><p>Aug 1 00:19:29 hostname sshd-session[99727]: Unable to negotiate with 43.229.153.47 port 40969: no matching host key type found. Their offer: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]</p><p>I'm not sure exactly what this means, but it's a new source of noise in the logs. Sigh.</p><p><a href="https://writing.exchange/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://writing.exchange/tags/OpenBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenBSD</span></a> <a href="https://writing.exchange/tags/sshd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sshd</span></a></p>
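The awk approach mentioned in the posts above, as an added example (not code from either post): it counts sshd "Invalid user" and "Unable to negotiate" lines per source address and prints the repeat offenders, one per line, for loading into the `gropers` table. The function names, the threshold, the allowlist argument and the decision to count negotiation failures are assumptions; the log lines are constructed and use documentation addresses.

```shell
#!/bin/sh
# Added example, not from the posts. Only the table name "gropers" and the
# shape of the sshd-session log line come from the page.

# Constructed sample log. Addresses are RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
Aug  1 00:19:29 hostname sshd-session[99727]: Unable to negotiate with 192.0.2.10 port 40969: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Aug  1 00:19:33 hostname sshd-session[99731]: Unable to negotiate with 192.0.2.10 port 40971: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
Aug  1 00:20:01 hostname sshd-session[99740]: Invalid user admin from 198.51.100.7 port 51122
Aug  1 00:20:03 hostname sshd-session[99741]: Invalid user oracle from 198.51.100.7 port 51124 [preauth]
Aug  1 00:20:05 hostname sshd-session[99742]: Invalid user from 203.0.113.99 port 1 from 198.51.100.7 port 51130
Aug  1 00:21:10 hostname sshd-session[99750]: Invalid user test from 192.0.2.77 port 40000
Aug  1 00:22:00 hostname sshd-session[99760]: Invalid user vni from 203.0.113.5 port 50001
Aug  1 00:22:04 hostname sshd-session[99761]: Invalid user vim from 203.0.113.5 port 50002
Aug  1 00:22:09 hostname sshd-session[99762]: Accepted publickey for vin from 203.0.113.5 port 50003 ssh2: ED25519 SHA256:constructed
EOF
}

# offenders MIN [ALLOWED...]
# Reads sshd log lines on stdin and prints, sorted and one per line, every
# source address seen at least MIN times that is not in the ALLOWED list
# (your own addresses, so a few typos never lock you out).
offenders() {
    min=$1; shift
    awk -v min="$min" -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }

    # Classify by field position rather than by a regex over the whole
    # line: the user name and the key offer are client-supplied text.
    $5 !~ /^sshd(-session)?\[[0-9]+\]:$/ { next }

    $6 == "Unable" && $7 == "to" && $8 == "negotiate" && $9 == "with" {
        hit($10); next
    }

    $6 == "Invalid" && $7 == "user" {
        # The address sits just before the trailing "port N", so count
        # from the end of the line; a user name that itself contains
        # "from <address> port <n>" cannot shift it.
        last = ($NF == "[preauth]") ? NF - 1 : NF
        if ($(last - 3) == "from" && $(last - 1) == "port") hit($(last - 2))
        next
    }

    function hit(ip) {
        # Only pass on strings that look like an IPv4 or IPv6 address.
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && ip !~ /^[0-9A-Fa-f:]+$/)
            return
        if (!(ip in skip)) count[ip]++
    }

    END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# Demo on the constructed sample, with 203.0.113.5 as the admin address.
sample_log | offenders 2 203.0.113.5

# On a real host the output would feed the table, for example:
#   offenders 5 203.0.113.5 < /var/log/authlog | pfctl -t gropers -T add -f -
```

The crafted fifth sample line shows why the address is read from the end of the "Invalid user" message: the embedded 203.0.113.99 is never counted.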
Peter N. M. Hansteen<p>Yes, The Book of PF, 4th Edition Is Coming Soon <a href="https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nxdomain.no/~peter/yes_the_boo</span><span class="invisible">k_of_pf_4th_ed_is_coming.html</span></a> (also tracked <a href="https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bsdly.blogspot.com/2025/07/yes</span><span class="invisible">-book-of-pf-4th-edition-is-coming.html</span></a>) <a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/freebsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsd</span></a> <a href="https://mastodon.social/tags/bookofpf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bookofpf</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/book" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>book</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/freesoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freesoftware</span></a> <a href="https://mastodon.social/tags/libresoftware" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>libresoftware</span></a> <a href="https://mastodon.social/tags/shamelessplug" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>shamelessplug</span></a></p>
Peter N. M. Hansteen<p>The long version of why you need key authentication for your SSH servers - "The Hail Mary Cloud and the lessons learned" <a href="https://nxdomain.no/~peter/hailmary_lessons_learned.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nxdomain.no/~peter/hailmary_le</span><span class="invisible">ssons_learned.html</span></a> <a href="https://mastodon.social/tags/ssh" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ssh</span></a> <a href="https://mastodon.social/tags/keys" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>keys</span></a> <a href="https://mastodon.social/tags/passwordgroping" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>passwordgroping</span></a> <a href="https://mastodon.social/tags/unix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>unix</span></a> <a href="https://mastodon.social/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>linux</span></a> <a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/freebsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsd</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/statetracking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>statetracking</span></a> <a href="https://mastodon.social/tags/blocklists" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>blocklists</span></a> <a href="https://mastodon.social/tags/cybercrime" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://mastodon.social/tags/hacking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hacking</span></a> </p><p>Also, The 4th edition of the Book of PF is coming soon: <a href="https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nxdomain.no/~peter/yes_the_boo</span><span class="invisible">k_of_pf_4th_ed_is_coming.html</span></a></p>
Peter N. M. Hansteen<p>We are still working on The Book of PF, 4th ed. </p><p>Preorders are open at <a href="https://nostarch.com/book-of-pf-4th-edition" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nostarch.com/book-of-pf-4th-ed</span><span class="invisible">ition</span></a>, read about the work at <a href="https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nxdomain.no/~peter/yes_the_boo</span><span class="invisible">k_of_pf_4th_ed_is_coming.html</span></a> (also tracked at <a href="https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bsdly.blogspot.com/2025/07/yes</span><span class="invisible">-book-of-pf-4th-edition-is-coming.html</span></a>) <a href="https://mastodon.social/tags/bookofpf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bookofpf</span></a> <a href="https://mastodon.social/tags/newedition" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>newedition</span></a> <a href="https://mastodon.social/tags/freebsdd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsdd</span></a> <a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a 
href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/freesoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freesoftware</span></a> <a href="https://mastodon.social/tags/libresoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>libresoftware</span></a></p>
Peter N. M. Hansteen<p>At EuroBSDcon 2025 in Zagreb: "Network Management with the OpenBSD Packet Filter Toolset" by Peter N. M. Hansteen, Tom Smyth, Max Stucchi, see <a href="https://events.eurobsdcon.org/2025/talk/FW39CX/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">events.eurobsdcon.org/2025/tal</span><span class="invisible">k/FW39CX/</span></a></p><p>Schedule at <a href="https://events.eurobsdcon.org/2025/schedule/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">events.eurobsdcon.org/2025/sch</span><span class="invisible">edule/</span></a></p><p>To register <a href="https://2025.eurobsdcon.org/registration.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">2025.eurobsdcon.org/registrati</span><span class="invisible">on.html</span></a></p><p><a href="https://mastodon.social/tags/eurobsdcon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eurobsdcon</span></a> <a href="https://mastodon.social/tags/freebsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsd</span></a> <a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/devops" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>devops</span></a> <a href="https://mastodon.social/tags/sysadmin" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sysadmin</span></a></p>
Peter N. M. Hansteen<p>oh, my "Yes, The Book of PF, 4th Edition Is Coming Soon" blog post <a href="https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">bsdly.blogspot.com/2025/07/yes</span><span class="invisible">-book-of-pf-4th-edition-is-coming.html</span></a> is on hackernews: <a href="https://news.ycombinator.com/item?id=44657803" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">news.ycombinator.com/item?id=4</span><span class="invisible">4657803</span></a> <a href="https://mastodon.social/tags/bookofpf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bookofpf</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/freebsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsd</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> (non-tracked: <a href="https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nxdomain.no/~peter/yes_the_boo</span><span class="invisible">k_of_pf_4th_ed_is_coming.html</span></a>)</p>
Peter N. M. Hansteen<p>Today, early access reader feedback for The Book of PF, 4th edition proved to me that early access is worth doing.</p><p>Get yours at <a href="https://nostarch.com/book-of-pf-4th-edition" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nostarch.com/book-of-pf-4th-ed</span><span class="invisible">ition</span></a>, or read about the work at <a href="https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nxdomain.no/~peter/yes_the_boo</span><span class="invisible">k_of_pf_4th_ed_is_coming.html</span></a> <a href="https://mastodon.social/tags/bookofpf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bookofpf</span></a> <a href="https://mastodon.social/tags/newedition" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>newedition</span></a> <a href="https://mastodon.social/tags/freebsdd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsdd</span></a> <a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/freesoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freesoftware</span></a> <a 
href="https://mastodon.social/tags/libresoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>libresoftware</span></a></p>
Peter N. M. Hansteen<p>Fellow network nerds, at EuroBSDcon 2025 in Zagreb, there will be a "Network Management with the OpenBSD Packet Filter Toolset" <a href="https://events.eurobsdcon.org/2025/talk/FW39CX/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">events.eurobsdcon.org/2025/tal</span><span class="invisible">k/FW39CX/</span></a> session, a full day tutorial starting at 2025-09-25 10:30 CET. You can register for the conference and tutorial by following the links from the conference Registration and Prices <a href="https://2025.eurobsdcon.org/registration.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">2025.eurobsdcon.org/registrati</span><span class="invisible">on.html</span></a> page. <a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/freebsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsd</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/eurobsdcon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eurobsdcon</span></a> <a href="https://mastodon.social/tags/conference" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>conference</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a 
href="https://mastodon.social/tags/freesoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freesoftware</span></a> <a href="https://mastodon.social/tags/libresoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>libresoftware</span></a> <a href="https://mastodon.social/tags/zagreb" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zagreb</span></a></p>
Peter N. M. Hansteen<p>Yes, The Book of PF, 4th Edition Is Coming Soon <a href="https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nxdomain.no/~peter/yes_the_boo</span><span class="invisible">k_of_pf_4th_ed_is_coming.html</span></a> </p><p>Long rumored and eagerly anticipated by some, the fourth edition of The Book of PF is now available for preorder <a href="https://nostarch.com/book-of-pf-4th-edition" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nostarch.com/book-of-pf-4th-ed</span><span class="invisible">ition</span></a> <a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/freebsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsd</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/tcpip" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tcpip</span></a> <a href="https://mastodon.social/tags/ipv6" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ipv6</span></a> <a href="https://mastodon.social/tags/ipv4" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ipv4</span></a> <a 
href="https://mastodon.social/tags/bookofpf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bookofpf</span></a></p><p>... and of course somebody had to ask, "when can we expect a fifth edition", to which the answer was "let's get this one out the door first"</p><p>That said, watch this space for further announcements!</p>
Peter N. M. Hansteen<p>Long rumored, eagerly anticipated by some, "The Book of PF, 4th edition" <a href="https://nostarch.com/book-of-pf-4th-edition" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nostarch.com/book-of-pf-4th-ed</span><span class="invisible">ition</span></a> is now available for PREORDER. The most up to date guide to the OpenBSD and FreeBSD networking toolset <a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/freebsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsd</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/firewall" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>firewall</span></a> <a href="https://mastodon.social/tags/preorder" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>preorder</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> (again for the CEST-ish crowd)</p>
Peter N. M. Hansteen<p>Confirmed: There will be a full day PF tutorial "Network Management with the OpenBSD Packet Filter Toolset" at <a href="https://mastodon.social/tags/eurobsdcon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eurobsdcon</span></a> 2025 in <a href="https://mastodon.social/tags/zagreb" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zagreb</span></a>.</p><p>Details to emerge via <a href="https://2025.eurobsdcon.org/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">2025.eurobsdcon.org/</span><span class="invisible"></span></a>, and expect more goodies to be announced!</p><p><a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/freebsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsd</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/freesoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freesoftware</span></a> <a href="https://mastodon.social/tags/libresoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>libresoftware</span></a> <a href="https://mastodon.social/tags/bsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bsd</span></a></p>
Peter N. M. Hansteen<p>Network Management with the OpenBSD Packet Filter Toolset <a href="https://www.bsdcan.org/2025/timetable/timetable-Network-Management-with.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bsdcan.org/2025/timetable/time</span><span class="invisible">table-Network-Management-with.html</span></a> at <a href="https://mastodon.social/tags/bsdcan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bsdcan</span></a> now concluded, new slides up at <a href="https://nxdomain.no/~peter/pf_fullday.pdf" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nxdomain.no/~peter/pf_fullday.</span><span class="invisible">pdf</span></a> -- now with during-session updates (labs available for attendees only, sorry) </p><p><a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/freebsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freebsd</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/firewall" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>firewall</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a href="https://mastodon.social/tags/devops" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>devops</span></a> <a href="https://mastodon.social/tags/sysadmin" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sysadmin</span></a> 
<a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/networktrickery" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networktrickery</span></a></p>
Tom<p>After 20 years of using <a href="https://mastodon.bsd.cafe/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> on <a href="https://mastodon.bsd.cafe/tags/BSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSD</span></a> and only dabbling in iptables when I absolutely had to in <a href="https://mastodon.bsd.cafe/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a>, nftables looks like an unreadable, incomprehensible shitshow; A crayon scrawl by a toddler of weird nat and mangle chains that make no sense. </p><p>The Linux developers would have been much better off porting pf to Linux.</p>
kar
Over the past few weeks I have been switching off of NixOS and going back to the previous OSes and distros I was using. Last week I migrated my VPS back to OpenBSD and I now feel like I can appreciate its simplicity even more. That's not the point of this though.<br><br>
When migrating I was reminded of something <span class="h-card"><a href="https://camp.crates.im/users/nemo" class="u-url mention" rel="nofollow noopener" target="_blank">@nemo@camp.crates.im</a></span> previously said about only allowing ssh access to the IP addresses he knows he uses. I thought I should try doing something similar especially because to me pf is way saner to use and manage than iptables.<br><br>
The addresses I know I'll use are my home IPv4 address and the IPv4+6 addresses of the Mullvad endpoints I am likely to use.<br>Unfortunately I don't know what those public addresses are before connecting.<br><br>
A quick script containing something like below (I didn't save it &gt;_&lt;) later, I was able to get all the addresses I needed for passing to pf.<br>
<pre>
for i in *.conf; do
 wg-quick up "$i"
 curl -s4 https://zx2c4.com/ip | sed 1q
 # the connect timeout is there because a few of the endpoints had a not-working IPv6 address
 # (the snippet as posted had no value after --connect-timeout; 5 seconds is an assumed value)
 curl --connect-timeout 5 -s6 https://zx2c4.com/ip | sed 1q
 wg-quick down "$i"
done
</pre>
Now in my pf.conf I just had to do something like this which didn't seem that complicated after all. I just modelled it after my existing rule that I used for opening ports (I removed ssh from that rule in favour of this one). This can most definitely be made better, but at least it works!<br><br>
<pre>
# explicitly allow home and vpn ip addresses
ssh_whitelist_ipv4 = "{
# ipv4 addresses here
# I put my home address at the top as is and then /24 ranges for the mullvad IPs because I was told they may change frequently
}"
ssh_whitelist_ipv6 = "{
# ipv6 addresses here from mullvad
# I figured that they won't change often so I simply pasted them as is without specifying prefix
}"

...

# allow public ssh only to my normal home address and mullvad ips
pass in log on $ext_if inet proto tcp from $ssh_whitelist_ipv4 to ($ext_if) \
port ssh flags S/SA keep state
pass in log on $ext_if inet6 proto tcp from $ssh_whitelist_ipv6 to ($ext_if) \
port ssh flags S/SA keep state
</pre>
After running for over a day, my /var/log/authlog still only shows my own connections and not some people across the globe spamming connections to invalid users.<br><br>
<pre>
saklas$ zgrep preauth /var/log/authlog.0.gz | grep -v vin | wc -l
3918
saklas$ grep preauth /var/log/authlog | grep -v vin | wc -l
1
</pre>
I was previously using pf-badhost in place of fail2ban due to the latter not being available on OpenBSD, but pf-badhost didn't prevent active attacks while both of them still allowed those (initial) connections in the first place.<br>There's a much smaller likelihood of an attacker using the same Mullvad endpoints I use, and if they do I probably have bigger problems to worry about. I'm also pretty much always connected to my Wireguard VPN (separate post on my website for this later) and that would let me bypass this anyways. This setup is more of a failsafe if I'm unable to connect through the VPN, and a failsafe of that failsafe if things really go wrong is just using the Hetzner web console I guess.<br><br>
After writing all this, I think it's better to just post this on my website and syndicate here.<br><br>
<a href="https://snac.13f0.net?t=openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#openbsd</a> <a href="https://snac.13f0.net?t=mullvad" class="mention hashtag" rel="nofollow noopener" target="_blank">#mullvad</a> <a href="https://snac.13f0.net?t=pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#pf</a><br>
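The allowlist from the post above, kept as a pf table file rather than a macro and built from the collected addresses with validation, as an added example that is not part of the original post. The table name `ssh_allow`, the file `/etc/pf.ssh_allow`, the function names and the sample addresses (documentation ranges) are assumptions.

```shell
#!/bin/sh
# Added example: turn collected exit addresses into a pf table file.
# Assumed names: table <ssh_allow>, file /etc/pf.ssh_allow.
# $1 = home IPv4 address (kept as a single host); stdin = one address per line.
build_ssh_table() {
    awk -v home="$1" '
        function bad(s) { print "rejected: " s > "/dev/stderr"; rejected++ }
        { gsub(/[ \t\r]/, "") }              # trim whitespace and CRs
        $0 == "" || /^#/ { next }            # failed lookups leave blank lines
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, o, ".")
            for (i = 1; i <= 4; i++)
                if (o[i] + 0 > 255) { bad($0); next }
            # VPN exits are widened to /24, as in the post; home stays exact
            entry = ($0 == home) ? $0 : o[1] "." o[2] "." o[3] ".0/24"
            if (!seen[entry]++) print entry
            next
        }
        # loose IPv6 shape check; pfctl does the real parsing on load
        /^[0-9A-Fa-f:]+$/ && /:.*:/ {
            entry = tolower($0)
            if (!seen[entry]++) print entry
            next
        }
        { bad($0) }                          # e.g. an HTML error page line
        END { if (rejected) exit 2 }
    '
}

# Constructed sample input (documentation address ranges, one junk line).
sample_input() {
    cat <<'EOF'
203.0.113.7
198.51.100.23
198.51.100.200

2001:DB8::1
<html>
192.0.2.55
EOF
}

# Demo: print the table; on the server, load it only if nothing was rejected:
#   build_ssh_table 203.0.113.7 <collected.txt >/etc/pf.ssh_allow.new &&
#     mv /etc/pf.ssh_allow.new /etc/pf.ssh_allow &&
#     pfctl -t ssh_allow -T replace -f /etc/pf.ssh_allow
# pf.conf side:
#   table <ssh_allow> persist file "/etc/pf.ssh_allow"
#   pass in log on $ext_if proto tcp from <ssh_allow> to ($ext_if) port ssh
sample_input | build_ssh_table 203.0.113.7 || echo "not loading: bad input" >&2
```

Refusing to load when any line is rejected keeps a captive-portal or error page returned by the lookup from silently shrinking or corrupting the allowlist.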
thinkberg<p>Considering a <a href="https://tetrax.de/tags/vpn" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vpn</span></a> outlet server on <a href="https://tetrax.de/tags/OpenBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenBSD</span></a>. What would you prevent network wise? <a href="https://tetrax.de/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a></p>
Peter N. M. Hansteen<p>That Grumpy BSD Guy: A Short Reading List <a href="https://nxdomain.no/~peter/the_short_reading_list.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nxdomain.no/~peter/the_short_r</span><span class="invisible">eading_list.html</span></a> A collection of pointers to things I have written and that I think may be of value to you too (with conference teasers) <a href="https://mastodon.social/tags/openbsd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/pf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pf</span></a> <a href="https://mastodon.social/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://mastodon.social/tags/antispam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>antispam</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a href="https://mastodon.social/tags/freesoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>freesoftware</span></a> <a href="https://mastodon.social/tags/libresoftware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>libresoftware</span></a> <a href="https://mastodon.social/tags/eurobsdcon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eurobsdcon</span></a> <a href="https://mastodon.social/tags/bsdcan" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>bsdcan</span></a></p>
Peter N. M. Hansteen<p>As previously announced, there will be a PF tutorial at BSDCan 2025 - </p><p>For Upcoming PF Tutorials, We Welcome Your Questions <br><a href="https://nxdomain.no/~peter/pf_tutorial_upcoming_questions_welcome.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">nxdomain.no/~peter/pf_tutorial</span><span class="invisible">_upcoming_questions_welcome.html</span></a></p><p>Registration: <a href="https://www.bsdcan.org/2025/registration.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bsdcan.org/2025/registration.h</span><span class="invisible">tml</span></a></p><p><a href="https://mastodon.social/tags/BSDCan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSDCan</span></a> <a href="https://mastodon.social/tags/EuroBSDcon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EuroBSDcon</span></a> <a href="https://mastodon.social/tags/OpenBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenBSD</span></a> <a href="https://mastodon.social/tags/PF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PF</span></a> <a href="https://mastodon.social/tags/tutorial" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tutorial</span></a>, <a href="https://mastodon.social/tags/packetfilter" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>packetfilter</span></a> <a href="https://mastodon.social/tags/Ottawa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ottawa</span></a> <a href="https://mastodon.social/tags/BookofPF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BookofPF</span></a> <a href="https://mastodon.social/tags/BSDCan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BSDCan</span></a> <a 
href="https://mastodon.social/tags/conferences" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>conferences</span></a> <a href="https://mastodon.social/tags/networking" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>networking</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a></p>