Discussion:
What would you like to see in upcoming PF tutorials?
Peter N. M. Hansteen
2017-12-14 20:27:17 UTC
We're in the process of preparing for upcoming conferences with updates
to the ever-in-progress PF tutorial.

If you have thoughts on what you would like to see in a tutorial session
and would like to share them either with me or the list, we would love
to hear from you.

The slides from last year's session at BSDCan can be found here:
https://home.nuug.no/~peter/pftutorial/ - we're basically looking
for ways to make those sessions more useful (the last one wasn't
awful we hear, but there's always room for improvement).

- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Steve Litt
2017-12-15 14:11:04 UTC
On Thu, 14 Dec 2017 21:27:17 +0100
Post by Peter N. M. Hansteen
> We're in the process of preparing for upcoming conferences with
> updates to the ever-in-progress PF tutorial.
> If you have thoughts on what you would like to see in a tutorial
> session and would like to share them either with me or the list, we
> would love to hear from you.

I'd love to see a step by step creation of a NATting firewall, with
exact explanations of each step.

I'd like to see a version with IPv4 on the Internet side, and one with
IPv6 on the Internet side. https://home.nuug.no/~peter/pftutorial/ does
a pretty good job of it, but is very lacking in explanations. Tutorials
are for people who currently know nothing, so a word by word
explanation should be given for both of these lines:

* match out on egress inet nat-to ($ext_if)
* pass proto tcp from { self, $int_if:network }

There are many other places needing explanations. If you could include
a few diagrams to make the point, that would help immensely.

SteveT

Steve Litt
December 2017 featured book: Thriving in Tough Times
http://www.troubleshooters.com/thrive
Peter N. M. Hansteen
2017-12-15 16:33:59 UTC
Post by Steve Litt
> a pretty good job of it, but is very lacking in explanations. Tutorials
> are for people who currently know nothing, so a word by word
> * match out on egress inet nat-to ($ext_if)
> * pass proto tcp from { self, $int_if:network }
> There are many other places needing explanations. If you could include
> a few diagrams to make the point, that would help immensely.

Keep in mind that those are the slides only, those participating in the
session will hear a fuller explanation and have the option to interrupt
us with questions or even start discussions.

I do know of a PF presentation that was by increments turned into a
book, but this presentation is not quite at that stage yet (though you
never know what might happen at some point in the future). The book is
still reasonably useful, I hear ;)

- P
w***@bennettconstruction.us
2017-12-16 18:44:12 UTC
-------- Original Message --------
Subject: What would you like to see in upcoming PF tutorials?
Date: Thu, December 14, 2017 2:27 pm
> We're in the process of preparing for upcoming conferences with updates
> to the ever-in-progress PF tutorial.
> If you have thoughts on what you would like to see in a tutorial session
> and would like to share them either with me or the list, we would love
> to hear from you.
> https://home.nuug.no/~peter/pftutorial/ - we're basically looking
> for ways to make those sessions more useful (the last one wasn't
> awful we hear, but there's always room for improvement).
> - Peter

I have to admit that I simply cannot follow the pf guide at this point.
When I started using OpenBSD, I had no problems with getting spamd and
NAT to work. The guide uses variables instead of example IP addresses
and I get confused which computer is inside, outside, etc.
I would really like something that makes it clear which connection is
where.
All of my recent attempts at NAT have just failed to work.
Spamd was working fine, but it stopped working completely.
It would also be nice to know if anything can't work and why.

This might be helpful for presentations, but I sure would like it for
the online guide.

Chris Bennett
Edgar Pettijohn
2017-12-16 19:17:57 UTC
Post by w***@bennettconstruction.us
> -------- Original Message --------
> Subject: What would you like to see in upcoming PF tutorials?
> Date: Thu, December 14, 2017 2:27 pm
> > We're in the process of preparing for upcoming conferences with updates
> > to the ever-in-progress PF tutorial.
> > If you have thoughts on what you would like to see in a tutorial session
> > and would like to share them either with me or the list, we would love
> > to hear from you.
> > https://home.nuug.no/~peter/pftutorial/ - we're basically looking
> > for ways to make those sessions more useful (the last one wasn't
> > awful we hear, but there's always room for improvement).
> > - Peter
> I have to admit that I simply cannot follow the pf
> guide at this point.
> When I started using OpenBSD, I had no problems with
> getting spamd and NAT to work. The guide uses variables instead of
> example IP addresses and I get
> confused which computer is inside, outside, etc.
> I would really like something that makes it clear which connection is
> where.
> All of my recent attempts at NAT have just failed to work.
> Spamd was working fine, but it stopped working completely.
> It would also be nice to know if anything can't work and why.
> This might be helpful for presentations, but I
> sure would like it for the online guide.
> Chris Bennett

I would like to see more in-depth discussion of queues, anchors, and
authpf. I suspect any of the three could probably fill an entire pf
tutorial.
Alex Waite
2017-12-18 07:40:52 UTC
Post by Edgar Pettijohn
> > -------- Original Message --------
> > Subject: What would you like to see in upcoming PF tutorials?
> > Date: Thu, December 14, 2017 2:27 pm
> > We're in the process of preparing for upcoming conferences with updates
> > to the ever-in-progress PF tutorial.
> > If you have thoughts on what you would like to see in a tutorial session
> > and would like to share them either with me or the list, we would love
> > to hear from you.
> I would like to see more in-depth discussion of queues, anchors, and
> authpf. I suspect any of the three could probably fill an entire pf
> tutorial.

I second this in its entirety.

---Alex
Paolo Aglialoro
2017-12-18 08:36:19 UTC
I would be glad to see a tutorial about creating a remote VPN bridge, so
that under a remote obsd router all traffic gets routed to some other
geolocated network in which another obsd router receives it and that
geolocated network is used as a gateway.

e.g.: all traffic under an obsd machine inside a network in France gets
routed to another obsd box inside a network in Italy and travels to the
internet with an Italian IP, of course working in both directions, some
Italian IPs/ports could trigger access to the French machines,
transparently. This would have particular value referred to geographically
prohibited contents (e.g. censorship, etc.).

Thanks!

Post by Peter N. M. Hansteen
> We're in the process of preparing for upcoming conferences with updates
> to the ever-in-progress PF tutorial.
> If you have thoughts on what you would like to see in a tutorial session
> and would like to share them either with me or the list, we would love
> to hear from you.
> https://home.nuug.no/~peter/pftutorial/ - we're basically looking
> for ways to make those sessions more useful (the last one wasn't
> awful we hear, but there's always room for improvement).
> - Peter
Harald Dunkel
2017-12-18 12:12:49 UTC
Hi Peter,
Post by Peter N. M. Hansteen
> If you have thoughts on what you would like to see in a tutorial session
> and would like to share them either with me or the list, we would love
> to hear from you.

What are the risks of ICMP and ICMP6? Is it reasonable to filter
these protocols at all?

BTW, icmp6_types is not defined on slide 89.

Would you suggest to use "pass" or "pass quick"?

These slides look great, but I'd love to see the new tutorial
on YouTube.


Regards
Harri
