Packet Filter (PF)

OpenBSD and other operating systems support the Packet Filter (PF) firewall.

Limit Connections

PF can limit connections per source address with the source-track state option. In the example below, inbound Secure Shell (SSH) connections are capped at a few concurrent states per source address, while hosts listed in the allow_ssh table are exempt. The exemption works because PF evaluates rules last-match-wins unless a rule says quick: for an address in the table, the later rule without limits matches last and overrides the limited one. Note that max-src-states bounds concurrent states from one source, not the rate of new connections; PF has a separate max-src-conn-rate option for that.

# example pf.conf configuration to limit SSH connections

# declare variables, tables
ext_if = "fxp0"
table <allow_ssh> persist

# block all incoming, allow all outgoing and localhost traffic
block in all
pass out on $ext_if proto { tcp, udp, icmp } keep state
pass quick on lo

# limit number of SSH connections: at most 100 states for this rule,
# track sources per rule, remember at most 75 source addresses, and
# allow each source address at most 3 concurrent states ...
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state \
    (max 100, source-track rule, max-src-nodes 75, max-src-states 3)

# ... except for the following hosts
pass in on $ext_if proto tcp from <allow_ssh> to ($ext_if) port ssh keep state

Use the pfctl command to list, add, and remove addresses in the allow_ssh table. Changes take effect immediately without reloading the ruleset. The persist flag keeps the table in the kernel even when it is empty, but entries added this way live only in kernel memory and do not survive a reboot; addresses that must always be exempt belong in pf.conf (or in a file the table definition loads).

$ sudo pfctl -t allow_ssh -T add 192.0.2.11
1/1 addresses added.
$ sudo pfctl -t allow_ssh -T show
192.0.2.11
$ sudo pfctl -t allow_ssh -T delete 192.0.2.11
1/1 addresses deleted.

Other options include authpf, a login shell that loads per-user rules when a user authenticates over SSH and removes them when the session ends, or a log-watching process that adds and removes addresses with pfctl as it sees events in the logs.
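As an added example of the log-analysis approach (this is example code written for this page, not code from the original page or from the OpenBSD project), the following POSIX shell script counts failed sshd password attempts per source address and hands repeat offenders to pfctl. Everything specific to it is an assumption: the table name ssh_bruteforce, a threshold of three failures, OpenBSD-style syslog lines, and a pf.conf that declares the table and blocks with it, for example "table <ssh_bruteforce> persist" together with "block in quick on $ext_if proto tcp from <ssh_bruteforce> to ($ext_if) port ssh". The log lines are constructed sample data, not real logs.

```shell
#!/bin/sh
# Added example (not from the original page): scan sshd log lines for
# repeated failed password attempts and add the offending source addresses
# to a PF table with pfctl.  Assumptions: the ruleset declares
# "table <ssh_bruteforce> persist" and blocks SSH from it, the log lines are
# in OpenBSD syslog format, and three failures are enough to block.
set -eu

THRESHOLD=${THRESHOLD:-3}        # failures per source before blocking (assumed)
TABLE=${TABLE:-ssh_bruteforce}   # assumed PF table name
PFCTL=${PFCTL:-"echo pfctl"}     # dry-run by default; set PFCTL=pfctl as root to apply

# Constructed sample of sshd log lines for a stand-alone run; not real log data.
SAMPLE_LOG='Jan  5 10:00:01 gw sshd[1234]: Failed password for root from 198.51.100.7 port 50012 ssh2
Jan  5 10:00:03 gw sshd[1234]: Failed password for root from 198.51.100.7 port 50013 ssh2
Jan  5 10:00:05 gw sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 50014 ssh2
Jan  5 10:00:07 gw sshd[1236]: Accepted publickey for alice from 192.0.2.11 port 40000 ssh2
Jan  5 10:00:09 gw sshd[1237]: Failed password for bob from 203.0.113.9 port 41000 ssh2'

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255, so
# that nothing else pulled out of a log line can reach pfctl's argument list.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# offenders LOG_TEXT: print "count address" for every source with at least
# THRESHOLD failed password attempts, highest count first.
offenders() {
    printf '%s\n' "$1" | awk -v t="$THRESHOLD" '
        / sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (a in n) if (n[a] >= t) printf "%d %s\n", n[a], a }' \
    | sort -rn
}

# block_offenders LOG_TEXT: validate each offender and add it to the table.
block_offenders() {
    for addr in $(offenders "$1" | awk '{ print $2 }'); do
        is_ipv4 "$addr" || continue   # never pass unvalidated text to pfctl
        $PFCTL -t "$TABLE" -T add "$addr"
    done
}

# Stand-alone run against the constructed sample; with the default PFCTL this
# only prints the pfctl commands it would execute.
block_offenders "$SAMPLE_LOG"
```

Run it with PFCTL=pfctl as root to apply the additions, and feed it real lines, for example from tail -f on the auth log, instead of SAMPLE_LOG. Two caveats: check the allow_ssh table before blocking so an exempt host is never added (pfctl -t allow_ssh -T test ADDR does that), and remember that for plain connection counting PF can do this by itself with max-src-conn-rate and overload <table> in the state options, without any log parsing; a log watcher earns its keep when the trigger is an application event such as a failed login rather than a connection count.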