Firewalls
Firewalls are one of the most essential tools in the security professional's arsenal for defending networks and systems. Given the nature of the work they do, firewalls are the first line of defense against attacks.
If you want to know why we use and recommend OpenBSD and PF, then please have a look at the next section.
Why OpenBSD and PF?
PF was first introduced in OpenBSD in 2001. It is a modern and solid piece of security software. It has numerous features, some of which are detailed below. PF is known for ease of administration, richness of options, stability, and performance. Below are some of the technical abilities of an OpenBSD-based firewall:
- Stateful Packet Inspection
- Highly Available configuration, stateful failover
- Very flexible, software based solution
- White/Black List support
- Full Packet Logging
- IPv4 and IPv6 packet filtering
- Network Address Translation - NAT / BINAT / RDR
- Packet Normalization
- Dynamic Rulesets
- Bandwidth Shaping (ALTQ)
- Load balancing
- Capable of acting as a transparent bridging firewall
- DDoS attack mitigation technologies
- Support for routing protocols like BGP, OSPF, and DVMRP
- Support for user authentication
- Synproxy - By default, the firewall passes packets that are part of a TCP handshake between the endpoints. The synproxy state option can be used to cause the firewall itself to complete the handshake with the active endpoint, perform a handshake with the passive endpoint, and then forward packets between the endpoints. No packets are sent to the passive endpoint before the active endpoint has completed the handshake, hence so-called SYN floods with spoofed source addresses will not reach the passive endpoint, as the sender can't complete the handshake.
- Block policy -- the firewall can silently drop the packet, or return a TCP RST for TCP packets and an ICMP UNREACHABLE for UDP packets.
- Tables -- can hold a collection of addresses and networks. For example, on our corporate firewall cluster we block all traffic to/from China and Korea. Why? For our network, the traffic was useless; most of the spam came from devices in those countries. While most of the time the spam would not reach our mail server, we figured why even bother to allow the traffic in the first place. Viewed from China and Korea, our network is a black hole; even DNS requests to our servers are denied.
- Logging -- the firewall can be configured to log not only that a packet was rejected/blocked/denied but also packets accepted/passed as well. It can also capture either part or all of the packet. The logging feature can also capture the entire network conversation, not just a few packets. Other firewalls provide you with text in a log file and you have to figure things out from there.
- Operating System fingerprint -- For example, if you only wanted to allow Linux machines to connect to your SSH port, then a rule could be written as such.
- A minimal TTL value can be set for matching IP packets
- A maximum MSS for matching TCP packets
- Random IP identification field -- can replace the IP identification field of servers behind the firewall with random values. This compensates for hosts with predictable values.
- Time stamp modulation -- modern TCP stacks will send a time stamp on every TCP packet and echo the other endpoint's time stamp back to them. Many operating systems will merely start the time stamp at zero when first booted, and increment it several times a second. The uptime of the host can be determined by looking at these values. Also observing several different time stamps can be used to count hosts behind a NAT device. These values can be randomized with the firewall, thereby making attacks harder to perform.
- Flags of the TCP header can be checked and acted upon as desired.
- Probability -- a probability attribute can be attached to a rule. In that case, the rule will be honored using the given probability. For example, the following rule will drop 20% of incoming ICMP packets:
block in proto icmp probability 20%
- Modulate state -- much of the security derived from TCP is attributable to how well the initial sequence numbers (ISNs) are chosen. Some popular stack implementations choose very poor ISNs and thus are normally susceptible to ISN prediction exploits. By applying a modulate state rule to a TCP connection, pf will create a high quality random sequence number for each connection endpoint.
- Block infected internal computers -- if a machine on the inside network makes more than N new connections through the firewall in X seconds, or more than N connections in total, its traffic can be automatically stopped. Infected systems will often make many connections out to the Internet, frequently attempting to spread the malware further. This feature can automatically stop it. The time limit after which the machine is removed from this blocked state is configurable.
- Unlimited users/connections*
* - The maximum number of (connections, users, sessions) is limited by the hardware on which the system is deployed. There are no license restrictions.
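The following pf.conf fragment is an added example, not configuration from the original page or from the OpenBSD project; it shows how the features listed above (tables, block policy, packet normalization with random-id / min-ttl / max-mss / timestamp modulation, full packet logging, probability, the overload table for infected internal hosts, the operating system fingerprint rule for SSH, synproxy, and modulate state) are expressed in OpenBSD's current pf syntax. The interface names em0/em1, the 10.0.0.0/24 internal network and the blocklist file path are assumptions chosen for the example.

```pf
# Added example pf.conf (OpenBSD 4.7+ syntax). Interfaces, networks and the
# table file path are assumptions, not values from the original page.
ext_if  = "em0"            # assumed external interface
int_if  = "em1"            # assumed internal interface
int_net = "10.0.0.0/24"    # constructed internal network

# Tables: a persistent blocklist loaded from a file (one address or network
# per line) and an overload table that pf fills automatically (see below).
table <blocked_nets> persist file "/etc/pf/blocked_nets.txt"   # assumed path
table <infected>     persist

# Block policy: silently drop by default. "set block-policy return" would
# instead send a TCP RST for TCP and an ICMP unreachable for UDP.
set block-policy drop
set skip on lo0

# Packet normalization: randomize the IP id field, enforce a minimum TTL,
# clamp the TCP MSS, and "reassemble tcp", which also modulates TCP
# timestamps so uptime and NAT host counting cannot be inferred.
match in  all scrub (no-df random-id min-ttl 64 max-mss 1440 reassemble tcp)
match out on $ext_if all scrub (random-id reassemble tcp)

# NAT for the internal network behind the firewall's external address.
match out on $ext_if from $int_net to any nat-to ($ext_if)

# Default deny, logged. "log (all)" records every packet of a matching
# conversation to pflog0, not only the packet that created the state.
block log all
block in  quick log (all) on $ext_if from <blocked_nets> to any
block out quick log       on $ext_if from any to <blocked_nets>

# Probability: allow echo requests, then drop 20% of them. Without "quick"
# the last matching rule wins, so the block applies only when its 20% fires.
pass  in on $ext_if inet proto icmp icmp-type echoreq
block in on $ext_if inet proto icmp icmp-type echoreq probability 20%

# Infected internal hosts: a source that opens more than 100 connections,
# or more than 15 new connections in 5 seconds, is added to <infected>
# and all of its existing states are flushed. Entries are removed with
# "pfctl -t infected -T expire <seconds>" (for example from cron).
block in quick on $int_if from <infected> to any
pass  in on $int_if from $int_net to any keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <infected> flush global)

# Operating system fingerprint plus synproxy: only clients whose TCP SYN
# matches the Linux fingerprint may reach SSH, and pf completes the TCP
# handshake itself before the server sees any packet, so spoofed-source
# SYN floods never reach it.
pass in on $ext_if proto tcp from any os Linux to ($ext_if) port ssh \
    flags S/SA synproxy state

# Modulate state: public web server with randomized initial sequence
# numbers for each connection endpoint.
pass in on $ext_if proto tcp from any to ($ext_if) port { 80 443 } \
    flags S/SA modulate state

# Traffic originating from the firewall itself.
pass out on $ext_if keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf` (the `-n` flag parses the file but does not install the rules), then load it with `pfctl -f /etc/pf.conf`. Packets logged by the rules above can be read in full with `tcpdump -n -e -ttt -r /var/log/pflog` or live from the `pflog0` interface, which is what makes the "entire conversation" logging described above possible.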


