Musings about Coding, Business and other Geek Stuff Live and Direct from somewhere on the planet
May 05, 2003
PF firewalls in OpenBSD 3.3

I’ve recently been setting up a bunch of firewalls down here using the latest version of OpenBSD.

I am so impressed with pf, the included firewall. I’ve used it before, as well as the earlier ipf. But in this version they have added so many new features that it feels like a whole new product.

The most important new feature for me is tables. A table is an internal lookup structure that can hold absolutely tons of addresses and ranges. Tables can be manipulated externally while the firewall is running, and lookups are very fast. Before, when a firewall rule had multiple IPs or ranges you had to use sets, which were expanded out into one rule per element at parse time. By changing the rules on one firewall to use tables where I had used sets before, the internal rule count dropped from 500+ to fewer than 30.

One great new use for tables in pf is spam filtering. OpenBSD now comes with an integrated spam tarpit called spamd. This can be configured with a simple rule in your pf.conf file to catch SMTP connections from any address on the open-relay/spammer blacklists. Spamd looks and smells just like sendmail, but runs s l o w and fails after 20 minutes with an error message. This is ideal for stopping spammers dead in their tracks and uses hardly any resources. I have a cron job that downloads the latest blacklists daily and automatically updates the tables within pf. Sweet.

To configure it, simply enable spamd in your rc.conf file, run spamd-setup once, and add the two lines below to your pf.conf file (the table is named spamd, which is the table spamd-setup populates):

table <spamd> persist

rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
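The daily refresh of the <spamd> table, written here as an added example that is not from the original post or from OpenBSD: a POSIX sh script that validates a downloaded blacklist before handing it to pfctl, so a corrupted or tampered feed cannot push junk into the table or empty it. It assumes the table is named spamd as in the pf.conf lines above; the feed contents are constructed for the demonstration.

```shell
#!/bin/sh
# Refresh the pf <spamd> table from a downloaded blacklist, keeping only
# well-formed IPv4 addresses or CIDR ranges. Anything else (comments, blank
# lines, bad octets, bad prefixes, stray text) is dropped before pfctl sees it.

# Filter stdin: print only dotted-quad IPv4 addresses, optionally with /0-32.
filter_blacklist() {
    awk '
    {
        sub(/#.*/, "");                      # strip trailing comments
        gsub(/^[ \t]+|[ \t]+$/, "");         # trim surrounding whitespace
        if ($0 == "") next;
        n = split($0, parts, "/");
        if (n > 2) next;
        if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) next;
        if (split(parts[1], oct, ".") != 4) next;
        ok = 1;
        for (i = 1; i <= 4; i++)
            if (oct[i] !~ /^[0-9]+$/ || oct[i] + 0 > 255) ok = 0;
        if (ok) print $0;
    }'
}

# Replace the whole table with the filtered list read from stdin.
# Refuses to touch the table if nothing valid survived the filter, so a
# failed or empty download never silently disables the tarpit.
update_spamd_table() {
    tmp=$(mktemp /tmp/spamd.XXXXXX) || return 1
    filter_blacklist > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    pfctl -q -t spamd -T replace -f "$tmp"   # assumes table <spamd> in pf.conf
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample feed (not a real blacklist) showing what gets dropped.
SAMPLE='# example feed
192.0.2.0/24
198.51.100.17   # single host
256.1.1.1       # bad octet
203.0.113.0/33  # bad prefix
garbage; pfctl -F all
'
```

From cron, pipe the fetched blacklist into update_spamd_table; running the filter alone on SAMPLE keeps only the first two entries.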

Posted by pelleb at May 05, 2003 12:28 AM
This entry was posted in the following Categories: Crypto & Security