https://blog.apnic.net/2022/11/02/openbsd-packet-filter-tools/
A few of my favourite things about the OpenBSD Packet Filter tools

By Peter Hansteen on 2 Nov 2022
Category: Tech matters
Tags: Guest Post, How to, history, open source, security, tools

The OpenBSD packet filter (PF) was introduced a little more than 20 years ago as part of OpenBSD 3.0. In a series of two posts, I invite you to take a short tour of PF features and tools that I have enjoyed using.

At the time the OpenBSD project introduced its new packet filter subsystem in 2001, I was nowhere near the essentially full-time OpenBSD user I would soon become. I did, however, quickly recognize that even what was later dubbed 'the working prototype' was reported to perform better in most contexts than the code it replaced.

The reason PF's predecessor needed to be replaced has been covered extensively by myself and others elsewhere, so I'll limit myself to noting that the reason was that several somebodies finally read and understood the code's license and decided that it was not, in fact, open source in any acceptable meaning of the term.

Anyway, the initial PF release was very close in features and syntax to the code it replaced. And even at that time, the config syntax was a lot more human-readable than the alternative I had been handling up to then, which was Linux's IPtables. The less said about IPtables, the better.

But soon visible improvements in user-friendliness, or at least admin friendliness, started appearing. With OpenBSD 3.2, the separate /etc/nat.conf Network Address Translation (NAT) configuration file moved to the attic and the NAT and redirection options moved into the main PF config file /etc/pf.conf. The next version, OpenBSD 3.3, saw the ALTQ queueing configuration move into pf.conf as well, and the previously separate altq.conf file became obsolete.
What did not change, however, was the syntax, which was to remain just bothersome enough that many of us put off playing with traffic shaping until some years later.

Other PF news in that release included anchors, or named sub-rulesets, as well as tables, described as "a very efficient way for large address lists in rules", and the initial release of spamd(8), the spam deferral daemon.

More on these things later; I will not bore you with a detailed history of PF features introduced or changed in OpenBSD over the last twenty-some years.

PF rulesets: The basics

So how do we go about writing that perfect firewall config? I could go on about that at length, and I have been known to on occasion, but let us start with the simplest possible, yet absolutely secure PF ruleset:

    block

With that in place, you are totally secure. No traffic will pass. Or as they say in the trade, you have virtually unplugged yourself from the rest of the world. That particular ruleset will expand to the following:

    block drop all

But we are getting ahead of ourselves. To provide you with a few tools and some context, these are the basic building blocks of a PF rule:

    verb criteria action ... options

Here are a few sample rules to put it into context, all lifted from configurations I have put into production:

    pass in on egress proto tcp to egress port ssh

This first sample says that if a packet arrives on the egress -- an interface belonging to the group of interfaces that has a default route -- and that packet is a TCP packet with a destination service ssh, let the packet pass to the interfaces belonging to the egress interface group.

Yes, when you write PF rulesets, you do not necessarily need to write port numbers for services and memorize what services hide behind port 80, 53 or 443. The common or standard services are known to the rules parsing part of pfctl(8), generally, and with the service names, you can look these up in the /etc/services file.
The interface groups concept is, as far as I know, an OpenBSD innovation. You can put interfaces into logical groups and reference the group name in PF configurations. A few default interface groups exist without you doing anything; egress is one, and another common one is wlan, where all configured Wi-Fi interfaces are members by default. Keep in mind that you can create your own interface groups -- set them up using ifconfig(8).

    match out on egress nat-to egress

This one matches outbound traffic, again on egress (which in the simpler cases consists of one interface) and applies the nat-to action on the packets, transforming them so that the next hops all the way to the destination will see packets where the source address is equal to the egress interface's address. If your network runs IPv4 and you have only one routable address assigned, you will more than likely have something like this configured on your Internet-facing gateway.

It is worth noting that early PF versions did not have the match verb. After a few years of PF practice, developers and practitioners alike saw the need for a way to apply actions such as nat-to or other transformations without making a decision on whether to pass or block the traffic. The match keyword arrived in OpenBSD 4.6, and in retrospect, seems like a prelude to more extensive changes that followed over the next few releases.

Next up is a variation on the initial absolutely secure ruleset.

    block all

I will tell you now so you will not be surprised later -- if you had made a configuration with those three rules in that order, your configuration would be functionally the same as the one-word one we started with. This is because, in PF configurations, the rules are evaluated from top to bottom, and the last matching rule wins. The only escape from this progression is to insert a quick modifier after the verb, as in:

    pass quick from (self)

This will stop evaluation when a packet matches the criteria in the quick rule.
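The evaluation order described above can be checked with a small model. This is an added example, not code from the original post or from PF: it runs the three sample rules in the order they were introduced and with block all moved to the top. The packet fields, the port numbers standing in for service names, the quick variant of the ssh rule and the extra "pass out on egress" rule are assumptions made for the illustration.

```python
# Added example: a simplified model of PF rule evaluation, not PF itself.
# Interface groups are treated as plain names and addresses are ignored.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" or "out"
    iface: str                   # interface (group) the packet is seen on
    proto: str                   # "tcp", "udp", ...
    dport: Optional[int] = None  # destination port


@dataclass(frozen=True)
class Rule:
    text: str                        # the pf.conf line this object stands for
    action: str                      # "block", "pass" or "match"
    quick: bool = False              # only modelled on block/pass rules
    direction: Optional[str] = None  # None means "any"
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    nat_to: Optional[str] = None     # only modelled on match rules

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.direction, pkt.direction), (self.iface, pkt.iface),
                 (self.proto, pkt.proto), (self.dport, pkt.dport))
        return all(want is None or want == got for want, got in pairs)


def evaluate(rules, pkt):
    """Return (verdict, text of the deciding rule, nat-to target or None)."""
    verdict, decided_by, nat = "pass", None, None  # no rule matched: implicit pass
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "match":
            nat = rule.nat_to or nat   # match sets parameters, never the verdict
            continue
        verdict, decided_by = rule.action, rule.text  # a later match overrides
        if rule.quick:
            break                      # quick: stop evaluating right here
    return verdict, decided_by, (nat if verdict == "pass" else None)


SSH = Rule("pass in on egress proto tcp to egress port ssh", "pass",
           direction="in", iface="egress", proto="tcp", dport=22)
NAT = Rule("match out on egress nat-to egress", "match",
           direction="out", iface="egress", nat_to="egress")
BLOCK = Rule("block all", "block")
# Constructed for this example, not taken from the article:
SSH_QUICK = Rule("pass in quick on egress proto tcp to egress port ssh", "pass",
                 quick=True, direction="in", iface="egress", proto="tcp", dport=22)
PASS_OUT = Rule("pass out on egress", "pass", direction="out", iface="egress")

AS_INTRODUCED = [SSH, NAT, BLOCK]   # order in which the article shows the rules
BLOCK_FIRST = [BLOCK, NAT, SSH]     # default deny first, exceptions after it
QUICK_FIRST = [SSH_QUICK, BLOCK]    # quick wins although block all comes later

SSH_IN = Packet("in", "egress", "tcp", 22)     # constructed sample packets
WEB_OUT = Packet("out", "egress", "tcp", 443)

if __name__ == "__main__":
    cases = (("as introduced", AS_INTRODUCED), ("block first", BLOCK_FIRST),
             ("quick first", QUICK_FIRST),
             ("block first + pass out", BLOCK_FIRST + [PASS_OUT]))
    for name, rules in cases:
        for pkt in (SSH_IN, WEB_OUT):
            print(f"{name:24} {pkt.direction:3} port {pkt.dport:<4}",
                  evaluate(rules, pkt))
```

Note that in the block-first order the outbound packet is still blocked: the match rule only records the translation, and some pass rule has to let the traffic out before nat-to has any effect.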
Please use quick sparingly, if at all.

There is a specific reason why PF behaves like this. The system that PF replaced in OpenBSD had the top to bottom, last-match wins logic, and the developers did not want to break existing configurations too badly during the transition away from the old system.

So, in practice, you would put them in this order for a more functional setup, but likely supplemented by a few other items.

    block all
    match out on egress nat-to egress
    pass in on egress proto tcp to egress port ssh

For those supplementing items, we can examine some of the PF features that can help you write readable and maintainable rulesets. And while a readable ruleset is not automatically a more secure one, readability certainly helps spot errors in your logic that could put the systems and users in your care in reach of potential threats.

To help that readability, it is important to be aware of these features:

Options: General configuration options that set the parameters for the ruleset, such as

    set limit states 100000
    set debug debug
    set loginterface dc0
    set timeout tcp.first 120
    set timeout tcp.established 86400
    set timeout { adaptive.start 6000, adaptive.end 12000 }

If the meaning of some of those does not seem terribly obvious to you at this point, that's fine. They are all extensively documented in the pf.conf man page.

Macros: Content that will expand in place, such as lists of services, interface names or other items you feel useful. Below are some examples along with rules that use them:

    ext_if = "kue0"
    all_ifs = "{" $ext_if lo0 "}"
    pass out on $ext_if from any to any
    pass in on $ext_if proto tcp from any to any port 25

Keep in mind that if your macros expand to lists of either ports or IP addresses, the macro expansion will create several rules to cover your definitions in the ruleset that is eventually loaded.

Tables: Data structures that are specifically designed to store IP addresses and networks.
They were originally devised to be a more efficient way to store IP addresses than macros that contained IP addresses and expanded to several rules that needed to be evaluated separately. Rules can refer to tables so the rule will match any member of the table.

    table <badhosts> persist counters file "/home/peter/badhosts"
    # ...
    block from <badhosts>

Here the table is loaded from a file. You can also initialize a table in pf.conf itself, and you can even manipulate table contents from the command line without reloading the rules:

    $ doas pfctl -t badhosts -T add 192.0.2.11 2001:db8::dead:beef:baad:f00d

In addition, several of the daemons in the OpenBSD base system such as spamd, bgpd and dhcpd can be set up to interact with your PF rules.

Rules: The rules with the verbs, criteria and actions that determine how your system handles network traffic. A very simple and reasonable baseline is one that blocks all incoming traffic but allows all traffic initiated on the local system:

    block
    pass from (self)

The pass rule lets our traffic pass to elsewhere, and since PF is a stateful firewall by default, return traffic for the connections the local system sends out will be allowed back.

You probably noticed the configuration here references something called (self). The string self is a default macro that expands to all configured local interfaces on the host. Here, self is set inside parentheses () indicating that one or more of the interfaces in self may have dynamically allocated addresses and that PF will detect any changes in the configured interface IP addresses.
This exact ruleset expanded to this on my laptop in my home network at one point:

    $ doas pfctl -vnf /etc/pf.conf
    block drop all
    pass inet6 from ::1 to any flags S/SA
    pass on lo0 inet6 from fe80::1 to any flags S/SA
    pass on iwm0 inet6 from fe80::a2a8:cdff:fe63:abb9 to any flags S/SA
    pass inet6 from 2001:470:28:658:a2a8:cdff:fe63:abb9 to any flags S/SA
    pass inet6 from 2001:470:28:658:8c43:4c81:e110:9d83 to any flags S/SA
    pass inet from 127.0.0.1 to any flags S/SA
    pass inet from 192.168.103.126 to any flags S/SA

The pfctl command here says to parse the rules in the file /etc/pf.conf verbosely, but not to load them. This shows what the loaded ruleset will be, after any macro expansions or optimizations. For that exact reason, it is strongly recommended to review the output of the pfctl -vnf command on configurations you write before loading them as your running configuration.

If you look closely at that command output, you will see both the inet and inet6 keywords. These designate IPv4 and IPv6 addresses respectively. Since the earliest days, PF has supported both, and if you do not specify which address family your rule applies to, it will apply to both.

But this has all been on a boring single-host configuration. In my experience, the more interesting setting for PF use is when the configuration is for a host that handles traffic for other hosts, such as a gateway or other intermediate host.

To forward traffic to and from other hosts, you need to enable forwarding. You can do that from the command line:

    # sysctl net.inet.ip.forwarding=1
    # sysctl net.inet6.ip6.forwarding=1

But you will want to make the change permanent by putting the following lines in your /etc/sysctl.conf so the change survives reboots.
    net.inet.ip.forwarding=1
    net.inet6.ip6.forwarding=1

With these settings in place, a configuration (/etc/pf.conf) like this might make sense if your system has two network interfaces that are both of the bge kind:

    # Macros: external and internal interface, service lists
    ext_if=bge0
    int_if=bge1
    client_out = "{ ftp-data ftp ssh domain pop3, imaps nntp https }"
    udp_services = "{ domain ntp }"
    # A list of more than one ICMP type must be enclosed in braces
    icmp_types = "{ echoreq unreach }"

    # Translate outbound IPv4 traffic to the external interface's address
    match out on egress inet nat-to ($ext_if)
    # Default deny; the pass rules below are the exceptions
    block
    pass inet proto icmp all icmp-type $icmp_types keep state
    pass quick proto { tcp, udp } to port $udp_services keep state
    pass proto tcp from $int_if:network to port $client_out
    pass proto tcp to self port ssh

Your network likely differs in one or more ways from this example. I'll put some references at the end of Part 2 for a more thorough treatment of all these options.

And once again, please use the readability features of the PF syntax to keep you sane and safe.

NOTE: If you are more of a slides person, the summary for the SEMIBUG user group meeting is available. A version without trackers but 'classical' formatting is also available.

Peter N. M. Hansteen is a puffyist, daemon charmer, and penguin wrangler.

Adapted from original post which appeared on BSDLY.
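The Macros paragraph above notes that macros which expand to lists turn one written rule into several loaded rules, which is why reviewing pfctl -vnf output matters. As an added example (not the author's code and not how pfctl is implemented), this sketch applies macro substitution and brace-list expansion to the gateway ruleset; the function names are hypothetical, and the real pfctl expands further (self, address families, service names), so the count is a floor.

```python
# Added example: models only $macro substitution and { } list expansion.
import itertools
import re

# Gateway ruleset from the article; icmp_types is written as a braced list.
GATEWAY_CONF = '''
ext_if=bge0
int_if=bge1
client_out = "{ ftp-data ftp ssh domain pop3, imaps nntp https }"
udp_services = "{ domain ntp }"
icmp_types = "{ echoreq unreach }"
match out on egress inet nat-to ($ext_if)
block
pass inet proto icmp all icmp-type $icmp_types keep state
pass quick proto { tcp, udp } to port $udp_services keep state
pass proto tcp from $int_if:network to port $client_out
pass proto tcp to self port ssh
'''

MACRO_DEF = re.compile(r'(\w+)\s*=\s*"?(.*?)"?')   # name = value or name = "value"
BRACE_LIST = re.compile(r'(\{[^{}]*\})')           # one { ... } list, not nested


def substitute_macros(conf):
    """Return the rule lines with every $macro replaced by its definition."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        definition = MACRO_DEF.fullmatch(line)
        if definition:
            macros[definition.group(1)] = definition.group(2)
        else:
            rules.append(re.sub(r'\$(\w+)', lambda m: macros[m.group(1)], line))
    return rules


def expand_lists(rule):
    """Expand each { a, b } list: one output rule per combination of items."""
    parts = BRACE_LIST.split(rule)                 # keeps the lists as parts
    choices = [re.split(r'[,\s]+', p[1:-1].strip()) if p.startswith("{") else [p]
               for p in parts]
    return [" ".join("".join(combo).split())       # normalise whitespace
            for combo in itertools.product(*choices)]


def expand(conf):
    """Map each written rule to the list of rules it expands to."""
    return [(rule, expand_lists(rule)) for rule in substitute_macros(conf)]


if __name__ == "__main__":
    total = 0
    for written, loaded in expand(GATEWAY_CONF):
        total += len(loaded)
        print(f"{len(loaded):2} <- {written}")
    print(f"{total} rules from {len(expand(GATEWAY_CONF))} written lines")
```

Addresses held in a table do not multiply rules this way, which is the efficiency argument the Tables paragraph makes.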