PF Diverters

A collection of daemons written for OpenBSD PF that intercept packets as they arrive on the system and perform deep inspection on them.

This synergy leaves plenty of space for innovation: packets matched by PF can be stopped from propagating through the IP stack and handed to our userspace daemons, then optionally re-injected into the kernel stack for normal processing.

The daemons can then perform additional checks on the intercepted connections and, based on the results, immediately enforce alternate firewall policies on those connections.

List of diverters currently available:

  • bofh-divert: diverts connections to this daemon and adds each source host to a predefined PF table (used for banning abusers).
  • dnsbl-divert: diverts connections to this daemon and checks whether the source IP is listed on a DNSBL; if it is, the packet is dropped, otherwise it is re-injected to reach its original destination.
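The divert mechanism described above and the decision logic of the two daemons, as an added example that is not the project's own code and is written in Python rather than the daemons' language. The DNSBL zone `dnsbl.example`, the PF table name `abusers`, the divert port and the value 258 used as a fallback for `IPPROTO_DIVERT` are assumptions.

```python
"""Divert-packet inspector modelled on dnsbl-divert/bofh-divert (added example).
PF hands packets matched by 'divert-packet port N' to a divert socket bound on N; what the
daemon writes back is re-injected, the rest is dropped. Zone/table/port are placeholders."""
import socket
import struct

IPPROTO_DIVERT = getattr(socket, "IPPROTO_DIVERT", 258)  # OpenBSD value; fallback is assumed

def src_ip_of(packet: bytes) -> str:
    """Dotted-quad source address of a raw IPv4 packet as PF delivers it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return socket.inet_ntoa(packet[12:16])

def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL convention: octets reversed, then the list's zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def decide(packet: bytes, zone: str, resolve=socket.gethostbyname) -> str:
    """'drop' if the source resolves in the DNSBL, else 'reinject' (fails open)."""
    try:
        resolve(dnsbl_name(src_ip_of(packet), zone))
        return "drop"
    except OSError:  # NXDOMAIN (gaierror) or resolver outage: treat as not listed
        return "reinject"

def ban_command(ip: str, table: str = "abusers") -> list:
    """pfctl call a bofh-style daemon runs to add a source host to a PF table."""
    return ["pfctl", "-t", table, "-T", "add", ip]

def serve(port: int, zone: str) -> None:
    """Divert loop: read each diverted packet, write back only those that pass."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    sock.bind(("0.0.0.0", port))
    while True:
        packet, addr = sock.recvfrom(65535)
        if decide(packet, zone) == "reinject":
            sock.sendto(packet, addr)  # not writing it back is the drop

def static_resolver(listed: dict):
    """Offline stand-in for DNS: listed names resolve, anything else is NXDOMAIN."""
    def resolve(name):
        if name in listed:
            return listed[name]
        raise socket.gaierror(name)
    return resolve

def build_ipv4_packet(src: str, dst: str, proto: int = 6) -> bytes:  # constructed sample input
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
```

`serve()` only works on OpenBSD with a matching `divert-packet` rule in pf.conf; the other functions run anywhere.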

Source code and download details can be found at github.com/echothrust/pf-diverters