Eight days. I’d had the new firewall running for eight days when I pulled up pfctl -s info and stared at the numbers: 61 million packets passed, 325 thousand blocked. Zero percent CPU. The APU3D2 was barely awake. Just sitting there, quietly dropping a quarter of a million packets that had no business being on my network, using roughly the same computational effort as breathing.
I’ve been writing pf rules on and off for about fifteen years, and the thing that still gets me is the syntax. If you’ve ever written iptables rules, you know the feeling of wrestling a language that was designed by committee and refined by people who actively enjoy suffering. pf isn’t like that. pf reads like prose. Not elegant prose, maybe, but clear, declarative, opinionated prose. You read a pf.conf and you can see what the firewall is doing. You don’t need to trace chains and jump targets and figure out which table is evaluated in which order. It’s just… there.
