(Sketchbook ink and watercolor by the author: A fearsome Puffy determines which packets shall pass.)

The centerpiece of my setup is the pf packet filter, which is built into the OpenBSD kernel and originated, like many good things, from OpenBSD.

The bulk of pf configuration is done through /etc/pf.conf. I constructed mine from scratch while reading The Book of PF, 4th Ed. (see the references section at the bottom of this page).

You can view my full conf in the repo here: pf.conf. (I like to thoroughly document things I won’t be touching frequently, so there are a lot of comments in that file, including instructions on updating pf after I make changes.)

Anyway, I set this up in the recommended fashion: block all traffic and then let only selected traffic through.

When it’s daytime, I use the rule:

    pass proto tcp from <leased_ips>

When it’s bedtime, that rule changes to:

    pass proto tcp from <bedtime_exempt>

There are two IP address tables being used:

- <leased_ips> is maintained by dhcpd when it leases addresses to clients on the local network.
- <bedtime_exempt> is maintained manually by me. I store the addresses in a text file and load them into the table with a script whenever I make a change.

When it’s bedtime, I only explicitly allow traffic to the exempt computers. This blocks traffic to everything else because, as you may recall, the default is block all!

You’ll notice that I’m only doing this for TCP traffic. I’m handling ICMP and UDP packets in a strict fashion in accordance with the wisdom of the book. We’ll see if I end up needing to make any exceptions.

(Update: Sure enough, I’m going to need to experiment with the daytime rule - the above doesn’t allow Discord voice chat or Roblox to function, which…was not appreciated by certain members of this house.)

Updating tables

Since this is all predicated on the two address tables, how do these tables get updated?
The <leased_ips> table is initially created in pf.conf with this placeholder: table <leased_ips> persis...
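
An added example, not the author's script: one way to check the manually maintained <bedtime_exempt> list described above before it reaches pf, so that a typo or an over-broad entry never widens the bedtime rule. The LAN prefix 192.168.1., the file path in the usage comment and the function names are assumptions.

```sh
#!/bin/sh
# Added example (not the author's script): validate an exempt-address list
# before loading it into pf's <bedtime_exempt> table.
# Assumption: exempt machines live on 192.168.1.0/24; edit LAN_PREFIX to match.
LAN_PREFIX="192.168.1."

# is_host_ip ADDR -> 0 only for a plain dotted-quad host address on the LAN.
# CIDR blocks, hostnames and off-LAN addresses are rejected, so a stray
# "0.0.0.0/0" line cannot turn the bedtime rule into "pass everything".
is_host_ip() {
    case "$1" in "$LAN_PREFIX"*) ;; *) return 1 ;; esac
    last=${1#"$LAN_PREFIX"}
    case "$last" in ''|*[!0-9]*|0*) return 1 ;; esac   # digits only, no leading 0
    [ "${#last}" -le 3 ] && [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# clean_list FILE -> prints the validated addresses, one per line.
# Returns 1 and names each bad entry on stderr if any line fails validation.
clean_list() {
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # drop whitespace / CR
        [ -z "$line" ] && continue
        if is_host_ip "$line"; then
            printf '%s\n' "$line"
        else
            printf 'rejected entry: %s\n' "$line" >&2
            failed=1
        fi
    done < "$1"
    return "$failed"
}

# load_exempt FILE -> replace the table contents only if every line passed.
load_exempt() {
    tmp=$(mktemp) || return 1
    if clean_list "$1" > "$tmp"; then
        pfctl -t bedtime_exempt -T replace -f "$tmp"
        status=$?
    else
        echo "table <bedtime_exempt> left unchanged" >&2
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}

# Usage, as root (path is hypothetical): load_exempt /etc/bedtime_exempt.txt
```

Because the table is only replaced after the whole file validates, a bad edit leaves the previous exempt set in force instead of loading a partial list.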