The Book of PF

A No-Nonsense Guide to the OpenBSD Firewall

Larger Cover

The Book of PF

A No-Nonsense Guide to the OpenBSD Firewall

By Peter N.M. Hansteen

Publisher: No Starch Press

Released: December 2007

Pages: 184

OpenBSD's stateful packet filter, PF, offers an amazing feature set and support across the major BSD platforms. Like most firewall software though, unlocking PF's full potential takes a good teacher.Peter N.M. Hansteen's PF website and conference tutorials have helped thousands of users build the networks they need using PF. The Book of PF is the product of Hansteen's knowledge and experience, teaching good practices as well as bare facts and software options. Throughout the book, Hansteen emphasizes the importance of staying in control by having a written network specification, using macros to make rule sets more readable, and performing rigid testing when loading in new rules.

Today's system administrators face increasing challenges in the quest for network quality, and The Book of PF can help by demystifying the tools of modern *BSD network defense. But, perhaps more importantly, because we know you like to tinker, The Book of PF tackles a broad range of topics that will stimulate your mind and pad your resume, including how to:

Create rule sets for all kinds of network traffic, whether it is crossing a simple home LAN, hiding behind NAT, traversing DMZs, or spanning bridges
Use PF to create a wireless access point, and lock it down tight with authpf and special access restrictions
Maximize availability by using redirection rules for load balancing and CARP for failover
Use tables for proactive defense against would-be attackers and spammers
Set up queues and traffic shaping with ALTQ, so your network stays responsive
Master your logs with monitoring and visualization, because you can never be too paranoid

The Book of PF is written for BSD enthusiasts and network admins at any level of expertise. With more and more services placing high demands on bandwidth and increasing hostility coming from the Internet at-large, you can never be too skilled with PF.

Chapter 1 WHAT PF IS
1. Packet Filter? Firewall? A Few Important Terms Explained
2. Network Address Translation
3. PF Today
Chapter 2 LET'S GET ON WITH IT
1. Simplest Possible PF Setup on OpenBSD
2. Simplest Possible PF Setup on FreeBSD
3. Simplest Possible PF Setup on NetBSD
4. First Rule Set—A Single, Stand-Alone Machine
5. Slightly Stricter, with Lists and Macros
6. Statistics from pfctl
Chapter 3 INTO THE REAL WORLD
1. A Simple Gateway, NAT If You Need It
2. That Sad Old FTP Thing
3. FTP Through NAT: ftp-proxy
4. Making Your Network Troubleshooting Friendly
5. Tables Make Your Life Easier
Chapter 4 WIRELESS NETWORKS MADE EASY
1. A Little IEEE 802.11 Background
2. Setting Up a Simple Wireless Network
3. Guarding Your Wireless Network with authpf
Chapter 5 BIGGER OR TRICKIER NETWORKS
1. When Others Need Something in Your Network: Filtering Services
2. Back to the Single NATed Network
3. The Power of Tags
4. The Bridging Firewall
5. Handling Nonroutable Addresses from Elsewhere
Chapter 6 TURNING THE TABLES FOR PROACTIVE DEFENSE
1. Turning Away the Brutes
2. Giving Spammers a Hard Time with spamd
Chapter 7 QUEUES, SHAPING, AND REDUNDANCY
1. Directing Traffic with ALTQ
2. Redundancy and Failover: CARP and pfsync
Chapter 8 LOGGING, MONITORING, AND STATISTICS
1. PF Logs: The Basics
2. Some Additional Tools for PF Logs and Statistics
3. Remember, Useful Log Data Is the Basis for Effective Debugging
Chapter 9 GETTING YOUR SETUP JUST RIGHT
1. The Things You Can Tweak and What You Probably Should Leave Alone
2. Cleaning Up Your Traffic: scrub and antispoof
3. Testing Your Setup
4. Debugging Your Rule Set
5. Know Your Network, Stay in Control

Appendix RESOURCES
1. General Networking and BSD Resources on the Internet
2. Sample Configurations and Related Musings
3. PF on Other BSD Systems
4. BSD and Networking Books
5. Wireless Networking Resources
6. spamd and Greylisting-Related Resources
7. Book-Related Web Resources
8. If You Enjoyed This Book, Buy OpenBSD CDs and Donate!
Appendix A NOTE ON HARDWARE SUPPORT
1. A Case in Point: The Story of a Small Wireless Network
2. Getting the Right Hardware
3. Issues Facing Hardware-Support Developers
4. How to Help the Hardware-Support Efforts
COLOPHON

Title:

The Book of PF

By:

Peter N.M. Hansteen

Publisher:

No Starch Press

Formats:

Print
Ebook
Safari Books Online

Print:

December 2007

Ebook:

August 2009

Pages:

184

Print ISBN:

978-1-59327-165-7

| ISBN 10:

1-59327-165-4

Ebook ISBN:

978-1-59327-232-6

| ISBN 10:

1-59327-232-4

Description

Table of Contents

Product Details

About the Author

Recommended for You

Recently Viewed

My New Mac

52 Simple Projects to Get You Started

By Wallace Wang, Wallace Wang

April 2008

Hacking VoIP

Protocols, Attacks, and Countermeasures

By Himanshu Dwivedi

October 2008

Ebook: $35.95

Print & Ebook: $49.45

Print: $44.95

The Unofficial LEGO MINDSTORMS NXT Inventor's Guide

By David J. Perdue

November 2007

Print: $29.95

Customer Reviews

REVIEW SNAPSHOT®

by PowerReviews

oreilly The Book of PF

4.0

(based on 2 reviews)

Reviews

Reviewed by 2 customers

Sort by

Displaying reviews 1-2

10/6/2008

5.0

A very accessible book on OpenBSD's PF firewall

By Dave Walz-Burkett

from Undisclosed

Comments about oreilly The Book of PF:

If you're looking for information about the OpenBSD packet filter program "pf", you may have noticed a gaping hole on bookstore shelves. Two books that I have read on pf are "Building Firewalls with OpenBSD and PF, 2nd Edition" by Jacek Artymiak and the No Starch Press title, "The Book of PF", by Peter N.M. Hansteen.

"The Book of PF" is by far the easier of the two books to digest and will help you get up to speed very quickly. It's a short book, weighing in at 145 pages. The example rule sets are simple to follow and very thoroughly documented.

Hansteen helps you navigate through pf's basic configuration and then takes you through more advanced topics like wireless networks and how to deal with 'bigger or trickier networks'. There is also a treatment of OpenBSD's spamd program, designed to help you combat spam on your network.

You'll find a chapter on Alternate Queuing (ALTQ) and Common Address Redundancy Protocol (CARP). ALTQ provides a way to shape the traffic on your network and was integrated into pf for the OpenBSD 3.3 release. CARP was added to OpenBSD in release 3.5 to address the issue of high availability and uninterrupted service.

A chapter covering Logging, Monitoring, and Statistics helps bring it all together for the network administrator. Hansteen closes out the text with a chapter titled "Getting Your Setup Just Right" that provides a last-minute review of some of the most important configuration options.

If you're interested in "The Book of PF", most likely you're already familiar with OpenBSD - one of the most secure operating systems available today. If you're ready to enhance OpenBSD's default security, pick up a copy of this book and spend some time with the pf program.

3/8/2008

3.0

PF review by Pcola LUG

By Anonymous

from Undisclosed

Comments about oreilly The Book of PF:

Mr. Hansteen, Did a rather good job of putting this book together. The chapters flowed well and one led into the next in a very logical manner. I especially found useful the sections on Round-robin and setting up wireless (Chapter 4 and 7).

Although I make a business of building firewalls I will be keeping this book close at hand. Sadly I only gave 3 stars as I felt the editing could have been better I found several errors with the sample scripts and rules and found it lacking with one or two advanced areas for the professionals would have made this a 5 star easy.

Displaying reviews 1-2

Save a Tree - Go Digital what is this?

Ebook: $23.95

Formats: ePub, Mobi, PDF

Safari Books Online - Read now >

Chapter 1 WHAT PF IS

Packet Filter? Firewall? A Few Important Terms Explained

Network Address Translation

PF Today

Chapter 2 LET'S GET ON WITH IT

Simplest Possible PF Setup on OpenBSD

Simplest Possible PF Setup on FreeBSD

Simplest Possible PF Setup on NetBSD

First Rule Set—A Single, Stand-Alone Machine

Slightly Stricter, with Lists and Macros

Statistics from pfctl

Chapter 3 INTO THE REAL WORLD

A Simple Gateway, NAT If You Need It

That Sad Old FTP Thing

FTP Through NAT: ftp-proxy

Making Your Network Troubleshooting Friendly

Tables Make Your Life Easier

Chapter 4 WIRELESS NETWORKS MADE EASY

A Little IEEE 802.11 Background

Setting Up a Simple Wireless Network

Guarding Your Wireless Network with authpf

Chapter 5 BIGGER OR TRICKIER NETWORKS

When Others Need Something in Your Network: Filtering Services

Back to the Single NATed Network

The Power of Tags

The Bridging Firewall

Handling Nonroutable Addresses from Elsewhere

Chapter 6 TURNING THE TABLES FOR PROACTIVE DEFENSE

Turning Away the Brutes

Giving Spammers a Hard Time with spamd

Chapter 7 QUEUES, SHAPING, AND REDUNDANCY

Directing Traffic with ALTQ

Redundancy and Failover: CARP and pfsync

Chapter 8 LOGGING, MONITORING, AND STATISTICS

PF Logs: The Basics

Some Additional Tools for PF Logs and Statistics

Remember, Useful Log Data Is the Basis for Effective Debugging

Chapter 9 GETTING YOUR SETUP JUST RIGHT

The Things You Can Tweak and What You Probably Should Leave Alone

Cleaning Up Your Traffic: scrub and antispoof

Testing Your Setup

Debugging Your Rule Set

Know Your Network, Stay in Control

Appendix RESOURCES

General Networking and BSD Resources on the Internet

Sample Configurations and Related Musings

PF on Other BSD Systems

BSD and Networking Books

Wireless Networking Resources

spamd and Greylisting-Related Resources

Book-Related Web Resources

If You Enjoyed This Book, Buy OpenBSD CDs and Donate!

Appendix A NOTE ON HARDWARE SUPPORT

A Case in Point: The Story of a Small Wireless Network

Getting the Right Hardware

Issues Facing Hardware-Support Developers

How to Help the Hardware-Support Efforts

COLOPHON

Peter N.M. Hansteen

About O'Reilly

Community

More O'Reilly Sites

Partner Sites

Shop O'Reilly