OpenBSD's stateful packet filter, PF, offers an amazing feature set and support across the major BSD platforms. Like most firewall software though, unlocking PF's full potential takes a good teacher. Peter N.M. Hansteen's PF website and conference tutorials have helped thousands of users build the networks they need using PF. The Book of PF is the product of Hansteen's knowledge and experience, teaching good practices as well as bare facts and software options. Throughout the book, Hansteen emphasizes the importance of staying in control by having a written network specification, using macros to make rule sets more readable, and performing rigid testing when loading in new rules.
Today's system administrators face increasing challenges in the quest for network quality, and The Book of PF can help by demystifying the tools of modern *BSD network defense. But, perhaps more importantly, because we know you like to tinker, The Book of PF tackles a broad range of topics that will stimulate your mind and pad your resume, including how to:
Create rule sets for all kinds of network traffic, whether it is crossing a simple home LAN, hiding behind NAT, traversing DMZs, or spanning bridges
Use PF to create a wireless access point, and lock it down tight with authpf and special access restrictions
Maximize availability by using redirection rules for load balancing and CARP for failover
Use tables for proactive defense against would-be attackers and spammers
Set up queues and traffic shaping with ALTQ, so your network stays responsive
Master your logs with monitoring and visualization, because you can never be too paranoid
The Book of PF is written for BSD enthusiasts and network admins at any level of expertise. With more and more services placing high demands on bandwidth and increasing hostility coming from the Internet at large, you can never be too skilled with PF.
Chapter 1 WHAT PF IS
Packet Filter? Firewall? A Few Important Terms Explained
Network Address Translation
Chapter 2 LET'S GET ON WITH IT
Simplest Possible PF Setup on OpenBSD
Simplest Possible PF Setup on FreeBSD
Simplest Possible PF Setup on NetBSD
First Rule Set—A Single, Stand-Alone Machine
Slightly Stricter, with Lists and Macros
Statistics from pfctl
Chapter 3 INTO THE REAL WORLD
A Simple Gateway, NAT If You Need It
That Sad Old FTP Thing
FTP Through NAT: ftp-proxy
Making Your Network Troubleshooting Friendly
Tables Make Your Life Easier
Chapter 4 WIRELESS NETWORKS MADE EASY
A Little IEEE 802.11 Background
Setting Up a Simple Wireless Network
Guarding Your Wireless Network with authpf
Chapter 5 BIGGER OR TRICKIER NETWORKS
When Others Need Something in Your Network: Filtering Services
Back to the Single NATed Network
The Power of Tags
The Bridging Firewall
Handling Nonroutable Addresses from Elsewhere
Chapter 6 TURNING THE TABLES FOR PROACTIVE DEFENSE
Turning Away the Brutes
Giving Spammers a Hard Time with spamd
Chapter 7 QUEUES, SHAPING, AND REDUNDANCY
Directing Traffic with ALTQ
Redundancy and Failover: CARP and pfsync
Chapter 8 LOGGING, MONITORING, AND STATISTICS
PF Logs: The Basics
Some Additional Tools for PF Logs and Statistics
Remember, Useful Log Data Is the Basis for Effective Debugging
Chapter 9 GETTING YOUR SETUP JUST RIGHT
The Things You Can Tweak and What You Probably Should Leave Alone
Cleaning Up Your Traffic: scrub and antispoof
Testing Your Setup
Debugging Your Rule Set
Know Your Network, Stay in Control
General Networking and BSD Resources on the Internet
Sample Configurations and Related Musings
PF on Other BSD Systems
BSD and Networking Books
Wireless Networking Resources
spamd and Greylisting-Related Resources
Book-Related Web Resources
If You Enjoyed This Book, Buy OpenBSD CDs and Donate!
Appendix A NOTE ON HARDWARE SUPPORT
A Case in Point: The Story of a Small Wireless Network
Peter N. M. Hansteen is a consultant, writer and sysadmin based in Bergen, Norway. A longtime Freenix advocate, Hansteen is a frequent lecturer on FreeBSD and OpenBSD topics. His expertise as a documentation consultant (and humorous work with the RFC 1149 implementation team) have helped him gain regard in Norwegian IT publications. The Book of PF, Hansteen's first book, is an expanded follow-up to his very popular online PF tutorial.
If you're looking for information about the OpenBSD packet filter program "pf", you may have noticed a gaping hole on bookstore shelves. Two books that I have read on pf are "Building Firewalls with OpenBSD and PF, 2nd Edition" by Jacek Artymiak and the No Starch Press title, "The Book of PF", by Peter N.M. Hansteen.
"The Book of PF" is by far the easier of the two books to digest and will help you get up to speed very quickly. It's a short book, weighing in at 145 pages. The example rule sets are simple to follow and very thoroughly documented.
Hansteen helps you navigate through pf's basic configuration and then takes you through more advanced topics like wireless networks and how to deal with 'bigger or trickier networks'. There is also a treatment of OpenBSD's spamd program, designed to help you combat spam on your network.
You'll find a chapter on Alternate Queuing (ALTQ) and Common Address Redundancy Protocol (CARP). ALTQ provides a way to shape the traffic on your network and was integrated into pf for the OpenBSD 3.3 release. CARP was added to OpenBSD in release 3.5 to address the issue of high availability and uninterrupted service.
A chapter covering Logging, Monitoring, and Statistics helps bring it all together for the network administrator. Hansteen closes out the text with a chapter titled "Getting Your Setup Just Right" that provides a last-minute review of some of the most important configuration options.
If you're interested in "The Book of PF", most likely you're already familiar with OpenBSD - one of the most secure operating systems available today. If you're ready to enhance OpenBSD's default security, pick up a copy of this book and spend some time with the pf program.
Mr. Hansteen did a rather good job of putting this book together. The chapters flowed well and one led into the next in a very logical manner. I especially found useful the sections on round-robin and setting up wireless (Chapters 4 and 7).
Although I make a business of building firewalls, I will be keeping this book close at hand. Sadly, I only gave 3 stars, as I felt the editing could have been better. I found several errors with the sample scripts and rules, and found it lacking; one or two advanced areas for the professionals would have made this a 5 star easy.