
The Book of PF, 3rd Edition
A No-Nonsense Guide to the OpenBSD Firewall
Peter N. M. Hansteen (Author)
No Starch Press
Published on 3 October 2014
248 pages
978-1-59327-621-8 (ISBN)
Description
OpenBSD's stateful packet filter, PF, is the heart of the OpenBSD firewall. With more and more services placing high demands on bandwidth and an increasingly hostile Internet environment, no sysadmin can afford to be without PF expertise.
The third edition of The Book of PF covers the most up-to-date developments in PF, including new content on IPv6, dual-stack configurations, the "queues and priorities" traffic-shaping system, NAT and redirection, wireless networking, spam fighting, failover provisioning, logging, and more.
You'll also learn how to:
More details
Language: English
Place of publication: New York, United States
Product notice: Reflowable
File size: 1.95 MB
ISBN-13: 978-1-59327-621-8 (9781593276218)
Other editions
Book, 3rd Edition, 03/2014, No Starch Press, €49.30 (out of stock; check a different version)
Book, 1st Edition, 01/2008, No Starch Press, €27.00 (withdrawn from sale)
About the author
Peter N. M. Hansteen is a consultant, writer, and sysadmin based in Bergen, Norway. A longtime Freenix advocate, Hansteen is a frequent lecturer on OpenBSD and FreeBSD topics, an occasional contributor to BSD Magazine, and the author of an often-slashdotted blog (http://bsdly.blogspot.com/). Hansteen was a participant in the original RFC 1149 implementation team. The Book of PF is an expanded follow-up to his very popular online PF tutorial (http://home.nuug.no/~peter/pf/).
Content
- Intro
- The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall
- Dedication
- Praise for The Book of PF
- Foreword from the first edition
- Acknowledgments
- Introduction
- This Is Not a HOWTO
- What This Book Covers
- 1. Building the Network You Need
- Your Network: High Performance, Low Maintenance, and Secure
- Where the Packet Filter Fits In
- The Rise of PF
- If You Came from Elsewhere
- Pointers for Linux Users
- Frequently Answered Questions About PF
- Can I run PF on my Linux machine?
- Can you recommend a GUI tool for managing my PF rule set?
- Is there a tool I can use to convert my OtherProduct® setup to a PF configuration?
- I heard PF is based on IPFilter, which I know from working with Solaris. Can I just copy my IPFilter configuration across and have a working setup right away?
- Why did the PF rule syntax change all of a sudden?
- Where can I find out more?
- A Little Encouragement: A PF Haiku
- 2. PF Configuration Basics
- The First Step: Enabling PF
- Setting Up PF on OpenBSD
- Setting Up PF on FreeBSD
- Setting Up PF on NetBSD
- A Simple PF Rule Set: A Single, Stand-Alone Machine
- A Minimal Rule Set
- Testing the Rule Set
- Slightly Stricter: Using Lists and Macros for Readability
- A Stricter Baseline Rule Set
- Reloading the Rule Set and Looking for Errors
- Checking Your Rules
- Testing the Changed Rule Set
- Displaying Information About Your System
- Looking Ahead
- 3. Into the Real World
- A Simple Gateway
- Keep It Simple: Avoid the Pitfalls of in, out, and on
- Network Address Translation vs. IPv6
- Final Preparations: Defining Your Local Network
- Setting Up a Gateway
- Testing Your Rule Set
- That Sad Old FTP Thing
- If We Must: ftp-proxy with Divert or Redirect
- Variations on the ftp-proxy Setup
- Making Your Network Troubleshooting-Friendly
- Do We Let It All Through?
- The Easy Way Out: The Buck Stops Here
- Letting ping Through
- Helping traceroute
- Path MTU Discovery
- Tables Make Your Life Easier
- 4. Wireless Networks Made Easy
- A Little IEEE 802.11 Background
- MAC Address Filtering
- WEP
- WPA
- The Right Hardware for the Task
- Setting Up a Simple Wireless Network
- An OpenBSD WPA Access Point
- A FreeBSD WPA Access Point
- The Access Point's PF Rule Set
- Access Points with Three or More Interfaces
- Handling IPSec, VPN Solutions
- The Client Side
- OpenBSD Setup
- FreeBSD Setup
- Guarding Your Wireless Network with authpf
- A Basic Authenticating Gateway
- Wide Open but Actually Shut
- 5. Bigger or Trickier Networks
- A Web Server and Mail Server on the Inside: Routable IPv4 Addresses
- A Degree of Separation: Introducing the DMZ
- Sharing the Load: Redirecting to a Pool of Addresses
- Getting Load Balancing Right with relayd
- A Web Server and Mail Server on the Inside: The NAT Version
- DMZ with NAT
- Redirection for Load Balancing
- Back to the Single NATed Network
- Filtering on Interface Groups
- The Power of Tags
- The Bridging Firewall
- Basic Bridge Setup on OpenBSD
- Basic Bridge Setup on FreeBSD
- Basic Bridge Setup on NetBSD
- The Bridge Rule Set
- Handling Nonroutable IPv4 Addresses from Elsewhere
- Establishing Global Rules
- Restructuring Your Rule Set with Anchors
- How Complicated Is Your Network? Revisited
- 6. Turning the Tables for Proactive Defense
- Turning Away the Brutes
- SSH Brute-Force Attacks
- Setting Up an Adaptive Firewall
- Tidying Your Tables with pfctl
- Giving Spammers a Hard Time with spamd
- Network-Level Behavior Analysis and Blacklisting
- Setting Up spamd in Blacklisting Mode
- spamd Logging
- Greylisting: My Admin Told Me Not to Talk to Strangers
- Setting Up spamd in Greylisting Mode
- Greylisting in Practice
- Tracking Your Real Mail Connections: spamlogd
- Greytrapping
- Managing Lists with spamdb
- Updating Lists
- Keeping spamd Greylists in Sync
- Detecting Out-of-Order MX Use
- Handling Sites That Do Not Play Well with Greylisting
- Spam-Fighting Tips
- 7. Traffic Shaping with Queues and Priorities
- Always-On Priority and Queues for Traffic Shaping
- Shaping by Setting Traffic Priorities
- The prio Priority Scheme
- The Two-Priority Speedup Trick
- Introducing Queues for Bandwidth Allocation
- The HFSC Algorithm
- Splitting Your Bandwidth into Fixed-Size Chunks
- Queue Definition
- Rule Set
- Upper and Lower Bounds with Bursts
- Queue Definition
- Rule Set
- The DMZ Network, Now with Traffic Shaping
- Using Queues to Handle Unwanted Traffic
- Overloading to a Tiny Queue
- Queue Assignments Based on Operating System Fingerprint
- Transitioning from ALTQ to Priorities and Queues
- Directing Traffic with ALTQ
- Basic ALTQ Concepts
- Queue Schedulers, aka Queue Disciplines
- priq
- cbq
- hfsc
- Setting Up ALTQ
- ALTQ on OpenBSD
- ALTQ on FreeBSD
- ALTQ on NetBSD
- Priority-Based Queues
- Using ALTQ Priority Queues to Improve Performance
- Using a match Rule for Queue Assignment
- Class-Based Bandwidth Allocation for Small Networks
- Queue Definition
- Rule Set
- A Basic HFSC Traffic Shaper
- Queue Definition
- Rule Set
- Queuing for Servers in a DMZ
- Using ALTQ to Handle Unwanted Traffic
- Overloading to a Tiny Queue
- Queue Assignments Based on Operating System Fingerprint
- Conclusion: Traffic Shaping for Fun, and Perhaps Even Profit
- 8. Redundancy and Resource Availability
- Redundancy and Failover: CARP and pfsync
- The Project Specification: A Redundant Pair of Gateways
- Setting Up CARP
- Checking Kernel Options
- Setting sysctl Values
- Setting Up Network Interfaces with ifconfig
- Keeping States Synchronized: Adding pfsync
- Putting Together a Rule Set
- CARP for Load Balancing
- CARP in Load-Balancing Mode
- Setting Up CARP Load Balancing
- 9. Logging, Monitoring, and Statistics
- PF Logs: The Basics
- Logging the Packet's Path Through Your Rule Set: log (matches)
- Logging All Packets: log (all)
- Logging to Several pflog Interfaces
- Logging to syslog, Local or Remote
- Tracking Statistics for Each Rule with Labels
- Additional Tools for PF Logs and Statistics
- Keeping an Eye on Things with systat
- Keeping an Eye on Things with pftop
- Graphing Your Traffic with pfstat
- Collecting NetFlow Data with pflow(4)
- Setting Up the NetFlow Sensor
- NetFlow Data Collecting, Reporting, and Analysis
- Collecting NetFlow Data with pfflowd
- SNMP Tools and PF-Related SNMP MIBs
- Log Data as the Basis for Effective Debugging
- 10. Getting Your Setup Just Right
- Things You Can Tweak and What You Probably Should Leave Alone
- Block Policy
- Skip Interfaces
- State Policy
- State Defaults
- Timeouts
- Limits
- Debug
- Rule Set Optimization
- Optimization
- Fragment Reassembly
- Cleaning Up Your Traffic
- Packet Normalization with scrub: OpenBSD 4.5 and Earlier
- Packet Normalization with scrub: OpenBSD 4.6 Onward
- Protecting Against Spoofing with antispoof
- Testing Your Setup
- Debugging Your Rule Set
- Know Your Network and Stay in Control
- A. Resources
- General Networking and BSD Resources on the Internet
- Sample Configurations and Related Musings
- PF on Other BSD Systems
- BSD and Networking Books
- Wireless Networking Resources
- spamd and Greylisting-Related Resources
- Book-Related Web Resources
- Buy OpenBSD CDs and Donate!
- B. A Note On Hardware Support
- Getting the Right Hardware
- Issues Facing Hardware Support Developers
- How to Help the Hardware Support Efforts
- Index
- About the Author
- Copyright
System requirements
File format: ePUB
Copy protection: without DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Use a reader that can handle the file format ePUB, such as Adobe Digital Editions or FBReader – both free (see eBook Help).
- Tablet/Smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePUB works well for novels and non-fiction books – i.e., 'flowing' text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook does not use copy protection or Digital Rights Management.
For more information, see our eBook Help page.