Embed Doc
Copy Link
Readcast
Collections

1
CommentGo Back

You're Reading a Free Preview
Pages 4 to 21 are not shown in this preview.

You're Reading a Free Preview
Pages 25 to 61 are not shown in this preview.

You're Reading a Free Preview
Pages 65 to 68 are not shown in this preview.

You're Reading a Free Preview
Pages 72 to 122 are not shown in this preview.

You're Reading a Free Preview
Pages 126 to 188 are not shown in this preview.

of 00

Leave a Comment

No Starch Press

Please note that the complete book is for sale--both as an unrestricted PDF and in a print edition. Visit http://www.nostarch.com/pf.htm to place your order.

reply03 / 20 / 2009

The Book of PF - A No-Nonsense Guide to the OpenBSD Firewall

OpenBSD's stateful packet filter, PF, offers an amazing feature set and support across the major BSD platforms. But like most firewall software, unlocking PF's full potential ta... (More) OpenBSD's stateful packet filter, PF, offers an amazing feature set and support across the major BSD platforms. But like most firewall software, unlocking PF's full potential takes a good teacher. Peter N.M. Hansteen's PF website and conference tutorials have helped thousands of users build the networks they need using PF. The Book of PF is the product of Hansteen's knowledge and experience, teaching good practices as well as bare facts and software options. Throughout the book, Hansteen emphasizes the importance of staying in control by having a written network specification, using macros to make rule sets more readable, and performing rigid testing when loading in new rules.

Today's system administrators face increasing challenges in the quest for network quality, and The Book of PF can help by demystifying the tools of modern *BSD network defense. But, perhaps more importantly, because we know you like to tinker, The Book of PF tackles a broad range of topics that will stimulate your mind and pad your resume, including how to:

* Create rule sets for all kinds of network traffic, whether it is crossing a simple home LAN, hiding behind NAT, traversing DMZs, or spanning bridges
* Use PF to create a wireless access point, and lock it down tight with authpf and special access restrictions
* Maximize availability by using redirection rules for load balancing and CARP for failover
* Use tables for proactive defense against would-be attackers and spammers
* Set up queues and traffic shaping with ALTQ, so your network stays responsive
* Master your logs with monitoring and visualization, because you can never be too paranoid

The Book of PF is written for BSD enthusiasts and network admins at any level of expertise. With more and more services placing high demands on bandwidth and increasing hostility coming from the Internet at-large, you can never be too skilled with PF.

Peter N.M. Hansteen is a consultant, writer, and sysadmin based in Bergen, Norway. A longtime Freenix advocate, Hansteen is a frequent lecturer on FreeBSD and OpenBSD topics. The Book of PF, Hansteen's first book, is an expanded follow-up to his very popular online PF tutorial. (Less)

11,847 Reads

Info and Rating

Category:	How-To Guides/Manuals
Rating:	(23 Ratings)
Upload Date:	03/20/2009
Copyright:	Traditional Copyright: All rights reserved
Tags:	Technology Firewall Freebsd pf OpenBSD Technology Firewall Freebsd pf OpenBSD (fewer)

Flag document for inapproriate content

Uploaded by

No Starch Press

Download

Embed Doc
Copy Link
Add To Collection
Comments
Readcast
Share

×

Share on Scribd:

Readcast

Sections

WHAT PF IS
Packet Filter? Firewall? A Few Important Terms Explained
Network Address Translation
Why the Internet Lives on a Few White Lies
Internet Protocol, Version 6 on the Far Horizon
The Temporary Masquerade Solution Called NAT
PF Today
LET’S GET ON WITH IT
Simplest Possible PF Setup on OpenBSD
Simplest Possible PF Setup on FreeBSD
Simplest Possible PF Setup on NetBSD
First Rule Set—A Single, Stand-Alone Machine
Slightly Stricter, with Lists and Macros
Statistics from pfctl
INTO THE REAL WORLD
A Simple Gateway, NAT If You Need It
Gateways and the Pitfalls of in, out, and on
What Is Your Local Network, Anyway?
Setting Up
Testing Your Rule Set
That Sad Old FTP Thing
FTP Through NAT: ftp-proxy
FTP, PF, and Routable Addresses: ftpsesame, pftpx, and ftp-proxy
New-Style FTP: ftp-proxy
Making Your Network Troubleshooting Friendly
Then, Do We Let It All Through?
The Easy Way Out: The Buck Stops Here
Letting ping Through
Helping traceroute
Path MTU Discovery
Tables Make Your Life Easier
WIRELESS NETWORKS MADEEASY
A Little IEEE 802.11 Background
MAC Address Filtering
Picking the Right Hardware for the Task
Setting Up a Simple Wireless Network
The Access Point’s PF Rule Set
If Your Access Point Has Three or More Interfaces
Handling IPsec, VPN Solutions
The Client Side
Guarding Your Wireless Network with authpf
A Basic Authenticating Gateway
Wide Open but Actually Shut
BIGGER OR TRICKIER NETWORKS
When Others Need Something in Your Network: Filtering Services
A Webserver and a Mail Server on the Inside—Routable Addresses
A Degree of Physical Separation: Introducing the DMZ
Getting Load Balancing Right with hoststated
A Webserver and a Mail Server on the Inside—The NAT Version
Back to the Single NATed Network
Filtering on Interface Groups
The Power of Tags
The Bridging Firewall
Basic Bridge Setup on OpenBSD
Basic Bridge Setup on FreeBSD
Basic Bridge Setup on NetBSD
The Bridge Rule Set
Handling Nonroutable Addresses from Elsewhere
TURNING THE TABLES FOR PROACTIVE DEFENSE
Turning Away the Brutes
You May Not Need to Block All of Your Overloaders
Tidying Your Tables with pfctl
The Forerunner: expiretable
Giving Spammers a Hard Time with spamd
Remember, You Are Not Alone: Blacklisting
Greylisting: My Admin Told Me Not to Talk to Strangers
Some Highlights of Day-to-Day spamd Use
Handling Sites That Do Not Play Well with Greylisting
Conclusions from Our spamd Experience
QUEUES, SHAPING, AND REDUNDANCY
Directing Traffic with ALTQ
Basic ALTQ Concepts
Queue Schedulers, aka Queue Disciplines
Setting Up ALTQ
Understanding Priority-Based Queues (priq)
Class-Based Bandwidth Allocation for Small Networks (cbq)
Queuing for Servers in a DMZ
Using ALTQ to Handle Unwanted Traffic
Redundancy and Failover: CARP and pfsync
The Project Specification: A Redundant Pair of Gateways
Setting Up CARP: Kernel Options, sysctl, and ifconfig Commands
Keeping States Synced: Adding pfsync
Putting Together a Rule Set
PF Logs: The Basics
Logging All Packets: log (all)
Logging to Several pflog Interfaces
Logging to syslog, Local or Remote
Tracking Statistics for Each Rule with Labels
Some Additional Tools for PF Logs and Statistics
Keeping an Eye on Things with pftop
Graphing Your Traffic with pfstat
Collecting NetFlow Data with pfflowd
SNMP Tools and PF-Related SNMP MIBs
Remember, Useful Log Data Is the Basis for Effective Debugging
GETTING YOUR SETUP JUST RIGHT
The Things You Can Tweak and What You Probably Should Leave Alone
block-policy
skip
state-policy
timeout
limit
debug
ruleset-optimization
optimization
Cleaning Up Your Traffic: scrub and antispoof
scrub
antispoof
Testing Your Setup
Debugging Your Rule Set
Know Your Network, Stay in Control
RESOURCES
General Networking and BSD Resources on the Internet
Sample Configurations and Related Musings
PF on Other BSD Systems
BSD and Networking Books
Wireless Networking Resources
spamd and Greylisting-Related Resources
Book-Related Web Resources
If You Enjoyed This Book, Buy OpenBSD CDs and Donate!
A NOTE ON HARDWARE SUPPORT
A Case in Point: The Story of a Small Wireless Network
Getting the Right Hardware
Issues Facing Hardware-Support Developers
How to Help the Hardware-Support Efforts
INDEX

More from This User

Related Documents

More From This User

The Book of FileMaker 6

The Book of FileMaker 6 is a complete reference to the FileMaker Pro product ...

The Manga Guide to Molecular Biology (Excerpt)

Rin and Ami have been skipping molecular biology class all semester, and Prof...

The Manga Guide to Calculus (Excerpt)

Noriko is just getting started as a junior reporter for the Asagake Times. Sh...

Wicked Cool Ruby Scripts

Are you spending valuable time on work a well-trained monkey could do? If so,...

Cisco Routers for the Desperate, 2nd Edition

Cisco routers and switches are the cornerstones of many networks. But when th...

Network Know-How

Are the machines in your office living isolated lives? Do you have a few comp...

Growing Software

As the technology leader at a small software company, you need to focus on pe...

The Blender GameKit, 2nd Edition

Blender is the first of the 3D packages to integrate a game engine as well as...

Gray Hat Python

Python is fast becoming the programming language of choice for hackers, rever...

Shortly after World War I, Ford and GM created the large modern corporation, ...

The Book of IMAP: Building a Mail Server with Courier and Cyrus

IMAP (the Internet Message Access Protocol) allows clients to access their em...

Art of Debugging with GDB, DDD, and Eclipse

Debugging is crucial to successful software development, but even many experi...

The Book of Postfix: State-of-the-Art Message Transport

Developed with security and speed in mind, Postfix has become a popular alter...

The Manga Guide to Physics (Excerpt)

Megumi is an all-star athlete, but she's a failure when it comes to physics c...

The Book of PF - A No-Nonsense Guide to the OpenBSD Firewall

OpenBSD's stateful packet filter, PF, offers an amazing feature set and suppo...

The Manga Guide to Electricity (excerpt)

Rereko is just your average high-school girl from Electopia, the land of elec...

The Manga Guide to Databases (excerpt)

Want to learn about databases without the tedium? With its unique combination...

Related Docuements

From daniel_sengkey

The Client Side

From daniel_sengkey

Book.of.PF.2nd.edition

From daniel_sengkey

From ron-dulay-4384

From Constantin Florin

2.5.3 Bastion Host

From Constantin Florin

Building Firewall with OpenBSD and PF [2nd Edition]

From Constantin Florin

From Ganesh Kumar

Policy Filtering

From Luis Opazo Alfaro

PF: Packet Tagging (Policy Filtering)

From Luis Opazo Alfaro

From Luis Opazo Alfaro

Packet Logging Through Syslog

From kiug

PF: Shortcuts For Creating Rulesets

From kiug

The OpenBSD Packet Filter FAQ

From kiug

The Linux Tcpip Stack

From game__over

From luzivanmorais

Isolating a Problem at the Transport or Application Layer

From John

Part V: Resolving Problems at the Transport and Application Layers

From John

Ccnp Cit Cert Guide

From John

From api_user_11797_Xinsoft [辛亚平]

Linux Networking

test

From api_user_11797_mottyb

Troytec Network+ Exam

Network Security Hacks

In the fast-moving world of computers, things are always changing. Since the ...

From O'Reilly Media, Inc.

From Dascalescu Victor

1.2 Static IP Address

From Dascalescu Victor

BR 6214K Manual

From Dascalescu Victor

From Miguel Lugo

How to Network 2 Computers

Give the detail engineering behind networking with various cable type and var...