High Quality
Open the downloaded document, and select print from the file menu (PDF reader required).
You're Reading a Free Preview
Pages 4 to 21 are not shown in this preview.
Pages 4 to 21 are not shown in this preview.
You're Reading a Free Preview
Pages 25 to 61 are not shown in this preview.
Pages 25 to 61 are not shown in this preview.
You're Reading a Free Preview
Pages 65 to 68 are not shown in this preview.
Pages 65 to 68 are not shown in this preview.
You're Reading a Free Preview
Pages 72 to 122 are not shown in this preview.
Pages 72 to 122 are not shown in this preview.
You're Reading a Free Preview
Pages 126 to 188 are not shown in this preview.
Pages 126 to 188 are not shown in this preview.
The Book of PF - A No-Nonsense Guide to the OpenBSD Firewall
Info and Rating
Sections
« prev | next »- WHAT PF IS
- Packet Filter? Firewall? A Few Important Terms Explained
- Network Address Translation
- Why the Internet Lives on a Few White Lies
- Internet Protocol, Version 6 on the Far Horizon
- The Temporary Masquerade Solution Called NAT
- PF Today
- LET’S GET ON WITH IT
- Simplest Possible PF Setup on OpenBSD
- Simplest Possible PF Setup on FreeBSD
- Simplest Possible PF Setup on NetBSD
- First Rule Set—A Single, Stand-Alone Machine
- Slightly Stricter, with Lists and Macros
- Statistics from pfctl
- INTO THE REAL WORLD
- A Simple Gateway, NAT If You Need It
- Gateways and the Pitfalls of in, out, and on
- What Is Your Local Network, Anyway?
- Setting Up
- Testing Your Rule Set
- That Sad Old FTP Thing
- FTP Through NAT: ftp-proxy
- FTP, PF, and Routable Addresses: ftpsesame, pftpx, and ftp-proxy
- New-Style FTP: ftp-proxy
- Making Your Network Troubleshooting Friendly
- Then, Do We Let It All Through?
- The Easy Way Out: The Buck Stops Here
- Letting ping Through
- Helping traceroute
- Path MTU Discovery
- Tables Make Your Life Easier
- WIRELESS NETWORKS MADEEASY
- A Little IEEE 802.11 Background
- MAC Address Filtering
- Picking the Right Hardware for the Task
- Setting Up a Simple Wireless Network
- The Access Point’s PF Rule Set
- If Your Access Point Has Three or More Interfaces
- Handling IPsec, VPN Solutions
- The Client Side
- Guarding Your Wireless Network with authpf
- A Basic Authenticating Gateway
- Wide Open but Actually Shut
- BIGGER OR TRICKIER NETWORKS
- When Others Need Something in Your Network: Filtering Services
- A Webserver and a Mail Server on the Inside—Routable Addresses
- A Degree of Physical Separation: Introducing the DMZ
- Getting Load Balancing Right with hoststated
- A Webserver and a Mail Server on the Inside—The NAT Version
- Back to the Single NATed Network
- Filtering on Interface Groups
- The Power of Tags
- The Bridging Firewall
- Basic Bridge Setup on OpenBSD
- Basic Bridge Setup on FreeBSD
- Basic Bridge Setup on NetBSD
- The Bridge Rule Set
- Handling Nonroutable Addresses from Elsewhere
- TURNING THE TABLES FOR PROACTIVE DEFENSE
- Turning Away the Brutes
- You May Not Need to Block All of Your Overloaders
- Tidying Your Tables with pfctl
- The Forerunner: expiretable
- Giving Spammers a Hard Time with spamd
- Remember, You Are Not Alone: Blacklisting
- Greylisting: My Admin Told Me Not to Talk to Strangers
- Some Highlights of Day-to-Day spamd Use
- Handling Sites That Do Not Play Well with Greylisting
- Conclusions from Our spamd Experience
- QUEUES, SHAPING, AND REDUNDANCY
- Directing Traffic with ALTQ
- Basic ALTQ Concepts
- Queue Schedulers, aka Queue Disciplines
- Setting Up ALTQ
- Understanding Priority-Based Queues (priq)
- Class-Based Bandwidth Allocation for Small Networks (cbq)
- Queuing for Servers in a DMZ
- Using ALTQ to Handle Unwanted Traffic
- Redundancy and Failover: CARP and pfsync
- The Project Specification: A Redundant Pair of Gateways
- Setting Up CARP: Kernel Options, sysctl, and ifconfig Commands
- Keeping States Synced: Adding pfsync
- Putting Together a Rule Set
- PF Logs: The Basics
- Logging All Packets: log (all)
- Logging to Several pflog Interfaces
- Logging to syslog, Local or Remote
- Tracking Statistics for Each Rule with Labels
- Some Additional Tools for PF Logs and Statistics
- Keeping an Eye on Things with pftop
- Graphing Your Traffic with pfstat
- Collecting NetFlow Data with pfflowd
- SNMP Tools and PF-Related SNMP MIBs
- Remember, Useful Log Data Is the Basis for Effective Debugging
- GETTING YOUR SETUP JUST RIGHT
- The Things You Can Tweak and What You Probably Should Leave Alone
- block-policy
- skip
- state-policy
- timeout
- limit
- debug
- ruleset-optimization
- optimization
- Cleaning Up Your Traffic: scrub and antispoof
- scrub
- antispoof
- Testing Your Setup
- Debugging Your Rule Set
- Know Your Network, Stay in Control
- RESOURCES
- General Networking and BSD Resources on the Internet
- Sample Configurations and Related Musings
- PF on Other BSD Systems
- BSD and Networking Books
- Wireless Networking Resources
- spamd and Greylisting-Related Resources
- Book-Related Web Resources
- If You Enjoyed This Book, Buy OpenBSD CDs and Donate!
- A NOTE ON HARDWARE SUPPORT
- A Case in Point: The Story of a Small Wireless Network
- Getting the Right Hardware
- Issues Facing Hardware-Support Developers
- How to Help the Hardware-Support Efforts
- INDEX
Add a Comment
No Starch Pressleft a comment