The Book of PF, 3rd Edition

Book description

The Book of PF is the essential guide to building a secure network with PF, the OpenBSD packet filtering tool.

Table of contents

  1. Dedication
  2. Praise for The Book of PF
  3. Foreword from the first edition
  4. Acknowledgments
  5. Introduction
    1. This Is Not a HOWTO
    2. What This Book Covers
  6. 1. Building the Network you Need
    1. Your Network: High Performance, Low Maintenance, and Secure
    2. Where the Packet Filter Fits In
    3. The Rise of PF
    4. If You Came from Elsewhere
      1. Pointers for Linux Users
      2. Frequently Answered Questions About PF
        1. Can I run PF on my Linux machine?
        2. Can you recommend a GUI tool for managing my PF rule set?
        3. Is there a tool I can use to convert my OtherProduct® setup to a PF configuration?
        4. I heard PF is based on IPFilter, which I know from working with Solaris. Can I just copy my IPFilter configuration across and have a working setup right away?
        5. Why did the PF rule syntax change all of a sudden?
        6. Where can I find out more?
    5. A Little Encouragement: A PF Haiku
  7. 2. PF Configuration Basics
    1. The First Step: Enabling PF
      1. Setting Up PF on OpenBSD
      2. Setting Up PF on FreeBSD
      3. Setting Up PF on NetBSD
    2. A Simple PF Rule Set: A Single, Stand-Alone Machine
      1. A Minimal Rule Set
      2. Testing the Rule Set
    3. Slightly Stricter: Using Lists and Macros for Readability
      1. A Stricter Baseline Rule Set
      2. Reloading the Rule Set and Looking for Errors
      3. Checking Your Rules
      4. Testing the Changed Rule Set
    4. Displaying Information About Your System
    5. Looking Ahead
  8. 3. Into the Real World
    1. A Simple Gateway
      1. Keep It Simple: Avoid the Pitfalls of in, out, and on
      2. Network Address Translation vs. IPv6
      3. Final Preparations: Defining Your Local Network
      4. Setting Up a Gateway
      5. Testing Your Rule Set
    2. That Sad Old FTP Thing
      1. If We Must: ftp-proxy with Divert or Redirect
      2. Variations on the ftp-proxy Setup
    3. Making Your Network Troubleshooting-Friendly
      1. Do We Let It All Through?
      2. The Easy Way Out: The Buck Stops Here
      3. Letting ping Through
      4. Helping traceroute
      5. Path MTU Discovery
    4. Tables Make Your Life Easier
  9. 4. Wireless Networks Made Easy
    1. A Little IEEE 802.11 Background
      1. MAC Address Filtering
      2. WEP
      3. WPA
      4. The Right Hardware for the Task
      5. Setting Up a Simple Wireless Network
      6. An OpenBSD WPA Access Point
      7. A FreeBSD WPA Access Point
      8. The Access Point’s PF Rule Set
      9. Access Points with Three or More Interfaces
      10. Handling IPSec, VPN Solutions
      11. The Client Side
      12. OpenBSD Setup
      13. FreeBSD Setup
      14. Guarding Your Wireless Network with authpf
      15. A Basic Authenticating Gateway
      16. Wide Open but Actually Shut
  10. 5. Bigger or Trickier Networks
    1. A Web Server and Mail Server on the Inside: Routable IPv4 Addresses
      1. A Degree of Separation: Introducing the DMZ
      2. Sharing the Load: Redirecting to a Pool of Addresses
      3. Getting Load Balancing Right with relayd
    2. A Web Server and Mail Server on the Inside—The NAT Version
      1. DMZ with NAT
      2. Redirection for Load Balancing
      3. Back to the Single NATed Network
    3. Filtering on Interface Groups
    4. The Power of Tags
    5. The Bridging Firewall
      1. Basic Bridge Setup on OpenBSD
      2. Basic Bridge Setup on FreeBSD
      3. Basic Bridge Setup on NetBSD
      4. The Bridge Rule Set
    6. Handling Nonroutable IPv4 Addresses from Elsewhere
      1. Establishing Global Rules
      2. Restructuring Your Rule Set with Anchors
    7. How Complicated Is Your Network?—Revisited
  11. 6. Turning the Tables for Proactive Defense
    1. Turning Away the Brutes
      1. SSH Brute-Force Attacks
      2. Setting Up an Adaptive Firewall
      3. Tidying Your Tables with pfctl
    2. Giving Spammers a Hard Time with spamd
      1. Network-Level Behavior Analysis and Blacklisting
        1. Setting Up spamd in Blacklisting Mode
        2. spamd Logging
      2. Greylisting: My Admin Told Me Not to Talk to Strangers
        1. Setting Up spamd in Greylisting Mode
        2. Greylisting in Practice
      3. Tracking Your Real Mail Connections: spamlogd
      4. Greytrapping
      5. Managing Lists with spamdb
        1. Updating Lists
        2. Keeping spamd Greylists in Sync
      6. Detecting Out-of-Order MX Use
      7. Handling Sites That Do Not Play Well with Greylisting
    3. Spam-Fighting Tips
  12. 7. Traffic Shaping with Queues and Priorities
    1. Always-On Priority and Queues for Traffic Shaping
      1. Shaping by Setting Traffic Priorities
        1. The prio Priority Scheme
        2. The Two-Priority Speedup Trick
      2. Introducing Queues for Bandwidth Allocation
        1. The HFSC Algorithm
        2. Splitting Your Bandwidth into Fixed-Size Chunks
        3. Queue Definition
        4. Rule Set
        5. Upper and Lower Bounds with Bursts
        6. Queue Definition
        7. Rule Set
        8. The DMZ Network, Now with Traffic Shaping
      3. Using Queues to Handle Unwanted Traffic
        1. Overloading to a Tiny Queue
        2. Queue Assignments Based on Operating System Fingerprint
    2. Transitioning from ALTQ to Priorities and Queues
    3. Directing Traffic with ALTQ
      1. Basic ALTQ Concepts
      2. Queue Schedulers, aka Queue Disciplines
        1. priq
        2. cbq
        3. hfsc
      3. Setting Up ALTQ
        1. ALTQ on OpenBSD
        2. ALTQ on FreeBSD
        3. ALTQ on NetBSD
    4. Priority-Based Queues
      1. Using ALTQ Priority Queues to Improve Performance
      2. Using a match Rule for Queue Assignment
      3. Class-Based Bandwidth Allocation for Small Networks
        1. Queue Definition
        2. Rule Set
      4. A Basic HFSC Traffic Shaper
        1. Queue Definition
        2. Rule Set
      5. Queuing for Servers in a DMZ
      6. Using ALTQ to Handle Unwanted Traffic
        1. Overloading to a Tiny Queue
        2. Queue Assignments Based on Operating System Fingerprint
    5. Conclusion: Traffic Shaping for Fun, and Perhaps Even Profit
  13. 8. Redundancy and Resource Availability
    1. Redundancy and Failover: CARP and pfsync
      1. The Project Specification: A Redundant Pair of Gateways
      2. Setting Up CARP
        1. Checking Kernel Options
        2. Setting sysctl Values
        3. Setting Up Network Interfaces with ifconfig
      3. Keeping States Synchronized: Adding pfsync
      4. Putting Together a Rule Set
      5. CARP for Load Balancing
        1. CARP in Load-Balancing Mode
        2. Setting Up CARP Load Balancing
  14. 9. Logging, Monitoring, and Statistics
    1. PF Logs: The Basics
      1. Logging the Packet’s Path Through Your Rule Set: log (matches)
      2. Logging All Packets: log (all)
      3. Logging to Several pflog Interfaces
      4. Logging to syslog, Local or Remote
      5. Tracking Statistics for Each Rule with Labels
      6. Additional Tools for PF Logs and Statistics
      7. Keeping an Eye on Things with systat
      8. Keeping an Eye on Things with pftop
      9. Graphing Your Traffic with pfstat
      10. Collecting NetFlow Data with pflow(4)
        1. Setting Up the NetFlow Sensor
        2. NetFlow Data Collecting, Reporting, and Analysis
      11. Collecting NetFlow Data with pfflowd
      12. SNMP Tools and PF-Related SNMP MIBs
    2. Log Data as the Basis for Effective Debugging
  15. 10. Getting Your Setup Just Right
    1. Things You Can Tweak and What You Probably Should Leave Alone
      1. Block Policy
      2. Skip Interfaces
      3. State Policy
      4. State Defaults
      5. Timeouts
      6. Limits
      7. Debug
      8. Rule Set Optimization
      9. Optimization
      10. Fragment Reassembly
    2. Cleaning Up Your Traffic
      1. Packet Normalization with scrub: OpenBSD 4.5 and Earlier
      2. Packet Normalization with scrub: OpenBSD 4.6 Onward
      3. Protecting Against Spoofing with antispoof
    3. Testing Your Setup
    4. Debugging Your Rule Set
    5. Know Your Network and Stay in Control
  16. A. Resources
    1. General Networking and BSD Resources on the Internet
    2. Sample Configurations and Related Musings
    3. PF on Other BSD Systems
    4. BSD and Networking Books
    5. Wireless Networking Resources
    6. spamd and Greylisting-Related Resources
    7. Book-Related Web Resources
    8. Buy OpenBSD CDs and Donate!
  17. B. A Note On Hardware Support
    1. Getting the Right Hardware
    2. Issues Facing Hardware Support Developers
    3. How to Help the Hardware Support Efforts
  18. Index
  19. About the Author
  20. Copyright

Product information

  • Title: The Book of PF, 3rd Edition
  • Author(s): Peter N.M. Hansteen
  • Release date: October 2014
  • Publisher(s): No Starch Press
  • ISBN: 9781593275891