book

The Book of PF

Name: The Book of PF
Author: Peter N.M. Hansteen
ISBN: 9781593271657

by Peter N.M. Hansteen

December 2007

Intermediate to advanced

184 pages

4h 45m

English

No Starch Press

Read now

Unlock full access

The Book of PF
THE BOOK OF PF
FOREWORD
PREFACE
About the Book and Thanks
If You Came from Elsewhere
PF looks really cool. Can I run PF on my Linux machine?I know some Linux, but I need to learn some BSD. Any pointers?Can you recommend a GUI tool for managing my PF rule set?Is there a tool I can use to convert my OtherProduct® setup to a PF configuration?Where can I find out more?
A Little Encouragement: A PF Haiku
1. WHAT PF IS
Packet Filter? Firewall? A Few Important Terms Explained
Network Address Translation
Why the Internet Lives on a Few White LiesInternet Protocol, Version 6 on the Far HorizonThe Temporary Masquerade Solution Called NAT
PF Today
2. LET'S GET ON WITH IT
Simplest Possible PF Setup on OpenBSD

Simplest Possible PF Setup on FreeBSD
Simplest Possible PF Setup on NetBSD
First Rule Set—A Single, Stand-Alone Machine
Slightly Stricter, with Lists and Macros
Statistics from pfctl
3. INTO THE REAL WORLD
A Simple Gateway, NAT If You Need ItGateways and the Pitfalls of in, out, and onWhat Is Your Local Network, Anyway?Setting UpTesting Your Rule Set
That Sad Old FTP Thing
FTP Through NAT: ftp-proxy
FTP, PF, and Routable Addresses: ftpsesame, pftpx, and ftp-proxyNew-Style FTP: ftp-proxy
Making Your Network Troubleshooting Friendly
Then, Do We Let It All Through?The Easy Way Out: The Buck Stops HereLetting ping ThroughHelping traceroutePath MTU Discovery
Tables Make Your Life Easier
4. WIRELESS NETWORKS MADE EASY
A Little IEEE 802.11 BackgroundMAC Address FilteringWEPWPAPicking the Right Hardware for the Task
Setting Up a Simple Wireless Network
The Access Point's PF Rule SetIf Your Access Point Has Three or More InterfacesHandling IPsec, VPN SolutionsThe Client Side
Guarding Your Wireless Network with authpf
A Basic Authenticating GatewayWide Open but Actually Shut
5. BIGGER OR TRICKIER NETWORKS
When Others Need Something in Your Network: Filtering ServicesA Webserver and a Mail Server on the Inside—Routable AddressesA Degree of Physical Separation: Introducing the DMZSharing the Load: Redirecting to a Pool of AddressesGetting Load Balancing Right with hoststatedA Webserver and a Mail Server on the Inside—The NAT VersionDMZ with NATRedirection for Load Balancing
Back to the Single NATed Network
Filtering on Interface Groups
The Power of Tags
The Bridging Firewall
Basic Bridge Setup on OpenBSDBasic Bridge Setup on FreeBSDBasic Bridge Setup on NetBSDThe Bridge Rule Set
Handling Nonroutable Addresses from Elsewhere
6. TURNING THE TABLES FOR PROACTIVE DEFENSE
Turning Away the BrutesYou May Not Need to Block All of Your OverloadersTidying Your Tables with pfctlThe Forerunner: expiretable
Giving Spammers a Hard Time with spamd
Remember, You Are Not Alone: BlacklistingClassic spamd: Blacklists and the Sticky Tar PitA Basic spamd.conf FileGreylisting: My Admin Told Me Not to Talk to StrangersSetting Up spamd in Greylisting ModeTracking Your Real Mail Connections: spamlogdManual Intervention with spamdbSome Highlights of Day-to-Day spamd UseHarvesting the Noise: The Fundamentals of GreytrappingEnter GreytrappingSetting Up Your Own TraplistDeleting and Handling Trapped EntriesKeeping Several spamd Greylists in SyncDetecting Out-of-Order MX UseHandling Sites That Do Not Play Well with GreylistingConclusions from Our spamd Experience
7. QUEUES, SHAPING, AND REDUNDANCY
Directing Traffic with ALTQBasic ALTQ ConceptsQueue Schedulers, aka Queue DisciplinesSetting Up ALTQALTQ on OpenBSDALTQ on FreeBSDALTQ on NetBSDUnderstanding Priority-Based Queues (priq)Class-Based Bandwidth Allocation for Small Networks (cbq)Queuing for Servers in a DMZUsing ALTQ to Handle Unwanted TrafficOverloading to a Tiny QueueQueue Assignments Based on OS Fingerprints
Redundancy and Failover: CARP and pfsync
The Project Specification: A Redundant Pair of GatewaysSetting Up CARP: Kernel Options, sysctl, and ifconfig CommandsKeeping States Synced: Adding pfsyncPutting Together a Rule Set
8. LOGGING, MONITORING, AND STATISTICS
PF Logs: The BasicsLogging All Packets: log (all)Logging to Several pflog InterfacesLogging to syslog, Local or RemoteTracking Statistics for Each Rule with Labels
Some Additional Tools for PF Logs and Statistics
Keeping an Eye on Things with pftopGraphing Your Traffic with pfstatCollecting NetFlow Data with pfflowdSNMP Tools and PF-Related SNMP MIBs
Remember, Useful Log Data Is the Basis for Effective Debugging
9. GETTING YOUR SETUP JUST RIGHT
The Things You Can Tweak and What You Probably Should Leave Aloneblock-policyskipstate-policytimeoutlimitdebugruleset-optimizationoptimization
Cleaning Up Your Traffic: scrub and antispoof
scrubantispoof
Testing Your Setup
Debugging Your Rule Set
Know Your Network, Stay in Control
A. RESOURCES
General Networking and BSD Resources on the Internet
Sample Configurations and Related Musings
PF on Other BSD Systems
BSD and Networking Books
Wireless Networking Resources
spamd and Greylisting-Related Resources
Book-Related Web Resources
If You Enjoyed This Book, Buy OpenBSD CDs and Donate!
B. A NOTE ON HARDWARE SUPPORT
A Case in Point: The Story of a Small Wireless Network
Getting the Right Hardware
Issues Facing Hardware-Support Developers
How to Help the Hardware-Support Efforts
About the Author
COLOPHON

Content preview from The Book of PF

Chapter 5. BIGGER OR TRICKIER NETWORKS

In this chapter we'll build on the material from the previous chapters while trying to meet the real-life challenges of larger networks or even smaller ones with relatively demanding applications or users. The sample configurations in this chapter are all based on the assumption that your packet-filtering setups will need to accommodate services you run on your local network. We will mainly be looking at this from a Unix perspective, focusing on SSH, email, and Web services, with some pointers on how to take care of others.

When Others Need Something in Your Network: Filtering Services

Time passes, and needs ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781593271657Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The Book of PF

by Peter N.M. Hansteen

Chapter 5. BIGGER OR TRICKIER NETWORKS

When Others Need Something in Your Network: Filtering Services

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.