The Book of PF

Book Description

OpenBSD's stateful packet filter, PF, offers an amazing feature set and support across the major BSD platforms. Like most firewall software, though, unlocking PF's full potential takes a good teacher. Peter N.M. Hansteen's PF website and conference tutorials have helped thousands of users build the networks they need using PF. The Book of PF is the product of Hansteen's knowledge and experience, teaching good practices as well as bare facts and software options. Throughout the book, Hansteen emphasizes the importance of staying in control: keeping a written network specification, using macros to make rule sets more readable, and testing rigorously before loading new rules.

Today's system administrators face increasing challenges in the quest for network quality, and The Book of PF can help by demystifying the tools of modern *BSD network defense. But, perhaps more importantly, because we know you like to tinker, The Book of PF tackles a broad range of topics that will stimulate your mind and pad your resume, including how to:

  • Create rule sets for all kinds of network traffic, whether it is crossing a simple home LAN, hiding behind NAT, traversing DMZs, or spanning bridges

  • Use PF to create a wireless access point, and lock it down tight with authpf and special access restrictions

  • Maximize availability by using redirection rules for load balancing and CARP for failover

  • Use tables for proactive defense against would-be attackers and spammers

  • Set up queues and traffic shaping with ALTQ, so your network stays responsive

  • Master your logs with monitoring and visualization, because you can never be too paranoid

The Book of PF is written for BSD enthusiasts and network admins at any level of expertise. With more and more services placing high demands on bandwidth and increasing hostility coming from the Internet at large, you can never be too skilled with PF.

Table of Contents

  1. The Book of PF
    1. THE BOOK OF PF
    2. FOREWORD
    3. PREFACE
      1. About the Book and Thanks
      2. If You Came from Elsewhere
        1. PF looks really cool. Can I run PF on my Linux machine?
        2. I know some Linux, but I need to learn some BSD. Any pointers?
        3. Can you recommend a GUI tool for managing my PF rule set?
        4. Is there a tool I can use to convert my OtherProduct® setup to a PF configuration?
        5. Where can I find out more?
      3. A Little Encouragement: A PF Haiku
    4. 1. WHAT PF IS
      1. Packet Filter? Firewall? A Few Important Terms Explained
      2. Network Address Translation
        1. Why the Internet Lives on a Few White Lies
        2. Internet Protocol, Version 6 on the Far Horizon
        3. The Temporary Masquerade Solution Called NAT
      3. PF Today
    5. 2. LET'S GET ON WITH IT
      1. Simplest Possible PF Setup on OpenBSD
      2. Simplest Possible PF Setup on FreeBSD
      3. Simplest Possible PF Setup on NetBSD
      4. First Rule Set—A Single, Stand-Alone Machine
      5. Slightly Stricter, with Lists and Macros
      6. Statistics from pfctl
    6. 3. INTO THE REAL WORLD
      1. A Simple Gateway, NAT If You Need It
        1. Gateways and the Pitfalls of in, out, and on
        2. What Is Your Local Network, Anyway?
        3. Setting Up
        4. Testing Your Rule Set
      2. That Sad Old FTP Thing
      3. FTP Through NAT: ftp-proxy
        1. FTP, PF, and Routable Addresses: ftpsesame, pftpx, and ftp-proxy
        2. New-Style FTP: ftp-proxy
      4. Making Your Network Troubleshooting Friendly
        1. Then, Do We Let It All Through?
        2. The Easy Way Out: The Buck Stops Here
        3. Letting ping Through
        4. Helping traceroute
        5. Path MTU Discovery
      5. Tables Make Your Life Easier
    7. 4. WIRELESS NETWORKS MADE EASY
      1. A Little IEEE 802.11 Background
        1. MAC Address Filtering
        2. WEP
        3. WPA
        4. Picking the Right Hardware for the Task
      2. Setting Up a Simple Wireless Network
        1. The Access Point's PF Rule Set
        2. If Your Access Point Has Three or More Interfaces
        3. Handling IPsec, VPN Solutions
        4. The Client Side
      3. Guarding Your Wireless Network with authpf
        1. A Basic Authenticating Gateway
        2. Wide Open but Actually Shut
    8. 5. BIGGER OR TRICKIER NETWORKS
      1. When Others Need Something in Your Network: Filtering Services
        1. A Webserver and a Mail Server on the Inside—Routable Addresses
          1. A Degree of Physical Separation: Introducing the DMZ
          2. Sharing the Load: Redirecting to a Pool of Addresses
        2. Getting Load Balancing Right with hoststated
        3. A Webserver and a Mail Server on the Inside—The NAT Version
          1. DMZ with NAT
          2. Redirection for Load Balancing
      2. Back to the Single NATed Network
        1. Filtering on Interface Groups
      3. The Power of Tags
      4. The Bridging Firewall
        1. Basic Bridge Setup on OpenBSD
        2. Basic Bridge Setup on FreeBSD
        3. Basic Bridge Setup on NetBSD
        4. The Bridge Rule Set
      5. Handling Nonroutable Addresses from Elsewhere
    9. 6. TURNING THE TABLES FOR PROACTIVE DEFENSE
      1. Turning Away the Brutes
        1. You May Not Need to Block All of Your Overloaders
        2. Tidying Your Tables with pfctl
        3. The Forerunner: expiretable
      2. Giving Spammers a Hard Time with spamd
        1. Remember, You Are Not Alone: Blacklisting
          1. Classic spamd: Blacklists and the Sticky Tar Pit
          2. A Basic spamd.conf File
        2. Greylisting: My Admin Told Me Not to Talk to Strangers
          1. Setting Up spamd in Greylisting Mode
          2. Tracking Your Real Mail Connections: spamlogd
          3. Manual Intervention with spamdb
        3. Some Highlights of Day-to-Day spamd Use
          1. Harvesting the Noise: The Fundamentals of Greytrapping
          2. Enter Greytrapping
          3. Setting Up Your Own Traplist
          4. Deleting and Handling Trapped Entries
          5. Keeping Several spamd Greylists in Sync
          6. Detecting Out-of-Order MX Use
        4. Handling Sites That Do Not Play Well with Greylisting
        5. Conclusions from Our spamd Experience
    10. 7. QUEUES, SHAPING, AND REDUNDANCY
      1. Directing Traffic with ALTQ
        1. Basic ALTQ Concepts
        2. Queue Schedulers, aka Queue Disciplines
        3. Setting Up ALTQ
          1. ALTQ on OpenBSD
          2. ALTQ on FreeBSD
          3. ALTQ on NetBSD
        4. Understanding Priority-Based Queues (priq)
        5. Class-Based Bandwidth Allocation for Small Networks (cbq)
        6. Queuing for Servers in a DMZ
        7. Using ALTQ to Handle Unwanted Traffic
          1. Overloading to a Tiny Queue
          2. Queue Assignments Based on OS Fingerprints
      2. Redundancy and Failover: CARP and pfsync
        1. The Project Specification: A Redundant Pair of Gateways
        2. Setting Up CARP: Kernel Options, sysctl, and ifconfig Commands
        3. Keeping States Synced: Adding pfsync
        4. Putting Together a Rule Set
    11. 8. LOGGING, MONITORING, AND STATISTICS
      1. PF Logs: The Basics
        1. Logging All Packets: log (all)
        2. Logging to Several pflog Interfaces
        3. Logging to syslog, Local or Remote
        4. Tracking Statistics for Each Rule with Labels
      2. Some Additional Tools for PF Logs and Statistics
        1. Keeping an Eye on Things with pftop
        2. Graphing Your Traffic with pfstat
        3. Collecting NetFlow Data with pfflowd
        4. SNMP Tools and PF-Related SNMP MIBs
      3. Remember, Useful Log Data Is the Basis for Effective Debugging
    12. 9. GETTING YOUR SETUP JUST RIGHT
      1. The Things You Can Tweak and What You Probably Should Leave Alone
        1. block-policy
        2. skip
        3. state-policy
        4. timeout
        5. limit
        6. debug
        7. ruleset-optimization
        8. optimization
      2. Cleaning Up Your Traffic: scrub and antispoof
        1. scrub
        2. antispoof
      3. Testing Your Setup
      4. Debugging Your Rule Set
      5. Know Your Network, Stay in Control
    13. A. RESOURCES
      1. General Networking and BSD Resources on the Internet
      2. Sample Configurations and Related Musings
      3. PF on Other BSD Systems
      4. BSD and Networking Books
      5. Wireless Networking Resources
      6. spamd and Greylisting-Related Resources
      7. Book-Related Web Resources
      8. If You Enjoyed This Book, Buy OpenBSD CDs and Donate!
    14. B. A NOTE ON HARDWARE SUPPORT
      1. A Case in Point: The Story of a Small Wireless Network
      2. Getting the Right Hardware
      3. Issues Facing Hardware-Support Developers
      4. How to Help the Hardware-Support Efforts
    15. About the Author
    16. COLOPHON