Introduction

This is a book about building the network you need. We’ll dip into the topics of firewalls and related functions, starting from a little theory. You’ll see plenty of examples of filtering and other ways to direct network traffic. I’ll assume that you have a basic to intermediate command of TCP/IP networking concepts and Unix administration.

All the information in this book comes with a warning: As in many endeavors, the solutions we discuss can be done in more than one way. And, of course, the software world is always changing and the best way to do things may have changed since this book was printed. This book was tested with OpenBSD version 5.6, FreeBSD 10.0, and NetBSD 6.1, and any patches available in late July 2014.

This Is Not a HOWTO

The book is a direct descendant of my popular PF tutorial, and the third edition of the manuscript in book form. With all the work that’s gone into making this book a useful one over the years, I am fairly confident you will find it useful, and I hope you will find it an enjoyable read, too. But please keep in mind that this document is not intended as a precooked recipe for cutting and pasting.

Just to hammer this in, repeat after me:

The Pledge of the Network Admin

This is my network.

It is mine,
or technically, my employer's.
It is my responsibility,
and I care for it with all my heart.

There are many other networks a lot like mine,
but none are just like it.

I solemnly swear
that I will not mindlessly paste from HOWTOs.

The point is that while I have tested all of the configurations in this book, they’re almost certainly at least a little wrong for your network as written. Please keep in mind that this book is intended to show you a few useful techniques and inspire you to achieve good things.

Strive to understand your network and what you need to do to make it better and please do not paste blindly from this document or any other.

What This Book Covers

The book is intended to be a stand-alone document to enable you to work on your machines with only short forays into man pages and occasional reference to the online and printed resources listed in Appendix A.

Your system probably comes with a prewritten pf.conf file containing some commented-out suggestions for useful configurations, as well as a few examples in the documentation directories such as /usr/share/pf/. These examples are useful as a reference, but we won’t use them directly in this book. Instead, you’ll learn how to construct a pf.conf from scratch, step by step.

Here is a brief rundown of what you will find in this book:

  • Chapter 1 walks through basic networking concepts, gives a short overview of PF’s history, and provides some pointers on how to adjust to the BSD way if you are new to this family of operating systems. Read this chapter first to get a sense of how to work with BSD systems.

  • Chapter 2 shows how to enable PF on your system and covers a very basic rule set for a single machine. This chapter is fairly crucial, since all the later configurations are based on the one we build here.

  • Chapter 3 builds on the single-machine configuration in Chapter 2 and leads you through the basics of setting up a gateway to serve as a point of contact between separate networks. By the end of Chapter 3, you will have built a configuration that is fairly typical for a home or small office network, and have some tricks up your sleeve to make network management easier. You’ll also get an early taste of how to handle services with odd requirements such as FTP, as well as some tips on how to make your network troubleshooting-friendly by catering to some of the frequently less understood Internet protocols and services.

  • Chapter 4 walks you through adding wireless networking to your setup. The wireless environment presents some security challenges, and by the end of this chapter, you may find yourself with a wireless network with access control and authentication via authpf. Some of the information is likely to be useful in wired environments, too.

  • Chapter 5 tackles the situation where you introduce servers and services that need to be accessible from outside your own network. By the end of this chapter, you may have a network with one or several separate subnets and DMZs, and you will have tried your hand at a couple of different load-balancing schemes via redirections and relayd in order to improve service quality for your users.

  • Chapter 6 introduces some of the tools in the PF tool chest for dealing with attempts at undesirable activity, and shows how to use them productively. We deal with brute-force password-guessing attempts and other network flooding, as well as the antispam tool spamd, the OpenBSD spam deferral daemon. This chapter should make your network a more pleasant one for legitimate users and less welcoming to those with less than good intentions.

  • Chapter 7 introduces traffic shaping via the priorities and queues systems introduced in OpenBSD 5.5. This chapter also contains tips on how to convert earlier ALTQ-based setups to the new system, as well as information on setting up and maintaining ALTQ on operating systems where the newer queueing system is not available. This chapter should leave you with better resource utilization by adapting traffic shaping to your network needs.

  • Chapter 8 shows how to create redundant configurations, with CARP configurations for both failover and load balancing. This chapter should give you insight into how to create and maintain a highly available, redundant, CARP-based configuration.

  • Chapter 9 explains PF logs. You’ll learn how to extract and process log and statistics data from your PF configuration with tools in the base system as well as optional packages. We’ll also discuss NetFlow and SNMP-based tools.

  • Chapter 10 walks through various options that will help you tune your setup. It ties together the knowledge you have gained from the previous chapters with a rule set debugging tutorial.

  • Appendix A is an annotated list of print and online literature and other resources you may find useful as you expand your knowledge of PF and networking topics.

  • Appendix B gives an overview of some of the issues involved in creating a first-rate tool as free software.

Each chapter in this book builds on the previous one. While as a free being you can certainly skip around, it may be useful to read through chapters in sequence.

For a number of reasons, OpenBSD is my favorite operating system. My main environment for writing this book is dominated by OpenBSD systems running recent snapshots, the odd -stable system, and every now and then a locally built -current. This means that the main perspective in the book is the world as seen from the command line in OpenBSD 5.6. However, I keep enough of the other BSDs around that this book should be useful even if your choice of platform is FreeBSD, NetBSD, or DragonFly BSD. There are areas of network configuration and PF setup where those systems are noticeably different from the OpenBSD baseline, and in those cases you will find notes on the differences as well as platform-specific advice on how to build a useful configuration for your environment.
