The Book of PF, 2nd Edition
by Peter N.M. Hansteen
Table of Contents
Cover
The Book of PF
PRAISE FOR THE FIRST EDITION OF THE BOOK OF PF
Foreword
Acknowledgments
Introduction
This Is Not a HOWTO
What This Book Covers
1. Building the Network You Need
Your Network: High Performance, Low Maintenance, and Secure
Where the Packet Filter Fits In
The Rise of PF
If You Came from Elsewhere
Pointers for Linux Users
Frequently Answered Questions About PF
Can I run PF on my Linux machine?
Can you recommend a GUI tool for managing my PF rule set?
Is there a tool I can use to convert my OtherProduct® setup to a PF configuration?
Why did the PF rules syntax change all of a sudden?
Where can I find out more?
A Little Encouragement: A PF Haiku
2. PF Configuration Basics
The First Step: Enabling PF
Setting Up PF on OpenBSD
Setting Up PF on FreeBSD
Setting Up PF on NetBSD
A Simple PF Rule Set: A Single, Stand-Alone Machine
A Minimal Rule Set
Testing the Rule Set
Slightly Stricter: Using Lists and Macros for Readability
A Stricter Baseline Rule Set
Reloading the Rule Set and Looking for Errors
Checking Your Rules
Testing the Changed Rule Set
Displaying Information About Your System
Looking Ahead
3. Into the Real World
A Simple Gateway
Keep It Simple: Avoid the Pitfalls of in, out, and on
Network Address Translation vs. IPv6
Final Preparations: Defining Your Local Network
Setting Up a Gateway
Testing Your Rule Set
That Sad Old FTP Thing
If We Must: ftp-proxy with Redirection
Making Your Network Troubleshooting Friendly
Do We Let It All Through?
The Easy Way Out: The Buck Stops Here
Letting ping Through
Helping traceroute
Path MTU Discovery
Tables Make Your Life Easier
4. Wireless Networks Made Easy
A Little IEEE 802.11 Background
MAC Address Filtering
WEP
WPA
The Right Hardware for the Task
Setting Up a Simple Wireless Network
An OpenBSD WPA Access Point
A FreeBSD WPA Access Point
The Access Point's PF Rule Set
Access Points with Three or More Interfaces
Handling IPSec, VPN Solutions
The Client Side
OpenBSD Setup
FreeBSD Setup
Guarding Your Wireless Network with authpf
A Basic Authenticating Gateway
Wide Open but Actually Shut
5. Bigger or Trickier Networks
A Web Server and Mail Server on the Inside—Routable Addresses
A Degree of Separation: Introducing the DMZ
Sharing the Load: Redirecting to a Pool of Addresses
Getting Load Balancing Right with relayd
A Web Server and Mail Server on the Inside—the NAT Version
DMZ with NAT
Redirection for Load Balancing
Back to the Single NATed Network
Filtering on Interface Groups
The Power of Tags
The Bridging Firewall
Basic Bridge Setup on OpenBSD
Basic Bridge Setup on FreeBSD
Basic Bridge Setup on NetBSD
The Bridge Rule Set
Handling Nonroutable Addresses from Elsewhere
6. Turning the Tables for Proactive Defense
Turning Away the Brutes
SSH Brute-Force Attacks
Setting Up an Adaptive Firewall
Tidying Your Tables with pfctl
Giving Spammers a Hard Time with spamd
Network-Level Behavior Analysis and Blacklisting
Setting Up spamd in Blacklisting Mode
spamd Logging
Greylisting: My Admin Told Me Not to Talk to Strangers
Setting Up spamd in Greylisting Mode
Greylisting in Practice
Tracking Your Real Mail Connections: spamlogd
Greytrapping
Setting Up a Traplist
Managing Lists with spamdb
Updating Lists
Keeping spamd Greylists in Sync
Detecting Out-of-Order MX Use
Handling Sites That Do Not Play Well with Greylisting
Spam-Fighting Tips
7. Queues, Shaping, and Redundancy
Directing Traffic with ALTQ
Basic ALTQ Concepts
Queue Schedulers, aka Queue Disciplines
priq
cbq
hfsc
Setting Up ALTQ
ALTQ on OpenBSD
ALTQ on FreeBSD
ALTQ on NetBSD
Setting Up Queues
Priority-Based Queues
A Real-World Example
Using a match Rule for Queue Assignment
Class-Based Bandwidth Allocation for Small Networks
Queue Definition
Rule Set
A Basic HFSC Traffic Shaper
Queue Definition
Rule Set
Queueing for Servers in a DMZ
Using ALTQ to Handle Unwanted Traffic
Overloading to a Tiny Queue
Queue Assignments Based on Operating System Fingerprint
Redundancy and Failover: CARP and pfsync
The Project Specification: A Redundant Pair of Gateways
Setting Up CARP
Checking Kernel Options
Setting sysctl Values
Setting Up Network Interfaces with ifconfig
Keeping States Synchronized: Adding pfsync
Putting Together a Rule Set
CARP for Load Balancing
8. Logging, Monitoring, and Statistics
PF Logs: The Basics
Logging All Packets: log (all)
Logging to Several pflog Interfaces
Logging to Syslog, Local or Remote
Tracking Statistics for Each Rule with Labels
Additional Tools for PF Logs and Statistics
Keeping an Eye on Things with systat
Keeping an Eye on Things with pftop
Graphing Your Traffic with pfstat
Collecting NetFlow Data with pflow(4)
Setting Up the NetFlow Sensor
NetFlow Data Collecting, Reporting, and Analysis
Collecting NetFlow Data with pfflowd
SNMP Tools and PF-Related SNMP MIBs
Log Data as the Basis for Effective Debugging
9. Getting Your Setup Just Right
Things You Can Tweak and What You Probably Should Leave Alone
Block Policy
Skip Interfaces
State Policy
State Defaults
Timeouts
Limits
Debug
Rule Set Optimization
Optimization
Fragment Reassembly
Cleaning Up Your Traffic
Packet Normalization with scrub
Protecting Against Spoofing with antispoof
Testing Your Setup
Debugging Your Rule Set
Know Your Network and Stay in Control
A. Resources
General Networking and BSD Resources on the Internet
Sample Configurations and Related Musings
PF on Other BSD Systems
BSD and Networking Books
Wireless Networking Resources
spamd and Greylisting-Related Resources
Book-Related Web Resources
Buy OpenBSD CDs and Donate!
B. A Note on Hardware Support
Getting the Right Hardware
Issues Facing Hardware Support Developers
How to Help the Hardware Support Efforts
Index
About the Author
Colophon
C. Updates