The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall

Language: English

Pages: 248

ISBN: 1593275897

Format: PDF / Kindle (mobi) / ePub

OpenBSD's stateful packet filter, PF, is the heart of the OpenBSD firewall. With more and more services placing high demands on bandwidth and an increasingly hostile Internet environment, no sysadmin can afford to be without PF expertise.

The third edition of The Book of PF covers the most up-to-date developments in PF, including new content on IPv6, dual-stack configurations, the "queues and priorities" traffic-shaping system, NAT and redirection, wireless networking, spam fighting, failover provisioning, logging, and more.

You'll also learn how to:

  • Create rule sets for all kinds of network traffic, whether crossing a simple LAN, hiding behind NAT, traversing DMZs, or spanning bridges or wider networks
  • Set up wireless networks with access points, and lock them down using authpf and special access restrictions
  • Maximize flexibility and service availability via CARP, relayd, and redirection
  • Build adaptive firewalls to proactively defend against attackers and spammers
  • Harness OpenBSD's latest traffic-shaping system to keep your network responsive, and convert your existing ALTQ configurations to the new system
  • Stay in control of your traffic with monitoring and visualization tools (including NetFlow)

The Book of PF is the essential guide to building a secure network with PF. With a little effort and this book, you'll be well prepared to unlock PF's full potential.


address in your local network:

    pass quick inet proto { tcp, udp } from to port $udp_services
    pass inet proto tcp from to port $client_out

For a more differentiated setup, you could put the rest of your rule set in /etc/authpf/authpf.rules or per-user rules in customized authpf.rules files in each user's directory under /etc/authpf/users/. If your users generally need some protection, your general /etc/authpf/authpf.rules could have content like this:

you put in has been worth it.

Chapter 7: Logging, Monitoring, and Statistics

Exercising control over a network—whether for your home networking needs or in a professional context—is likely to be a main objective for anyone who reads this book. One necessary element of keeping control is having access to all relevant information about what happens in your network. Fortunately for us, PF (like most components of Unix-like systems) is able to generate log data for network activity. PF

providers to retain traffic logs for a specific period of time, in some cases with a requirement to deliver any such data to law enforcement upon request. Make sure you understand the legal issues before you build a logging infrastructure.

Even with all but port domain filtered out by tcpdump, adding log (all) to one or more rules considerably increases the amount of data in your logs. If you need to log all traffic, but your gateway's storage capacity is limited, you may find

filtering on the loopback interface is almost never useful, and can lead to odd results with a number of common programs and services. The default is that skip is unset, which means that all configured interfaces can take part in PF processing. In addition to making your rule set slightly simpler, setting skip on interfaces where you do not want to perform filtering results in a slight performance gain.

State Policy

The state-policy option specifies how PF matches packets to the state table.

    (all) quick from to any
      [ Evaluations: 341770   Packets: 2        Bytes: 104        States: 0 ]
      [ Inserted: uid 0 pid 14717 State Creations: 0 ]
    @5 anchor "ftp-proxy/*" all
      [ Evaluations: 341768   Packets: 319954   Bytes: 263432399  States: 0 ]
      [ Inserted: uid 0 pid 14717 State Creations: 70 ]

Now you should perform a structured walk-through of the loaded rule set. Find the rules that match the packets you are investigating. What is the last matching rule? If more than one rule matches, is one of the