The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall [1 ed.]
ISBN 1-59327-165-4, 978-1-59327-165-7
OpenBSD's stateful packet filter, PF, offers an amazing feature set and support across the major BSD platforms. Lik
English
Pages 184
Year 2008
Table of contents:
Preface......Page 12
About the Book and Thanks......Page 13
I know some Linux, but I need to learn some BSD. Any pointers?......Page 15
Can you recommend a GUI tool for managing my PF rule set?......Page 16
Where can I find out more?......Page 17
A Little Encouragement: A PF Haiku......Page 18
1: What PF Is......Page 19
Network Address Translation......Page 21
Internet Protocol, Version 6 on the Far Horizon......Page 22
The Temporary Masquerade Solution Called NAT......Page 23
PF Today......Page 24
2: Let’s Get On With It......Page 25
Simplest Possible PF Setup on OpenBSD......Page 26
Simplest Possible PF Setup on FreeBSD......Page 27
Simplest Possible PF Setup on NetBSD......Page 28
First Rule Set - A Single, Stand-Alone Machine......Page 29
Slightly Stricter, with Lists and Macros......Page 31
Statistics from pfctl......Page 33
A Simple Gateway, NAT If You Need It......Page 35
Gateways and the Pitfalls of in, out, and on......Page 36
Setting Up......Page 37
Testing Your Rule Set......Page 41
That Sad Old FTP Thing......Page 42
FTP Through NAT: ftp-proxy......Page 43
New-Style FTP: ftp-proxy......Page 44
Then, Do We Let It All Through?......Page 46
Helping traceroute......Page 47
Path MTU Discovery......Page 48
Tables Make Your Life Easier......Page 49
A Little IEEE 802.11 Background......Page 51
MAC Address Filtering......Page 52
Picking the Right Hardware for the Task......Page 53
Setting Up a Simple Wireless Network......Page 54
If Your Access Point Has Three or More Interfaces......Page 56
Handling IPsec, VPN Solutions......Page 57
Guarding Your Wireless Network with authpf......Page 58
A Basic Authenticating Gateway......Page 59
Wide Open but Actually Shut......Page 61
When Others Need Something in Your Network: Filtering Services......Page 63
A Webserver and a Mail Server on the Inside - Routable Addresses......Page 64
Getting Load Balancing Right with hoststated......Page 69
A Webserver and a Mail Server on the Inside - The NAT Version......Page 74
Back to the Single NATed Network......Page 75
Filtering on Interface Groups......Page 77
The Power of Tags......Page 78
Basic Bridge Setup on OpenBSD......Page 79
Basic Bridge Setup on FreeBSD......Page 80
Basic Bridge Setup on NetBSD......Page 81
The Bridge Rule Set......Page 82
Handling Nonroutable Addresses from Elsewhere......Page 83
6: Turning the Tables for Proactive Defense......Page 85
Turning Away the Brutes......Page 86
Tidying Your Tables with pfctl......Page 88
Giving Spammers a Hard Time with spamd......Page 89
Remember, You Are Not Alone: Blacklisting......Page 90
Greylisting: My Admin Told Me Not to Talk to Strangers......Page 93
Some Highlights of Day-to-Day spamd Use......Page 96
Handling Sites That Do Not Play Well with Greylisting......Page 101
Conclusions from Our spamd Experience......Page 102
Directing Traffic with ALTQ......Page 104
Queue Schedulers, aka Queue Disciplines......Page 105
Setting Up ALTQ......Page 106
Understanding Priority-Based Queues (priq)......Page 108
Class-Based Bandwidth Allocation for Small Networks (cbq)......Page 110
Queuing for Servers in a DMZ......Page 111
Using ALTQ to Handle Unwanted Traffic......Page 113
Redundancy and Failover: CARP and pfsync......Page 114
The Project Specification: A Redundant Pair of Gateways......Page 115
Setting Up CARP: Kernel Options, sysctl, and ifconfig Commands......Page 117
Keeping States Synced: Adding pfsync......Page 120
Putting Together a Rule Set......Page 121
8: Logging, Monitoring, and Statistics......Page 123
PF Logs: The Basics......Page 124
Logging All Packets: log (all)......Page 126
Logging to Several pflog Interfaces......Page 127
Logging to syslog, Local or Remote......Page 128
Tracking Statistics for Each Rule with Labels......Page 129
Keeping an Eye on Things with pftop......Page 131
Graphing Your Traffic with pfstat......Page 132
SNMP Tools and PF-Related SNMP MIBs......Page 134
Remember, Useful Log Data Is the Basis for Effective Debugging......Page 135
The Things You Can Tweak and What You Probably Should Leave Alone......Page 136
block-policy......Page 137
timeout......Page 138
limit......Page 140
ruleset-optimization......Page 141
Cleaning Up Your Traffic: scrub and antispoof......Page 142
antispoof......Page 143
Testing Your Setup......Page 144
Debugging Your Rule Set......Page 146
Know Your Network, Stay in Control......Page 148
A: Resources......Page 150
General Networking and BSD Resources on the Internet......Page 151
Sample Configurations and Related Musings......Page 152
BSD and Networking Books......Page 153
Book-Related Web Resources......Page 154
If You Enjoyed This Book, Buy OpenBSD CDs and Donate!......Page 155
B: A Note on Hardware Support......Page 156
A Case in Point: The Story of a Small Wireless Network......Page 157
Getting the Right Hardware......Page 158
How to Help the Hardware-Support Efforts......Page 159
Index......Page 162