The Book of PF, 2nd Edition docx


Document information

www.nostarch.com, "The Finest in Geek Entertainment"™. Shelve in: Operating Systems/Unix. $29.95 ($34.95 CDN)

BUILD A MORE SECURE NETWORK WITH PF

OpenBSD's stateful packet filter, PF, is the heart of the OpenBSD firewall and a necessity for any admin working in a BSD environment. With a little effort and this book, you'll gain the insight needed to unlock PF's full potential. This second edition of The Book of PF has been completely updated and revised. Based on Peter N.M. Hansteen's popular PF website and conference tutorials, this no-nonsense guide covers NAT and redirection, wireless networking, spam fighting, failover provisioning, logging, and more. Throughout the book, Hansteen emphasizes the importance of staying in control with a written network specification, keeping rule sets readable using macros, and performing rigid testing when loading new rules.

The Book of PF tackles a broad range of topics that will stimulate your mind and pad your resume, including how to:

• Create rule sets for all kinds of network traffic, whether it's crossing a simple LAN, hiding behind NAT, traversing DMZs, or spanning bridges or wider networks
• Create wireless networks with access points, and lock them down with authpf and special access restrictions
• Maximize flexibility and service availability via CARP, relayd, and redirection
• Create adaptive firewalls to proactively defend against would-be attackers and spammers
• Implement traffic shaping and queues with ALTQ (priq, cbq, or hfsc) to keep your network responsive
• Master your logs with monitoring and visualization tools (including NetFlow)

The Book of PF is for BSD enthusiasts and network administrators at any skill level. With more and more services placing high demands on bandwidth and an increasingly hostile Internet environment, you can't afford to be without PF expertise.

ABOUT THE AUTHOR

Peter N.M. Hansteen is a consultant, writer, and sysadmin based in Bergen, Norway. A longtime Freenix advocate, Hansteen is a frequent lecturer on OpenBSD and FreeBSD topics, an occasional contributor to BSD Magazine, and one of the original members of the RFC 1149 implementation team. He writes a frequently slashdotted blog (http://bsdly.blogspot.com/) and is the author of the highly regarded PF tutorial (http://home.nuug.no/~peter/pf/).

2ND EDITION. Covers OpenBSD 4.8, FreeBSD 8.1, and NetBSD 5.

"I LIE FLAT." This book uses a lay-flat binding that won't snap shut.

PETER N.M. HANSTEEN. THE BOOK OF PF: A NO-NONSENSE GUIDE TO THE OPENBSD FIREWALL, 2ND EDITION.

PRAISE FOR THE FIRST EDITION OF THE BOOK OF PF

"This book is for everyone who uses PF. Regardless of operating system and skill level, this book will teach you something new and interesting." —BSD Magazine

"With Mr. Hansteen paying close attention to important topics like state inspection, SPAM, black/grey listing, and many others, this must-have reference for BSD users can go a long way to helping you fine tune the who/what/where/when/how of access control on your BSD box." —InfoWorld

"A must-have resource for anyone who deals with firewall configurations. If you've heard good things about PF and have been thinking of giving it a go, this book is definitely for you. Start at the beginning and before you know it you'll be through the book and quite the PF guru. Even if you're already a PF guru, this is still a good book to keep on the shelf to refer to in thorny situations or to lend to colleagues." —Dru Lavigne, tech writer

"The book is a great resource and has me eager to rewrite my aging rulesets." —;login:

"This book is a super-easy read. I loved it! This book easily makes my Top 5 Book list." —Daemon News

THE BOOK OF PF™, 2ND EDITION: A NO-NONSENSE GUIDE TO THE OPENBSD FIREWALL, by Peter N.M. Hansteen. San Francisco.

THE BOOK OF PF, 2ND EDITION. Copyright © 2011 by Peter N.M. Hansteen. All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

14 13 12 11 10   1 2 3 4 5 6 7 8 9

ISBN-10: 1-59327-274-X
ISBN-13: 978-1-59327-274-6

Publisher: William Pollock
Production Editors: Ansel Staton and Serena Yang
Cover and Interior Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: Henning Brauer
Copyeditor: Marilyn Smith
Compositors: Riley Hoffman and Ansel Staton
Proofreader: Linda Seifert
Indexer: Valerie Haynes Perry

For information on book distributors or translations, please contact No Starch Press, Inc. directly: No Starch Press, Inc., 38 Ringold Street, San Francisco, CA 94103; phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; www.nostarch.com

The Library of Congress has cataloged the first edition as follows:
Hansteen, Peter N. M.
The book of PF : a no-nonsense guide to the OpenBSD firewall / Peter N.M. Hansteen.
p. cm.
Includes index.
ISBN-13: 978-1-59327-165-7
ISBN-10: 1-59327-165-4
1. OpenBSD (Electronic resource) 2. TCP/IP (Computer network protocol) 3. Firewalls (Computer security) I. Title.
TK5105.585.H385 2008
005.8 dc22
2007042929

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

To Gene Scharmann, who all those years ago nudged me in the direction of free software

BRIEF CONTENTS

Foreword by Bob Beck (from the first edition)
Acknowledgments
Introduction
Chapter 1: Building the Network You Need
Chapter 2: PF Configuration Basics
Chapter 3: Into the Real World
Chapter 4: Wireless Networks Made Easy
Chapter 5: Bigger or Trickier Networks
Chapter 6: Turning the Tables for Proactive Defense
Chapter 7: Queues, Shaping, and Redundancy
Chapter 8: Logging, Monitoring, and Statistics
Chapter 9: Getting Your Setup Just Right
Appendix A: Resources
Appendix B: A Note on Hardware Support
Index

[...]

... When the small computers became networked, they were introduced to yet another kind of malicious software called a worm, a class of software that uses the network to propagate its payload.1 Along the way, the networked versions of various kinds of frauds made it onto the network security horizon as well, and today a significant part of computer security activity (possibly the largest segment of the ...

... quite a bit since the book was printed. The information in the book is as up to date and correct as possible at the time of writing, and refers to OpenBSD version 4.8, FreeBSD 8.1, and NetBSD 5.0, with any patches available in late August 2010.

This Is Not a HOWTO

The book is a direct descendant of a moderately popular PF tutorial. The tutorial is also the source of the following admonition, ...

... input on various parts of the manuscript; and, finally, warm thanks to Megan Dunchak and Linda Recktenwald for their efforts in getting the first edition of the book into its final shape and to Serena Yang for guiding the second edition to completion. Special thanks are due to Dru Lavigne for making the introductions which led to this book getting written in the first place, instead of just hanging around ...

... operating system that contained the original reference implementation of the TCP/IP Internet protocols in the early 1980s. As the research project behind BSD development started winding down in the early 1990s, the code was liberated for further development by small groups of enthusiasts around the world. Some of these enthusiasts were responsible for keeping vital parts of the emerging Internet's infrastructure ...

... from the PF implementations on other systems, but the newest, most up-to-date PF code is always to be found on OpenBSD. Some of the features described in this book are available only in the most recent versions of OpenBSD. The other BSDs tend to port the latest released PF version from OpenBSD to their code bases in time for their next release, but synchronized updates are far from guaranteed, and the ...

... into the networking stack and then making packets pass through it. Then he began thinking about filtering. When the license crisis happened, PF was already well under development. The first commit of the PF code was on Sunday, June 24, 2001, at 19:48:58 UTC. A few months of intense activity followed, and the resulting version of PF was launched as a default part of the OpenBSD 3.0 base system in December of ...

... adopted PF, first as ...

4 The IPFilter copyright episode spurred the OpenBSD team to perform a license audit of the entire source tree and ports in order to avoid similar situations in the future. Several potential problems were resolved over the months that followed, resulting in the removal of a number of potential license pitfalls for everyone involved in free software development. Theo de Raadt summed up the ...

... dear wife, Birthe, and my daughter, Nora, for all their love and support, before and during the book writing process as well as throughout the rather intense work periods that yielded the second edition. This would not have been possible without you.

INTRODUCTION

This is a book about building the network you need. We'll dip into the topics of firewalls ...

... However, this has the effect of inserting another layer of abstraction between you and your rule set, and puts you at the mercy of the tool author's understanding of how PF rule sets work. I recommend working through at least the relevant parts of this book before spending serious time on considering an automated conversion.

Why did the PF rules syntax change all of a sudden? The world changed, and PF changed ...

... little theory. You'll see plenty of examples of filtering and other ways to direct network traffic. I'll assume that you have a basic to intermediate command of TCP/IP networking concepts and Unix administration. All the information in this book comes with a fair warning: As in any number of other endeavors, the solutions we discuss can be done in more than one way. You should also be aware that the software ...

Posted: 23/03/2014, 14:20


Table of Contents

  • Copyright
  • Foreword
  • Acknowledgments
  • Introduction
    • This Is Not a HOWTO
    • What This Book Covers
  • 1: Building the Network You Need
    • Your Network: High Performance, Low Maintenance, and Secure
    • Where the Packet Filter Fits In
    • The Rise of PF
    • If You Came from Elsewhere
      • Pointers for Linux Users
      • Frequently Answered Questions About PF
    • A Little Encouragement: A PF Haiku
  • 2: PF Configuration Basics
    • The First Step: Enabling PF
      • Setting Up PF on OpenBSD
      • Setting Up PF on FreeBSD
      • Setting Up PF on NetBSD
    • A Simple PF Rule Set: A Single, Stand-Alone Machine
      • A Minimal Rule Set
      • Testing the Rule Set
    • Slightly Stricter: Using Lists and Macros for Readability
      • A Stricter Baseline Rule Set
      • Reloading the Rule Set and Looking for Errors
      • Checking Your Rules
      • Testing the Changed Rule Set
