PF is a packet filter developed originally on the OpenBSD operating system, and now also available on NetBSD, FreeBSD, and FreeBSD derivatives such as DragonFly BSD. It can be used to control access to your network, mitigate spam attacks, redirect traffic, and manage failover provisioning.
You may need to edit some configuration files in order to ensure that PF starts on your system. The author describes how this can be done on each of the systems listed above, with particular attention to additional steps that might be necessary on older versions of those systems.
The behavior of PF is determined by a set of rules contained in a configuration file. Some simple rules for controlling access to a standalone machine are introduced in chapter 2. Readers are encouraged to use macros to define sets of ports and sets of interfaces to which rule sets can be applied, and commands that can check and expand the contents of configuration files are shown. Running instances of PF maintain statistics on packets that are passed and blocked through each interface; there are a couple of pages showing how these statistics can be displayed and interpreted.
PF’s real potential is best realized in gateway machines, and some rule sets that are appropriate in this context are discussed in chapter 3. Examples are provided to show how packet forwarding can be enabled in a gateway machine, and some macros are defined for use in simple rule sets that enable appropriate access for commonly used services. It is noted that Internet control message protocol (ICMP) traffic is often blocked so as to mitigate the possibility of attacks such as “ping of death,” but it may be appropriate to pass some ICMP messages so that tools like traceroute can be used, and so that various maximum transmission unit (MTU) size and router advertisement messages can be exchanged.
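To make the macro, gateway and ICMP points of the two chapters just described concrete, here is a small pf.conf in the style the book teaches. It is an added example for this review, not a rule set from the book: the interface names em0 and em1, the service lists and the choice of ICMP types are my assumptions, and it uses current OpenBSD syntax (match ... nat-to), which differs from the older rdr/nat syntax still found on FreeBSD and NetBSD.

```pf
# Added example, not from the book. Interface names, networks and port
# lists are assumptions for illustration.
ext_if = "em0"                  # assumed external interface
int_if = "em1"                  # assumed internal interface
localnet = $int_if:network      # expands to the network attached to em1

# Macros group ports and interfaces so one rule covers several of them
tcp_services = "{ ssh, domain, www, https }"
udp_services = "{ domain, ntp }"

# ICMP types worth passing: echo requests for ping and traceroute,
# "unreach" (carries the needs-fragmentation message path MTU discovery
# relies on) and "timex" (time exceeded, which traceroute depends on)
icmp_types = "{ echoreq, unreach, timex }"

set skip on lo

# Default deny: anything not matched by a later pass rule is dropped
block all

# Forwarding itself is a kernel setting, not a PF rule: on OpenBSD put
# net.inet.ip.forwarding=1 in /etc/sysctl.conf. PF then rewrites the
# source address of traffic leaving the external interface.
match out on $ext_if from $localnet nat-to ($ext_if)

# Traffic from the gateway and from the internal network may go out
pass out quick on $ext_if from { self, $localnet } keep state
pass in on $int_if from $localnet keep state

# Only the listed services and ICMP types are accepted from outside
pass in on $ext_if proto tcp to port $tcp_services keep state
pass in on $ext_if proto udp to port $udp_services keep state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Checking and loading (run as root):
#   pfctl -nf /etc/pf.conf    parse only, report syntax errors
#   pfctl -vnf /etc/pf.conf   parse and print rules with macros expanded
#   pfctl -f /etc/pf.conf     load the rule set
# Statistics the book shows how to read:
#   pfctl -s info             packets passed/blocked per interface, state counts
#   pfctl -vs rules           per-rule packet and byte counters
```

The `pfctl -vnf` form is the one to reach for when a macro does not expand the way you expect: it prints every rule after substitution without touching the running rule set.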
There is an entire chapter devoted to wireless networks. The differences between wired equivalent privacy (WEP) and Wi-Fi protected access (WPA) encryption procedures are discussed, and simple one-line access point setup entries for use in OpenBSD “hostname.iface” files are provided. Equivalent setup entries for NetBSD and FreeBSD are also shown. For an access point, you will probably need to add some PF rules, and some suggestions are offered. Client-side OpenBSD entries for “hostname.iface” files are then discussed, and there are a couple of pages covering FreeBSD setup procedures.
The author observes that there may be occasions where you need to assign privileges to a network user once he has logged in. The “authpf” shell has been developed to satisfy such a requirement, and an example is provided showing how users of an airport Wi-Fi network may be redirected to a specific webpage until they have cleared some sort of authentication.
The chapter entitled “Bigger or Trickier Networks” has a diagram showing a real-life network with clients, email server, and web server connected to a switch inside a firewall. Some appropriate rule sets for this arrangement are suggested. A more elaborate arrangement is then considered, with servers inside a demilitarized zone (DMZ). Server redirection mechanisms are also discussed; these can be used for load balancing or to enable removal of a machine from a web server pool.
Brute-force SSH attacks can effectively bring down an entire site, and email spam messages have been used for the wide-scale distribution of some nasty malware. The author shows how the effects of these can be mitigated through the use of state-tracking PF options, and “spamd” blacklisting capabilities.
Traffic shaping and priority-based queues can be used to expedite the flow of voice over Internet protocol (VoIP) or other packets through a gateway; they can also be used to prioritize ACK packets, thereby providing some relief during periods of heavy congestion. Some appropriate rules are discussed.
There is a chapter that illustrates how the common address redundancy protocol (CARP) can be used to ensure that a network will keep functioning when a firewall or other service becomes unavailable, and the use of “pfsync” is suggested to ensure that resource handovers are accomplished without noticeable interruption.
PF can be instructed to accumulate logs related to selected rules, and this capability is described in the penultimate chapter. The book ends with a short chapter containing some general housekeeping and debugging suggestions; this chapter also shows how the PF “antispoof” rule can be used.
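The state-tracking defence against SSH brute forcing, the spamd redirection, the logging of selected rules and the antispoof rule mentioned above all fit in a single short rule set, so here is one as an added example (again my construction, not the book's, and again assuming interfaces em0 and em1 and OpenBSD's rdr-to syntax). The connection limits are illustrative values, not recommendations from the book.

```pf
# Added example, not from the book. Interface names and limits are assumptions.
ext_if = "em0"
int_if = "em1"
localnet = $int_if:network

# Sources that exceed the limits below are collected here; "persist" keeps
# the table across rule set reloads
table <bruteforce> persist
# Filled by spamd-setup(8) from the blacklists configured in spamd.conf
table <spamd> persist

set skip on lo

# Drop, and log, packets arriving on an interface from a source address that
# belongs to a different interface's network (e.g. internal addresses seen
# on the external side)
antispoof log quick for { $ext_if $int_if }

block all

# A source that has already tripped the limits gets nothing further
block in log quick from <bruteforce>

# SSH is allowed, but each source may hold at most 5 open connections and
# open at most 5 new ones per 30 seconds; a source that exceeds either is
# added to <bruteforce> and all of its existing states are removed
pass in on $ext_if proto tcp to port ssh \
    keep state (max-src-conn 5, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)

# SMTP from blacklisted senders is redirected to the local spamd tarpit;
# everyone else reaches the real mail server on this host
pass in log on $ext_if proto tcp from <spamd> to port smtp \
    rdr-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp to port smtp keep state

pass out on $ext_if keep state
pass in on $int_if from $localnet keep state

# Housekeeping commands the closing chapters cover:
#   pfctl -t bruteforce -T show          list addresses currently blocked
#   pfctl -t bruteforce -T expire 86400  drop entries older than a day
#   tcpdump -n -e -ttt -r /var/log/pflog  read what the "log" rules recorded
#   tcpdump -n -e -ttt -i pflog0          watch the same, live
```

Only the rules carrying the `log` keyword write to pflog0, so the two block rules above are logged while the ordinary pass rules stay quiet; that keeps the log small enough that the addresses landing in the table are easy to spot when reviewing it.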
This book left me totally impressed at the breadth of capabilities offered by PF. I was able to use a number of its suggested rule sets on my own OpenBSD and NetBSD machines, and I can recommend it to anyone with an interest (professional or otherwise) in network management.