
The book of PF, 3rd edition


DOCUMENT INFORMATION

Basic information

Format
Pages 250
File size 5.26 MB

Content

THE BOOK OF PF, 3RD EDITION
A NO-NONSENSE GUIDE TO THE OPENBSD FIREWALL
PETER N.M. HANSTEEN

BUILD A MORE SECURE NETWORK WITH PF

Covers OpenBSD 5.6, FreeBSD 10.x, and NetBSD 6.x

OpenBSD’s stateful packet filter, PF, is the heart of the OpenBSD firewall. With more and more services placing high demands on bandwidth and an increasingly hostile Internet environment, no sysadmin can afford to be without PF expertise.

The third edition of The Book of PF covers the most up-to-date developments in PF, including new content on IPv6, dual stack configurations, the “queues and priorities” traffic-shaping system, NAT and redirection, wireless networking, spam fighting, failover provisioning, logging, and more.

You’ll also learn how to:
• Create rule sets for all kinds of network traffic, whether crossing a simple LAN, hiding behind NAT, traversing DMZs, or spanning bridges or wider networks
• Set up wireless networks with access points, and lock them down using authpf and special access restrictions
• Maximize flexibility and service availability via CARP, relayd, and redirection
• Build adaptive firewalls to proactively defend against attackers and spammers
• Harness OpenBSD’s latest traffic-shaping system to keep your network responsive, and convert your existing ALTQ configurations to the new system
• Stay in control of your traffic with monitoring and visualization tools (including NetFlow)

The Book of PF is the essential guide to building a secure network with PF. With a little effort and this book, you’ll be well prepared to unlock PF’s full potential.

ABOUT THE AUTHOR

Peter N.M. Hansteen is a consultant, writer, and sysadmin based in Bergen, Norway. A longtime Freenix advocate, Hansteen is a frequent lecturer on OpenBSD and FreeBSD topics, an occasional contributor to BSD Magazine, and the author of an often-slashdotted blog (http://bsdly.blogspot.com/). Hansteen was a participant in the original RFC 1149 implementation team. The Book of PF is an expanded follow-up to his very popular online PF tutorial (http://home.nuug.no/~peter/pf/).

THE FINEST IN GEEK ENTERTAINMENT™
www.nostarch.com
“I LIE FLAT” This book uses a durable binding that won’t snap shut.
$34.95 ($36.95 CDN)
SHELVE IN: OPERATING SYSTEMS/UNIX

Praise for The Book of PF

“The definitive hardcopy guide to deployment and configuration of PF firewalls, written in clear, exacting style. Its coverage is outstanding.”
—Chad Perrin, Tech Republic

“This book is for everyone who uses PF. Regardless of operating system and skill level, this book will teach you something new and interesting.”
—BSD Magazine

“With Mr. Hansteen paying close attention to important topics like state inspection, SPAM, black/grey listing, and many others, this must-have reference for BSD users can go a long way to helping you fine-tune the who/what/where/when/how of access control on your BSD box.”
—InfoWorld

“A must-have resource for anyone who deals with firewall configurations. If you’ve heard good things about PF and have been thinking of giving it a go, this book is definitely for you. Start at the beginning and before you know it you’ll be through the book and quite the PF guru. Even if you’re already a PF guru, this is still a good book to keep on the shelf to refer to in thorny situations or to lend to colleagues.”
—Dru Lavigne, author of BSD Hacks and The Definitive Guide to PC-BSD

“The book is a great resource and has me eager to rewrite my aging rulesets.”
—;login:

“This book is a super easy read. I loved it! This book easily makes my Top Books list.”
—Daemon News

The Book of PF
3rd Edition
A No-Nonsense Guide to the OpenBSD Firewall
by Peter N.M. Hansteen
San Francisco

The Book of PF, 3rd Edition. Copyright © 2015 by Peter N.M. Hansteen.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

Printed in USA
First printing
18 17 16 15 14
ISBN-10: 1-59327-589-7
ISBN-13: 978-1-59327-589-1

Publisher: William Pollock
Production Editor: Serena Yang
Cover and Interior Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: Henning Brauer
Copyeditor: Julianne Jigour
Compositor: Susan Glinert Stevens
Proofreader: Paula L. Fleming
Indexer: BIM Indexing and Proofreading Services

For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 415.863.9900; info@nostarch.com
www.nostarch.com

The Library of Congress has catalogued the first edition as follows:
Hansteen, Peter N. M.
The book of PF : a no-nonsense guide to the OpenBSD firewall / Peter N.M. Hansteen.
p. cm.
Includes index.
ISBN-13: 978-1-59327-165-7
ISBN-10: 1-59327-165-4
OpenBSD (Electronic resource). TCP/IP (Computer network protocol). Firewalls (Computer security). I. Title.
TK5105.585.H385 2008
005.8 dc22
2007042929

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

To Gene Scharmann, who all those years ago nudged me in the direction of free software

Brief Contents

Foreword by Bob Beck (from the first edition)
Acknowledgments
Introduction
Chapter 1: Building the Network You Need
Chapter 2: PF Configuration Basics
Chapter 3: Into the Real World
Chapter 4: Wireless Networks Made Easy
Chapter 5: Bigger or Trickier Networks
Chapter 6: Turning the Tables for Proactive Defense
Chapter 7: Traffic Shaping with Queues and Priorities
Chapter 8: Redundancy and Resource Availability
Chapter 9: Logging, Monitoring, and Statistics
Chapter 10: Getting Your Setup Just Right
Appendix A: Resources
Appendix B: A Note on Hardware Support
Index

Contents in Detail

Foreword by Bob Beck (from the first edition)

Acknowledgments

Introduction
  This Is Not a HOWTO
  What This Book Covers

Building the Network You Need
  Your Network: High Performance, Low Maintenance, and Secure
  Where the Packet Filter Fits In
  The Rise of PF
  If You Came from Elsewhere
  Pointers for Linux Users
  Frequently Answered Questions About PF
  A Little Encouragement: A PF Haiku

PF Configuration Basics
  The First Step: Enabling PF
  Setting Up PF on OpenBSD
  Setting Up PF on FreeBSD
  Setting Up PF on NetBSD
  A Simple PF Rule Set: A Single, Stand-Alone Machine
  A Minimal Rule Set
  Testing the Rule Set
  Slightly Stricter: Using Lists and Macros for Readability
  A Stricter Baseline Rule Set
  Reloading the Rule Set and Looking for Errors
  Checking Your Rules
  Testing the Changed Rule Set
  Displaying Information About Your System
  Looking Ahead

Into the Real World
  A Simple Gateway
  Keep It Simple: Avoid the Pitfalls of in, out, and on
  Network Address Translation vs. IPv6
  Final Preparations: Defining Your Local Network
  Setting Up a Gateway
  Testing Your Rule Set

...

... with several other improvements since the second edition were adequate reason to start work on the third edition during the second half of 2013. Finally, during the process of turning the manuscript...

... to yet another kind of malicious software called a worm, a class of software that uses the network to propagate its payload. Along the way, the networked versions of various kinds of frauds

Date posted: 13/03/2019, 10:44
