
The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall PDF

250 Pages·2014·4.988 MB·English

Preview The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall

THE BOOK OF PF, 3RD EDITION
A No-Nonsense Guide to the OpenBSD Firewall
Peter N.M. Hansteen

Covers OpenBSD 5.6, FreeBSD 10.x, and NetBSD 6.x

BUILD A MORE SECURE NETWORK WITH PF

OpenBSD's stateful packet filter, PF, is the heart of the OpenBSD firewall. With more and more services placing high demands on bandwidth and an increasingly hostile Internet environment, no sysadmin can afford to be without PF expertise.

The third edition of The Book of PF covers the most up-to-date developments in PF, including new content on IPv6, dual stack configurations, the "queues and priorities" traffic-shaping system, NAT and redirection, wireless networking, spam fighting, failover provisioning, logging, and more. You'll also learn how to:

• Create rule sets for all kinds of network traffic, whether crossing a simple LAN, hiding behind NAT, traversing DMZs, or spanning bridges or wider networks
• Set up wireless networks with access points, and lock them down using authpf and special access restrictions
• Maximize flexibility and service availability via CARP, relayd, and redirection
• Build adaptive firewalls to proactively defend against attackers and spammers
• Harness OpenBSD's latest traffic-shaping system to keep your network responsive, and convert your existing ALTQ configurations to the new system
• Stay in control of your traffic with monitoring and visualization tools (including NetFlow)

The Book of PF is the essential guide to building a secure network with PF. With a little effort and this book, you'll be well prepared to unlock PF's full potential.

ABOUT THE AUTHOR

Peter N.M. Hansteen is a consultant, writer, and sysadmin based in Bergen, Norway. A longtime Freenix advocate, Hansteen is a frequent lecturer on OpenBSD and FreeBSD topics, an occasional contributor to BSD Magazine, and the author of an often-slashdotted blog (http://bsdly.blogspot.com/). Hansteen was a participant in the original RFC 1149 implementation team. The Book of PF is an expanded follow-up to his very popular online PF tutorial (http://home.nuug.no/~peter/pf/).

THE FINEST IN GEEK ENTERTAINMENT™
www.nostarch.com
$34.95 ($36.95 CDN)
SHELVE IN: OPERATING SYSTEMS/UNIX
"I LIE FLAT." This book uses a durable binding that won't snap shut.

Praise for The Book of PF

"The definitive hardcopy guide to deployment and configuration of PF firewalls, written in clear, exacting style. Its coverage is outstanding." —Chad Perrin, TechRepublic

"This book is for everyone who uses PF. Regardless of operating system and skill level, this book will teach you something new and interesting." —BSD Magazine

"With Mr. Hansteen paying close attention to important topics like state inspection, SPAM, black/grey listing, and many others, this must-have reference for BSD users can go a long way to helping you fine-tune the who/what/where/when/how of access control on your BSD box." —InfoWorld

"A must-have resource for anyone who deals with firewall configurations. If you've heard good things about PF and have been thinking of giving it a go, this book is definitely for you. Start at the beginning and before you know it you'll be through the book and quite the PF guru. Even if you're already a PF guru, this is still a good book to keep on the shelf to refer to in thorny situations or to lend to colleagues." —Dru Lavigne, author of BSD Hacks and The Definitive Guide to PC-BSD

"The book is a great resource and has me eager to rewrite my aging rulesets." —;login:

"This book is a super easy read. I loved it! This book easily makes my Top 5 Books list." —Daemon News

The Book of PF, 3rd Edition
A No-Nonsense Guide to the OpenBSD Firewall
by Peter N.M. Hansteen
San Francisco

The Book of PF, 3rd Edition. Copyright © 2015 by Peter N.M. Hansteen.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

Printed in USA

First printing
18 17 16 15 14   1 2 3 4 5 6 7 8 9

ISBN-10: 1-59327-589-7
ISBN-13: 978-1-59327-589-1

Publisher: William Pollock
Production Editor: Serena Yang
Cover and Interior Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: Henning Brauer
Copyeditor: Julianne Jigour
Compositor: Susan Glinert Stevens
Proofreader: Paula L. Fleming
Indexer: BIM Indexing and Proofreading Services

For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 415.863.9900; [email protected]
www.nostarch.com

The Library of Congress has catalogued the first edition as follows:

Hansteen, Peter N. M.
  The book of PF : a no-nonsense guide to the OpenBSD firewall / Peter N.M. Hansteen.
    p. cm.
  Includes index.
  ISBN-13: 978-1-59327-165-7
  ISBN-10: 1-59327-165-4
  1. OpenBSD (Electronic resource) 2. TCP/IP (Computer network protocol) 3. Firewalls (Computer security) I. Title.
  TK5105.585.H385 2008
  005.8--dc22
  2007042929

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

To Gene Scharmann, who all those years ago nudged me in the direction of free software

BRIEF CONTENTS

Foreword by Bob Beck (from the first edition) ... xv
Acknowledgments ... xvii
Introduction ... xix
Chapter 1: Building the Network You Need ... 1
Chapter 2: PF Configuration Basics ... 11
Chapter 3: Into the Real World ... 25
Chapter 4: Wireless Networks Made Easy ... 45
Chapter 5: Bigger or Trickier Networks ... 65
Chapter 6: Turning the Tables for Proactive Defense ... 95
Chapter 7: Traffic Shaping with Queues and Priorities ... 117
Chapter 8: Redundancy and Resource Availability ... 147
Chapter 9: Logging, Monitoring, and Statistics ... 161
Chapter 10: Getting Your Setup Just Right ... 185
Appendix A: Resources ... 201
Appendix B: A Note on Hardware Support ... 207
Index ... 211

CONTENTS IN DETAIL

Foreword by Bob Beck (from the first edition) ... xv

Acknowledgments ... xvii

Introduction ... xix
  This Is Not a HOWTO ... xx
  What This Book Covers ... xx

1 Building the Network You Need ... 1
  Your Network: High Performance, Low Maintenance, and Secure ... 1
  Where the Packet Filter Fits In ... 3
  The Rise of PF ... 3
  If You Came from Elsewhere ... 6
    Pointers for Linux Users ... 6
    Frequently Answered Questions About PF ... 7
  A Little Encouragement: A PF Haiku ... 9

2 PF Configuration Basics ... 11
  The First Step: Enabling PF ... 12
    Setting Up PF on OpenBSD ... 12
    Setting Up PF on FreeBSD ... 13
    Setting Up PF on NetBSD ... 15
  A Simple PF Rule Set: A Single, Stand-Alone Machine ... 16
    A Minimal Rule Set ... 16
    Testing the Rule Set ... 18
  Slightly Stricter: Using Lists and Macros for Readability ... 18
    A Stricter Baseline Rule Set ... 19
    Reloading the Rule Set and Looking for Errors ... 20
    Checking Your Rules ... 21
    Testing the Changed Rule Set ... 22
  Displaying Information About Your System ... 22
  Looking Ahead ... 24

3 Into the Real World ... 25
  A Simple Gateway ... 25
    Keep It Simple: Avoid the Pitfalls of in, out, and on ... 26
    Network Address Translation vs. IPv6 ... 27
    Final Preparations: Defining Your Local Network ... 29
    Setting Up a Gateway ... 29
    Testing Your Rule Set ... 34


