THE BOOK OF PF, 2ND EDITION
A NO-NONSENSE GUIDE TO THE OPENBSD FIREWALL
PETER N.M. HANSTEEN
Covers OpenBSD 4.8, FreeBSD 8.1, and NetBSD 5

BUILD A MORE SECURE NETWORK WITH PF

OpenBSD’s stateful packet filter, PF, is the heart of the OpenBSD firewall and a necessity for any admin working in a BSD environment. With a little effort and this book, you’ll gain the insight needed to unlock PF’s full potential.

This second edition of The Book of PF has been completely updated and revised. Based on Peter N.M. Hansteen’s popular PF website and conference tutorials, this no-nonsense guide covers NAT and redirection, wireless networking, spam fighting, failover provisioning, logging, and more. Throughout the book, Hansteen emphasizes the importance of staying in control with a written network specification, keeping rule sets readable using macros, and performing rigid testing when loading new rules.

The Book of PF tackles a broad range of topics that will stimulate your mind and pad your resume, including how to:

• Create rule sets for all kinds of network traffic, whether it’s crossing a simple LAN, hiding behind NAT, traversing DMZs, or spanning bridges or wider networks
• Create wireless networks with access points, and lock them down with authpf and special access restrictions
• Maximize flexibility and service availability via CARP, relayd, and redirection
• Create adaptive firewalls to proactively defend against would-be attackers and spammers
• Implement traffic shaping and queues with ALTQ (priq, cbq, or hfsc) to keep your network responsive
• Master your logs with monitoring and visualization tools (including NetFlow)

The Book of PF is for BSD enthusiasts and network administrators at any skill level. With more and more services placing high demands on bandwidth and an increasingly hostile Internet environment, you can’t afford to be without PF expertise.

ABOUT THE AUTHOR

Peter N.M. Hansteen is a consultant, writer, and sysadmin based in Bergen, Norway. A longtime Freenix advocate, Hansteen is a frequent lecturer on OpenBSD and FreeBSD topics, an occasional contributor to BSD Magazine, and one of the original members of the RFC 1149 implementation team. He writes a frequently slashdotted blog (http://bsdly.blogspot.com/) and is the author of the highly regarded PF tutorial (http://home.nuug.no/~peter/pf/).

THE FINEST IN GEEK ENTERTAINMENT™
www.nostarch.com
$29.95 ($34.95 CDN)
SHELVE IN: OPERATING SYSTEMS/UNIX
“I LIE FLAT.” This book uses a lay-flat binding that won’t snap shut.

PRAISE FOR THE FIRST EDITION OF THE BOOK OF PF

“This book is for everyone who uses PF. Regardless of operating system and skill level, this book will teach you something new and interesting.”
—BSD MAGAZINE

“With Mr. Hansteen paying close attention to important topics like state inspection, SPAM, black/grey listing, and many others, this must-have reference for BSD users can go a long way to helping you fine tune the who/what/where/when/how of access control on your BSD box.”
—INFOWORLD

“A must-have resource for anyone who deals with firewall configurations. If you’ve heard good things about PF and have been thinking of giving it a go, this book is definitely for you. Start at the beginning and before you know it you’ll be through the book and quite the PF guru. Even if you’re already a PF guru, this is still a good book to keep on the shelf to refer to in thorny situations or to lend to colleagues.”
—DRU LAVIGNE, TECH WRITER

“The book is a great resource and has me eager to rewrite my aging rulesets.”
—;LOGIN:

“This book is a super-easy read. I loved it! This book easily makes my Top 5 Book list.”
—DAEMON NEWS

THE BOOK OF PF™
2ND EDITION
A NO-NONSENSE GUIDE TO THE OPENBSD FIREWALL
by Peter N.M. Hansteen
San Francisco

THE BOOK OF PF, 2ND EDITION. Copyright © 2011 by Peter N.M. Hansteen.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

14 13 12 11 10   1 2 3 4 5 6 7 8 9

ISBN-10: 1-59327-274-X
ISBN-13: 978-1-59327-274-6

Publisher: William Pollock
Production Editors: Ansel Staton and Serena Yang
Cover and Interior Design: Octopod Studios
Developmental Editor: William Pollock
Technical Reviewer: Henning Brauer
Copyeditor: Marilyn Smith
Compositors: Riley Hoffman and Ansel Staton
Proofreader: Linda Seifert
Indexer: Valerie Haynes Perry

For information on book distributors or translations, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
38 Ringold Street, San Francisco, CA 94103
phone: 415.863.9900; fax: 415.863.9950; [email protected]; www.nostarch.com

The Library of Congress has cataloged the first edition as follows:
Hansteen, Peter N. M.
The book of PF : a no-nonsense guide to the OpenBSD firewall / Peter N.M. Hansteen.
p. cm.
Includes index.
ISBN-13: 978-1-59327-165-7
ISBN-10: 1-59327-165-4
1. OpenBSD (Electronic resource) 2. TCP/IP (Computer network protocol) 3. Firewalls (Computer security) I. Title.
TK5105.585.H385 2008
005.8--dc22
2007042929

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners.
Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

To Gene Scharmann, who all those years ago nudged me in the direction of free software

BRIEF CONTENTS

Foreword by Bob Beck (from the first edition) ........ xiii
Acknowledgments ........ xv
Introduction ........ xvii
Chapter 1: Building the Network You Need ........ 1
Chapter 2: PF Configuration Basics ........ 11
Chapter 3: Into the Real World ........ 25
Chapter 4: Wireless Networks Made Easy ........ 41
Chapter 5: Bigger or Trickier Networks ........ 59
Chapter 6: Turning the Tables for Proactive Defense ........ 85
Chapter 7: Queues, Shaping, and Redundancy ........ 105
Chapter 8: Logging, Monitoring, and Statistics ........ 131
Chapter 9: Getting Your Setup Just Right ........ 151
Appendix A: Resources ........ 167
Appendix B: A Note on Hardware Support ........ 173
Index ........ 177