2014-11-05

Book review - The Book of PF 3rd Edition

PF has always been my "only" choice of firewall when I'm on OpenBSD or FreeBSD. My PF kung fu is just enough to use it as a host firewall, though. Recently I needed to level up my PF skills in order to use it on one of my hobby projects. This book came at the right time.

Since I'm using OpenBSD, the excellent manual & FAQ at www.openbsd.org would have what I needed. But the commercial offering (this book) illustrates PF differently and with many more working examples. This means my homework is mostly already done, leaving me to read and "realize" the knowledge. :)

This is a short summary of what I found interesting while reading this book:
Chapter 1:
  • a good read on the history of PF
Chapter 2:
  • configuring PF starts in this chapter
  • a minimal pf.conf makes it easier to understand what is needed to build a firewall
  • always use macros and lists to increase the readability of rules
Chapter 3:
  • keeping it simple & stupid (aka KISS), avoiding maintenance & debugging nightmares
  • ICMP myths debunked, and how to allow the necessary ICMP types to make our lives easier
Chapter 4:
  • combining PF and ssh yields profit in authentication, specifically using authpf
  • this also means a PF gateway can act as an authentication point for a network
Chapter 5:
  • what a DeMilitarised Zone (aka DMZ) is and how to set one up
  • load balancing PF boxes with the random and round-robin methods
  • introduction to relayd and how to apply load balancing with it
  • when relayd & PF work together, scaling isn't that complicated after all
Chapter 6:
  • drop that ssh brute-force traffic
  • how to punish spammers using spamd and PF
  • anti-spam with blacklists, whitelists and greylisting
Chapter 7:
  • the new queueing system explained
  • interesting read on how queueing and priority work
Chapter 8:
  • redundancy with CARP and pfsync
  • the CARP illustration is rather confusing, but a few more iterations get it sorted
  • load balancing revisited, this time with CARP
Chapter 9:
  • benefits of logging
  • useful examples on tcpdump, logging, statistics and graphing traffic
  • a must-read for netflow users
Chapter 10:
  • tuning and testing without going too deep
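As an added example (not taken from the book or from this review), here is a small pf.conf that puts the Chapter 2 advice on macros and lists together with the Chapter 3 and Chapter 6 points: allow only the ICMP types you need, and push ssh brute-force sources into an overload table. The interface name em0, the table name and the thresholds are assumptions; adjust them for your own host.

```pf
# Added example, not the book's own configuration. Interface, table name
# and thresholds are assumed values.
ext_if       = "em0"                     # assumed external interface
tcp_services = "{ ssh, http, https }"    # a list, so one rule covers all three
icmp_types   = "{ echoreq, unreach }"    # ping plus path MTU discovery

# Sources that trip the ssh rate limit land in this table; "persist" keeps
# it across rule reloads.
table <bruteforce> persist

set skip on lo

# Default deny, then permit only what is listed below. The block for
# <bruteforce> is "quick" so it wins over any later pass rule.
block all
block quick from <bruteforce>

pass out on $ext_if inet keep state

# Only the ICMP types named in the macro are accepted.
pass in on $ext_if inet proto icmp icmp-type $icmp_types

# Accept the listed services, but a source that holds more than 100
# connections, or opens more than 15 in 5 seconds, is added to
# <bruteforce> and all of its existing states are flushed.
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and expire stale table entries periodically (for example from cron) with `pfctl -t bruteforce -T expire 86400` so a legitimate client is not locked out forever.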

The book's contents are presented in a tutorial style, which makes it easy to read and follow. Its configuration examples are constructed in a hand-holding manner that anyone with minimal experience in PF can understand. Although I have prior experience with PF, there wasn't any problem skimming through the first few chapters and beginning to follow closely when a technical topic interested me.

Advice and gotchas throughout the book should save a beginner much time in trial and error. In fact, I consider them a gem of this book given the author's (Peter N. M. Hansteen) experience in this subject.

Surprisingly, the footnotes and the "Resources A" section have quite a number of good reads. I'll be spending more time digging up those recommended links.

Definitely a must-have for any PF beginner and for those who are in the midst of converting from ALTQ to the new queueing system. For others, it'll be a good read to spend a weekend with. Who knows, you might pick up a new thing or two for your hobby project.

*** Disclaimer: I got a complimentary review copy of this book from No Starch Press. Nothing else. I'm doing this review because I've always "stalked" Peter's blog (http://bsdly.blogspot.com) and find his technical experiences to be of interest to me.
