Since I'm using OpenBSD, the excellent manual & FAQ at www.openbsd.org would have what I needed. But the commercial offering (of this book) illustrated PF differently and with much more working examples. This means my homework is already done mostly, leaving me to read and "realized" the knowledge. :)
This is a short summary on what I found interesting while reading this book:
- a good read on history of PF
- configuring PF starts in this chapter
- a minimum pf.conf makes understanding what is needed to build a firewall easier
- always use macros and list to increase readability of rules
- keeping it simple & stupid (aka KISS), avoid maintenance & debug nightmares
- ICMP myths debunk and how to allow necessary ICMP types to make our life easier
- combining PF and ssh yields profit in authentication, specifically using authpf
- this also means a PF gateway can act as an authentication point of a network
- what and how to setup a DeMilitarised Zone (aka DMZ)
- load balancing PF boxes with random and round-robin method
- introduction to relayd and how to apply load balancing with it
- when relayd & PF working together, scaling wasn't that complicated after all
- drop those ssh bruteforce traffic
- how to punish spammer using spamd and PF
- anti-spam with blacklist, whitelist and greylisting
- the new queueing system explained
- interesting read on how queueing and priority works
- redundancy with CARP and pfsync
- CARP illustration is rather confusing but a few more iteration gets it sorted
- load balancing re-visit, this time with CARP
- benefits of logging
- useful examples on tcpdump, logging, statistic and graphing traffic
- netflow users must read
- tuning and testing without going too deep
The book contents is presented in a tutorial style which make it easy to read and follow. Its configuration examples was constructed in a hand-held manner that anyone with minimum experience in PF can understand it. Although I have prior experience in PF, there wasn't any problem skimming through the first few chapters and begin following when the technical topic interests me.
Advice and gotchas through out the book should saves a beginner much time from trial and error. In fact, I consider it a gem of this book given the author (Peter N. M. Hansteen) experiences in this subject.
Surprisingly, the footnotes and "Resources A" section has quite a number of good reads. I'll be spending more time digging up those recommended links.
Definitely a must have for any PF beginner and those who are in the mid of converting ALTQ to the new queueing system. For others, it'll be a good read for spending a weekend with it. Who knows, you might pick up a new thing or two for your hobby project.
*** Disclaimer, I got a complementary review copy of this book from No Starch Press. Nothing else. I'm doing this review because I've always "stalk" Peter's blog (http://bsdly.blogspot.com) and find his technical experiences is of my interest.