Contents (page numbers and, where given, the number of pages each section spans; rows whose heading was not captured keep only their page numbers)

Section | Page | Pages
--- | --- | ---
Foreword | xv |
Acknowledgments | xvii |
Introduction | xix |
| xx |
| xx |
1 Building the Network You Need | 1 | 10
  Your Network: High Performance, Low Maintenance, and Secure | 1 | 2
  Where the Packet Filter Fits In | 3 | 1
  | 3 | 3
  If You Came from Elsewhere | 6 | 3
  | 6 | 1
  Frequently Answered Questions About PF | 7 | 2
  A Little Encouragement: A PF Haiku | 9 | 2
2 PF Configuration Basics | 11 | 14
  The First Step: Enabling PF | 12 | 4
  | 12 | 1
  | 13 | 2
  | 15 | 1
  A Simple PF Rule Set: A Single, Stand-Alone Machine | 16 | 2
  | 16 | 2
  | 18 | 1
  Slightly Stricter: Using Lists and Macros for Readability | 18 | 4
  A Stricter Baseline Rule Set | 19 | 1
  Reloading the Rule Set and Looking for Errors | 20 | 1
  | 21 | 1
  Testing the Changed Rule Set | 22 | 1
  Displaying Information About Your System | 22 | 2
  | 24 | 1
3 Into the Real World | 25 | 20
  | 25 | 10
  Keep It Simple: Avoid the Pitfalls of in, out, and on | 26 | 1
  Network Address Translation vs. IPv6 | 27 | 2
  Final Preparations: Defining Your Local Network | 29 | 1
  | 29 | 5
  | 34 | 1
  | 35 | 2
  If We Must: ftp-proxy with Divert or Redirect | 36 | 1
  Variations on the ftp-proxy Setup | 37 | 1
  Making Your Network Troubleshooting-Friendly | 37 | 5
  Do We Let It All Through? | 38 | 1
  The Easy Way Out: The Buck Stops Here | 39 | 1
  | 39 | 1
  | 40 | 1
  | 40 | 2
  Tables Make Your Life Easier | 42 | 3
4 Wireless Networks Made Easy | 45 | 20
  A Little IEEE 802.11 Background | 46 | 19
  | 46 | 1
  | 47 | 1
  | 47 | 1
  The Right Hardware for the Task | 48 | 1
  Setting Up a Simple Wireless Network | 48 | 3
  An OpenBSD WPA Access Point | 51 | 1
  A FreeBSD WPA Access Point | 52 | 1
  The Access Point's PF Rule Set | 53 | 1
  Access Points with Three or More Interfaces | 54 | 1
  Handling IPSec, VPN Solutions | 55 | 1
  | 55 | 1
  | 56 | 2
  | 58 | 1
  Guarding Your Wireless Network with authpf | 59 | 1
  A Basic Authenticating Gateway | 60 | 2
  Wide Open but Actually Shut | 62 | 3
5 Bigger or Trickier Networks | 65 | 30
  A Web Server and Mail Server on the Inside: Routable IPv4 Addresses | 66 | 13
  A Degree of Separation: Introducing the DMZ | 70 | 2
  Sharing the Load: Redirecting to a Pool of Addresses | 72 | 1
  Getting Load Balancing Right with relayd | 73 | 6
  A Web Server and Mail Server on the Inside—The NAT Version | 79 | 5
  | 80 | 1
  Redirection for Load Balancing | 81 | 1
  Back to the Single NATed Network | 81 | 3
  Filtering on Interface Groups | 84 | 1
  | 85 | 1
  | 86 | 5
  Basic Bridge Setup on OpenBSD | 87 | 1
  Basic Bridge Setup on FreeBSD | 88 | 1
  Basic Bridge Setup on NetBSD | 89 | 1
  | 90 | 1
  Handling Nonroutable IPv4 Addresses from Elsewhere | 91 | 3
  Establishing Global Rules | 91 | 1
  Restructuring Your Rule Set with Anchors | 91 | 3
  How Complicated Is Your Network?—Revisited | 94 | 1
6 Turning the Tables for Proactive Defense | 95 | 22
  | 96 | 4
  | 96 | 1
  Setting Up an Adaptive Firewall | 97 | 2
  Tidying Your Tables with pfctl | 99 | 1
  Giving Spammers a Hard Time with spamd | 100 | 15
  Network-Level Behavior Analysis and Blacklisting | 100 | 4
  Greylisting: My Admin Told Me Not to Talk to Strangers | 104 | 4
  Tracking Your Real Mail Connections: spamlogd | 108 | 1
  | 109 | 2
  Managing Lists with spamdb | 111 | 2
  Detecting Out-of-Order MX Use | 113 | 1
  Handling Sites That Do Not Play Well with Greylisting | 113 | 2
  | 115 | 2
7 Traffic Shaping with Queues and Priorities | 117 | 30
  Always-On Priority and Queues for Traffic Shaping | 118 | 13
  Shaping by Setting Traffic Priorities | 119 | 2
  Introducing Queues for Bandwidth Allocation | 121 | 9
  Using Queues to Handle Unwanted Traffic | 130 | 1
  Transitioning from ALTQ to Priorities and Queues | 131 | 2
  Directing Traffic with ALTQ | 133 | 3
  | 134 | 1
  Queue Schedulers, aka Queue Disciplines | 134 | 1
  | 135 | 1
  | 136 | 9
  Using ALTQ Priority Queues to Improve Performance | 136 | 1
  Using a match Rule for Queue Assignment | 137 | 2
  Class-Based Bandwidth Allocation for Small Networks | 139 | 1
  A Basic HFSC Traffic Shaper | 140 | 2
  Queuing for Servers in a DMZ | 142 | 2
  Using ALTQ to Handle Unwanted Traffic | 144 | 1
  Conclusion: Traffic Shaping for Fun, and Perhaps Even Profit | 145 | 2
8 Redundancy and Resource Availability | 147 | 14
  Redundancy and Failover: CARP and pfsync | 148 | 13
  The Project Specification: A Redundant Pair of Gateways | 148 | 2
  | 150 | 4
  Keeping States Synchronized: Adding pfsync | 154 | 1
  Putting Together a Rule Set | 155 | 2
  | 157 | 4
9 Logging, Monitoring, and Statistics | 161 | 24
  | 162 | 21
  Logging the Packet's Path Through Your Rule Set: log (matches) | 164 | 1
  Logging All Packets: log (all) | 165 | 2
  Logging to Several pflog Interfaces | 167 | 1
  Logging to syslog, Local or Remote | 167 | 2
  Tracking Statistics for Each Rule with Labels | 169 | 2
  Additional Tools for PF Logs and Statistics | 171 | 1
  Keeping an Eye on Things with systat | 171 | 2
  Keeping an Eye on Things with pftop | 173 | 1
  Graphing Your Traffic with pfstat | 173 | 3
  Collecting NetFlow Data with pflow(4) | 176 | 6
  Collecting NetFlow Data with pfflowd | 182 | 1
  SNMP Tools and PF-Related SNMP MIBs | 182 | 1
  Log Data as the Basis for Effective Debugging | 183 | 2
10 Getting Your Setup Just Right | 185 | 16
  Things You Can Tweak and What You Probably Should Leave Alone | 185 | 8
  | 186 | 1
  | 187 | 1
  | 187 | 1
  | 188 | 1
  | 188 | 1
  | 189 | 1
  | 190 | 1
  | 191 | 1
  | 192 | 1
  | 192 | 1
  | 193 | 2
  Packet Normalization with scrub: OpenBSD 4.5 and Earlier | 193 | 1
  Packet Normalization with scrub: OpenBSD 4.6 Onward | 193 | 1
  Protecting Against Spoofing with antispoof | 194 | 1
  | 195 | 2
  | 197 | 2
  Know Your Network and Stay in Control | 199 | 2
A Resources | 201 | 6
  General Networking and BSD Resources on the Internet | 201 | 2
  Sample Configurations and Related Musings | 203 | 1
  | 204 | 1
  | 204 | 1
  Wireless Networking Resources | 205 | 1
  spamd and Greylisting-Related Resources | 205 | 1
  Book-Related Web Resources | 206 | 1
  Buy OpenBSD CDs and Donate! | 206 | 1
B A Note on Hardware Support | 207 | 4
  Getting the Right Hardware | 208 | 1
  Issues Facing Hardware Support Developers | 209 | 1
  How to Help the Hardware Support Efforts | 210 | 1
Index | 211 |