Section | Page | Pages
Foreword | xi |
Preface | xiii |
About the Book and Thanks | xiv |
If You Came from Elsewhere | xvi |
PF looks really cool. Can I run PF on my Linux machine? | xvi |
I know some Linux, but I need to learn some BSD. Any pointers? | xvi |
Can you recommend a GUI tool for managing my PF rule set? | xvii |
Is there a tool I can use to convert my OtherProduct® setup to a PF configuration? | xviii |
Where can I find out more? | xviii |
A Little Encouragement: A PF Haiku | xix |
 | 1 | 6
Packet Filter? Firewall? A Few Important Terms Explained | 3 | 1
Network Address Translation | 3 | 3
Why the Internet Lives on a Few White Lies | 4 | 1
Internet Protocol, Version 6 on the Far Horizon | 4 | 1
The Temporary Masquerade Solution Called NAT | 5 | 1
 | 6 | 1
 | 7 | 10
Simplest Possible PF Setup on OpenBSD | 8 | 1
Simplest Possible PF Setup on FreeBSD | 9 | 1
Simplest Possible PF Setup on NetBSD | 10 | 1
First Rule Set---A Single, Stand-Alone Machine | 11 | 2
Slightly Stricter, with Lists and Macros | 13 | 2
 | 15 | 2
 | 17 | 16
A Simple Gateway, NAT If You Need It | 17 | 7
Gateways and the Pitfalls of in, out, and on | 18 | 1
What Is Your Local Network, Anyway? | 19 | 1
 | 19 | 4
 | 23 | 1
 | 24 | 1
FTP Through NAT: ftp-proxy | 25 | 3
FTP, PF, and Routable Addresses: ftpsesame, pftpx, and ftp-proxy | 26 | 1
 | 26 | 2
Making Your Network Troubleshooting Friendly | 28 | 3
Then, Do We Let It All Through? | 28 | 1
The Easy Way Out: The Buck Stops Here | 29 | 1
 | 29 | 1
 | 29 | 1
 | 30 | 1
Tables Make Your Life Easier | 31 | 2
Wireless Networks Made Easy | 33 | 12
A Little IEEE 802.11 Background | 33 | 3
 | 34 | 1
 | 35 | 1
 | 35 | 1
Picking the Right Hardware for the Task | 35 | 1
Setting Up a Simple Wireless Network | 36 | 4
The Access Point's PF Rule Set | 38 | 1
If Your Access Point Has Three or More Interfaces | 38 | 1
Handling IPsec, VPN Solutions | 39 | 1
 | 40 | 1
Guarding Your Wireless Network with authpf | 40 | 5
A Basic Authenticating Gateway | 41 | 2
Wide Open but Actually Shut | 43 | 2
Bigger or Trickier Networks | 45 | 22
When Others Need Something in Your Network: Filtering Services | 45 | 12
A Webserver and a Mail Server on the Inside---Routable Addresses | 46 | 5
Getting Load Balancing Right with hoststated | 51 | 5
A Webserver and a Mail Server on the Inside---The NAT Version | 56 | 1
Back to the Single NATed Network | 57 | 3
Filtering on Interface Groups | 59 | 1
 | 60 | 1
 | 61 | 4
Basic Bridge Setup on OpenBSD | 61 | 1
Basic Bridge Setup on FreeBSD | 62 | 1
Basic Bridge Setup on NetBSD | 63 | 1
 | 64 | 1
Handling Nonroutable Addresses from Elsewhere | 65 | 2
Turning the Tables for Proactive Defense | 67 | 20
 | 68 | 3
You May Not Need to Block All of Your Overloaders | 70 | 1
Tidying Your Tables with pfctl | 70 | 1
The Forerunner: expiretable | 71 | 1
Giving Spammers a Hard Time with spamd | 71 | 16
Remember, You Are Not Alone: Blacklisting | 72 | 3
Greylisting: My Admin Told Me Not to Talk to Strangers | 75 | 3
Some Highlights of Day-to-Day spamd Use | 78 | 5
Handling Sites That Do Not Play Well with Greylisting | 83 | 1
Conclusions from Our spamd Experience | 84 | 3
Queues, Shaping, and Redundancy | 87 | 20
Directing Traffic with ALTQ | 87 | 10
 | 88 | 1
Queue Schedulers, aka Queue Disciplines | 88 | 1
 | 89 | 2
Understanding Priority-Based Queues (priq) | 91 | 2
Class-Based Bandwidth Allocation for Small Networks (cbq) | 93 | 1
Queuing for Servers in a DMZ | 94 | 2
Using ALTQ to Handle Unwanted Traffic | 96 | 1
Redundancy and Failover: CARP and pfsync | 97 | 10
The Project Specification: A Redundant Pair of Gateways | 98 | 2
Setting Up CARP: Kernel Options, sysctl, and ifconfig Commands | 100 | 3
Keeping States Synced: Adding pfsync | 103 | 1
Putting Together a Rule Set | 104 | 3
Logging, Monitoring, and Statistics | 107 | 14
 | 108 | 7
Logging All Packets: log (all) | 110 | 1
Logging to Several pflog Interfaces | 111 | 1
Logging to syslog, Local or Remote | 112 | 1
Tracking Statistics for Each Rule with Labels | 113 | 2
Some Additional Tools for PF Logs and Statistics | 115 | 4
Keeping an Eye on Things with pftop | 115 | 1
Graphing Your Traffic with pfstat | 116 | 2
Collecting NetFlow Data with pfflowd | 118 | 1
SNMP Tools and PF-Related SNMP MIBs | 118 | 1
Remember, Useful Log Data Is the Basis for Effective Debugging | 119 | 2
Getting Your Setup Just Right | 121 | 14
The Things You Can Tweak and What You Probably Should Leave Alone | 121 | 6
 | 122 | 1
 | 123 | 1
 | 123 | 1
 | 123 | 2
 | 125 | 1
 | 126 | 1
 | 126 | 1
 | 127 | 1
Cleaning Up Your Traffic: scrub and antispoof | 127 | 2
 | 128 | 1
 | 128 | 1
 | 129 | 2
 | 131 | 2
Know Your Network, Stay in Control | 133 | 2
 | 135 | 6
General Networking and BSD Resources on the Internet | 136 | 1
Sample Configurations and Related Musings | 137 | 1
 | 138 | 1
 | 138 | 1
Wireless Networking Resources | 139 | 1
spamd and Greylisting-Related Resources | 139 | 1
Book-Related Web Resources | 139 | 1
If You Enjoyed This Book, Buy OpenBSD CDs and Donate! | 140 | 1
B. A NOTE ON HARDWARE SUPPORT | 141 | 6
A Case in Point: The Story of a Small Wireless Network | 142 | 1
Getting the Right Hardware | 143 | 1
Issues Facing Hardware-Support Developers | 144 | 1
How to Help the Hardware-Support Efforts | 144 | 3
Index | 147 |