Security

The Book of PF is the canonical reference for the PF firewall

Chad Perrin takes a thorough look at the second edition of The Book of PF, a practical reference to the OpenBSD firewall. Find out what it offers and what it lacks.

Firewalls constitute a key component of any Internet-connected network's security strategy today, and have done so for a long time. That is true of individual desktop systems as well, though until MS Windows XP Service Pack 2 incorporated a default firewall into the OS, the majority of such system deployments failed to address that important factor in any reasonable security strategy. Microsoft's Windows Firewall provides minimal protection even for those who do not take any steps to secure their own systems, but real security requires personal attention to firewall software selection and configuration.

The standard firewall software for the OpenBSD operating system is called PF, which stands for Packet Filter. It is, appropriately enough, packet filtering firewall software. It is the favorite firewall software of a great many network administrators, not only on OpenBSD, but also on other BSD Unix flavors including FreeBSD.

You might have read about PF here in the past. The article "Using PF and ALTQ for QoS management" discussed quality of service assurance for networks using ALTQ with PF, and "Use firewall software like PF to protect your desktop systems" provided a simple start on desktop computer oriented PF configuration for FreeBSD.

Peter N. M. Hansteen is a long-time PF user who has gained something of a reputation for himself by giving presentations at conferences about effective PF configuration, and for writing an extensive introduction to PF configuration called Firewalling with OpenBSD's PF packet filter. It may be tempting to call it a how-to, but at the very beginning of the introduction, he says:

This document is not intended as a pre-cooked recipe for cutting and pasting.

Just to hammer this in, please repeat after me

The Pledge of the Network Admin

This is my network.

It is mine

or technically my employer's,

it is my responsibility

and I care for it with all my heart

there are many other networks a lot like mine,

but none are just like it.

I solemnly swear

that I will not mindlessly paste from HOWTOs.

Eventually, a lot of the material in Firewalling with OpenBSD's PF packet filter was expanded by Hansteen and published by No Starch Press as The Book of PF. The above statement encouraging people to avoid cut-and-past system administration is duplicated in the book, and sets the tone for the entire text.

The first edition of Hansteen's book, published in 2007, has been on my shelf since it was new. To say that it was the best book about PF on the market would be redundant, given that it was the only widely published, current book specifically about PF itself (given that Building Firewalls with OpenBSD and PF dates back to 2003), especially for users of operating systems other than OpenBSD. Even if it was a mediocre offering, it would still be the best available. Far from mediocre, however, it is the definitive hardcopy guide to deployment and configuration of PF firewalls, written in clear, exacting style. Its coverage is outstanding as a familiarization with PF, and what it says on the cover is no false advertising:

A no-nonsense guide to the OpenBSD firewall

PF has evolved since 2007, and some of what was in The Book of PF is getting a bit dated. Peter Hansteen addressed the problem by updating it for a second edition printing. He contacted me as a writer who has had some positive things to say about BSD Unix systems in the past and offered me a copy of the second edition, giving me the choice between an early copy and one he signed. I opted for the latter and, in the midst of the rest of the reading I do, I managed to find the time to go through it in some detail.

Updates

Among the updates incorporated in the second edition are the major changes to PF in OpenBSD 4.7 and the addition of pflow. Hansteen's attention to detail includes information about PF on FreeBSD and NetBSD, which are slightly different animals than the OpenBSD version of the firewall software. Saying that my experience with PF on NetBSD is minimal might be overstating my expertise, but the second edition of this book has already proved instructive and invaluable for me as a FreeBSD user; its treatment of the software on my current platform of choice is excellent.

The text focuses on information that does not change from one day to the next, laying a strong foundation for understanding the software now and in the future, rather than wasting time indoctrinating the reader in the ephemeral notions of the present. Getting the most out of the book requires some hands-on work; learn by doing, and not merely by trying to memorize. Hansteen's approach does not try to obscure that fact, but rather provides you with the tools needed to not only learn by doing, but expand on a basis of understanding that the book can provide.

Many security-conscious readers may disagree with some of Hansteen's perspectives on security as a whole — such as greylisting and blanket sudo usage — but there is no faulting the effort to impart knowledge to the reader that will stand us in good stead when deploying and maintaining PF firewalls of our own.

Flaws

If there is a flaw in the book, it is its tendency to only skim past certain terms and functionalities of PF, where the reader is expected to look up the specifics for himself or herself. For example, in the section on access points with three or more interfaces on page 50 of the second edition, an example configuration rule for PF versions prior to OpenBSD 4.7 uses the static-port option, but the text fails to explain what man pf.conf will tell you:

 static‐port

With nat rules, the static‐port option prevents pf(4) from modify‐

ing the source port on TCP and UDP packets.

There are a number of such omissions, though it has not proven difficult to cover for the them by way of the documentation that comes with the PF software. For the most part, the brevity of the book is good, in that it consciously avoids repeating what can be found in the manpages and the official PF User's Guide (which is also available from links on the OpenBSD FAQ page in PDF and text file formats). Occasionally, something falls through the cracks that could have benefited from a little bit more elucidation, though.

Ultimately, The Book of PF was not allotted enough pages to be a truly comprehensive reference, and should be used in concert with the online documentation that comes with PF and the User's Guide rather than purely as a stand-alone work. The manner in which it is written is clearly intended to put the capabilities of PF in a practical context, and to convey to the reader how to think in the language of PF; in that role, it excels. For that reason, it is a great tutorial not only for people who plan to work with PF directly, but also for those who plan to deploy or maintain "user friendly" front-ends such as pfSense, because it can give them an understanding of the foundation of that software that will teach them about the implications of their decisions.

The Book of PF is available in the distinctive paperback hardcopy format of No Starch Press technical books, and in a number of electronic formats directly from the No Starch Press Website, including PDF, Mobi, and ePub for about half the price of the hardcopy. Regardless of how you get it, though, it is a must-have text for anyone deploying and maintaining PF firewalls — even if only on your personal computer.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks