Book Review: The Book of PF

The Book of PFThe Book of PF: A No-Nonsense Guide to the OpenBSD Firewall (2nd Edition)
Author: Peter N.M. Hansteen
Publisher: No Starch Press
Publishing Date: November 19, 2010 (2nd Edition)
216 pages (paperback edition)

Book Review

In all my years in IT, I have read a number of computer books, but relatively few of these books I would count as indispensible. For C/C++, there was the elegantly written C Programming Language book written by Kernighan and Ritchie. When I learned Windows programming, Programming Windows® by Charles Petzold proved to be an invaluable resource. Around 1995-96 when I became interested in Java, I used one of the O’Reilly books as my tutorial. Some of the O’Reilly books (as well as ones produced by Sams Publishing) were invaluable in providing some of my initial education in Linux in the 1990s. So when I came across The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall by Peter N.M. Hansteen (2nd Edition, No Starch Press, 2010), I was curious to see how it would measure up.

As it turned out, The Book of PF is a worthwhile read, and for those seeking a more detailed understanding of PF, it should prove quite useful. The book is not a cookbook, as the author states fairly explicitly in the introduction. Thus it does not contain a series of how-to instruction sets; nonetheless, those with little knowledge of pf need not fear, as Hansteen starts with simple concepts and builds on these concepts in subsequent chapters. In this way, he is able to progress from very simple PF rule sets (e.g. block all outside traffic except the ports that need to be open, and only the protocols that are needed) sets to somewhat more involved rule sets (ones for networks that run SSH, FTP, and e-mail services), to even more complex rule sets that start to approximate real world scenarios. It also stresses the importance of making rule sets that are as granular as possible so as to allow only the traffic you really want. I like Hansteen’s attitude as well: he challenges readers not to cut and paste rule sets, but to think for themselves, and he also seems to disdain what he considers overly prophylactic policies such as blocking ping and traceroute. The book will also be a good guide for those who want to effectively protect their networks using such services as synproxy, relayd (for expiring nonfunctional hosts from a load balancing pool), and spamd (for blocking spam).

For those techies who only want to learn about pfSense, there are other books. If you just want to know the basics about how to configure your pfSense box, there’s the pfSense 2 Cookbook by Matt Williamson. If you want a more comprehensive explanation of pfSense’s features, pfSense: The Definitive Guide by Christopher M. Buechler (one of the co-founders of pfSense), Jim Pingle and Michael W. Lucas is likely the book for you. But for the network tech or admin who does not mind working primarily at the command line and editing rule sets manually, “The Book of PF” is a potentially valuable guide. Whether or not its worth your time to understand the nuances of pf is a cost-benefit analysis you will have to make yourself. But you will gain a greater degree of control you could ever hope to have working with the pfSense user interface alone. For example, take the problem of SSH brute force attacks. pfSense allows you to set a maximum number of connections per second, and you can block an IP address or a range of IP addresses. But as far as I know, pfSense does not enable you to set a maximum connection rate and add an IP address to a table of blocked IP addresses if it exceeds the rate. pf makes this possible, and this book shows you how. And this is just one example of how this book demonstrates how you can fine-tune your firewall’s settings; there are many other such instances.

For those really wanting to acquire an in-depth knowledge of pf, BSD and networking in general, Hansteen has included a list of resources as the first appendix to the book. Needless to say, it is chock full of helpful links and contains a bibliography which should provide a good starting point for anyone whose interest in BSD has been piqued.

In conclusion, The Book of PF is not for everyone, but if you are serious about network security, it can potentially be a useful guide. Not only will you be able to customize your firewall rules to meet your requirements, a working knowledge of pf is arguably even more valuable in the long term than a working knowledge of pfSense. pfSense superseded m0n0wall as the firewall/router of choice among many network security experts and will likely be superseded itself someday. pf may or may not be replaced as the primary packet filter for BSD users, but even if it is, my guess is that the structure of the rules will likely be similar, so if you have a good knowledge of pf, the learning curve should not be that steep. As the only in-depth book on pf, The Book of PF is recommended for anyone who wants to gain a better understanding of OpenBSD’s packet filtering engine.

External Links:

The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall at Amazon

Be Sociable, Share!

Speak Your Mind


© 2013 David Zientara. All rights reserved. Privacy Policy