Review Dæmon: Building Firewalls with OpenBSD and PF, 2nd ed.

reviewed by George Rosamond

Without question, OpenBSD's packet filter (pf) has leaped from strength to strength since its release with OpenBSD 3.0. What seemed to start out as a placeholder for IPF has become not only the premier open source firewall in terms of capabilities, but something that could only make your standard commercial firewall vendor shake in their smug boots.

A simultaneous trend has been a significant increase in the publication of BSD-related books. Sure, we've been graced with a variety of brilliant handbooks, FAQs and guides, not to mention the most readable manual pages in the UNIX world, but for many years, understandable publications for the BSD end user administrator were sorely lacking.

Jacek Artymiak's "Building Firewalls with OpenBSD and PF" (second edition, 2003, Poland) brilliantly asserts these two phenomena. Unable to strike a deal with any technical publishers, Jacek listened to the chorus of comments about his OnLamp.com articles and decided to become part of the current new BSD era.

I write "new BSD era" because it's quite convincing that we've entered one. You can now search Amazon.com, and have your listing include a good number of books published over the past year or so, including two from Michael Lucas.

Jacek's scope, however, is narrow in relation to the more common generalist "get into a BSD and start hacking a great OS." He has written this book to explain "how to build, configure, and manage IP packet firewalls using commodity hardware, the OpenBSD operating system, and Daniel Hartmeier's pf packet filter." (p. 5) It is a level of BSD specificity that technical publishers should be ready for.

Let's start with a look at the structure of the book, which covers not only the pf box itself but its role in a secure network too, and the additional pf enhancements that have developed since OpenBSD 3.0. This includes add-ons like authpf, which not only forces users to authenticate to the firewall but also allows rulesets to be defined by user, without the constraint of keeping a user tied to an IP address.

Possibly the funkiest enhancement to pf, for lack of a better term, is the Operating System Fingerprinting ability. Want to block a port to all remote clients except an OpenBSD box, say, for OpenSSH administration? Need to stop the latest Windows virus from DoS'ing your network as it hits SMTP port 25, carrying itself with all pre-Windows 2000 service pack 3 servers? OS Fingerprinting provides that. Jacek is quite simple in his presentation of this function, which is what the average pf firewall builder needs. He provides a handful of example rules for your /etc/pf.conf, and gives you what you need.

Like any good handbook for administrators or developers, "Building Firewalls with OpenBSD and PF" doesn't belabor points that aren't relevant. It's not necessary to go into the whys and history to practically apply the tools covered in this book.

For some, the striking aspect of this book may be its binding and material. The back cover has a bar code on it, and nothing more. It's not a McGraw-Hill grade book that will catch the eye of the average computer bookstore peruser. That's fine. There's an audience for this book that will and should be seeking this book out. And quite frankly, they are looking for substance, not pretty covers.

Jacek's contribution may be negligible to the technical publishing industry itself. I don't think he has an issue with that. You shouldn't either.

You can purchase "Building Firewalls with OpenBSD and PF" directly from OpenBSD. A portion of the $40/40€ price goes to assist OpenBSD. It's well worth the cost, particularly if Jacek continues to publish useful books like this.

Congratulations on a wonderful book; we wish you fruitful work and eagerly await further titles!