Review: The OpenBSD PF Packet Filter Book: PF for NetBSD, FreeBSD, DragonFly, and OpenBSD
by Mikel King <mikel.king@techally.com>
First of all, do not be put off by this book’s lack of size. Its concise 193 pages contain a wealth of information specific to PF and related systems. More importantly, the material is NOT unique to OpenBSD; in fact, Jeremy has gone to great lengths to include the other major BSD varieties like Free, Net and DragonFly. Although one can argue that this book is largely just a collection of documentation culled from the OpenBSD PF FAQ as well as other sources already available throughout the web, it is important to note that it is in actuality more of a community effort that led to the development of the NetBSD-specific web pages as well as the entire chapter on spamd. What is unique to this book is that it encompasses all of those distinct entities, homogenizing them into one compact text with notes interjected throughout by the editor.

As anyone who has ever been under the pressure of a client looming over their shoulder continually asking, “How long until I get my email back?” will tell you, when the main connection to the internet is down all the web pages in the world will not do you an ounce of good. With a concise book like this in your library, you should be able to overcome most firewall troubles. This is an invaluable text to keep at one’s side.

One of the main features I particularly enjoyed is the comparative notes interjected by Mr. Reed as he progresses through the installation and setup of each component. It was nice to read things like: if you are installing PF on FreeBSD you will need to do it this way, as opposed to the way it would be done on, say, Net or DragonFly, for instance. This kind of commentary is particularly invaluable to system planners who would need to evaluate the consequences of selecting one platform over another, even if that other happens to be a different BSD.

The later sections include chapters dealing with advanced subjects like FTP, AuthPF, spamd and CARP to function with PF.
While FTP and spamd should be rather self-explanatory, AuthPF and CARP are more likely to seem mystical to the uninitiated. Well, AuthPF is a semi built-in mechanism for requiring a user to successfully authenticate to the gateway prior to the gateway routing his/her traffic. An example of this would be a hospitality network, where you need to enter a username and password or even purchase a day pass credential to use the network. The Common Address Redundancy Protocol, or CARP as it is more commonly known, supports both IPv4 and IPv6 address sharing between multiple hosts on the same network segment. Basically it is an Open and Free alternative to other proprietary solutions like VRRP (Virtual Router Redundancy Protocol) and HSRP (Hot Standby Router Protocol). Fortunately, once again the editor continues with his commentary to aid in the installation and proper setup of such advanced features under the other BSDs.

The only problem with a book of this nature is that the information may become stale and outdated faster than one can assimilate it. However, the spirit of the text and the conceptual knowledge that it conveys stand on their own. Ultimately this book is, in my opinion, a must-have for your NOC library, and should prove an invaluable tool for maintaining such systems.

Mikel King has been the CIO of Tech Alliance, formerly Optimized Computer Solutions, for almost ten years, and has built his NOC on deploying FreeBSD since version 2.7. He commutes 2 hours to NYC each way, and uses that travel time to write these sorts of articles while consuming extreme amounts of coffee.