11 of 12 people found the following review helpful:
5.0 out of 5 stars
Great book of PF without endless details, January 24, 2008
This review is from: The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall (Paperback)
Biased review ahead
This review is going to be biased. First of all I love OpenBSD, I love PF and I have meet Peter who is a nice guy to talk to.
But we are getting ahead here. This book is obviously about PF, what is that? PF is the Packet Filter developed for OpenBSD and then ported to several other BSD systems. PF is a modern firewall system which performs great, like many others, but which has a built-in language which makes it very easy to understand the ruleset and create a better firewall.
Note:
To be fair the filtering language of PF was in the first versions very similar to the IP Filter by Darren Reed. Credit goes to him for making IP Filter in the first place, I learnt a lot about firewalls from using it. As explained in the book PF was actually the child of need when IP Filter was removed from OpenBSD.
So PF was invented and at some time Peter Hansteen wrote his famous web page "Firewalling with OpenBSD's PF packet filter". From this source he has then managed with help from No Starch Press to produce an important book about the best firewall for Open Source systems.
Compared to web page version
With this source the first question from a potential reader might be, how does it compare to the web page. Why should I buy this when I can download and print.
The content of the book is arranged similarly to the web page, but better. The layout is better since the people at No Starch knows how to layout pages and the typography which makes reading a pleasure. Peter has also written new paragraphs and introductory sections which are much better and makes the overall reading from cover to cover better.
So to answer the question: the book is way better than the web page and easier to read.
Further the format, a book, as compared to printed paper is much nicer when sitting at home reading or as I did when you bring the book along to read a chapter.
Contents
Since not all have read the web page I will try to summarize what the book is about, and why it does matter as an extension of the current available reference and other information about PF.
The book is about PF, and not only about PF on OpenBSD. Since Peter uses PF on OpenBSD he does remind people that not all features are available on FreeBSD and NetBSD - but this book is not just about OpenBSD - it really is about PF.
The chapters of the book goes from enabling PF with the simplest possible rulesets on OpenBSD, FreeBSD and NetBSD through expected firewall/gateways to advanced networks like: wireless networks, bigger networks with DMZ subnets, bandwidth shaping with ALTQ and even logging and statistics. Judging from the number of pages it should not be possible, the book is only about 150 pages, but the way Peter has organized it makes it possible.
Writing style
Peter has a unique writing style and be warned, I don't think everybody will enjoy it, unless prepared for it. This book is not a HOWTO with complex and magic instructions which you can follow and not learn from. This book is about educating you the reader to become the local PF guru by having a master guide you onto the path and pushing you forward.
What you need to succeed with this book is access to a computer running OpenBSD, FreeBSD or NetBSD. You will need this access to try out the instructions and to learn. Peter is not spoonfeeding you - you will need to make an effort to learn, and learn by doing.
While you tinker with PF you also need access to the internet, not all the time - but when you want to check the state of PF in FreeBSD for example you will need to go to the FreeBSD PF web page. This information could of course have been included, but why? Including information that will soon be outdated is not the style for Peter, rather he has digested and decided to include references where appropriate and not include a lot of copy paste from other sources.
When Peter wrote this book he also makes it clear that he is not just teaching the available features, but the process of developing gateways with PF. His way of expanding simple "block in all" ruleset into a fully working examples with DMZ are fun to read and a beginner will learn not just the syntax of a firewall, but what makes a good firewall. If you need the syntax, which we all do, go to the materials from the extensive Appendix A with links to internet resources.
Having a book with the process is going to last longer than a book listing just the features in the current version. So this book will be worth it for years ahead, even though PF is in rapid development.
He also presents his view of the world, and while I might not agree to everything - I consider greylisting evil - he does make some good arguments about which features to use and why. He doesn't just present a solution, he explains the why in the solution. When you get more experience with PF and firewalls you can always modify his solution to fit your needs.
Target audience
From my viewpoint this book is for everyone who uses PF. Regardless of operating system and skill level this book will teach you something new and interesting. The instructions are precise enough to get the beginner started, while the seasoned PF user will be compelled to update rulesets to include the best current practice for improved readability and performance. I have used PF since it was included in OpenBSD and yet I have something to try out immediately.
Conclusion
This book is a great version of the "Firewalling with OpenBSD's PF packet filter" web page which is a joy to read from cover to cover. The content is presented in a compressed format that will make the interested reader eager to try PF in practice. Combined with the official PF User's guide it will make you proficient in PF.
I can recommend buying this book and at the same time download his online web page.
A big thank you goes to Peter, the OpenBSD project and especially Daniel Hartmeier for giving us PF.
[...]
Help other customers find the most helpful reviews
Was this review helpful to you? Yes
No
13 of 16 people found the following review helpful:
3.0 out of 5 stars
Great in some respects but disappointing in others; wait for the second edition, December 31, 2007
This review is from: The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall (Paperback)
I was excited to see a new book on Pf on the market. Three years ago I read and reviewed Building Firewalls with OpenBSD and PF (BFWOAP) by Jacek Artymiak and gave it five stars. I hoped The Book of Pf (TBOP) would acknowledge the best ideas in BFWOAP and expand into Pf developments of the last three years. TBOP is strong when it addresses how to install or use Pf on operating systems other than OpenBSD. Elsewhere, the book is too weak to merit more than three stars.
Let me start with the positive aspects of TBOP. First, it appears to be technically correct. I am not a Pf expert, but the recommendations made sense. The technical editor is an OpenBSD expert and Pf developer, so I am confident the text is accurate! Second, the author did an excellent job explaining how to install and use Pf on OpenBSD, FreeBSD, and NetBSD. I use FreeBSD extensively on servers, and I did not feel left out at all. The author was quick to point out quirks affecting Pf on non-OpenBSD platforms. Third, I liked the chapter on Pf monitoring (Ch 8) but thought it was way too brief.
Turning to the negative side, the first problem involves introducing technical concepts. One of the major rules governing book-writing is to properly explain technical items before including them. For example, p 39 includes the term "static-port" in a configuration. This is not explained anywhere. On p 43 we see "OS = OpenBSD", again with no explanation. On p 65 "set skip" is used, but at least there is some mention of it again on p 123. If you tell me to read the man pages to figure out what these terms mean, why should anyone read this book? The author should examine how Michael Lucas or Mike Rash describe technical details. Both know how to describe the minute details of configuration syntax so the reader understands each element.
Second, the book is way too short because it fails to properly explain many of the issues it mentions. After reading the book I do not expect the average reader to have a good understanding of anchors, tags, and tables. I think the major problem here is the devotion to brevity. I wanted to learn more about Pf's scrubbing features, but guess how much ink was spent talking about it? One paragraph, on p 128. There's more about scrubbing in the books I've written that there is in a book on Pf. That is disappointing. Another manifestation of the book's length is the failure to properly discuss some of the tools in Ch 8. I liked Ch 8, but the chapter needs to be expanded. How about more than a mention of pfflowd or using Pf with SNMP?
Third, I think it would be very helpful for TBOP to include a comparative chapter. The author should explain how Pf stacks up against other firewalls, especially open source alternatives like Linux's IPTables and FreeBSD's IPFW. The author appears to be a Pf advocate, but explaining how Pf compares to programs used by other people would help sell this book.
Earlier I wrote a five start review of a No Starch book called Linux Firewalls, so I know what a great firewall book looks like. I also thought Jacek Artymiak's BFWOAP was a five star book. I think the best course of action is to wait for a second edition of TBOP. Pf is a well-supported program, so you can expect to see plenty of additional features in the coming years. If the author addresses the shortcomings in this book I would recommend it.
Help other customers find the most helpful reviews
Was this review helpful to you? Yes
No
