Customer Reviews: The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall
Amazon Vehicles Editors' Picks Amazon Fashion Learn more nav_sap_plcc_ascpsc $5 Albums Fire TV Stick Health, Household and Grocery Back to School Totes Summer-Event-Garden Amazon Cash Back Offer ElvisandNixon ElvisandNixon ElvisandNixon  Amazon Echo  Echo Dot  Amazon Tap  Echo Dot  Amazon Tap  Amazon Echo Starting at $49.99 All-New Kindle Oasis Celine Dion Water Sports

Your rating(Clear)Rate this item

There was a problem filtering reviews right now. Please try again later.

on January 24, 2008
Biased review ahead
This review is going to be biased. First of all I love OpenBSD, I love PF and I have meet Peter who is a nice guy to talk to.

But we are getting ahead here. This book is obviously about PF, what is that? PF is the Packet Filter developed for OpenBSD and then ported to several other BSD systems. PF is a modern firewall system which performs great, like many others, but which has a built-in language which makes it very easy to understand the ruleset and create a better firewall.

To be fair the filtering language of PF was in the first versions very similar to the IP Filter by Darren Reed. Credit goes to him for making IP Filter in the first place, I learnt a lot about firewalls from using it. As explained in the book PF was actually the child of need when IP Filter was removed from OpenBSD.

So PF was invented and at some time Peter Hansteen wrote his famous web page "Firewalling with OpenBSD's PF packet filter". From this source he has then managed with help from No Starch Press to produce an important book about the best firewall for Open Source systems.

Compared to web page version
With this source the first question from a potential reader might be, how does it compare to the web page. Why should I buy this when I can download and print.

The content of the book is arranged similarly to the web page, but better. The layout is better since the people at No Starch knows how to layout pages and the typography which makes reading a pleasure. Peter has also written new paragraphs and introductory sections which are much better and makes the overall reading from cover to cover better.

So to answer the question: the book is way better than the web page and easier to read.

Further the format, a book, as compared to printed paper is much nicer when sitting at home reading or as I did when you bring the book along to read a chapter.

Since not all have read the web page I will try to summarize what the book is about, and why it does matter as an extension of the current available reference and other information about PF.

The book is about PF, and not only about PF on OpenBSD. Since Peter uses PF on OpenBSD he does remind people that not all features are available on FreeBSD and NetBSD - but this book is not just about OpenBSD - it really is about PF.

The chapters of the book goes from enabling PF with the simplest possible rulesets on OpenBSD, FreeBSD and NetBSD through expected firewall/gateways to advanced networks like: wireless networks, bigger networks with DMZ subnets, bandwidth shaping with ALTQ and even logging and statistics. Judging from the number of pages it should not be possible, the book is only about 150 pages, but the way Peter has organized it makes it possible.

Writing style
Peter has a unique writing style and be warned, I don't think everybody will enjoy it, unless prepared for it. This book is not a HOWTO with complex and magic instructions which you can follow and not learn from. This book is about educating you the reader to become the local PF guru by having a master guide you onto the path and pushing you forward.

What you need to succeed with this book is access to a computer running OpenBSD, FreeBSD or NetBSD. You will need this access to try out the instructions and to learn. Peter is not spoonfeeding you - you will need to make an effort to learn, and learn by doing.

While you tinker with PF you also need access to the internet, not all the time - but when you want to check the state of PF in FreeBSD for example you will need to go to the FreeBSD PF web page. This information could of course have been included, but why? Including information that will soon be outdated is not the style for Peter, rather he has digested and decided to include references where appropriate and not include a lot of copy paste from other sources.

When Peter wrote this book he also makes it clear that he is not just teaching the available features, but the process of developing gateways with PF. His way of expanding simple "block in all" ruleset into a fully working examples with DMZ are fun to read and a beginner will learn not just the syntax of a firewall, but what makes a good firewall. If you need the syntax, which we all do, go to the materials from the extensive Appendix A with links to internet resources.

Having a book with the process is going to last longer than a book listing just the features in the current version. So this book will be worth it for years ahead, even though PF is in rapid development.

He also presents his view of the world, and while I might not agree to everything - I consider greylisting evil - he does make some good arguments about which features to use and why. He doesn't just present a solution, he explains the why in the solution. When you get more experience with PF and firewalls you can always modify his solution to fit your needs.

Target audience
From my viewpoint this book is for everyone who uses PF. Regardless of operating system and skill level this book will teach you something new and interesting. The instructions are precise enough to get the beginner started, while the seasoned PF user will be compelled to update rulesets to include the best current practice for improved readability and performance. I have used PF since it was included in OpenBSD and yet I have something to try out immediately.

This book is a great version of the "Firewalling with OpenBSD's PF packet filter" web page which is a joy to read from cover to cover. The content is presented in a compressed format that will make the interested reader eager to try PF in practice. Combined with the official PF User's guide it will make you proficient in PF.

I can recommend buying this book and at the same time download his online web page.

A big thank you goes to Peter, the OpenBSD project and especially Daniel Hartmeier for giving us PF.

0Comment| 15 people found this helpful. Was this review helpful to you?YesNoReport abuse
on December 31, 2007
I was excited to see a new book on Pf on the market. Three years ago I read and reviewed Building Firewalls with OpenBSD and PF (BFWOAP) by Jacek Artymiak and gave it five stars. I hoped The Book of Pf (TBOP) would acknowledge the best ideas in BFWOAP and expand into Pf developments of the last three years. TBOP is strong when it addresses how to install or use Pf on operating systems other than OpenBSD. Elsewhere, the book is too weak to merit more than three stars.

Let me start with the positive aspects of TBOP. First, it appears to be technically correct. I am not a Pf expert, but the recommendations made sense. The technical editor is an OpenBSD expert and Pf developer, so I am confident the text is accurate! Second, the author did an excellent job explaining how to install and use Pf on OpenBSD, FreeBSD, and NetBSD. I use FreeBSD extensively on servers, and I did not feel left out at all. The author was quick to point out quirks affecting Pf on non-OpenBSD platforms. Third, I liked the chapter on Pf monitoring (Ch 8) but thought it was way too brief.

Turning to the negative side, the first problem involves introducing technical concepts. One of the major rules governing book-writing is to properly explain technical items before including them. For example, p 39 includes the term "static-port" in a configuration. This is not explained anywhere. On p 43 we see "OS = OpenBSD", again with no explanation. On p 65 "set skip" is used, but at least there is some mention of it again on p 123. If you tell me to read the man pages to figure out what these terms mean, why should anyone read this book? The author should examine how Michael Lucas or Mike Rash describe technical details. Both know how to describe the minute details of configuration syntax so the reader understands each element.

Second, the book is way too short because it fails to properly explain many of the issues it mentions. After reading the book I do not expect the average reader to have a good understanding of anchors, tags, and tables. I think the major problem here is the devotion to brevity. I wanted to learn more about Pf's scrubbing features, but guess how much ink was spent talking about it? One paragraph, on p 128. There's more about scrubbing in the books I've written that there is in a book on Pf. That is disappointing. Another manifestation of the book's length is the failure to properly discuss some of the tools in Ch 8. I liked Ch 8, but the chapter needs to be expanded. How about more than a mention of pfflowd or using Pf with SNMP?

Third, I think it would be very helpful for TBOP to include a comparative chapter. The author should explain how Pf stacks up against other firewalls, especially open source alternatives like Linux's IPTables and FreeBSD's IPFW. The author appears to be a Pf advocate, but explaining how Pf compares to programs used by other people would help sell this book.

Earlier I wrote a five start review of a No Starch book called Linux Firewalls, so I know what a great firewall book looks like. I also thought Jacek Artymiak's BFWOAP was a five star book. I think the best course of action is to wait for a second edition of TBOP. Pf is a well-supported program, so you can expect to see plenty of additional features in the coming years. If the author addresses the shortcomings in this book I would recommend it.
22 comments| 15 people found this helpful. Was this review helpful to you?YesNoReport abuse
on September 23, 2014
I'm a programmer, not a network admin. I found this book useful for getting started with PF and network security in general.

Some people have made the criticism, "you can find all this stuff on the Internet." And that's true, but in many cases you'll have to know what you're looking for. If you're already a subject-matter expert, I'm sure you'll be fine with that. But I liked this book because it introduces you to many topics that you might not be familiar with, creating fertile ground for further research.

Please use the Yes or No buttons to let me know whether or not you found this review helpful. Your feedback helps me write better reviews, which in turn helps others get the information they're looking for.
0Comment| One person found this helpful. Was this review helpful to you?YesNoReport abuse
on June 4, 2013
This book doesn't really concern itself with the installation of OpenBSD or various other configuration aspects, just PF. It's straight and to the point. This book isn't a howto or hand holding example, it requires you to understand and review the material instead of dumping someone elses config on your systems and expecting it to work.
Other than the OpenBSD FAQ's themselves, this is a nice compliment and addition with plenty of good information. There is good information on turning away brute force attacks and about ALTQ that I found were lacking on the OpenBSD site - as thorough as it usually is.

If you set up OpenBSD firewalls, want to try to set them up or have any need whatsoever to use PF in in y our environment this is certainly a good manual to have close by that will certainly give you insight in those couple of little things the FAQs do not. I find myself always looking at it when making config changes.
0Comment| 2 people found this helpful. Was this review helpful to you?YesNoReport abuse
on October 6, 2008
If you're looking for information about the OpenBSD packet filter program "pf", you may have noticed a gaping hole on bookstore shelves. Two books that I have read on pf are "Building Firewalls with OpenBSD and PF, 2nd Edition" by Jacek Artymiak and the No Starch Press title, "The Book of PF", by Peter N.M. Hansteen.

"The Book of PF" is by far the easier of the two books to digest and will help you get up to speed very quickly. It's a short book, weighing in at 145 pages. The example rule sets are simple to follow and very thoroughly documented.

Hansteen helps you navigate through pf's basic configuration and then takes you through more advanced topics like wireless networks and how to deal with 'bigger or trickier networks'. There is also a treatment of OpenBSD's spamd program, designed to help you combat spam on your network.

You'll find a chapter on Alternate Queuing (ALTQ) and Common Address Redundancy Protocol (CARP). ALTQ provides a way to shape the traffic on your network and was integrated into pf for the OpenBSD 3.3 release. CARP was added to OpenBSD in release 3.5 to address the issue of high availability and uninterrupted service.

A chapter covering Logging, Monitoring, and Statistics helps bring it all together for the network administrator. Hansteen closes out the text with a chapter titled "Getting Your Setup Just Right" that provides a last-minute review of some of the most important configuration options.

If you're interested in "The Book of PF", most likely you're already familiar with OpenBSD - one of the most secure operating systems available today. If you're ready to enhance OpenBSD's default security, pick up a copy of this book and spend some time with the pf program.
0Comment| 3 people found this helpful. Was this review helpful to you?YesNoReport abuse
on July 4, 2013
I was surprised that this book didn't cover the basics of pf. The reserved words, configuration syntax, statement order are not covered. Someone new to pf is not served well by this book. I recommend reading the pfctl and pf.conf man pages for the basics. You can pick up the rest of the info you need from the web. This book is a poor value.
0Comment| One person found this helpful. Was this review helpful to you?YesNoReport abuse
on January 2, 2009
Hansteen has put together a mostly well written, OS-independent guide to PF. He states he "made a conscious decision early on to introduce you to its methods via interesting and useful configurations, rather than make this book the complete reference", and I feel this book mostly accomplishes that goal. He points to the man pages as the complete reference, though I disagree on that to some extent, as they lack detailed coverage and practical usage examples in some areas.

There is no introductory coverage of any of the BSDs, which is fine for the scope of the book and those topics are already well covered elsewhere, but don't expect to pick this up and get anywhere with it if you have no prior BSD experience. You'll first need to seek resources on your BSD of choice and have a decent understanding of the OS. Basic networking knowledge is also a prerequisite.

There are some areas that are covered very minimally, to the extent that without seeking additional material, you will likely have difficulty with your implementation unless it is very basic. I agree with most of the complaints noted in Betjlich's review. Given the stated scope of the book, I'm not quite as critical. I do think the stated scope is too limited though.

This book is adequate if you want to get up and running with a basic configuration. Anything more complex will leave you seeking additional resources.

I think this is a worthwhile read if you want to setup a PF firewall, and understand the limits of a book that comes in at 134 pages excluding the appendices. The second edition could be much better though.
0Comment| One person found this helpful. Was this review helpful to you?YesNoReport abuse
on June 27, 2012
There are plenty of resources on the web that you can piece together to get PF functional. What I found difficult was to get a broader overview of PF with the implementation details, which is what this book does. I highly recommend it.
0Comment| One person found this helpful. Was this review helpful to you?YesNoReport abuse
on March 15, 2010
I like brevity so I am going to stick with it on my review. This book was easy to read and follow as the author progressed. Once or twice the author expected you to insert an external function to your rule set ([.]) without conjoining the location to the present example. However he did state that some functions were to be used as a base template which all I can think of was the *block all* rule...

Once I finished reading this book the only outstanding questions were learning the complete syntax definitions which can be found here:


Thank you for providing us with such an informative and logical read.
11 comment| One person found this helpful. Was this review helpful to you?YesNoReport abuse
on January 18, 2011
Just because you're not using Windows doesn't decrease the high value of security. "The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall" seeks to educate readers and users of Open BSD on PF, OpenBSD's firewall. Using PF to its fullest will provide a secure network, but it can be quite overwhelming to new OpenBSD adopters who are looking to gain a better understanding of this operating systems and its many tools. With everything you need to know to succeed, "The Book of PF" is an invaluable tool, and highly recommended.
0Comment| One person found this helpful. Was this review helpful to you?YesNoReport abuse