Top positive review
15 people found this helpful
Great book of PF without endless details
on January 24, 2008
Biased review ahead
This review is going to be biased. First of all I love OpenBSD, I love PF and I have meet Peter who is a nice guy to talk to.
But we are getting ahead here. This book is obviously about PF, what is that? PF is the Packet Filter developed for OpenBSD and then ported to several other BSD systems. PF is a modern firewall system which performs great, like many others, but which has a built-in language which makes it very easy to understand the ruleset and create a better firewall.
To be fair the filtering language of PF was in the first versions very similar to the IP Filter by Darren Reed. Credit goes to him for making IP Filter in the first place, I learnt a lot about firewalls from using it. As explained in the book PF was actually the child of need when IP Filter was removed from OpenBSD.
So PF was invented and at some time Peter Hansteen wrote his famous web page "Firewalling with OpenBSD's PF packet filter". From this source he has then managed with help from No Starch Press to produce an important book about the best firewall for Open Source systems.
Compared to web page version
With this source the first question from a potential reader might be, how does it compare to the web page. Why should I buy this when I can download and print.
The content of the book is arranged similarly to the web page, but better. The layout is better since the people at No Starch knows how to layout pages and the typography which makes reading a pleasure. Peter has also written new paragraphs and introductory sections which are much better and makes the overall reading from cover to cover better.
So to answer the question: the book is way better than the web page and easier to read.
Further the format, a book, as compared to printed paper is much nicer when sitting at home reading or as I did when you bring the book along to read a chapter.
Since not all have read the web page I will try to summarize what the book is about, and why it does matter as an extension of the current available reference and other information about PF.
The book is about PF, and not only about PF on OpenBSD. Since Peter uses PF on OpenBSD he does remind people that not all features are available on FreeBSD and NetBSD - but this book is not just about OpenBSD - it really is about PF.
The chapters of the book goes from enabling PF with the simplest possible rulesets on OpenBSD, FreeBSD and NetBSD through expected firewall/gateways to advanced networks like: wireless networks, bigger networks with DMZ subnets, bandwidth shaping with ALTQ and even logging and statistics. Judging from the number of pages it should not be possible, the book is only about 150 pages, but the way Peter has organized it makes it possible.
Peter has a unique writing style and be warned, I don't think everybody will enjoy it, unless prepared for it. This book is not a HOWTO with complex and magic instructions which you can follow and not learn from. This book is about educating you the reader to become the local PF guru by having a master guide you onto the path and pushing you forward.
What you need to succeed with this book is access to a computer running OpenBSD, FreeBSD or NetBSD. You will need this access to try out the instructions and to learn. Peter is not spoonfeeding you - you will need to make an effort to learn, and learn by doing.
While you tinker with PF you also need access to the internet, not all the time - but when you want to check the state of PF in FreeBSD for example you will need to go to the FreeBSD PF web page. This information could of course have been included, but why? Including information that will soon be outdated is not the style for Peter, rather he has digested and decided to include references where appropriate and not include a lot of copy paste from other sources.
When Peter wrote this book he also makes it clear that he is not just teaching the available features, but the process of developing gateways with PF. His way of expanding simple "block in all" ruleset into a fully working examples with DMZ are fun to read and a beginner will learn not just the syntax of a firewall, but what makes a good firewall. If you need the syntax, which we all do, go to the materials from the extensive Appendix A with links to internet resources.
Having a book with the process is going to last longer than a book listing just the features in the current version. So this book will be worth it for years ahead, even though PF is in rapid development.
He also presents his view of the world, and while I might not agree to everything - I consider greylisting evil - he does make some good arguments about which features to use and why. He doesn't just present a solution, he explains the why in the solution. When you get more experience with PF and firewalls you can always modify his solution to fit your needs.
From my viewpoint this book is for everyone who uses PF. Regardless of operating system and skill level this book will teach you something new and interesting. The instructions are precise enough to get the beginner started, while the seasoned PF user will be compelled to update rulesets to include the best current practice for improved readability and performance. I have used PF since it was included in OpenBSD and yet I have something to try out immediately.
This book is a great version of the "Firewalling with OpenBSD's PF packet filter" web page which is a joy to read from cover to cover. The content is presented in a compressed format that will make the interested reader eager to try PF in practice. Combined with the official PF User's guide it will make you proficient in PF.
I can recommend buying this book and at the same time download his online web page.
A big thank you goes to Peter, the OpenBSD project and especially Daniel Hartmeier for giving us PF.