OpenBSD Journal

Review: The OpenBSD Packet Filter Book

Contributed by sean on from the dept.

The wide variety of features and flexibility has made PF popular as a general packet filter in the various BSDs. It has been ported to pretty much all of them and I'm still holding some hope that Apple will port it over to OS X. Aside from that the PF manuals around are usually of the 'how to use and install' OpenBSD variety. Jeremy Reed's packaging of the PF FAQ is definitely an exception. His book is called The OpenBSD Packet Filter Book (or 'PF-Book' for short) and is published via Lulu's self publishing services.

Starting from the original FAQ and working towards a print version, Jeremy has packaged up a rather complete tome on our friendly packet filter. I've read the book in its entirety and, for comparison's sake, the original FAQ. Just flipping through the book, it is obvious that Jeremy took the time to paginate and format the entire text into something easily readable on the bus (my venue for this book) or pretty much anywhere, as the form factor is quite comfortable (a bit larger than a pulp novel). On the form itself, the index, while being complete and helpful, has a bold face which I find a bit distracting and renders the text larger than the normal face in the rest of the book. One of the nice changes Jeremy made was replacing the brain teasing ASCII art diagrams (much easier to handle with a mono space font) with graphically rendered versions which makes things clearer at a glance.

The audience for this book is any user who is already familiar with the various BSD incarnations but is intrigued by the idea of using PF in their environment (instead of converting to OpenBSD 'whole-hog'). If you are looking for a book which goes into more detail about setting up OpenBSD and using PF then I would suggest Jacek's approach to the topic, but if all you care about is PF then you found the right one. The PF-Book is also well suited as a nice encyclopedic reference of the various uses and features PF has, and the thorough index at the back makes it suited for this function.

This book took me a long time to read as there have been a number of large projects at work and 'at home' so the book was read chapter by chapter either on the commute to the office or while forcing a break during the day. This is usually a bad thing for technical books but in this case each of the chapters was self contained and the examples didn't distract from the bulk of the material.

Since I'm more comfortable with the 'dead-tree' format I learned all kinds of things that I didn't get from reading the online version (but were still there). Specifically, a few examples are the explanation of the state manipulation (i.e. modulate, synproxy) and TCP flag use in pass rules.

One thing I felt lacking was in the examples portion, as the examples given dealt with very simple uses of PF in basic environments. I would have definitely appreciated a few more complicated examples which show off the power of PF in not so trivial network layouts (such as bridges and IPsec tunnelling).

Another welcome addition was the appendix summarizing 'Other Tools' which lists and gives a brief synopsis of the various add-ons and extension packages available for PF. I didn't know so many existed! The list is in alphabetical order so you will have to read through them all if you are looking for any particular one. I would have preferred a sectioned list instead.

As for the donations questions raised when the book was first announced/published, I've confirmed that funds have made their way to the project though it seems as though the distributor has been giving Jeremy a hard time redeeming on sales.

If I was to force myself into an Amazon rating I would give 'The OpenBSD Packet Filter Book' 3.5 out of 5 puffies.

Note: a complimentary copy of the above book was sent to me for review on this site.



  1. By tmib (tmib) t m i b AT x s 4 a l l DOT n l on

    Nice review, I am looking forward to reading the book as well. Will it be available from OpenBSD orders and/or OpenBSD orders EU in the future, or do I have to buy it from Lulu/Amazon/whatever?

    1. By sean (sean) sean@tinfoilhat.ca on I don't work here.

      > Nice review, I am looking forward to reading the book as well.
      > Will it be available from OpenBSD orders and/or OpenBSD orders EU
      > in the future, or do I have to buy it from Lulu/Amazon/whatever?

      The latter.

  2. By Anonymous Coward (151.38.56.254) on

    Am I the only guy who is surprised to know that the website, the FAQ, and the man pages are "BSD licensed" as Jeremy Reed states in his book/website?

    I have only seen copyright statements about those things, so I'm wondering if he really had the permission to use them.

    Obviously nobody will sue him, but...

    1. By Ray Percival (sng) on http://undeadly.org/cgi?action=search&sort=time&query=sng

      > Am I the only guy who is surprised to know that the website, the FAQ, and the man pages are "BSD licensed" as Jeremy Reed states in his book/website?
      >
      > I have only seen copyright statements about those things, so I'm wondering if he really had the permission to use them.
      >
      > Obviously nobody will sue him, but...

      Yay, for clicking on links and reading.

      http://www.openbsd.org/cgi-bin/cvsweb/www/faq/pf/nat.html?rev=1.15&content-type=text/x-cvsweb-markup

    2. By Nick Holland (68.43.117.34) nick@openbsd.org on http://www.openbsd.org/faq/pf/

      > Am I the only guy who is surprised to know that the website, the FAQ,
      > and the man pages are "BSD licensed" as Jeremy Reed states in his
      > book/website?
      >
      > I have only seen copyright statements about those things, so I'm
      > wondering if he really had the permission to use them.
      >
      > Obviously nobody will sue him, but...

      That's not so obvious to me. We'd defend it vigorously if needed. There are a few people around who can attest to that.

      HOWEVER, that's not needed here. After much discussion, including Theo thinking we were a bit nuts, Joel Knight and I did put the entire PF FAQ under a nice, simple BSDish license...see the HTML source. We did this fully understanding the potential implications of this, and this was one of the ones we understood could happen, and we were ok with that then, and still are now.

      It turned out Joel and I had been thinking about doing this for some time independently, and when FreeBSD imported PF, we were approached about making the PF Users' Guide available to them to jumpstart their documentation efforts.

      Note: the rest of the FAQ and the website is under standard copyright, and is likely to stay that way.

      Nick.

  3. By Nuno Morgadinho (nunomorgadinho) nm@di.uevora.pt on http://www.morgadinho.org/blog

    I didn't read the book yet but 3.5 seems a low rating. Is this because you think there are better books on PF available or because your idea of a good PF book is still to come?

    1. By sean (sean) on

      > I didn't read the book yet but 3.5 seems a low rating. Is this because
      > you think there are better books on PF available or because your idea of
      > a good PF book is still to come?

      I took off one point for lack of complicated examples and .5 for the typographic annoyances. Probably too much to take off and I could be persuaded to only take .5 off of the lack of examples.

      Is it good (yes, just as the source material was).
      Is it good for _me_? A reserved yes as I did learn something from it.
      Where I come from 3.5/5 = 70% = B which I feel is good.

      As stated in the article if you don't care about the OS surrounding PF then this book is a great start.
