I’m going to dive right in with an anecdote: As is normal for anyone in systems administration, I’m busy at work. I’ve been short an employee for some time, and I brought in a managed service provider to do some work. This included a revamping of the network equipment and layout, as it has been growing organically rather than in a planned fashion.
I received the formal assessment from the provider a few weeks ago, and it mentioned that we were using a non ICSA-certified firewall: pf, in the form of pfSense. This was accompanied by some rather drastic warnings about how open source was targeted by hackers! and implied that ICSA certification was a mark of quality rather than a purchasable certification. All bogus, of course.
The reason I’m starting this review with this little story is to note that while open source has become well-accepted for system and application software, there’s still a lot of people that expect commercial hardware to be exclusively handling data once it leaves the server. That’s been valid for a long time, but software like pf represents a realistic option, or even an improvement, over many commercial and proprietary options. Since pf exists in one form or another on all the BSDs, it’s a tool you should be at least somewhat familiar with.
Peter N. M. Hansteen has written about pf first online, and then in printed form, for some time. The Book of PF is in its third edition, and that’s what I have to read. (Disclosure: No Starch Press gave me the book free, without requirements)
The book is excellent, and easier to read than I expected for a book about network processing. It can be read in linear form, as it takes the reader from simple to more complex network layouts. It works as a reference book, too, as it focuses on different tools around pf and what they are used for.
It covers the different pf version in OpenBSD, NetBSD, and FreeBSD, and DragonFly gets at least a partial mention in some portions of the book. For example, OpenBSD recently removed ALTQ, but the other BSDs still use it. With- and without-ALTQ scenarios are covered every place it applies. You’re going to get the most mileage out of an OpenBSD setup with it, though.
The parts where the book shines are the later chapters; the descriptions of greylisting and spamd, the traffic shaping notes, and the information on monitoring pf will be useful for most anyone. It’s quite readable; similar in tone to Peter’s blog. If you enjoy his in–depth online articles, the book will be a pleasant read.