Reddit reviews The Book of PF, 3rd Edition: A No-Nonsense Guide to the OpenBSD Firewall

We found 2 Reddit comments about The Book of PF, 3rd Edition: A No-Nonsense Guide to the OpenBSD Firewall. Here are the top ones, ranked by their Reddit score.

2 Reddit comments about The Book of PF, 3rd Edition: A No-Nonsense Guide to the OpenBSD Firewall:

u/captain_chao · 1 point · r/openbsd

I would recommend The Book of PF: 3rd Edition. Also, even though this page isn't updated any longer, it is helpful: http://www.bsdnow.tv/tutorials/openbsd-router

Here is my /etc/pf.conf file with some minor alterations:


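# Interfaces and networks
ext_if="bge0"
int_if="bge1"
dmz_if="bge2"
int_net="10.10.199.0/24"
dmz_net="172.30.67.0/24"
# Addresses that should never be seen as source or destination on the external interface
broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
    10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
    198.51.100.0/24 203.0.113.0/24 \
    0.0.0.0/8 240.0.0.0/4 255.255.255.255/32"
# Global options: blocked TCP gets a RST, other protocols an ICMP unreachable; loopback is not filtered
set optimization aggressive
set block-policy return
set skip on { lo }
# Queues on the external interface (10M total)
queue main on $ext_if bandwidth 10M
queue defq parent main bandwidth 2500K default
queue web parent main bandwidth 7100K
queue icmp parent main bandwidth 400K
# Drop spoofed packets claiming to come from our own networks
antispoof for { $ext_if, $int_if, $dmz_if }
# Normalize inbound packets, then set priority and queue for outbound traffic
match in all scrub (no-df random-id max-mss 1440)
match out on $ext_if set prio (5, 6)
match out on $ext_if proto tcp to port { www, https } \
    set queue web
match out on $ext_if proto icmp queue icmp
# NAT traffic leaving the external interface that does not originate from its own network
match out on $ext_if from !($ext_if:network) to any nat-to ($ext_if:0)
# Default policy: block and log inbound on the external interface, pass outbound
block in log on $ext_if
pass out
# Drop bogon, unroutable and uRPF-failing traffic immediately
block in quick on $ext_if from { $broken no-route urpf-failed } to any
block out quick on $ext_if from any to { no-route $broken }
pass on { $int_if, $dmz_if }
# Hand FTP control connections to the local proxy on 127.0.0.1:8021 (the default ftp-proxy port)
pass in quick on { $int_if, $dmz_if } inet proto tcp to port ftp \
    divert-to 127.0.0.1 port 8021
# Block TCP port 1688 in either direction
block proto tcp from any to any port 1688
# Block and log traffic from the DMZ to the internal network
block log from $dmz_net to $int_net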