Yes, the Book of PF, Fourth Edition Is Coming Soon

75 points | 3 days | bsdly.blogspot.com

kstrauser 5 hours ago

I’ll toss this out there: pf ruined all other firewalls for me. Once you’ve been spoiled by pf.conf, it’s awfully hard to look at any other without running away screaming. Seriously, it’s a joy, like discovering Python after you’ve learned Brainfuck.

I wish Linux’s firewalls were so easy to configure. The closest I’ve found there is with ufw, which isn’t nearly so comprehensive or straightforward, but at least goes in the right direction.

betaby 5 hours ago

> I wish Linux’s firewalls were so easy to configure.

nft (nftables) is easy and has a similar pf-like 'feel' while offering way more functionality. After decades of `iptables` (and `ipchains` before) nft(ables) is a breath of fresh air.

accrual 5 hours ago

Totally agree. I rarely need to adjust my pf.conf but it's a joy when I do. The syntax is easy to read and I can easily get up to speed on my rules just by paging through the file.

FWIW I have the previous edition of the Book of PF on my bookshelf but I rarely reference it after reading through it a couple years back. Standard homelab-grade rulesets are pretty straightforward to set up.

throw0101d 4 hours ago

Also worth checking out Michael W Lucas' books:

* https://mwl.io/nonfiction

I've heard (but not read) good things about his fictional works as well, e.g., $ git commit murder:

* https://mwl.io/fiction/crime#gcm

* https://mwl.io/fiction

skywal_l 8 hours ago

PF: Packet Filtering (OpenBSD Firewall). Saved you a click there.

petegordon 8 hours ago

Thank you

Rygian 7 hours ago

Interestingly, the author dodged that one:

> A few questions immediately pop into readers' minds on hearing this news. The ones I get most often are,

> Why now? What took you so long?

> which quite frequently combines with

> What changed? Are previous editions now useless?

Which somehow contributes to highlighting the inadequacy of the reader for not knowing what PF stands for in the first place.

mananaysiempre 6 hours ago

It’s a post in a BSD blog, specifically of the author of The Book of PF, that is in its entirety concerned with the question of whether a new edition of The Book of PF is coming. It’s not an ad in a computer magazine. It’s fair to presuppose that a reader of the blog knows what The Book of PF is. (It’s then arguably not fair to post it for a general audience on HN, but the author can hardly control that.)

Please don’t assume everybody who presupposes knowledge does so to assert their intellectual superiority. Presupposing knowledge is how we can communicate anything at all in a culture where one can be a dozen inferences or a couple of years of learning away from even understanding a question. And people who assert their intellectual superiority usually aren’t worth listening to at all—so if you end up concluding that every smart person is doing it, or even most of them, or most of them in a field, then you have a wide-ranging misunderstanding of some sort. This, about presupposing knowledge, is one that could be. (Another popular one is not understanding that, in mathematics, “obvious”, etc., does not mean “skill issue if you don’t get it” but rather “you’ve missed something important if you don’t get it, go back and think on it some more”.)

depr 6 hours ago

There has arisen this strange obsession on this website with every page having to explain what a project is about. This makes some sense for the marketing of the project, if there is for example a new version of some software. But for a personal blog it really does not. If a reader of a technical website is incapable of searching for "openbsd pf" then maybe they are indeed inadequate and are better off reading something else.

radiowave 6 hours ago

Right. It's a question of context. And here we all are on a website that is basically purpose built for taking things out of context. We might just need to manage our expectations in this regard.

andrewflnr 3 hours ago

I just think it would be nice if "The Book of PF" was quoted so it's obvious it's a book title, not just a weirdly phrased sentence. After that, yeah, it's pretty obvious whether you care about the topic or can just move on without commenting on your apathy.

ecb_penguin 5 hours ago

Ok, great, so we put Packet Filter in the title. Still doesn't explain it. So let's put Packet Filter for BSD in the title. You didn't explain what BSD is.

Eventually let's just put the entire article in the title.

> not knowing what PF stands for in the first place

I'm going to level you up 10x right now.

1. Select the text "Book of PF" in Chrome

2. Right click on it

3. Search with Google

4. Read the summary "OpenBSD's stateful packet filter, PF, is the heart of the OpenBSD firewall"

BOOM! You can now do this with anything you don't know! You no longer need to ask someone to explain everything to you!

znpy 8 hours ago

I wish there was a "book of nftables" or something like that.

quesera 6 hours ago

When you choose BSD, many common Linux frustrations evaporate. :)

mananaysiempre 6 hours ago

Rusty Russell’s old iptables HOWTO was okay—or as okay as an iptables anything can be. An nftables HOWTO covering basically the same issues that The Book of PF does has the potential to be much better, simply because it would concern a much less messy system, but somebody has to write it. There’s little Linux-specific about this situation.

znpy 4 hours ago

Yeah, but many new ones appear, sadly.

(I've used both FreeBSD and NetBSD in the past, this is not a baseless claim)