Pf3e Index.Pdf

Index

Note: Pages numbers followed by f, n, priority-based queues, 136–145 or t indicate figures, notes, and tables, match rule for queue assignment, respectively. 137–138 overview, 134–135 Symbols performance improvement, 136–137 # (hash mark), 13, 15 queuing for servers in DMZ, ! (logical NOT) operator, 42 142–144 setting up, 135–136 A on FreeBSD, 135–136 on NetBSD, 136 Acar, Can Erkin, 173 on OpenBSD, 135 ACK (acknowledgment) packets transitioning to priority and class-based bandwidth allocation, queuing system, 131–133 139–140 anchors, 35–36 HFSC algorithm, 124, 126, 142 authpf program, 61, 63 priority queues, 132, 137–138 listing current contents of, 92 two-priority configuration, loading rules into, 92 120–121, 120n1 manipulating contents, 92 adaptive.end value, 188 relayd daemon, 74 adaptive firewalls, 97–99 restructuring rule set with, 91–94 adaptive.start value, 188 tagging to help policy routing, 93 advbase parameter, 153–154 ancontrol command, 46n1 advskew parameter, 153–154, 158–159 antispoof tool, 27, 193–195, 194f aggressive value, 192 ARP balancing, 151, 157–158 ALTQ (alternate queuing) framework, atomic rule set load, 21 9, 133–145, 133n2 authpf program, 59–63, 60 basic concepts, 134 basic authenticating gateways, class-based bandwidth allocation, 60–62 139–140 public networks, 62–63 overview, 135 queue definition, 139–140 tying queues into rule set, 140 B handling unwanted traffic, 144–145 bandwidth operating system-based queue actual available, 142–143 assignments, 145 class-based allocation of, 139–140 overloading to tiny queues, overview, 135 144 –145 queue definition, 139–140 HFSC algorithm, 140–142 tying queues into rule set, 140 overview, 135 queues for allocation of, 121–122 queue definition, 140–141 DMZ network with traffic tying queues into rule set, shaping, 128–130 141–142 fixed, 123–125 bandwidth, queues for allocation of load balancing, 157 (continued) load-balancing mode, 158 flexible, 125–128 setting up, 158–160 HFSC algorithm, 123 overview, 147–148 total usable, 122 carpdev option, 150, 152 Beck, Bob, 115 cbq (class-based) queues, 132–135 Berkeley Software Distributions. See definition, 139–140 BSDs (Berkeley Software tying into rule set, 140 Distributions); FreeBSD; cloneable interfaces, 55n4, 167 NetBSD; OpenBSD command succeeded message, 77 blacklisting, 101–103, 115 Common Address Redundancy block all rule, 19, 24, 61, 69 Protocol. See CARP block in all rule, 16 –17 complicated networks, 65–94 blocknonip option, 87–88 bridges, 86–91 block-policy option, 186–187 FreeBSD setup, 88–89 block rule, 13 NetBSD setup, 89–90 Brauer, Henning, 5, 133, 177 OpenBSD setup, 87–88 brconfig command, 87, 89 rule set, 90–91 bridges, 86–91, 86n5, 90f interface groups, 84–85 defined, 86 NAT, 79–84 pros and cons of, 86 DMZ, 80–81 rule set, 90–91 load balancing with setting up redirection, 81 on FreeBSD, 88–89 single NATed network, 81–84 on NetBSD, 89–90 nonroutable IPv4 addresses, 91–94 on OpenBSD, 87–88 establishing global rules, 91 brute-force attacks, 96–99 restructuring rule set with defined, 96 anchors, 91–94 expiring tables using pfctl, 99 packet tagging, 85–86 overview, 96 routable IPv4 addresses, 66–79, 67f setting up adaptive firewalls, 97–99 DMZ, 70–71, 70f BSDs (Berkeley Software load balancing with redirection, Distributions), 3–4, 3n3. 72–73 See also FreeBSD; NetBSD; load balancing with relayd, OpenBSD 73–79 configuration files, 7 macros, 66–67 Linux versus, 6–7 configuration files network interface naming FreeBSD, 7, 14–15 conventions, 6 NetBSD, 15–16 online resources, 201–203 OpenBSD, 7, 13 print resources, 204–205 tools for managing, 7–8, 11 Bytes In/Out statistics, 23 connection refused message, 18 content filtering, 100, 105, 107 C Core Force project, 5n7 Core Security, 5n7 CARP (Common Address Redundancy Protocol), 79 failover, 150–154 D kernel options, 150 DDoS (distributed denial-of-service) network interface setup with attacks, 187, 187n1 ifconfig, 151–154 sysctl values, 151

212 Index debugging, 197–199. See also logging sysctl values, 151 debug option, 190–191 load balancing versus, 158 troubleshooting-friendly networks, pfsync protocol, 154–155 37–38 rule set, 155–156 debug option, 52, 190–191 false positives, 102, 106, 110, 115 deep packet inspection, 2 FIFO (first in, first out), 120, demilitarized zone (DMZ). See DMZ 132–134, 137 demotion counter, 79, 153 file servers denial-of-service (DoS) attacks, 91, NAT, 79 168, 193n2 routable IPv4 addresses, 66–67 de Raadt, Theo, 4n4 file transfer protocol. See FTP dhclient command, 56–57, 59 firewalls, 3. See also bridges dhcpd program, 54 adaptive, 97–99 distributed denial-of-service (DDoS) simple gateways, 25–27 attacks, 187, 187n1 first in, first out (FIFO), 120, divert(4) sockets, 2 132–134, 137 diver t-to component, 36 flags S/SA keep state rule, 21 Dixon, Jason, 10 floating state policy, 187 dmesg command, 48–49, 209 Floeter, Reyk, 183 DMZ (demilitarized zone) flowd collector daemon, 177–182 NAT, 80–81 flowd-reader program, 178 –181 queuing for servers in, 142–144 flow-tools program, 177 routable IPv4 addresses, 70–71, 70f flush global state-tracking option, 97 testing rule set, 195–196, 195f fragment reassembly options, 192–193 with traffic shaping, 128–130, 128f frag value, 188 DNS, 22, 34n4, 66, 68 FreeBSD, 3n3, 5 documentation, 8 configuration files, 7 domain name lookups, 163–164, online resources, 204 166, 169 pfSense, 8 domain name resolution, 18, 20 setting up ALTQ framework on, domain names, 34 135–136 DoS (denial-of-service) attacks, 91, setting up bridges, 88–89 168, 193n2 setting up PF on, 13–15 DragonFly BSD, 3n3, 5–6, 12 spamd spam-deferral daemon, dropped packets, 128 101, 105 drop value, 186 wireless interface configuration, 50 wireless network setup, 58–59 E WPA access points, 52–53 FreeBSD Handbook, 14 echo requests/replies, 38–41, 53, 69, from keyword, 33 82, 90, 92 FTP (file transfer protocol), 35–37, Engen, Vegard, 62n5 53–54 expiretable tool, 99n4 fetching list data via, 102 ftp-proxy with diversion or F redirection, 36–37 history of, 35, 35n5 failover, 148–156 security challenges, 35 CARP, 79, 150 variations on ftp-proxy setup, 37 kernel options, 150 ftp-proxy command, 13 network interface setup with enabling, 36 ifconfig, 151–154 redirection, 36–37 reverse mode, 36–37

Index 213 ftpproxy_flags variable, 36–37 I FTPS, 35n6 IBM Christmas Tree EXEC worm, 2n1 fw_update script, 48 ICMP, 37–41, 41n7, 124, 140 bandwidth allocation, 124 G letting pass unconditionally, 38 grep program, 113, 178 letting pass while stopping probes greyexp value, 107 from elsewhere, 39 greylisting, 104–108 path MTU discovery, 40–41 compensating for unusual ICMP6, 38 situations, 113–114 letting pass unconditionally, 38 defined, 104 letting pass while stopping probes keeping lists in sync, 112–113 from elsewhere, 39 online resources, 205–206 path MTU discovery, 41 in practice, 107–108 if-bound policy, 187–188 setting up, 104–105, 107 if_bridge module, 88 greytrapping, 109–111, 115 ifconfig command, 46n1, 59, 109, 148 adding to list, 111–112 bridge setup, 87–89 deleting from list, 112 interface groups, 84–85 logging, 167, 176 MTU, 40 H redundancy and resource Hail Mary Cloud sequence of brute- availability, 150–155, force attempts, 98, 98n2 158–160 hardware, 5, 207–210 running status of interfaces, 30 helping hardware support wireless networks, 49–53, 56–59 efforts, 210 ifstated interface state daemon, 157 issues facing hardware support ILOVEYOU worm, 2n1 developers, 209 inserts statistic, 23 pool memory, 190 interface groups, 84–85 selecting, 208–209 Interface Stats statistics, 23 selecting for wireless networks, 48 interval value, 188 Harris, Evan, 104 IP-based load balancing, 157–158 Hartmeier, Daniel, 4–5, 132, 136 IPFilter subsystem, 4–5, 4n4, 4n5, 8–9 hash mark (#), 13, 15 IPsec HFSC (Hierarchical Fair Service filtering on encapsulation Curve) algorithm, 123, interfaces, 55, 55n4 125–126, 134–135, 140–142 state synchronization, 155 queue definition, 140–141 with UDP key exchange, 55 transitioning from ALTQ to IPv4, 23–24 priority and queuing network address translation, system, 132–133 28–29, 54 tying queues into rule set, 141–142 nonroutable addresses, 91–94 high-latency value, 192 establishing global rules, 91 hostapd command, 52–53 restructuring rule set with host command, 18, 22, 34 anchors, 91–94 hostnames, 34 packet forwarding, 30 HTTP, 68, 75, 77–79, 99 routable addresses, 31–32, 66–79 fetching list data via, 102 DMZ, 70–71 NetFlow data collection, 181 load balancing with relayd, HTTPS, 77, 79 73–79

214 Index load balancing with redirection, NetFlow data collection, 176–182 72–73 flowd collector daemon, 177–182 wireless networks, 49–50, 54, 58 pfflowd tool, 182 IPv6, 24, 30, 37–38, 41, 67, 71, 73, 75, 81 setting up sensor, 176–177 NAT versus, 28–29 packet path through rule set, release of, 28 164–165 wireless networks, 49–50, 54, 56–59 to several pflog interfaces, 167 SNMP tools and MIBs, 182–183 K to syslog, 167–169 tracking statistics for each rule with KAME project, 28, 28n3 labels, 169–171 keep state flags S/SA rule, 17n3 logical NOT (!) operator, 42 keep state rules, 16–17, 17n3, 21, 26, log keyword, 162, 167 26n1, 41, 68, 188 log (m atches) clause, 164–165 kernel memory, 189–190 Knight, Joel, 183 M L MAC addresses bridges, 87 labels, 169–171 filtering, 46–47, 46n2, 60 leaf queues, 126–127 IP-based load balancing, 157–158 limit option, 189 Mac OS X, 3n3 linkshare value, 140–141 macros Linux defined, 18–19 BSD versus, 6–7 defining, 18–19 network interface naming defining local network, 29 conventions, 6 expanding into separate rules, porting PF to Linux machines, 7 20–21 lists usefulness of, 19–20 defined, 18 mail servers usefulness of, 20 NAT, 79 load balancing routable IPv4 addresses, 66–69 CARP for, 157 mail-in/mail-out labels, 170 load-balancing mode, 158 management information bases setting up, 158–160 (MIBs), 182–183 redirection for man pages, 9 NAT, 81 match rules, 31–32 routable IPv4 addresses, 72–73 debugging, 198 with relayd daemon, 73–79 load balancing, 73–74, 79, 83 synproxy state option, 68 logging, 164–165 log (all) clause, 165–166 packet normalization, 193–194 logger option, 169 spam, 103 logging, 161 tags, 85 all packets, 165–166 traffic shaping, 119, 121–122, 124– basic concepts, 162–164 126, 130, 132, 134, 137–138, graphing traffic with pfstat, 141–142 173 –175 wireless networks, 54 legal implications of, 166 max-src-conn-rate state-tracking monitoring with pftop, 173 option, 97 monitoring with systat, 171–173 max-src-conn state-tracking option, 97

Index 215 max state-tracking option, 98 O McBride, Ryan, 5 oldqueue keyword, 133 mekmitasdigoat passphrase, 154, 154n2 OpenBSD MIBs (management information approach to security, 2, 2n2 bases), 182–183 bridge setup, 87–88 Miller, Damien, 178, 182 configuration files, 7 Morris worm, 2n1 configuring wireless interface, 50 history of, 3–5 N purchasing, 205–206 NAT (network address translation), 31, setting up ALTQ framework on, 135 71, 73, 79–84, 165 setting up PF on, 12–13, 12n1 IPv6 versus, 28–29 wireless network setup, 56–57 release of, 28 WPA access points, 51–52 wireless networks, 54–55, 61 operating system-based queue nat rule, 32 assignments nat-to keyword, 31–32, 54, 81, 83–84, ALTQ framework, 145 138, 164–165 priority and queuing system, 131 neighbradv (neighbor advertisements), 41 optimization option, 192 neighbrsol (neighbor solicitations), 41 overload option, 97–99 NetBSD, 3n3, 5 ALTQ framework, 144–145 bridge setup, 89–90 priority and queuing system, configuring wireless interface, 50 130–131 online resources, 204 setting up ALTQ P framework on, 136 packet-filtering gateways, 25 setting up PF on, 15–16 FTP, 35 –37 spamd spam-deferral daemon, 101 ftp-proxy with diversion or NetFlow, 176 –182 redirection, 36–37 collectors variations on ftp-proxy setup, 37 choosing, 178 simple, 25–34, 26f defined, 176 defining local network, 29 data collection with pfflowd, 182 in/out rules, 26–27 flowd collector daemon, 177–182 NAT versus IPv6, 28–29 flow-tools program, 177 setting up, 29–33 nfdump program, 177 testing rule set, 34 sensors tables, 42–43 defined, 176 troubleshooting-friendly networks, setting up, 176 –177 37–41 net-snm p package, 183 letting ICMP pass, 38–39 network address translation (NAT), 31, path MTU discovery, 40–41 71, 73, 79–84, 165 ping command, 39 IPv6 versus, 28–29 traceroute command, 40 release of, 28 Packet Filter subsystem. See PF (Packet wireless networks, 54–55, 61 Filter) subsystem nfdump tool, 177 packet forwarding, 30 nixspam blacklist, 115 Packets In/Out statistics, 23 nohup command, 168 packet tagging, 85–86 no-sync option, 156 pass all rule, 15, 22 NTP, 33 pass in rule, 26, 33 nwid parameter, 49, 56 pass out rule, 16–17, 27 nwkey parameter, 50, 56

216 Index passtime value, 107 pfflowd tool, 182 path MTU (maximum transmission pflogd logging daemon, 162 unit) discovery, 38, 40–41 logging to several interfaces, 167 pf_rules= setting, 13 logging to syslog, 168 PF (Packet Filter) subsystem, 1–2 pflow(4) interface, 176 –182 displaying system information, data collecting, reporting, and 22–24 analysis, 177–182 history of, 4–5 setting up sensor, 176–177 IPFilter configuration pfSense, 8 compatibility, 4n5, 8–9 pfstat command, 173 –175, 175f migrating from other systems, 6–9 pfsync protocol, 154–155 copying across IPFilter pftop command configuration to OpenBSD, traffic monitoring, 173, 173n1 8–9 ping6 command, 39 Linux versus BSD, 6–7 ping command, 39 porting to Linux machines, 7 ping of death bug, 38 rule syntax changes, 9 PPP, 31 tools for configuration file PPP over Ethernet (PPPoE), 31 management, 7–8 prio keyword, 119–121 tools for converting network priority and queuing system, 118–131 setups, 8 handling unwanted traffic, 130–131 performance improvements, 5 operating system-based queue purpose and function of, 3 assignments, 131 rule set configuration overloading to tiny queues, simple, 16–18 130–131 stricter, 18–22 queues for bandwidth allocation, setting up, 12–16 121–130 on FreeBSD, 13–15 DMZ network with traffic on NetBSD, 15–16 shaping, 128–130 on OpenBSD, 12–13 fixed, 123–125 wireless access point rule set, 53–54 flexible, 125–128 pfctl command-line administration HFSC algorithm, 123 tool, 11–12 setting traffic priorities, 119–121 debug level, 191 assigning two priorities, disabling PF, 12, 197 120–121 displaying system information, prio priority scheme, 119–120 22–23, 189 transitioning from ALTQ to, displaying verbose output, 20–21 131–133 enabling PF, 12, 13 priq (priority) queues, 131–132, expiring table entries, 99 134–138 fetching periodic data, 170 match rule for queue assignment, flushing existing rules, 22 137–138 list current contents of anchors, 92 performance improvement, load rules into anchors, 92 136–137 manipulating anchor contents, 92 proactive defense, 95–115 memory pool information, 190 spam, 100–114 parsing rules without loading, 21 blacklisting, 100–103 traffic tracking totals on per-rule compensating for unusual basis, 169–170 situations, 113–114 viewing rule numbers and debug content filtering, 100 information, 197–198 detecting out-of-order MX use, 113

Index 217 proactive defense, spam (continued) R greylisting, 104–108 random early detection (RED), 137 greytrapping, 109–111 random option, 72–73 list management with spamdb, rc script, 13–15, 30 111–113 rdr-anchor anchor, 74 tips for fighting, 115 rdr-to keyword, 36, 75, 80, 83, 103, 164 updating whitelists, 108–109 realtime value, 141 SSH brute-force attacks, 96–99 reassemble option, 192–193 defined, 96 RED (random early detection), 137 expiring tables using pfctl, 99 redirection overview, 96 FTP, 36 setting up adaptive firewalls, for load balancing 97–99 NAT, 81 routable IPv4 addresses, 72–73 Q public networks, 62–63 qlimit value, 125–126, 141 with relayd daemon, 73–75 queues. See also priority and queuing redundancy and resource availability, system 147–160 for bandwidth allocation, 121–122 failover DMZ network with traffic CARP, 150–154 shaping, 128–130 pfsync protocol, 154–155 fixed, 123–125 rule set, 155–156 flexible, 125–128 load balancing, 157–160 HFSC algorithm, 123 CARP in load-balancing handling unwanted traffic mode, 158 overloading to tiny queues, setting up CARP, 158–160 130–131 redundant pair of gateways, queue assignments based 148–150, 149f on operating system Reed, Darren, 4 fingerprint, 131 relayctl administration program, 76–77 queue-scheduler algorithms relayd daemon, 73–79, 73n2 (disciplines), 134–135 CARP, 79 class-based bandwidth allocation, checking configuration before 132–133, 135 starting, 76 queue definition, 139–140 checking interval, 75 tying queues into rule set, 140 HTTP, 77–78 HFSC algorithm, 123, 125–126, SSL, 78 132–135 relays, 73–75 queue definition, 140–141 removals statistic, 23 tying queues into rule set, return value, 186 141–142 round-robin option, 72 priority-based queues, 131–132, routeradv (router advertisements), 41 134–138 routersol (router solicitations), 41 match rule for queue assignment, rtadvd daemon, 54 137–138 rtsol command, 56, 58 performance improvement, ruleset-optimization option, 191 136–137 rule sets quick rules, 33, 192, 198 atomic rule set load, 21 bridges, 90–91 defined, 11 evaluation of, 17

218 Index queues for bandwidth allocation greytrapping, 109–111 fixed, 124–125 list management, 111–113 flexible, 126–128 keeping greylists in sync, restructuring with anchors, 91–94 112–113 simple, 16–18 updating lists, 111–112 overview, 16–18 logging, 103 testing, 18 stuttering, 100–101 stricter, 18–22 tarpitting, 100–101 checking rules, 21–22 tips for fighting, 115 overview, 19–20 updating whitelists, 108–109 reloading and looking for SpamAssassin, 100 errors, 20–21 spamdb tool testing, 22 adding/deleting whitelist using domain names and entries, 111 hostnames in, 34 greylisting, 104, 111–113 wireless access point, 53–54 keeping lists in sync, 112–113 writing to default deny, 18n4 updating lists, 111–112 greytrapping, 110–112 S adding to list, 111–112 deleting from list, 112 sample configurations, 203–204 spamd spam-deferral daemon, 13, satellite value, 192 100–114 SCP, 35, 124, 139–140 blacklisting, setting up, 101–103 scrub keyword detecting out-of-order MX use, 113 fragment reassembly options, greylisting, 104–108 192–193 compensating for unusual packet normalization, 193 situations, 113–114 Secure Shell. See SSH defined, 104 self keyword, 32 function of, 106 Sender Policy Framework (SPF) in practice, 107–108 records, 114, 114n7 setting up, 104–105, 107 set skip on lo rule, 13, 15–16 greytrapping, 109–111 SFTP, 35 list management with spamdb, Simple Network Management Protocol 111–113 (SNMP), 182–183, 182n5 keeping greylists in sync, skip option, 187 112–113 SMTP, 22, 68–69, 95, 100–106, updating lists, 111–112 108–110, 113–114, 164 logging, 103 SNMP (Simple Network Management online resources, 205–206 Protocol), 182–183, 182n5 updating whitelist, 108–109 Solaris, 8–9 spamlogd whitelist updater, 108–109, 167 spam, 100–114 SPF (Sender Policy Framework) blacklisting, 100–103, 101–103 records, 114, 114n7 content filtering, 100 spoofing, 194–195, 194f detecting out-of-order MX use, 113 SSH (Secure Shell), 33, 48, 156 greylisting authpf program, 60 compensating for unusual bandwidth allocation, 124, 139 situations, 113–114 brute-force attacks, 96–99 defined, 104 defined, 96 function of, 106 expiring tables using pfctl, 99 in practice, 107–108 overview, 96 setting up, 104–105, 107 setting up adaptive firewalls, 97–99

Index 219 SSH (Secure Shell) (continued) strict rule sets, 21–22 traffic prioritizing, 119 tcpdump program, 198 VPNs, 55 two-priority configuration, 120 SSL encryption, 48, 78 UDP versus, 20 state defaults, 177, 188 tcpdump program, 162–163, 166, 168, state-defaults option, 188 198–199 state-policy option, 187–188 TCP/IP, 3 state tables, 22–23, 182, 187–189 ATLQ, 134 defined, 17 bridges, 86 logging, 171, 174, 175f, 176 FTP, 35n5 synchronizing, 154–155 NetFlow data collection, 176 State Table statistics, 23 network interface configuration, 24 state-tracking options, 97 packet filtering, 31 sticky-address option, 72–73, 75 redundancy and resource stuttering, 100–101 availability, 154 sudo command, 12, 14–16 total usable bandwidth, 122 symon utility, 175 troubleshooting-friendly networks, sync listeners, 112 37, 40 sync targets, 112 wireless networks, 46, 49, 56–57, 62 SYN-flood attacks, 68 testing, 195–196, 196t synproxy state option, 68 timeout option, 188–189 sysctl command, 88, 158 to keyword, 26–27 setting up CARP, 151 traceroute6 command, 39 turning on packet forwarding, 30 traceroute command, 39 syslogd logging daemon, 167–169 traffic shaping, 117–145 systat command ALTQ framework, 117–118, redundancy and resource 133–145 availability, 155, 160 basic ALTQ concepts, 134 traffic monitoring views, 171–173, class-based bandwidth 173n1 allocation, 139–140 traffic shaping, 127, 138, 142 handling unwanted traffic, system information, displaying, 22–24 144 –145 HFSC algorithm, 140–142 T priority-based queues, 136–145 queue-scheduler algorithms, tables. See also state tables 134–135 brute-force attacks, 97, 99 queuing for servers in DMZ, expiring table entries, 99 142–144 loading, 42 setting up, 135–136 manipulating contents of, 42–43 priority and queuing system, naming, 42 118–131 “probation”, 99 handling unwanted traffic, tagged keyword, 85, 87 130–131 tags, 85–86 queues for bandwidth tarpitting, 100–101 allocation, 121–130 TCP setting traffic priorities, ALTQ priority queues, 137 119–121 NetFlow data collection, 176, transitioning from ALTQ to, 179, 181 131–133 ports, 35 trojans (trojan horses), 2 protocol handler definitions, 78

220 Index troubleshooting-friendly networks, W 37–41 web servers letting ICMP pass NAT, 79 unconditionally, 38 routable IPv4 addresses, 66–67, 72, while stopping probes from 74–75, 77 elsewhere, 39 WEP (Wired Equivalent Privacy), 47, 59 path MTU discovery, 40–41 whiteexp value, 107 ping command, 39 whitelists, 101–102, 105 traceroute command, 40 adding/deleting entries, 111 two-priority configuration, keeping updated, 108–109 120–121, 132 wicontrol command, 46n1 Wi-Fi Protected Access. See WPA U Wired Equivalent Privacy (WEP), 47, 59 UDP, 21, 33, 40, 61, 168 wireless networks, 45–63, 205 IPsec with UDP key exchange, 55 guarding with authpf, 59–63 NetFlow data collection, basic authenticating gateways, 176 –177, 179 60–62 TCP versus, 20 public networks, 62–63 up parameter, 49, 56 privacy mechanisms upperlimit value, 141 MAC address filtering, 46–47 user_ip macro, 62 W EP, 47 WPA, 47–48 selecting hardware for, 48 V setting up, 48–59 verbose output access point PF rule set, 53–54 flowd-reader program, 178 –179, 181 access points with three or pfctl administration tool, 20–21 more interfaces, 54–55 spamd spam-deferral daemon, client side, 55 102, 107 configuring interface, 49–51 vhid (virtual host ID) parameter, 152 FreeBSD setup, 58–59 virtual local area networks FreeBSD WPA access points, (VLANs), 70f 52–53 virtual private networks (VPNs), 55 initializing card, 48–49 Virtual Router Redundancy Protocol OpenBSD setup, 56–57 (VRRP), 148, 152 OpenBSD WPA access points, viruses, defined, 2 51–52 VLANs (virtual local area VPNs, 55 networks), 70f worms, 2, 2n1 VoIP (Voice over Internet Protocol), WPA (Wi-Fi Protected Access), 119–120 47–48, 59 VPNs (virtual private networks), 55 FreeBSD access points, 52–53 VRRP (Virtual Router Redundancy OpenBSD access points, 51–52 Protocol), 148, 152 wpakey parameter, 56

Index 221