OpenBSD Journal

[BookReview] Building Linux and OpenBSD Firewalls

Contributed by Dengue on from the our-very-first-review dept.

Byron Sonne graciously submitted a review of "Building Linux and OpenBSD Firewalls".

Building Linux and OpenBSD Firewalls
Copyright 2000 by Wes Sonnenreich and Tom Yates
Published by John Wiley & Sons, Inc.
ISBN 0-471-35366-3
$69.95 CAN, $44.99 USA
352 pages

This is one of those rare books that makes me think, "Gee, someone out there is on the same wavelength as I am". While all the information in this book can be found in man pages or on the internet, it packages it all conveniently in one chunk. What we are given is a book that serves as the best introduction to firewall design and implementation that I have yet seen. Experts will probably not find anything new in this book but it will still serve as excellent reference material. It even contains a brief vi tutorial :)

The book is written with a great sense of humour, so people that are expecting a dry technical volume may be put off by this, as well as the authors' proclivity to extol the virtues of the open source philosophy at every possible opportunity. Mind you, these are some of the same reasons that I enjoyed the book as much as I did. If someone were to slap a picture of an animal on the cover, this book would be right at home in the O'Reilly nutshell series.

What made this book particularly valuable, in my opinion, was that the authors chose to focus on BOTH Linux and OpenBSD. Being able to compare both platforms is intrinsically interesting and very helpful: while most people are probably buying this book because Linux is in the title, it will help get OpenBSD's foot in the door. It outlines the differences quite well and fairly, and in my opinion, OpenBSD emerges as the clear winner for the purpose of building a firewall. Linux users please don't flame me; read this book first and then tell me if you still disagree. Chapter 4 is dedicated entirely to the issue of choosing which OS to use, even taking the time to discuss the idiocy of OS holy wars, a subject sure to arise in a topic like this.

While reading this book, I got the feeling that the authors do indeed have the day-to-day experience with either OS that they claim to have. A lot of handy tips are included, as well as great information about the nature of many attacks that a firewall could be subjected to. I'm not saying that this book is a primer for TCP/IP, but the sections that deal with it could be excerpted from the book and published as a separate guide, and still be useful.

The only problems I had with this book were the Linux distro they chose to focus on, which was RedHat, and the versions of either OS (6.0 for RedHat and 2.5 for OpenBSD). Nothing against RedHat, it makes sense to focus on it due to the large market share it has, but information specific to other distros such as SuSE, Slackware and Debian would have been a great touch. Also, if I recall correctly, the framework for packet mangling in Linux has changed for the 2.4 kernel, so newcomers looking to build a Linux firewall with the latest and greatest might have issues here. I know things can't be cutting edge when you're printing on dead trees, so I look forward to seeing new editions of this book that cover changes as they arise. These are personal gripes. If you have half a brain you should be able to extrapolate the information you need and apply it appropriately.

To sum it up, this is a great book. If you work for, or know, someone who is thinking of dropping a whack of dough on Borderware, FW-1 or a Pix, then buy them this book and force them to read it. It reads like a manifesto and is written like a good HOWTO.

  • Chapter 1: The ABCs of Network Security, 15 pages
  • Chapter 2: Fundamental Internet Security Issues, 17 pages
  • Chapter 3: How Secure Should Your Network Be?, 66 pages
  • Chapter 4: Choosing an OS: Linux versus OpenBSD, 18 pages
  • Chapter 5: Getting the Right Hardware, 17 pages
  • Chapter 6: Installing Linux, 23 pages
  • Chapter 7: Configuring the Firewall under Linux, 25 pages
  • Chapter 8: Installing OpenBSD, 36 pages
  • Chapter 9: Configuring the Firewall under OpenBSD, 43 pages
  • Chapter 10: Tuning Your Firewall, 20 pages
  • Chapter 11: Intrusion Detection and Response, 14 pages
  • Chapter 12: Loose notes, 19 pages
  • Index: 10 pages and plenty of entries



Comments
  1. By Jeff () no@thanks.com on none

    This is not published by ORA, but John Wiley & Sons...
    http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471353663

    Comments
    1. By James Phillips () dengue@deadly.org on file:/dev/null

      Doh! My bad.... Everything I read is from O'Reilly, and I just wasn't thinkin. Bad Webmaster, no bone!

    2. By Byron Sonne () blsonne@home.com on mailto:blsonne@home.com

      I don't know where you get the idea that it was said this book was published by ORA... The 3rd line down from the top clearly says Wiley.

      Regards,
      Byron

      Comments
      1. By Jeff () no@thanks.com on none

        Originally, the article snippet on the main page said it was ORA; that is what I was making reference to. And it is now fixed.

      2. By James Phillips () dengue@deadly.org on file:/dev/null

        My bad Byron, I mistakenly called it an O'Reilly publication in the opening paragraph. I fixed the article so the reference to O'Reilly is no longer there.

        Comments
        1. By Byron Sonne () blsonne@home.com on mailto:blsonne@home.com

          Greetings,

          After reading my comment I realized that I sounded like a bit of a prick there. That was not my intention; but I would like to apologize anyways.

          Regards,
          Byron

  2. By some guy that visits this site a lot... () on

    First off, I really liked this review (more reviews!) and I really liked the book. I do think it's true that experts won't find anything new. However, I'm not an expert but I'm trying :-)

    It is very fun to read and there are quite a few funny parts that suck you into the material and stop you from falling asleep (firewalls can be dry material). This is the type of book that helps you put up a firewall, with no OpenBSD experience. I didn't encounter any problems building mine, but if you do I might think you won't find too much help here. You'll have to figure out how to carry on with the lesson by yourself. There's no mention of anything ISDN (some of us are still stuck with ISDN), but that's ok.

    OpenBSD did come up on top, which may have been helped by Theo's involvement by helping the author (does not appear in the book)? OpenBSD may have been made more accessible to the Linux community with this book. Maybe some people will move to OpenBSD. It must be said, the book offers a very neutral perspective on the comparison of the two camps. Especially the GPL vs. BSD section (no rel. wars here). It didn't leave me with the notion OpenBSD rules as a firewall and Linux doesn't.

    Intrusion Detection is a bit short, I wish they had included a little more. If they'd copied a little bit of that from "Maximum Linux Security" it may have been a little better.

    All in all, a good book that's worth the money (I've read it twice). I may be biased towards OpenBSD but this is a well rounded book, it's fun to read, offers nice information, and has "OpenBSD" in the title.

    Darn, I ended up writing a review, when all I wanted to say is I liked this review and I knew I should have written one on this book earlier :-)

    Comments
    1. By Tony () aschlemm@comcast.net on mailto:aschlemm@comcast.net

      There are many of us that use both OpenBSD and Linux. Where many Linux users are finding a use for OpenBSD is in that system that is one of the most important on our network and that is for our firewall. I'd love to have a dedicated firewall that only did firewalling and NAT but being short on space I also have my firewall running ntpd, and dhcpd. I also share a laser printer through lpd and Samba. Yep I know it's bad to run servers on a firewall but my ruleset is set up to block any outside access to the running services so this isn't a problem.

      I also have a VPN setup using isakmpd between my office's little Netgear FVS318 firewall appliance and my firewall so I now have the option to work from home. :)

  3. By Curtis Collicutt () on

    I am very glad that this book arrived on the scene. If it were not for this book I would have likely implemented my firewall with Linux rather than OpenBSD. Now all I need is an OpenBSD specific manual (as the FAQ, while very well done, just doesn't seem to get through my thick skull).

    Also, I will never understand how publishers determine the price of a book, as $70 is steep.

    Comments
    1. By Goetz.R () Roland.Goetz@erl.sbs.de on mailto:Roland.Goetz@erl.sbs.de

      I ordered the book at amazon.com
      price 35.99 $
      shipping 5.95 $
      ----------------
      41.94 $
      What is not nice is the long time to get it shipped. Still waiting. I am in Germany

      Comments
      1. By daniel () toowonderful@hotmail.com on mailto:toowonderful@hotmail.com

        I checked out the price at www.bookpool.com and
        it's selling for $27.50 (U.S. dollars)

    2. By Dave () karnak@nova.org on mailto:karnak@nova.org

      OpenBSD had not released a manual yet - but I have not had any problems with it - it is like FreeBSD so if I get lost and no FAQ will help - I just open the handy dandy FreeBSD manual - HEY OPENBSD GUYS - when ya gonna put out a manual for me to buy?!?!?!?!

  4. By Karnak () karnak@nova.org on mailto:karnak@nova.org

    The June 2000 Sysadmin mag had a wonderful article on how to set up IPFilter on FreeBSD. After the set up - you can use Building Linux and OpenBSD Firewalls as an excellent IPFilter reference.

    Comments
    1. By Anonymous Coward () on

      You are absolutely sure!

      It's a good IPFilter reference, and it's now
      mainly used on FreeBSD and NetBSD.

      This good book is completely outdated; it compares
      ipchains on Linux with IPFilter on OpenBSD.

  5. By Philip Jensen () phil_jensen@yahoo.com on mailto:phil_jensen@yahoo.com

    I think it would've helped the cause to include CDs of both Linux (at least the version used for the book) and OpenBSD. This is nearly becoming the standard for technical books relying on Open Source tools.

    Overall it is good to see OpenBSD get out there commercially. I even saw the book on my local bookstore shelves, and 2 copies at that.

    Comments
    1. By Tyrann () Tyrann@Astux.com on http://www.Astux.com

      With a new release of OpenBSD every 6 months, the CD would soon become obsolete.

  6. By Stefan Feurle () phuego@phlatcode.de on www.phlatcode.de

    Your review made me very interested in this book.
    I tried to order it at amazon, but they don't have it in stock; even a search on
    John Wiley & Sons webpage remained unsuccessful.

    So tell me please where I can purchase it.

    thanx,
    phuego

    Comments
    1. By Anonymous Coward () on

      Greetings,


      I'm guessing you're in Germany... so I don't have any idea where you can buy it over there. I'm located in Toronto, Canada, and I purchased my copy at 'The World's Biggest Bookstore'.

      I try never to buy things online because I always (with the exception of buying my OpenBSD CDs) get shipped the wrong thing or the couriers lose my order.


      As a side note, perhaps the people who sell the OpenBSD CDs ('The Computer Shop' in Calgary, Canada?) ought to carry this book, it would be most helpful and tie in really well.


      Regards,
      Byron

      Comments
      1. By Cabl3 () openbsd@cybercable.fr on mailto:openbsd@cybercable.fr

        Well I got mine from www.bookpool.com (BTW, this site which specializes in Technical books usually has much lower prices than Amazon). I'm located in France.

  7. By Cabl3 () openbsd@cybercable.fr on mailto:openbsd@cybercable.fr

    Hi,

    I began fiddling around with OpenBSD 3/4 months ago and I'm really astonished by the very quality of this wonderful OS.

    I think that OpenBSD deserves more coverage (that's why I started wearing BlowFish or OBSD cop gear ;-) ) and this book is truly GUH-REAT. It has a companion website where you can find very interesting pieces of info and updates to the book.

    Get this book if you can (very funny style), buy OpenBSD CDs (as it helps the project) and feel the groove ;-).

    Regards,

  8. By lambchop () i_lambchop@yahoo.com on Yes, Please!

    I love this book! I am (still) a command line newbie. When I bought this book, (about two years ago, or so) I didn't know doodly-squat about OpenBSD; and I didn't really know that much about Linux either. But with this book, I was able to not only install OpenBSD (come on, when you're coming at OpenBSD from a Winbloze background, that installer can be pretty scary;), but within 45 minutes of installation, I had a functioning, functional, and more importantly, secure firewall protecting my little network from all the baddies on the Internet. I can't get over how accurate, helpful, and practical the information in this book is. I can't recommend this book enough! Now if only the authors would write more books, on other topics (like women;)!

  9. By ZZ () zz@mickey.cc.uic.edu on http://mickey.cc.uic.edu

    I was breezing through this book and reading it somewhat and looking at the examples. Not only was the author knowledgeable but as said, he was amusing. His examples were sensible. I was and am a Linux user, but as I am evolving, I am moving towards the BSDs. OpenBSD is the newest one that I have jumped into. It's BEAUTIFUL. Not a lot of "hoopla" and it gets the job done. FreeBSD I have used but I still don't love it. NetBSD I will work with soon. Anyways, the OpenBSD firewall section was of great help. I would purchase it if I wasn't plumb broke. But reading through it was enough for me to know that this book is a great book.

  10. By John Smith () on

    Year 2000. I hope that the author has time to update this book. We have now Linux kernel 2.4.xx with iptables, OpenBSD 3.3 and especially Gentoo Linux.

    The basics are the same but the little bits have changed a lot. When building a firewall these little bits are important.

    Anyway, a great book.

    BR, JS

    Comments
    1. By goon () goonmail@netspace.net.au on slashdot.org/~goon

      Try http://www.openlysecure.org/ - according to the site the authors have 0.5 completed the second edition but the publishers are holding off.
