Author: Michael Lucas

Writer. Sysadmin. Owns this site.
Posted on

Book Review: Book of PF, 3rd Edition

No Starch Press was kind enough to send me a review copy of the new 3rd edition of Peter Hansteen’s Book of PF. The first two editions are the standard reference work on the OpenBSD packet filter, and this is a topic I’ve written about in some depth before, so I’m fully prepared to eviscerate Hansteen if he screwed up.

Third edition, huh? So how does this stack up?

Let’s get the obvious out of the way. All three editions have yellow covers, but the first edition had blue trim; the second edition, pumpkin; the third, a kind of fern green.

Once you open the cover, you find that the third edition works much like the earlier editions, starting with a simple packet filter setup and building upon it. Building upon success is perhaps the best education technique, and it fits the topic quite well.

Structurally, BoPF3 is very similar to the earlier editions. CARP and redundancy now gets its own chapter, which is a welcome addition.

The real meat of this book is in the examples, tutorials, and explanations. PF has changed since the second edition, notably with more flexible traffic management and some syntax changes. Not all BSDs have remained synchronized with OpenBSD’s PF, so he has the unenviable job of documenting the differences between OpenBSD, NetBSD, and FreeBSD. He’s done an excellent job of this by combining information where appropriate, but breaking out some topics by operating system. For example, if a topic needs a sysctl, he lists them for each operating system. When a topic requires more in-depth explanation, such as traffic prioritization, he breaks out OpenBSD’s new priority system into one section and FreeBSD/NetBSD’s older altq prioritization scheme in another. This makes it very easy to find what you’re looking for. This book teaches you how to use PF to filter packets just as well as a million dollar appliance, with more insight and control.

One impressive thing is that this book is very clear. Giving a section a title like “Things You Can Tweak and What You Probably Should Leave Alone” gives you very definite ideas about what’s in this part of the book. Hansteen explicitly describes how PF works. He also discusses what happens when the real world impacts your firewall. He hasn’t just got PF up and running in his lab: he actually uses this stuff in the real world, with all its malformed packets and stupid protocol implementations and worse protocols, and keeps services running despite all that.

Complaints with this edition?

As with the earlier editions, the footnotes contain actual facts. It’s like Hansteen wants you to be able to go look up actual sources to verify what he says, instead of requiring us to trust him. As a writer, I prefer assuming blind faith and unyielding obedience from my readers.

If you use PF on any platform, buy this book. You can get it from Amazon (of course), and also get a combined print/DRM-free ebook deal direct from No Starch Press.

This ends the actual review. But someone is going to ask a couple things in the comments, so I’m jumping ahead of them here.

First: my general thoughts on authors writing reviews.

Second: Why hasn’t FreeBSD imported the latest PF?

The FreeBSD and OpenBSD network stacks have massively diverged in the last twenty years. OpenBSD’s kernel uses the Big Giant Lock model. FreeBSD’s kernel is much more finely locked, and the network stack can be in multiple CPU cores simultaneously. Despite their common heritage and licenses, FreeBSD and OpenBSD are different operating systems. They have different use cases. They are designed for different uses. They target different hardware.

FreeBSD’s previous PF import required a lot of work to make it fit its network stack. The FreeBSD Foundation invested a fair chunk of change in thrashing PF in the network test cluster and on high-performance customers so that it didn’t slow down the network stack. (It’s not that OpenBSD is slow, it’s just designed differently than FreeBSD.)

A “new import” is not trivial.

FreeBSD has a flexible firewall system, however. A new PF could be imported as, say, pf56.ko, without impacting the older PF import. You could use mailwrapper-like functionality to transparently assign the proper userland programs to the PF version in use. This can be done.

Nobody has done the work.

I suggest you get coding.

Posted on

Initial reactions to “Immortal Clay”

(For my own reference later.)

One of the worrisome things about putting out your own books is the concern that it might suck. I have a long track record in nonfiction, so I’m pretty confident there. But novels are a whole different art. When I put Immortal Clay out two weeks ago, I suspected that nobody would get past page two.

Most of the initial feedback came via Twitter, with things like:

So someone I know bought it. That’s cool.

Then some of my nonfiction readers picked it up, and gave it its own hashtag:

People began reading it, and said things like:

Then someone finished it:

So the real message came through? Excellent!

And then a couple comments in private mail, like:

“You bastard! That book kept me up half the night. There was just no good place to stop!

Yep. That’ll do.

If you’ve read the book, I’d appreciate a review on Amazon. There’s four right now. Amazon won’t show it in searches and “also bought” lists until there’s five.

Posted on

Sudo talk at mug.org, 9 Dec 2014

I’ll be talking at mug.org in Farmington Hills, MI, on 9 December 2014.

The topic is Sudo: You’re Doing It Wrong. If you use sudo, you need to show up for this. Because you’re doing it wrong. It’s based on Sudo Mastery, as you might guess.

Come to mug.org. They have cookies.

They usually record and show their talks, so if you can’t be bothered to go to Farmington Hills in December you can probably catch it on YouTube later. But it won’t be nearly as awesome.

Also, I’m planning to go to the IT in the D casual social event on 20 November 2014. I’m not speaking, just hanging out. Why?

Now that I’m a full time writer, this is my staff.
Tilted Windmill Press staff
They’re perfectly sociable, and definitely cuter than most of my previous co-workers, but they’re a little short in the techie conversation department.

So, yeah. Two chances to see me in the near future. No public appearances planned afterwards. I’ll be busy trying to teach my staff how to copyedit.

Posted on

And today, on Audible…

What? Lucas linking to an audiobook? What the heck?

My aversion to audiobooks is pretty well known (I don’t object to you listening to them, just don’t ask me to). But yep, I’m going to point you at Audible today.

John Campbell’s classic novella, Who Goes There, is on sale at Audible.com today for $0.99.

Less than a week ago, I put out a novel that owes certain literary debts to this classic SF work. It’s three-quarters of a century old, and certainly bears signs of the age it was written in, but when I first read it (decades ago) it left scars that endured until… well, until I had to write a novel about those scars.

Had I known this sale was coming, I would have… I dunno. Contacted Audible and begged for co-marketing? Something. Something cool.

Posted on

FreeBSD “Working copy ‘/usr/src’ locked.”

Poul-Henning Kamp is working with me on some GBDE fixes. Which means he sends me patches and says “Here, try this,” along with very valuable exposition on how GBDE works and the threat model it applies to. This means I’m updating frequently.

My usual update process is:

# cd /usr/src
# make update && make -j8 buildworld && make -j8 kernel && reboot

Half a second after typing this, I realized I’d forgotten to apply PHK’s latest patch. I hit CTRL-C during the make update before building an unsuitable userland. I need to do the source update, apply the patch, and then build everything.

# make update
--------------------------------------------------------------
>>> Updating /usr/src using Subversion
--------------------------------------------------------------
svn: E155004: Run 'svn cleanup' to remove locks (type 'svn help cleanup' for det
ails)
svn: E155004: Working copy '/usr/src' locked.
svn: E155004: '/usr/src' is already locked.
*** Error code 1

Stop.
make[1]: stopped in /usr/src
*** Error code 1

Fine. svn cleanup it is. But wait–I don’t have svn installed!

As a matter of principle, I don’t want to install svn on this test box. svnlite is what FreeBSD offers to users, so it should be able to handle everything.

The good news is, svnlite also have a cleanup feature.

# svnlite cleanup
# make update

And the update proceeds as I would hope.

Is this worth a PR to get the error message changed? Dunno. What do you think?

Now all I must do is master all the GBDE wisdom PHK dumped in my brain…

Posted on

New novel out: “Immortal Clay”

Most of you follow me for nonfiction, but this book just came out, so I’m gonna tell you about it anyway.

My SF novel, Immortal Clay, just hit Kobo and Amazon. It’s in process at other outlets like Barnes & Noble, iTunes, and so on, and print is forthcoming.

I’d describe this book as an alien invasion tale like Invasion of the Body Snatchers or The Thing, set after we lose.

You can read the opening on my web site. Or you can jump straight to Kobo or Amazon and buy it sight unseen. I’m good either way.

And Ben Baldwin did an absolutely amazing cover. I mean… wow! Click on the preview and take a look. If you have a big screen, look at the high-res version.

Posted on

Next Project: “Networking for Sysadmins”

FreeBSD Mastery: Storage Essentials is out for tech review. (If you’re reading the pre-pub book, you’ve got a few more days to get comments back to me.) I’ll then make the corrections and send it to copyediting.

So I’m writing another book.

The current title is Networking for System Administrators. (I’d like to work the word “Mastery” in there, but it sounds artificially kludged together, because it would be.) It’s a small book, readable in a couple hours.

I’ve worked in a whole bunch of IT organizations as both a system administrator and a network administrator. In most of them I get sucked into a bridge role because I can speak to both teams in their own language.

It’s hard to teach a network administrator to be a sysadmin. An enterprise often runs a dozen or more different operating system, and who knows how many variants of each. Plus, each team might configure their differently. “You need a password to sudo here, you need a Yubikey to log on here, you need a hole in the head to log on here…” oy vey! Asking a network administrator to learn all this is like asking a sysadmin to configure Cisco, RouterOS, and OpenBSD routers. It just isn’t going to happen.

But the basic principles of networking isn’t hard, and understanding basic networking can save the sysadmin so much time. A sysadmin who wants to learn networking is often referred to books like The TCP/IP Guide or TCP/IP Illustrated. These are awesome books, and some systems administrators (and all non-web app developers) need to read them. For the majority of sysadmins, they’re overkill. An enterprise database administrator who needs to understand TCP/IP window scaling to do his job should call his network administrator.

Instead, most sysadmins learn networking via occasional blog posts, Google searches, and oral tradition. This is a ghastly way to learn any technical topic.

The result? Calls the sysadmin doesn’t want to make and the network administrator doesn’t want to get.

  • “Did that firewall port ever get opened?”
  • “Is my server plugged into the right network?”
  • “What do you mean that service is broken, I can ping it?”
  • “That service isn’t working, I can’t ping it.”
  • “That UDP port isn’t open, I can’t telnet to it!”

    A knowledgeable sysadmin can quickly answer all of these questions for themselves without picking up the phone. And we wouldn’t be in IT if we wanted to talk on the phone.

    The table of contents so far is:

  • Introduction
  • Network layers — the bottom 4 layers, and troubleshooting pointers to later chapters
  • Ethernet
  • IPv4
  • IPv6
  • TCP/IP (protocols, ports, etc)
  • Active traffic (netstat)
  • DNS
  • Checking the Network (sending vs receiving)
  • tcpdump (what we receive)
  • netcat (what we send)
  • packet filtering for sysadmins
  • tracing problems (traceroute & mtr)

    This book also contains guidance on detecting an uneducated network administrator. “Filtering all ICMP, because ICMP is bad? Bzzzt!” I don’t put it in quite those terms, but… yeah. You at least need to know what you’re dealing with.

    Unlike my earlier Mastery books, the incomplete draft of this book will not be available for pre-order. Sales of books that I offer for pre-order are much lower than books I don’t offer pre-order on. Part of this is the topic–DNSSEC has less popular interest than SSH. But the sudo book is doing much less well than I expected, excluding a spike from the Slashdot review. (Reviews on sites like Slashdot help sales more than anything I’ve found.)

    From talking to other indie authors, it seems that an initial surge of sales strongly affects online bookstore’s algorithms. I say seems because most online bookstores do not make their algorithms public–they don’t want clever buggers like you telling me how to game their system.

    The only way for me to tell is to test it, however. I won’t be doing preorders for this book and the next FreeBSD Mastery title.

    I believe that many of my readers don’t need this book. I do hope that you’ll tell certain people you work with to read it, however. You know the ones I mean.

    More updates as events warrant. Or you can check Twitter for the hashtag #n4sa. (I’m not the only one with that hashtag, but it seems pretty rarely used, so I’ll claim it.)

    • Posted on

    Revoked and Replaced OpenPGP Key

    I uploaded a GPG key to subkeys.pgp.net back in 2005. It’s well past time for me to replace it. I covered creating your revocation certificate back in PGP & GPG, but didn’t actually write about using that revocation certificate. Nine years later… yeah, I better figure this out.

    So Io to the machine with my keypair, and create my revocation certificate.

    # gpg --output oldgpg.revoke.asc --gen-revoke E68C49BC

    sec 1024D/E68C49BC 2005-02-21 Michael Warren Lucas Jr (Author, consultant, sysadmin)

    Yep, that’s my old key.

    Create a revocation certificate for this key? (y/N) y
    Please select the reason for the revocation:
    0 = No reason specified
    1 = Key has been compromised
    2 = Key is superseded
    3 = Key is no longer used
    Q = Cancel
    (Probably you want to select 1 here)
    Your decision? 2

    Why is this key being revoked? Because it’s nine years old. I’ve generated a new key,

    Enter an optional description; end it with an empty line:
    >
    Reason for revocation: Key is superseded
    (No description given)
    Is this okay? (y/N) y

    Nobody cares about the details, so I don’t enter any.

    You need a passphrase to unlock the secret key for
    user: "Michael Warren Lucas Jr (Author, consultant, sysadmin) "
    1024-bit DSA key, ID E68C49BC, created 2005-02-21

    I enter my passphrase.

    ASCII armored output forced.
    Revocation certificate created.

    I now have a revocation certificate, oldgpg.revoke.asc. To activate it, I import it into my keyring.

    # gpg --import oldgpg.revoke.asc
    gpg: key E68C49BC: "Michael Warren Lucas Jr (Author, consultant, sysadmin) " revocation certificate imported
    gpg: Total number processed: 1
    gpg: new key revocations: 1
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0 valid: 2 signed: 14 trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1 valid: 14 signed: 1 trust: 14-, 0q, 0n, 0m, 0f, 0u
    gpg: next trustdb check due at 2020-10-13

    No passphrase needed–it just happens.

    Now: sleep tight, sweet prince.

    # gpg --send-keys E68C49BC
    gpg: sending key E68C49BC to hkp server subkeys.pgp.net

    My old key is dead.

    For the record, my new key is 1F2E54A8, for mwlucas at michaelwlucas dot com.

    Now if I could only kill 4EBA9723…