pfctl.8 (148011) | pfctl.8 (171172) |
---|---|
1.\" $OpenBSD: pfctl.8,v 1.118 2005/01/05 23:41:45 jmc Exp $ | 1.\" $OpenBSD: pfctl.8,v 1.128 2007/01/30 21:01:56 jmc Exp $ |
2.\" 3.\" Copyright (c) 2001 Kjell Wooding. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. --- 9 unchanged lines hidden (view full) --- 19.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26.\" | 2.\" 3.\" Copyright (c) 2001 Kjell Wooding. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. --- 9 unchanged lines hidden (view full) --- 19.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26.\" |
27.\" $FreeBSD: head/contrib/pf/pfctl/pfctl.8 148011 2005-07-14 20:29:08Z brueffer $ | 27.\" $FreeBSD: head/contrib/pf/pfctl/pfctl.8 171172 2007-07-03 12:30:03Z mlaier $ |
28.\" 29.Dd November 20, 2002 30.Dt PFCTL 8 31.Os 32.Sh NAME 33.Nm pfctl 34.Nd "control the packet filter (PF) and network address translation (NAT) device" 35.Sh SYNOPSIS 36.Nm pfctl 37.Bk -words | 28.\" 29.Dd November 20, 2002 30.Dt PFCTL 8 31.Os 32.Sh NAME 33.Nm pfctl 34.Nd "control the packet filter (PF) and network address translation (NAT) device" 35.Sh SYNOPSIS 36.Nm pfctl 37.Bk -words |
38.Op Fl AdeghmNnOoqRrvz | 38.Op Fl AdeghmNnOqRrvz |
39.Op Fl a Ar anchor | 39.Op Fl a Ar anchor |
40.Xo 41.Oo Fl D 42.Ar macro Ns = Ns Ar value Oc 43.Xc | 40.Oo Fl D Ar macro Ns = 41.Ar value Oc |
44.Op Fl F Ar modifier 45.Op Fl f Ar file 46.Op Fl i Ar interface | 42.Op Fl F Ar modifier 43.Op Fl f Ar file 44.Op Fl i Ar interface |
47.Op Fl k Ar host | 45.Op Fl K Ar host | network 46.Op Fl k Ar host | network 47.Op Fl o Op Ar level |
48.Op Fl p Ar device 49.Op Fl s Ar modifier | 48.Op Fl p Ar device 49.Op Fl s Ar modifier |
50.Oo Xo | 50.Oo |
51.Fl t Ar table 52.Fl T Ar command | 51.Fl t Ar table 52.Fl T Ar command |
53.Op Ar address ... Oc 54.Xc | 53.Op Ar address ... 54.Oc |
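Review bot: the SYNOPSIS now shows `-o` with an optional `level` but never names the accepted values, so a reader cannot tell from it whether `pfctl -o -f pf.conf` treats `-f` as the level or as the next flag; the -o entry further down spells out `none`, `basic` and `profile`, and the synopsis should either list those three levels or point at that entry. Dropping `o` from the `AdeghmNnOqRrvz` cluster is the right companion change now that the flag takes an argument, and `-K host | network` is consistent with the `-k` form beside it.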
55.Op Fl x Ar level 56.Ek 57.Sh DESCRIPTION 58The 59.Nm 60utility communicates with the packet filter device using the 61ioctl interface described in 62.Xr pf 4 . --- 72 unchanged lines hidden (view full) --- 135Evaluation of 136.Ar anchor 137rules from the main ruleset is described in 138.Xr pf.conf 5 . 139.Pp 140For example, the following will show all filter rules (see the 141.Fl s 142flag below) inside the anchor | 55.Op Fl x Ar level 56.Ek 57.Sh DESCRIPTION 58The 59.Nm 60utility communicates with the packet filter device using the 61ioctl interface described in 62.Xr pf 4 . --- 72 unchanged lines hidden (view full) --- 135Evaluation of 136.Ar anchor 137rules from the main ruleset is described in 138.Xr pf.conf 5 . 139.Pp 140For example, the following will show all filter rules (see the 141.Fl s 142flag below) inside the anchor |
143.Li authpf/smith(1234) , 144which would have been created for user smith by | 143.Dq authpf/smith(1234) , 144which would have been created for user 145.Dq smith 146by |
145.Xr authpf 8 , 146PID 1234: 147.Bd -literal -offset indent 148# pfctl -a "authpf/smith(1234)" -s rules 149.Ed 150.Pp 151Private tables can also be put inside anchors, either by having table 152statements in the --- 5 unchanged lines hidden (view full) --- 158.Pp 159When a rule referring to a table is loaded in an anchor, the rule will use the 160private table if one is defined, and then fall back to the table defined in the 161main ruleset, if there is one. 162This is similar to C rules for variable scope. 163It is possible to create distinct tables with the same name in the global 164ruleset and in an anchor, but this is often bad design and a warning will be 165issued in that case. | 147.Xr authpf 8 , 148PID 1234: 149.Bd -literal -offset indent 150# pfctl -a "authpf/smith(1234)" -s rules 151.Ed 152.Pp 153Private tables can also be put inside anchors, either by having table 154statements in the --- 5 unchanged lines hidden (view full) --- 160.Pp 161When a rule referring to a table is loaded in an anchor, the rule will use the 162private table if one is defined, and then fall back to the table defined in the 163main ruleset, if there is one. 164This is similar to C rules for variable scope. 165It is possible to create distinct tables with the same name in the global 166ruleset and in an anchor, but this is often bad design and a warning will be 167issued in that case. |
168.Pp 169By default, recursive inline printing of anchors applies only to unnamed 170anchors specified inline in the ruleset. 171If the anchor name is terminated with a 172.Sq * 173character, the 174.Fl s 175flag will recursively print all anchors in a brace delimited block. 176For example the following will print the 177.Dq authpf 178ruleset recursively: 179.Bd -literal -offset indent 180# pfctl -a 'authpf/*' -sr 181.Ed 182.Pp 183To print the main ruleset recursively, specify only 184.Sq * 185as the anchor name: 186.Bd -literal -offset indent 187# pfctl -a '*' -sr 188.Ed |
|
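Review bot: the new recursive-printing paragraph (the `Sq *` text ending with the `pfctl -a '*' -sr` example) shows the anchor name single-quoted in both examples but never says why; add that the `*` has to be protected from the shell, since an unquoted `pfctl -a * -sr` would be expanded against the current directory before pfctl sees it. It also leaves open whether the `*` form is meaningful only with `-s` or is accepted by `-F` and `-f` as well; one sentence stating the scope would keep readers from expecting a wildcard flush or load to work.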
166.It Fl D Ar macro Ns = Ns Ar value 167Define 168.Ar macro 169to be set to 170.Ar value 171on the command line. 172Overrides the definition of 173.Ar macro --- 38 unchanged lines hidden (view full) --- 212order. 213.It Fl g 214Include output helpful for debugging. 215.It Fl h 216Help. 217.It Fl i Ar interface 218Restrict the operation to the given 219.Ar interface . | 189.It Fl D Ar macro Ns = Ns Ar value 190Define 191.Ar macro 192to be set to 193.Ar value 194on the command line. 195Overrides the definition of 196.Ar macro --- 38 unchanged lines hidden (view full) --- 235order. 236.It Fl g 237Include output helpful for debugging. 238.It Fl h 239Help. 240.It Fl i Ar interface 241Restrict the operation to the given 242.Ar interface . |
220.It Fl k Ar host | 243.It Fl K Ar host | network 244Kill all of the source tracking entries originating from the specified 245.Ar host 246or 247.Ar network . 248A second 249.Fl K Ar host 250or 251.Fl K Ar network 252option may be specified, which will kill all the source tracking 253entries from the first host/network to the second. 254.It Fl k Ar host | network |
221Kill all of the state entries originating from the specified | 255Kill all of the state entries originating from the specified |
222.Ar host . | 256.Ar host 257or 258.Ar network . |
223A second 224.Fl k Ar host | 259A second 260.Fl k Ar host |
261or 262.Fl k Ar network |
|
225option may be specified, which will kill all the state entries | 263option may be specified, which will kill all the state entries |
226from the first 227.Ar host 228to the second 229.Ar host . | 264from the first host/network to the second. |
230For example, to kill all of the state entries originating from | 265For example, to kill all of the state entries originating from |
231.Li host : 232.Bd -literal -offset indent 233# pfctl -k host 234.Ed | 266.Dq host : |
235.Pp | 267.Pp |
268.Dl # pfctl -k host 269.Pp |
|
236To kill all of the state entries from | 270To kill all of the state entries from |
237.Li host1 | 271.Dq host1 |
238to | 272to |
239.Li host2 : 240.Bd -literal -offset indent 241# pfctl -k host1 -k host2 242.Ed | 273.Dq host2 : 274.Pp 275.Dl # pfctl -k host1 -k host2 276.Pp 277To kill all states originating from 192.168.1.0/24 to 172.16.0.0/16: 278.Pp 279.Dl # pfctl -k 192.168.1.0/24 -k 172.16.0.0/16 280.Pp 281A network prefix length of 0 can be used as a wildcard. 282To kill all states with the target 283.Dq host2 : 284.Pp 285.Dl # pfctl -k 0.0.0.0/0 -k host2 |
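Review bot: the wildcard sentence ("A network prefix length of 0 can be used as a wildcard") and the `-k 0.0.0.0/0 -k host2` example appear only under -k, yet -K takes the same `host | network` pair and the same "from the first host/network to the second" semantics; either repeat the note under -K or state that it applies to both. The example is IPv4 only, so say whether `0.0.0.0/0` also matches IPv6 states or whether `::/0` is needed; an operator clearing states to a dual-stack host will otherwise miss half of them. Since `-k 0.0.0.0/0 -k host2` removes every state whose destination is host2, including any management session to that host, a one-line caution there would be cheap.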
243.It Fl m 244Merge in explicitly given options without resetting those 245which are omitted. 246Allows single options to be modified without disturbing the others: 247.Bd -literal -offset indent 248# echo "set loginterface fxp0" | pfctl -mf - 249.Ed 250.It Fl N 251Load only the NAT rules present in the rule file. 252Other rules and options are ignored. 253.It Fl n 254Do not actually load rules, just parse them. 255.It Fl O 256Load only the options present in the rule file. 257Other rules and options are ignored. | 286.It Fl m 287Merge in explicitly given options without resetting those 288which are omitted. 289Allows single options to be modified without disturbing the others: 290.Bd -literal -offset indent 291# echo "set loginterface fxp0" | pfctl -mf - 292.Ed 293.It Fl N 294Load only the NAT rules present in the rule file. 295Other rules and options are ignored. 296.It Fl n 297Do not actually load rules, just parse them. 298.It Fl O 299Load only the options present in the rule file. 300Other rules and options are ignored. |
258.It Fl o 259Enable the ruleset optimizer. | 301.It Fl o Op Ar level 302Control the ruleset optimizer. |
260The ruleset optimizer attempts to improve rulesets by removing rule 261duplication and making better use of rule ordering. | 303The ruleset optimizer attempts to improve rulesets by removing rule 304duplication and making better use of rule ordering. |
262Specifically, it does four things: | |
263.Pp | 305.Pp |
306.Bl -tag -width xxxxxxxxxxxx -compact 307.It Fl o Cm none 308Disable the ruleset optimizer. 309.It Fl o Cm basic 310Enable basic ruleset optimizations. 311.It Fl o Cm profile 312Enable basic ruleset optimizations with profiling. 313.El 314.Pp 315.Cm basic 316optimization does does four things: 317.Pp |
|
264.Bl -enum -compact 265.It 266remove duplicate rules 267.It 268remove rules that are a subset of another rule 269.It 270combine multiple rules into a table when advantageous 271.It 272re-order the rules to improve evaluation performance 273.El 274.Pp | 318.Bl -enum -compact 319.It 320remove duplicate rules 321.It 322remove rules that are a subset of another rule 323.It 324combine multiple rules into a table when advantageous 325.It 326re-order the rules to improve evaluation performance 327.El 328.Pp |
275A second 276.Fl o 277may be specified to use the currently loaded ruleset as a feedback profile 278to tailor the optimization of the | 329If 330.Cm profile 331is specified, the currently loaded ruleset will be examined as a feedback 332profile to tailor the optimization of the |
279.Ar quick 280rules to the actual network behavior. 281.Pp 282It is important to note that the ruleset optimizer will modify the ruleset 283to improve performance. 284A side effect of the ruleset modification is that per-rule accounting 285statistics will have different meanings than before. 286If per-rule accounting is important for billing purposes or whatnot, either 287the ruleset optimizer should not be used or a 288.Ar label 289field should be added to all of the accounting rules to act as optimization 290barriers. | 333.Ar quick 334rules to the actual network behavior. 335.Pp 336It is important to note that the ruleset optimizer will modify the ruleset 337to improve performance. 338A side effect of the ruleset modification is that per-rule accounting 339statistics will have different meanings than before. 340If per-rule accounting is important for billing purposes or whatnot, either 341the ruleset optimizer should not be used or a 342.Ar label 343field should be added to all of the accounting rules to act as optimization 344barriers. |
345.Pp 346To retain compatibility with previous behaviour, a single 347.Fl o 348without any options will enable 349.Cm basic 350optimizations, and a second 351.Fl o 352will enable profiling. |
|
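Review bot: "optimization does does four things" in the new -tag block duplicates "does". The rewrite also replaces the old "Enable the ruleset optimizer" with "Control the ruleset optimizer" without stating the default: say explicitly that with no -o the optimizer is off (the compatibility paragraph only implies it by making a bare -o equal `basic`), and say what `-o none` is for, presumably overriding an earlier -o on the same command line. Otherwise the three-level list and the compatibility paragraph agree: one -o is `basic`, two are `profile`.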
291.It Fl p Ar device 292Use the device file 293.Ar device 294instead of the default 295.Pa /dev/pf . 296.It Fl q 297Only print errors and warnings. 298.It Fl R --- 48 unchanged lines hidden (view full) --- 347.It Fl s Cm Sources 348Show the contents of the source tracking table. 349.It Fl s Cm info 350Show filter information (statistics and counters). 351When used together with 352.Fl v , 353source tracking statistics are also shown. 354.It Fl s Cm labels | 353.It Fl p Ar device 354Use the device file 355.Ar device 356instead of the default 357.Pa /dev/pf . 358.It Fl q 359Only print errors and warnings. 360.It Fl R --- 48 unchanged lines hidden (view full) --- 409.It Fl s Cm Sources 410Show the contents of the source tracking table. 411.It Fl s Cm info 412Show filter information (statistics and counters). 413When used together with 414.Fl v , 415source tracking statistics are also shown. 416.It Fl s Cm labels |
355Show per-rule statistics (label, evaluations, packets, bytes) of | 417Show per-rule statistics (label, evaluations, packets total, bytes total, 418packets in, bytes in, packets out, bytes out) of |
356filter rules with labels, useful for accounting. 357.It Fl s Cm timeouts 358Show the current global timeouts. 359.It Fl s Cm memory 360Show the current pool memory hard limits. 361.It Fl s Cm Tables 362Show the list of tables. 363.It Fl s Cm osfp 364Show the list of operating system fingerprints. 365.It Fl s Cm Interfaces 366Show the list of interfaces and interface drivers available to PF. | 419filter rules with labels, useful for accounting. 420.It Fl s Cm timeouts 421Show the current global timeouts. 422.It Fl s Cm memory 423Show the current pool memory hard limits. 424.It Fl s Cm Tables 425Show the list of tables. 426.It Fl s Cm osfp 427Show the list of operating system fingerprints. 428.It Fl s Cm Interfaces 429Show the list of interfaces and interface drivers available to PF. |
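Review bot: the -s labels rewrite adds four counters (packets in, bytes in, packets out, bytes out) to the description but says nothing about the output layout, which accounting scripts (the use this very entry advertises) read by field position; state whether the new columns are appended after the existing label, evaluations, packets total and bytes total fields, so that the old layout still holds as a prefix and existing parsers keep working.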
367When used together with a double | 430When used together with |
368.Fl v , | 431.Fl v , |
432it additionally lists which interfaces have skip rules activated. 433When used together with 434.Fl vv , |
|
369interface statistics are also shown. 370.Fl i 371can be used to select an interface or a group of interfaces. 372.It Fl s Cm all 373Show all of the above, except for the lists of interfaces and operating 374system fingerprints. 375.El 376.It Fl T Ar command Op Ar address ... --- 7 unchanged lines hidden (view full) --- 384Kill a table. 385.It Fl T Cm flush 386Flush all addresses of a table. 387.It Fl T Cm add 388Add one or more addresses in a table. 389Automatically create a nonexisting table. 390.It Fl T Cm delete 391Delete one or more addresses from a table. | 435interface statistics are also shown. 436.Fl i 437can be used to select an interface or a group of interfaces. 438.It Fl s Cm all 439Show all of the above, except for the lists of interfaces and operating 440system fingerprints. 441.El 442.It Fl T Ar command Op Ar address ... --- 7 unchanged lines hidden (view full) --- 450Kill a table. 451.It Fl T Cm flush 452Flush all addresses of a table. 453.It Fl T Cm add 454Add one or more addresses in a table. 455Automatically create a nonexisting table. 456.It Fl T Cm delete 457Delete one or more addresses from a table. |
458.It Fl T Cm expire Ar number 459Delete addresses which had their statistics cleared more than 460.Ar number 461seconds ago. 462For entries which have never had their statistics cleared, 463.Ar number 464refers to the time they were added to the table. |
|
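Review bot: the -T expire entry measures age from the last time an address's statistics were cleared; if -T zero (later in this list) is what clears them, the entry should spell out that zeroing a table restarts the expire clock for every address in it, otherwise an operator who zeroes counters for reporting and runs expire from cron will never see anything expire. Also, the argument is documented as `Ar number` while the text says seconds; naming it `Ar seconds` would make the unit visible in the command list itself.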
392.It Fl T Cm replace 393Replace the addresses of the table. 394Automatically create a nonexisting table. 395.It Fl T Cm show 396Show the content (addresses) of a table. 397.It Fl T Cm test 398Test if the given addresses match a table. 399.It Fl T Cm zero --- 60 unchanged lines hidden (view full) --- 460For example, the following commands define a wide open firewall which will keep 461track of packets going to or coming from the 462.Ox 463FTP server. 464The following commands configure the firewall and send 10 pings to the FTP 465server: 466.Bd -literal -offset indent 467# printf "table <test> { ftp.openbsd.org }\en \e | 465.It Fl T Cm replace 466Replace the addresses of the table. 467Automatically create a nonexisting table. 468.It Fl T Cm show 469Show the content (addresses) of a table. 470.It Fl T Cm test 471Test if the given addresses match a table. 472.It Fl T Cm zero --- 60 unchanged lines hidden (view full) --- 533For example, the following commands define a wide open firewall which will keep 534track of packets going to or coming from the 535.Ox 536FTP server. 537The following commands configure the firewall and send 10 pings to the FTP 538server: 539.Bd -literal -offset indent 540# printf "table <test> { ftp.openbsd.org }\en \e |
468 pass out to <test> keep state\en" | pfctl -f- | 541 pass out to |
469# ping -qc10 ftp.openbsd.org 470.Ed 471.Pp 472We can now use the table 473.Cm show 474command to output, for each address and packet direction, the number of packets 475and bytes that are being passed or blocked by rules referencing the table. 476The time at which the current accounting started is also shown with the --- 135 unchanged lines hidden --- | 542# ping -qc10 ftp.openbsd.org 543.Ed 544.Pp 545We can now use the table 546.Cm show 547command to output, for each address and packet direction, the number of packets 548and bytes that are being passed or blocked by rules referencing the table. 549The time at which the current accounting started is also shown with the --- 135 unchanged lines hidden --- |
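Review bot: on the new side the printf example ends at `pass out to`, while the old side continues `<test> keep state\en" | pfctl -f-`; if the source really lost the rest of that line the example no longer loads a rule at all, and if this is only the diff viewer swallowing `<test>` as markup it is still worth re-checking the rendered page, since the same `<test>` token on the preceding `table <test> { ftp.openbsd.org }` line survived.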