pf.conf.5 (170194) | pf.conf.5 (171172) |
---|---|
1.\" $FreeBSD: head/contrib/pf/man/pf.conf.5 170194 2007-06-01 21:33:21Z remko $ 2.\" $OpenBSD: pf.conf.5,v 1.292 2004/02/24 05:44:48 mcbride Exp $ | 1.\" $FreeBSD: head/contrib/pf/man/pf.conf.5 171172 2007-07-03 12:30:03Z mlaier $ 2.\" $OpenBSD: pf.conf.5,v 1.376 2006/12/01 07:23:26 camield Exp $ |
3.\" 4.\" Copyright (c) 2002, Daniel Hartmeier 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" --- 47 unchanged lines hidden (view full) --- 58Traffic normalization protects internal machines against inconsistencies 59in Internet protocols and implementations. 60.It Cm Queueing 61Queueing provides rule-based bandwidth control. 62.It Cm Translation Li (Various forms of NAT) 63Translation rules specify how addresses are to be mapped or redirected to 64other addresses. 65.It Cm Packet Filtering | 3.\" 4.\" Copyright (c) 2002, Daniel Hartmeier 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" --- 47 unchanged lines hidden (view full) --- 58Traffic normalization protects internal machines against inconsistencies 59in Internet protocols and implementations. 60.It Cm Queueing 61Queueing provides rule-based bandwidth control. 62.It Cm Translation Li (Various forms of NAT) 63Translation rules specify how addresses are to be mapped or redirected to 64other addresses. 65.It Cm Packet Filtering |
66Stateful and stateless packet filtering provides rule-based blocking or 67passing of packets. | 66Packet filtering provides rule-based blocking or passing of packets. |
68.El 69.Pp 70With the exception of 71.Cm macros 72and 73.Cm tables , 74the types of statements should be grouped and appear in 75.Nm pf.conf 76in the order shown above, as this matches the operation of the underlying 77packet filtering engine. 78By default 79.Xr pfctl 8 80enforces this order (see 81.Ar set require-order 82below). 83.Sh MACROS | 67.El 68.Pp 69With the exception of 70.Cm macros 71and 72.Cm tables , 73the types of statements should be grouped and appear in 74.Nm pf.conf 75in the order shown above, as this matches the operation of the underlying 76packet filtering engine. 77By default 78.Xr pfctl 8 79enforces this order (see 80.Ar set require-order 81below). 82.Sh MACROS |
84Much like 85.Xr cpp 1 86or 87.Xr m4 1 , 88macros can be defined that will later be expanded in context. | 83Macros can be defined that will later be expanded in context. |
89Macro names must start with a letter, and may contain letters, digits 90and underscores. 91Macro names may not be reserved words (for example 92.Ar pass , 93.Ar in , 94.Ar out ) . 95Macros are not expanded inside quotes. 96.Pp 97For example, 98.Bd -literal -offset indent 99ext_if = \&"kue0\&" 100all_ifs = \&"{\&" $ext_if lo0 \&"}\&" | 84Macro names must start with a letter, and may contain letters, digits 85and underscores. 86Macro names may not be reserved words (for example 87.Ar pass , 88.Ar in , 89.Ar out ) . 90Macros are not expanded inside quotes. 91.Pp 92For example, 93.Bd -literal -offset indent 94ext_if = \&"kue0\&" 95all_ifs = \&"{\&" $ext_if lo0 \&"}\&" |
101pass out on $ext_if from any to any keep state 102pass in on $ext_if proto tcp from any to any port 25 keep state | 96pass out on $ext_if from any to any 97pass in on $ext_if proto tcp from any to any port 25 |
103.Ed 104.Sh TABLES 105Tables are named structures which can hold a collection of addresses and 106networks. 107Lookups against tables in 108.Xr pf 4 109are relatively fast, making a single rule with tables much more efficient, 110in terms of --- 66 unchanged lines hidden (view full) --- 177can be used to add or remove addresses from the table at any time, even 178when running with 179.Xr securelevel 7 180= 2. 181.El 182.Pp 183For example, 184.Bd -literal -offset indent | 98.Ed 99.Sh TABLES 100Tables are named structures which can hold a collection of addresses and 101networks. 102Lookups against tables in 103.Xr pf 4 104are relatively fast, making a single rule with tables much more efficient, 105in terms of --- 66 unchanged lines hidden (view full) --- 172can be used to add or remove addresses from the table at any time, even 173when running with 174.Xr securelevel 7 175= 2. 176.El 177.Pp 178For example, 179.Bd -literal -offset indent |
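Review bot: the Packet Filtering summary and the MACROS example both drop the stateful wording (`pass out on $ext_if from any to any` no longer carries `keep state`), which only reads correctly if the default-stateful behaviour this sync relies on is documented where readers will look for it; the later `set limit states` text already speaks of "pass rules which do not specify no state", so make sure the PACKET FILTERING section (hidden in this view) states that `pass` keeps state unless `no state` is given, otherwise the example looks like a stateless rule.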
185table <private> const { 10/8, 172.16/12, 192.168/16 } 186table <badhosts> persist 187block on fxp0 from { <private>, <badhosts> } to any | 180table \*(Ltprivate\*(Gt const { 10/8, 172.16/12, 192.168/16 } 181table \*(Ltbadhosts\*(Gt persist 182block on fxp0 from { \*(Ltprivate\*(Gt, \*(Ltbadhosts\*(Gt } to any |
188.Ed 189.Pp 190creates a table called private, to hold RFC 1918 private network 191blocks, and a table called badhosts, which is initially empty. 192A filter rule is set up to block all traffic coming from addresses listed in 193either table. 194The private table cannot have its contents changed and the badhosts table 195will exist even when no active filter rules reference it. 196Addresses may later be added to the badhosts table, so that traffic from 197these hosts can be blocked by using 198.Bd -literal -offset indent 199# pfctl -t badhosts -Tadd 204.92.77.111 200.Ed 201.Pp 202A table can also be initialized with an address list specified in one or more 203external files, using the following syntax: 204.Bd -literal -offset indent | 183.Ed 184.Pp 185creates a table called private, to hold RFC 1918 private network 186blocks, and a table called badhosts, which is initially empty. 187A filter rule is set up to block all traffic coming from addresses listed in 188either table. 189The private table cannot have its contents changed and the badhosts table 190will exist even when no active filter rules reference it. 191Addresses may later be added to the badhosts table, so that traffic from 192these hosts can be blocked by using 193.Bd -literal -offset indent 194# pfctl -t badhosts -Tadd 204.92.77.111 195.Ed 196.Pp 197A table can also be initialized with an address list specified in one or more 198external files, using the following syntax: 199.Bd -literal -offset indent |
205table <spam> persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&" 206block on fxp0 from <spam> to any | 200table \*(Ltspam\*(Gt persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&" 201block on fxp0 from \*(Ltspam\*(Gt to any |
207.Ed 208.Pp 209The files 210.Pa /etc/spammers 211and 212.Pa /etc/openrelays 213list IP addresses, one per line. 214Any lines beginning with a # are treated as comments and ignored. 215In addition to being specified by IP address, hosts may also be 216specified by their hostname. 217When the resolver is called to add a hostname to a table, 218.Em all 219resulting IPv4 and IPv6 addresses are placed into the table. 220IP addresses can also be entered in a table by specifying a valid interface | 202.Ed 203.Pp 204The files 205.Pa /etc/spammers 206and 207.Pa /etc/openrelays 208list IP addresses, one per line. 209Any lines beginning with a # are treated as comments and ignored. 210In addition to being specified by IP address, hosts may also be 211specified by their hostname. 212When the resolver is called to add a hostname to a table, 213.Em all 214resulting IPv4 and IPv6 addresses are placed into the table. 215IP addresses can also be entered in a table by specifying a valid interface |
221name or the | 216name, a valid interface group or the |
222.Em self 223keyword, in which case all addresses assigned to the interface(s) will be 224added to the table. 225.Sh OPTIONS 226.Xr pf 4 227may be tuned for various situations using the 228.Ar set 229command. --- 76 unchanged lines hidden (view full) --- 306(adaptive.end - number of states) / (adaptive.end - adaptive.start). 307.It Ar adaptive.end 308When reaching this number of state entries, all timeout values become 309zero, effectively purging all state entries immediately. 310This value is used to define the scale factor, it should not actually 311be reached (set a lower state limit, see below). 312.El 313.Pp | 217.Em self 218keyword, in which case all addresses assigned to the interface(s) will be 219added to the table. 220.Sh OPTIONS 221.Xr pf 4 222may be tuned for various situations using the 223.Ar set 224command. --- 76 unchanged lines hidden (view full) --- 301(adaptive.end - number of states) / (adaptive.end - adaptive.start). 302.It Ar adaptive.end 303When reaching this number of state entries, all timeout values become 304zero, effectively purging all state entries immediately. 305This value is used to define the scale factor, it should not actually 306be reached (set a lower state limit, see below). 307.El 308.Pp |
314These values can be defined both globally and for each rule. | 309Adaptive timeouts are enabled by default, with an adaptive.start value 310equal to 60% of the state limit, and an adaptive.end value equal to 311120% of the state limit. 312They can be disabled by setting both adaptive.start and adaptive.end to 0. 313.Pp 314The adaptive timeout values can be defined both globally and for each rule. |
315When used on a per-rule basis, the values relate to the number of 316states created by the rule, otherwise to the total number of 317states. 318.Pp 319For example: 320.Bd -literal -offset indent 321set timeout tcp.first 120 322set timeout tcp.established 86400 --- 31 unchanged lines hidden (view full) --- 354.Pp 355For example, 356.Bd -literal -offset indent 357set limit states 20000 358.Ed 359.Pp 360sets the maximum number of entries in the memory pool used by state table 361entries (generated by | 315When used on a per-rule basis, the values relate to the number of 316states created by the rule, otherwise to the total number of 317states. 318.Pp 319For example: 320.Bd -literal -offset indent 321set timeout tcp.first 120 322set timeout tcp.established 86400 --- 31 unchanged lines hidden (view full) --- 354.Pp 355For example, 356.Bd -literal -offset indent 357set limit states 20000 358.Ed 359.Pp 360sets the maximum number of entries in the memory pool used by state table 361entries (generated by |
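Review bot: "the state limit" in the new adaptive-timeout paragraph should name the option it refers to (`set limit states`, documented further down) so readers can work out the defaults; with the page's own example of 20000 states that gives an adaptive.start of 12000 and an adaptive.end of 24000. It is also worth saying explicitly that an adaptive.end of 120% lies above the hard limit on purpose, which is what the preceding text means by "it should not actually be reached": new states are refused at the limit before timeouts ever drop to zero.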
362.Ar keep state 363rules) to 20000. | 362.Ar pass 363rules which do not specify 364.Ar no state ) 365to 20000. |
364Using 365.Bd -literal -offset indent 366set limit frags 20000 367.Ed 368.Pp 369sets the maximum number of entries in the memory pool used for fragment 370reassembly (generated by 371.Ar scrub 372rules) to 20000. | 366Using 367.Bd -literal -offset indent 368set limit frags 20000 369.Ed 370.Pp 371sets the maximum number of entries in the memory pool used for fragment 372reassembly (generated by 373.Ar scrub 374rules) to 20000. |
373Finally, | 375Using |
374.Bd -literal -offset indent 375set limit src-nodes 2000 376.Ed 377.Pp 378sets the maximum number of entries in the memory pool used for tracking 379source IP addresses (generated by the 380.Ar sticky-address 381and | 376.Bd -literal -offset indent 377set limit src-nodes 2000 378.Ed 379.Pp 380sets the maximum number of entries in the memory pool used for tracking 381source IP addresses (generated by the 382.Ar sticky-address 383and |
382.Ar source-track | 384.Ar src.track |
383options) to 2000. | 385options) to 2000. |
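Review bot: `source-track` is changed to `src.track` in the src-nodes paragraph, but `source-track` is the filter-rule option that, together with `sticky-address`, creates source-tracking entries, whereas `src.track` is the name of a timeout value; unless the intent was to refer to the timeout, this looks like a slip and the old keyword should stay.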
386Using 387.Bd -literal -offset indent 388set limit tables 1000 389set limit table-entries 100000 390.Ed |
|
384.Pp | 391.Pp |
385These can be combined: | 392sets limits on the memory pools used by tables. 393The first limits the number of tables that can exist to 1000. 394The second limits the overall number of addresses that can be stored 395in tables to 100000. 396.Pp 397Various limits can be combined on a single line: |
386.Bd -literal -offset indent 387set limit { states 20000, frags 20000, src-nodes 2000 } 388.Ed 389.Pp | 398.Bd -literal -offset indent 399set limit { states 20000, frags 20000, src-nodes 2000 } 400.Ed 401.Pp |
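Review bot: the combined-limits example still lists only `states`, `frags` and `src-nodes` directly after the new `tables` and `table-entries` limits are introduced; either extend the braces example or make the sentence say that any of the limits can be combined. It would also help to say that `table-entries` is one pool shared by all tables, so a single large `file "/etc/spammers"` list (see the TABLES example) can exhaust it for every other table.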
402.It Ar set ruleset-optimization 403.Bl -tag -width xxxxxxxx -compact 404.It Ar none 405Disable the ruleset optimizer. 406This is the default behaviour. 407.It Ar basic 408Enable basic ruleset optimization, which does four things to improve the 409performance of ruleset evaluations: 410.Pp 411.Bl -enum -compact 412.It 413remove duplicate rules 414.It 415remove rules that are a subset of another rule 416.It 417combine multiple rules into a table when advantageous 418.It 419re-order the rules to improve evaluation performance 420.El 421.Pp 422.It Ar profile 423Uses the currently loaded ruleset as a feedback profile to tailor the 424ordering of quick rules to actual network traffic. 425.El 426.Pp 427It is important to note that the ruleset optimizer will modify the ruleset 428to improve performance. 429A side effect of the ruleset modification is that per-rule accounting 430statistics will have different meanings than before. 431If per-rule accounting is important for billing purposes or whatnot, 432either the ruleset optimizer should not be used or a label field should 433be added to all of the accounting rules to act as optimization barriers. 434.Pp 435Optimization can also be set as a command-line argument to 436.Xr pfctl 8 , 437overriding the settings in 438.Nm . |
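Review bot: item 4, "re-order the rules to improve evaluation performance", should state that rules are only moved where this cannot change which rule matches, since the filter's last-match semantics (end of this page: "The last matching rule decides what action is taken") make arbitrary reordering unsafe and a reader may otherwise distrust the optimizer. Also state whether `profile` implies `basic`, name the pfctl(8) option (`-o`) in the last paragraph rather than "a command-line argument", and replace "or whatnot" with plainer wording such as "or auditing", which also names the case where rules must not be merged silently.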
|
390.It Ar set optimization | 439.It Ar set optimization |
391Optimize the engine for one of the following network environments: | 440Optimize state timeouts for one of the following network environments: |
392.Pp 393.Bl -tag -width xxxx -compact 394.It Ar normal 395A normal network environment. 396Suitable for almost all networks. 397.It Ar high-latency 398A high-latency environment (such as a satellite connection). 399.It Ar satellite --- 38 unchanged lines hidden (view full) --- 438.It Ar set state-policy 439The 440.Ar state-policy 441option sets the default behaviour for states: 442.Pp 443.Bl -tag -width group-bound -compact 444.It Ar if-bound 445States are bound to interface. | 441.Pp 442.Bl -tag -width xxxx -compact 443.It Ar normal 444A normal network environment. 445Suitable for almost all networks. 446.It Ar high-latency 447A high-latency environment (such as a satellite connection). 448.It Ar satellite --- 38 unchanged lines hidden (view full) --- 487.It Ar set state-policy 488The 489.Ar state-policy 490option sets the default behaviour for states: 491.Pp 492.Bl -tag -width group-bound -compact 493.It Ar if-bound 494States are bound to interface. |
446.It Ar group-bound 447States are bound to interface group (i.e. ppp) | |
448.It Ar floating 449States can match packets on any interfaces (the default). 450.El 451.Pp 452For example: 453.Bd -literal -offset indent 454set state-policy if-bound 455.Ed | 495.It Ar floating 496States can match packets on any interfaces (the default). 497.El 498.Pp 499For example: 500.Bd -literal -offset indent 501set state-policy if-bound 502.Ed |
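Review bot: `group-bound` is removed from `set state-policy` without a word about existing configurations that use it; if the keyword is no longer accepted, loading such a ruleset with pfctl(8) fails, which deserves a sentence here or in the release notes. Interface groups are still mentioned elsewhere in this patch (tables can now be populated from "a valid interface group"), so a reader may look for a group-bound policy and not find it.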
503.It Ar set hostid 504The 32-bit 505.Ar hostid 506identifies this firewall's state table entries to other firewalls 507in a 508.Xr pfsync 4 509failover cluster. 510By default the hostid is set to a pseudo-random value, however it may be 511desirable to manually configure it, for example to more easily identify the 512source of state table entries. 513.Bd -literal -offset indent 514set hostid 1 515.Ed 516.Pp 517The hostid may be specified in either decimal or hexadecimal. |
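Review bot: the `set hostid 1` block lacks the "For example:" lead-in used by the neighbouring `set state-policy if-bound` and `set fingerprints` examples. The paragraph should also say that the value must differ between the members of a pfsync(4) cluster for the stated purpose (telling apart whose states they are) to work, and since hexadecimal is said to be accepted, showing that form too would remove any doubt about the syntax.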
|
456.It Ar set require-order 457By default 458.Xr pfctl 8 459enforces an ordering of the statement types in the ruleset to: 460.Em options , 461.Em normalization , 462.Em queueing , 463.Em translation , --- 15 unchanged lines hidden (view full) --- 479Setting this option may leave a small period of time where the fingerprints 480referenced by the currently active ruleset are inconsistent until the new 481ruleset finishes loading. 482.Pp 483For example: 484.Pp 485.Dl set fingerprints \&"/etc/pf.os.devel\&" 486.Pp | 518.It Ar set require-order 519By default 520.Xr pfctl 8 521enforces an ordering of the statement types in the ruleset to: 522.Em options , 523.Em normalization , 524.Em queueing , 525.Em translation , --- 15 unchanged lines hidden (view full) --- 541Setting this option may leave a small period of time where the fingerprints 542referenced by the currently active ruleset are inconsistent until the new 543ruleset finishes loading. 544.Pp 545For example: 546.Pp 547.Dl set fingerprints \&"/etc/pf.os.devel\&" 548.Pp |
487.It Ar set skip on <ifspec> | 549.It Ar set skip on Aq Ar ifspec |
488List interfaces for which packets should not be filtered. 489Packets passing in or out on such interfaces are passed as if pf was 490disabled, i.e. pf does not process them in any way. 491This can be useful on loopback and other virtual interfaces, when 492packet filtering is not desired and can have unexpected effects. 493For example: 494.Pp 495.Dl set skip on lo0 --- 50 unchanged lines hidden (view full) --- 546.Ar dont-fragment 547bit on packets with a zero IP ID may cause deleterious results if an 548upstream router later fragments the packet. 549Using the 550.Ar random-id 551modifier (see below) is recommended in combination with the 552.Ar no-df 553modifier to ensure unique IP identifiers. | 550List interfaces for which packets should not be filtered. 551Packets passing in or out on such interfaces are passed as if pf was 552disabled, i.e. pf does not process them in any way. 553This can be useful on loopback and other virtual interfaces, when 554packet filtering is not desired and can have unexpected effects. 555For example: 556.Pp 557.Dl set skip on lo0 --- 50 unchanged lines hidden (view full) --- 608.Ar dont-fragment 609bit on packets with a zero IP ID may cause deleterious results if an 610upstream router later fragments the packet. 611Using the 612.Ar random-id 613modifier (see below) is recommended in combination with the 614.Ar no-df 615modifier to ensure unique IP identifiers. |
554.It Ar min-ttl <number> | 616.It Ar min-ttl Aq Ar number |
555Enforces a minimum TTL for matching IP packets. | 617Enforces a minimum TTL for matching IP packets. |
556.It Ar max-mss <number> | 618.It Ar max-mss Aq Ar number |
557Enforces a maximum MSS for matching TCP packets. 558.It Ar random-id 559Replaces the IP identification field with random values to compensate 560for predictable values generated by many hosts. 561This option only applies to packets that are not fragmented 562after the optional fragment reassembly. 563.It Ar fragment reassemble 564Using --- 202 unchanged lines hidden (view full) --- 767.Pp 768The interfaces on which queueing should be activated are declared using 769the 770.Ar altq on 771declaration. 772.Ar altq on 773has the following keywords: 774.Bl -tag -width xxxx | 619Enforces a maximum MSS for matching TCP packets. 620.It Ar random-id 621Replaces the IP identification field with random values to compensate 622for predictable values generated by many hosts. 623This option only applies to packets that are not fragmented 624after the optional fragment reassembly. 625.It Ar fragment reassemble 626Using --- 202 unchanged lines hidden (view full) --- 829.Pp 830The interfaces on which queueing should be activated are declared using 831the 832.Ar altq on 833declaration. 834.Ar altq on 835has the following keywords: 836.Bl -tag -width xxxx |
775.It Ar <interface> | 837.It Aq Ar interface |
776Queueing is enabled on the named interface. | 838Queueing is enabled on the named interface. |
777.It Ar <scheduler> | 839.It Aq Ar scheduler |
778Specifies which queueing scheduler to use. 779Currently supported values 780are 781.Ar cbq 782for Class Based Queueing, 783.Ar priq 784for Priority Queueing and 785.Ar hfsc 786for the Hierarchical Fair Service Curve scheduler. | 840Specifies which queueing scheduler to use. 841Currently supported values 842are 843.Ar cbq 844for Class Based Queueing, 845.Ar priq 846for Priority Queueing and 847.Ar hfsc 848for the Hierarchical Fair Service Curve scheduler. |
787.It Ar bandwidth <bw> | 849.It Ar bandwidth Aq Ar bw |
788The maximum bitrate for all queues on an 789interface may be specified using the 790.Ar bandwidth 791keyword. 792The value can be specified as an absolute value or as a 793percentage of the interface bandwidth. 794When using an absolute value, the suffixes 795.Ar b , 796.Ar Kb , 797.Ar Mb , 798and 799.Ar Gb 800are used to represent bits, kilobits, megabits, and 801gigabits per second, respectively. 802The value must not exceed the interface bandwidth. 803If 804.Ar bandwidth | 850The maximum bitrate for all queues on an 851interface may be specified using the 852.Ar bandwidth 853keyword. 854The value can be specified as an absolute value or as a 855percentage of the interface bandwidth. 856When using an absolute value, the suffixes 857.Ar b , 858.Ar Kb , 859.Ar Mb , 860and 861.Ar Gb 862are used to represent bits, kilobits, megabits, and 863gigabits per second, respectively. 864The value must not exceed the interface bandwidth. 865If 866.Ar bandwidth |
805is not specified, the interface bandwidth is used. 806.It Ar qlimit <limit> | 867is not specified, the interface bandwidth is used 868(but take note that some interfaces do not know their bandwidth, 869or can adapt their bandwidth rates). 870.It Ar qlimit Aq Ar limit |
807The maximum number of packets held in the queue. 808The default is 50. | 871The maximum number of packets held in the queue. 872The default is 50. |
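Review bot: the new parenthesis about interfaces that "do not know their bandwidth" should say what the consequence is rather than only warn: when no `bandwidth` is given and the driver reports no link speed, pfctl(8) cannot fill in the default and rejects the `altq on` declaration, so such interfaces need an absolute value; and for interfaces that adapt their rate, a percentage is only meaningful relative to the rate seen at load time.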
809.It Ar tbrsize <size> | 873.It Ar tbrsize Aq Ar size |
810Adjusts the size, in bytes, of the token bucket regulator. 811If not specified, heuristics based on the 812interface bandwidth are used to determine the size. | 874Adjusts the size, in bytes, of the token bucket regulator. 875If not specified, heuristics based on the 876interface bandwidth are used to determine the size. |
813.It Ar queue <list> | 877.It Ar queue Aq Ar list |
814Defines a list of subqueues to create on an interface. 815.El 816.Pp 817In the following example, the interface dc0 818should queue up to 5 Mbit/s in four second-level queues using 819Class Based Queueing. 820Those four queues will be shown in a later example. 821.Bd -literal -offset indent --- 12 unchanged lines hidden (view full) --- 834directive (e.g. mail), or, except for the 835.Ar priq 836.Ar scheduler , 837in a parent 838.Ar queue 839declaration. 840The following keywords can be used: 841.Bl -tag -width xxxx | 878Defines a list of subqueues to create on an interface. 879.El 880.Pp 881In the following example, the interface dc0 882should queue up to 5 Mbit/s in four second-level queues using 883Class Based Queueing. 884Those four queues will be shown in a later example. 885.Bd -literal -offset indent --- 12 unchanged lines hidden (view full) --- 898directive (e.g. mail), or, except for the 899.Ar priq 900.Ar scheduler , 901in a parent 902.Ar queue 903declaration. 904The following keywords can be used: 905.Bl -tag -width xxxx |
842.It Ar on <interface> | 906.It Ar on Aq Ar interface |
843Specifies the interface the queue operates on. 844If not given, it operates on all matching interfaces. | 907Specifies the interface the queue operates on. 908If not given, it operates on all matching interfaces. |
845.It Ar bandwidth <bw> | 909.It Ar bandwidth Aq Ar bw |
846Specifies the maximum bitrate to be processed by the queue. 847This value must not exceed the value of the parent 848.Ar queue 849and can be specified as an absolute value or a percentage of the parent 850queue's bandwidth. 851If not specified, defaults to 100% of the parent queue's bandwidth. 852The 853.Ar priq 854scheduler does not support bandwidth specification. | 910Specifies the maximum bitrate to be processed by the queue. 911This value must not exceed the value of the parent 912.Ar queue 913and can be specified as an absolute value or a percentage of the parent 914queue's bandwidth. 915If not specified, defaults to 100% of the parent queue's bandwidth. 916The 917.Ar priq 918scheduler does not support bandwidth specification. |
855.It Ar priority <level> | 919.It Ar priority Aq Ar level |
856Between queues a priority level can be set. 857For 858.Ar cbq 859and 860.Ar hfsc , 861the range is 0 to 7 and for 862.Ar priq , 863the range is 0 to 15. 864The default for all is 1. 865.Ar Priq 866queues with a higher priority are always served first. 867.Ar Cbq 868and 869.Ar Hfsc 870queues with a higher priority are preferred in the case of overload. | 920Between queues a priority level can be set. 921For 922.Ar cbq 923and 924.Ar hfsc , 925the range is 0 to 7 and for 926.Ar priq , 927the range is 0 to 15. 928The default for all is 1. 929.Ar Priq 930queues with a higher priority are always served first. 931.Ar Cbq 932and 933.Ar Hfsc 934queues with a higher priority are preferred in the case of overload. |
871.It Ar qlimit <limit> | 935.It Ar qlimit Aq Ar limit |
872The maximum number of packets held in the queue. 873The default is 50. 874.El 875.Pp 876The 877.Ar scheduler 878can get additional parameters with | 936The maximum number of packets held in the queue. 937The default is 50. 938.El 939.Pp 940The 941.Ar scheduler 942can get additional parameters with |
879.Ar <scheduler> Ns Li (\& Ar <parameters> No ) . | 943.Xo Aq Ar scheduler 944.Pf ( Aq Ar parameters ) . 945.Xc |
880Parameters are as follows: 881.Bl -tag -width Fl 882.It Ar default 883Packets not matched by another queue are assigned to this one. 884Exactly one default queue is required. 885.It Ar red 886Enable RED (Random Early Detection) on this queue. 887RED drops packets with a probability proportional to the average --- 17 unchanged lines hidden (view full) --- 905The queue can borrow bandwidth from the parent. 906.El 907.Pp 908The 909.Ar hfsc 910.Ar scheduler 911supports some additional options: 912.Bl -tag -width Fl | 946Parameters are as follows: 947.Bl -tag -width Fl 948.It Ar default 949Packets not matched by another queue are assigned to this one. 950Exactly one default queue is required. 951.It Ar red 952Enable RED (Random Early Detection) on this queue. 953RED drops packets with a probability proportional to the average --- 17 unchanged lines hidden (view full) --- 971The queue can borrow bandwidth from the parent. 972.El 973.Pp 974The 975.Ar hfsc 976.Ar scheduler 977supports some additional options: 978.Bl -tag -width Fl |
913.It Ar realtime <sc> | 979.It Ar realtime Aq Ar sc |
914The minimum required bandwidth for the queue. | 980The minimum required bandwidth for the queue. |
915.It Ar upperlimit <sc> | 981.It Ar upperlimit Aq Ar sc |
916The maximum allowed bandwidth for the queue. | 982The maximum allowed bandwidth for the queue. |
917.It Ar linkshare <sc> | 983.It Ar linkshare Aq Ar sc |
918The bandwidth share of a backlogged queue. 919.El 920.Pp | 984The bandwidth share of a backlogged queue. 985.El 986.Pp |
921<sc> is an acronym for | 987.Aq Ar sc 988is an acronym for |
922.Ar service curve . 923.Pp 924The format for service curve specifications is 925.Ar ( m1 , d , m2 ) . 926.Ar m2 927controls the bandwidth assigned to the queue. 928.Ar m1 929and --- 47 unchanged lines hidden (view full) --- 977queue employees bandwidth 15% 978queue mail bandwidth 10% priority 0 cbq(borrow ecn) 979queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk } 980queue ssh_interactive bandwidth 50% priority 7 cbq(borrow) 981queue ssh_bulk bandwidth 50% priority 0 cbq(borrow) 982 983block return out on dc0 inet all queue std 984pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e | 989.Ar service curve . 990.Pp 991The format for service curve specifications is 992.Ar ( m1 , d , m2 ) . 993.Ar m2 994controls the bandwidth assigned to the queue. 995.Ar m1 996and --- 47 unchanged lines hidden (view full) --- 1044queue employees bandwidth 15% 1045queue mail bandwidth 10% priority 0 cbq(borrow ecn) 1046queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk } 1047queue ssh_interactive bandwidth 50% priority 7 cbq(borrow) 1048queue ssh_bulk bandwidth 50% priority 0 cbq(borrow) 1049 1050block return out on dc0 inet all queue std 1051pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e |
985 keep state queue developers | 1052 queue developers |
986pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e | 1053pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e |
987 keep state queue employees | 1054 queue employees |
988pass out on dc0 inet proto tcp from any to any port 22 \e | 1055pass out on dc0 inet proto tcp from any to any port 22 \e |
989 keep state queue(ssh_bulk, ssh_interactive) | 1056 queue(ssh_bulk, ssh_interactive) |
990pass out on dc0 inet proto tcp from any to any port 25 \e | 1057pass out on dc0 inet proto tcp from any to any port 25 \e |
991 keep state queue mail | 1058 queue mail |
992.Ed 993.Sh TRANSLATION 994Translation rules modify either the source or destination address of the 995packets associated with a stateful connection. 996A stateful connection is automatically created to track packets matching 997such a rule as long as they are not blocked by the filtering section of 998.Nm pf.conf . 999The translation engine modifies the specified address and/or port in the --- 43 unchanged lines hidden (view full) --- 1043172.16.0.0 - 172.31.255.255 (i.e., 172.16/12) 1044192.168.0.0 - 192.168.255.255 (i.e., 192.168/16) 1045.Ed 1046.It Pa rdr 1047The packet is redirected to another destination and possibly a 1048different port. 1049.Ar rdr 1050rules can optionally specify port ranges instead of single ports. | 1059.Ed 1060.Sh TRANSLATION 1061Translation rules modify either the source or destination address of the 1062packets associated with a stateful connection. 1063A stateful connection is automatically created to track packets matching 1064such a rule as long as they are not blocked by the filtering section of 1065.Nm pf.conf . 1066The translation engine modifies the specified address and/or port in the --- 43 unchanged lines hidden (view full) --- 1110172.16.0.0 - 172.31.255.255 (i.e., 172.16/12) 1111192.168.0.0 - 192.168.255.255 (i.e., 192.168/16) 1112.Ed 1113.It Pa rdr 1114The packet is redirected to another destination and possibly a 1115different port. 1116.Ar rdr 1117rules can optionally specify port ranges instead of single ports. |
1051rdr ... port 2000:2999 -> ... port 4000 | 1118rdr ... port 2000:2999 -\*(Gt ... port 4000 |
1052redirects ports 2000 to 2999 (inclusive) to port 4000. | 1119redirects ports 2000 to 2999 (inclusive) to port 4000. |
1053rdr ... port 2000:2999 -> ... port 4000:* | 1120rdr ... port 2000:2999 -\*(Gt ... port 4000:* |
1054redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999. 1055.El 1056.Pp 1057In addition to modifying the address, some translation rules may modify 1058source or destination ports for 1059.Xr tcp 4 1060or 1061.Xr udp 4 1062connections; implicitly in the case of 1063.Ar nat 1064rules and explicitly in the case of 1065.Ar rdr 1066rules. 1067Port numbers are never translated with a 1068.Ar binat 1069rule. 1070.Pp | 1121redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999. 1122.El 1123.Pp 1124In addition to modifying the address, some translation rules may modify 1125source or destination ports for 1126.Xr tcp 4 1127or 1128.Xr udp 4 1129connections; implicitly in the case of 1130.Ar nat 1131rules and explicitly in the case of 1132.Ar rdr 1133rules. 1134Port numbers are never translated with a 1135.Ar binat 1136rule. 1137.Pp |
1071For each packet processed by the translator, the translation rules are 1072evaluated in sequential order, from first to last. | 1138Evaluation order of the translation rules is dependent on the type 1139of the translation rules and of the direction of a packet. 1140.Ar binat 1141rules are always evaluated first. 1142Then either the 1143.Ar rdr 1144rules are evaluated on an inbound packet or the 1145.Ar nat 1146rules on an outbound packet. 1147Rules of the same type are evaluated in the same order in which they 1148appear in the ruleset. |
1073The first matching rule decides what action is taken. 1074.Pp 1075The 1076.Ar no 1077option prefixed to a translation rule causes packets to remain untranslated, 1078much in the same way as 1079.Ar drop quick 1080works in the packet filter (see below). --- 9 unchanged lines hidden (view full) --- 1090external interface. 1091Redirections cannot reflect packets back through the interface they arrive 1092on, they can only be redirected to hosts connected to different interfaces 1093or to the firewall itself. 1094.Pp 1095Note that redirecting external incoming connections to the loopback 1096address, as in 1097.Bd -literal -offset indent | 1149The first matching rule decides what action is taken. 1150.Pp 1151The 1152.Ar no 1153option prefixed to a translation rule causes packets to remain untranslated, 1154much in the same way as 1155.Ar drop quick 1156works in the packet filter (see below). --- 9 unchanged lines hidden (view full) --- 1166external interface. 1167Redirections cannot reflect packets back through the interface they arrive 1168on, they can only be redirected to hosts connected to different interfaces 1169or to the firewall itself. 1170.Pp 1171Note that redirecting external incoming connections to the loopback 1172address, as in 1173.Bd -literal -offset indent |
1098rdr on ne3 inet proto tcp to port 8025 -> 127.0.0.1 port 25 | 1174rdr on ne3 inet proto tcp to port spamd -\*(Gt 127.0.0.1 port smtp |
1099.Ed 1100.Pp 1101will effectively allow an external host to connect to daemons 1102bound solely to the loopback address, circumventing the traditional 1103blocking of such connections on a real interface. 1104Unless this effect is desired, any of the local non-loopback addresses 1105should be used as redirection target instead, which allows external 1106connections only to daemons bound to this address or not bound to --- 19 unchanged lines hidden (view full) --- 1126.Xr udp 4 ) 1127headers. 1128In addition, packets may also be 1129assigned to queues for the purpose of bandwidth control. 1130.Pp 1131For each packet processed by the packet filter, the filter rules are 1132evaluated in sequential order, from first to last. 1133The last matching rule decides what action is taken. | 1175.Ed 1176.Pp 1177will effectively allow an external host to connect to daemons 1178bound solely to the loopback address, circumventing the traditional 1179blocking of such connections on a real interface. 1180Unless this effect is desired, any of the local non-loopback addresses 1181should be used as redirection target instead, which allows external 1182connections only to daemons bound to this address or not bound to --- 19 unchanged lines hidden (view full) --- 1202.Xr udp 4 ) 1203headers. 1204In addition, packets may also be 1205assigned to queues for the purpose of bandwidth control. 1206.Pp 1207For each packet processed by the packet filter, the filter rules are 1208evaluated in sequential order, from first to last. 1209The last matching rule decides what action is taken. |
1210If no rule matches the packet, the default action is to pass 1211the packet. |
|
1134.Pp 1135The following actions can be used in the filter: 1136.Bl -tag -width xxxx 1137.It Ar block 1138The packet is blocked. 1139There are a number of ways in which a 1140.Ar block 1141rule can behave when blocking a packet. --- 23 unchanged lines hidden (view full) --- 1165packets and an ICMP UNREACHABLE for UDP and other packets. 1166.El 1167.Pp 1168Options returning ICMP packets currently have no effect if 1169.Xr pf 4 1170operates on a 1171.Xr if_bridge 4 , 1172as the code to support this feature has not yet been implemented. | 1212.Pp 1213The following actions can be used in the filter: 1214.Bl -tag -width xxxx 1215.It Ar block 1216The packet is blocked. 1217There are a number of ways in which a 1218.Ar block 1219rule can behave when blocking a packet. --- 23 unchanged lines hidden (view full) --- 1243packets and an ICMP UNREACHABLE for UDP and other packets. 1244.El 1245.Pp 1246Options returning ICMP packets currently have no effect if 1247.Xr pf 4 1248operates on a 1249.Xr if_bridge 4 , 1250as the code to support this feature has not yet been implemented. |
1251.Pp 1252The simplest mechanism to block everything by default and only pass 1253packets that match explicit rules is specify a first filter rule of: 1254.Bd -literal -offset indent 1255block all 1256.Ed |
|
1173.It Ar pass | 1257.It Ar pass |
1174The packet is passed. | 1258The packet is passed; 1259state is created state unless the 1260.Ar no state 1261option is specified. |
1175.El 1176.Pp | 1262.El 1263.Pp |
1177If no rule matches the packet, the default action is 1178.Ar pass . | 1264By default 1265.Xr pf 4 1266filters packets statefully; the first time a packet matches a 1267.Ar pass 1268rule, a state entry is created; for subsequent packets the filter checks 1269whether the packet matches any state. 1270If it does, the packet is passed without evaluation of any rules. 1271After the connection is closed or times out, the state entry is automatically 1272removed. |
1179.Pp | 1273.Pp |
1180To block everything by default and only pass packets 1181that match explicit rules, one uses | 1274This has several advantages. 1275For TCP connections, comparing a packet to a state involves checking 1276its sequence numbers, as well as TCP timestamps if a 1277.Ar scrub reassemble tcp 1278rule applies to the connection. 1279If these values are outside the narrow windows of expected 1280values, the packet is dropped. 1281This prevents spoofing attacks, such as when an attacker sends packets with 1282a fake source address/port but does not know the connection's sequence 1283numbers. 1284Similarly, 1285.Xr pf 4 1286knows how to match ICMP replies to states. 1287For example, |
1182.Bd -literal -offset indent | 1288.Bd -literal -offset indent |
1183block all | 1289pass out inet proto icmp all icmp-type echoreq |
1184.Ed 1185.Pp | 1290.Ed 1291.Pp |
1186as the first filter rule. | 1292allows echo requests (such as those created by 1293.Xr ping 8 ) 1294out statefully, and matches incoming echo replies correctly to states. |
1187.Pp | 1295.Pp |
1296Also, looking up states is usually faster than evaluating rules. 1297If there are 50 rules, all of them are evaluated sequentially in O(n). 1298Even with 50000 states, only 16 comparisons are needed to match a 1299state, since states are stored in a binary search tree that allows 1300searches in O(log2 n). 1301.Pp 1302Furthermore, correct handling of ICMP error messages is critical to 1303many protocols, particularly TCP. 1304.Xr pf 4 1305matches ICMP error messages to the correct connection, checks them against 1306connection parameters, and passes them if appropriate. 1307For example if an ICMP source quench message referring to a stateful TCP 1308connection arrives, it will be matched to the state and get passed. 1309.Pp 1310Finally, state tracking is required for 1311.Ar nat , binat No and Ar rdr 1312rules, in order to track address and port translations and reverse the 1313translation on returning packets. 1314.Pp 1315.Xr pf 4 1316will also create state for other protocols which are effectively stateless by 1317nature. 1318UDP packets are matched to states using only host addresses and ports, 1319and other protocols are matched to states using only the host addresses. 1320.Pp 1321If stateless filtering of individual packets is desired, 1322the 1323.Ar no state 1324keyword can be used to specify that state will not be created 1325if this is the last matching rule. 1326A number of parameters can also be set to affect how 1327.Xr pf 4 1328handles state tracking. |
|
1188See | 1329See |
1189.Sx FILTER EXAMPLES 1190below. | 1330.Sx STATEFUL TRACKING OPTIONS 1331below for further details. |
1191.Sh PARAMETERS 1192The rule parameters specify the packets to which a rule applies. 1193A packet always comes in on, or goes out through, one interface. 1194Most parameters are optional. 1195If a parameter is specified, the rule only applies to packets with 1196matching attributes. 1197Certain parameters can be expressed as lists, in which case 1198.Xr pfctl 8 1199generates all needed rule combinations. 1200.Bl -tag -width xxxx 1201.It Ar in No or Ar out 1202This rule applies to incoming or outgoing packets. 1203If neither 1204.Ar in 1205nor 1206.Ar out 1207are specified, the rule will match packets in both directions. 1208.It Ar log 1209In addition to the action specified, a log message is generated. | 1332.Sh PARAMETERS 1333The rule parameters specify the packets to which a rule applies. 1334A packet always comes in on, or goes out through, one interface. 1335Most parameters are optional. 1336If a parameter is specified, the rule only applies to packets with 1337matching attributes. 1338Certain parameters can be expressed as lists, in which case 1339.Xr pfctl 8 1340generates all needed rule combinations. 1341.Bl -tag -width xxxx 1342.It Ar in No or Ar out 1343This rule applies to incoming or outgoing packets. 1344If neither 1345.Ar in 1346nor 1347.Ar out 1348are specified, the rule will match packets in both directions. 1349.It Ar log 1350In addition to the action specified, a log message is generated. |
1210All packets for that connection are logged, unless the 1211.Ar keep state , 1212.Ar modulate state 1213or 1214.Ar synproxy state 1215options are specified, in which case only the 1216packet that establishes the state is logged. 1217(See 1218.Ar keep state , 1219.Ar modulate state 1220and 1221.Ar synproxy state 1222below). 1223The logged packets are sent to the | 1351Only the packet that establishes the state is logged, 1352unless the 1353.Ar no state 1354option is specified. 1355The logged packets are sent to a |
1224.Xr pflog 4 | 1356.Xr pflog 4 |
1225interface. | 1357interface, by default 1358.Ar pflog0 . |
1226This interface is monitored by the 1227.Xr pflogd 8 1228logging daemon, which dumps the logged packets to the file 1229.Pa /var/log/pflog 1230in 1231.Xr pcap 3 1232binary format. | 1359This interface is monitored by the 1360.Xr pflogd 8 1361logging daemon, which dumps the logged packets to the file 1362.Pa /var/log/pflog 1363in 1364.Xr pcap 3 1365binary format. |
1233.It Ar log-all 1234Used with 1235.Ar keep state , 1236.Ar modulate state 1237or 1238.Ar synproxy state 1239rules to force logging of all packets for a connection. | 1366.It Ar log (all) 1367Used to force logging of all packets for a connection. 1368This is not necessary when 1369.Ar no state 1370is explicitly specified. |
1240As with 1241.Ar log , 1242packets are logged to 1243.Xr pflog 4 . | 1371As with 1372.Ar log , 1373packets are logged to 1374.Xr pflog 4 . |
1375.It Ar log (user) 1376Logs the 1377.Ux 1378user ID of the user that owns the socket and the PID of the process that 1379has the socket open where the packet is sourced from or destined to 1380(depending on which socket is local). 1381This is in addition to the normal information logged. 1382.Pp 1383Due to the problems described in the BUGS section only the first packet 1384logged via 1385.Ar log (all, user) 1386will have the user credentials logged when using stateful matching. 1387.It Ar log (to Aq Ar interface ) 1388Send logs to the specified 1389.Xr pflog 4 1390interface instead of 1391.Ar pflog0 . |
|
1244.It Ar quick 1245If a packet matches a rule which has the 1246.Ar quick 1247option set, this rule 1248is considered the last matching rule, and evaluation of subsequent rules 1249is skipped. | 1392.It Ar quick 1393If a packet matches a rule which has the 1394.Ar quick 1395option set, this rule 1396is considered the last matching rule, and evaluation of subsequent rules 1397is skipped. |
1250.It Ar on <interface> | 1398.It Ar on Aq Ar interface |
1251This rule applies only to packets coming in on, or going out through, this | 1399This rule applies only to packets coming in on, or going out through, this |
1252particular interface. 1253It is also possible to simply give the interface driver name, like ppp or fxp, 1254to make the rule match packets flowing through a group of interfaces. 1255.It Ar <af> | 1400particular interface or interface group. 1401For more information on interface groups, 1402see the 1403.Ic group 1404keyword in 1405.Xr ifconfig 8 . 1406.It Aq Ar af |
1256This rule applies only to packets of this address family. 1257Supported values are 1258.Ar inet 1259and 1260.Ar inet6 . | 1407This rule applies only to packets of this address family. 1408Supported values are 1409.Ar inet 1410and 1411.Ar inet6 . |
1261.It Ar proto <protocol> | 1412.It Ar proto Aq Ar protocol |
1262This rule applies only to packets of this protocol. 1263Common protocols are 1264.Xr icmp 4 , 1265.Xr icmp6 4 , 1266.Xr tcp 4 , 1267and 1268.Xr udp 4 . 1269For a list of all the protocol name to number mappings used by 1270.Xr pfctl 8 , 1271see the file 1272.Em /etc/protocols . 1273.It Xo | 1413This rule applies only to packets of this protocol. 1414Common protocols are 1415.Xr icmp 4 , 1416.Xr icmp6 4 , 1417.Xr tcp 4 , 1418and 1419.Xr udp 4 . 1420For a list of all the protocol name to number mappings used by 1421.Xr pfctl 8 , 1422see the file 1423.Em /etc/protocols . 1424.It Xo |
1274.Ar from <source> port <source> os <source> 1275.Ar to <dest> port <dest> | 1425.Ar from Aq Ar source 1426.Ar port Aq Ar source 1427.Ar os Aq Ar source 1428.Ar to Aq Ar dest 1429.Ar port Aq Ar dest |
1276.Xc 1277This rule applies only to packets with the specified source and destination 1278addresses and ports. 1279.Pp 1280Addresses can be specified in CIDR notation (matching netblocks), as 1281symbolic host names or interface names, or as any of the following keywords: 1282.Pp 1283.Bl -tag -width xxxxxxxxxxxxxx -compact 1284.It Ar any 1285Any address. | 1430.Xc 1431This rule applies only to packets with the specified source and destination 1432addresses and ports. 1433.Pp 1434Addresses can be specified in CIDR notation (matching netblocks), as 1435symbolic host names or interface names, or as any of the following keywords: 1436.Pp 1437.Bl -tag -width xxxxxxxxxxxxxx -compact 1438.It Ar any 1439Any address. |
1286.It Ar route <label> | 1440.It Ar route Aq Ar label |
1287Any address whose associated route has label | 1441Any address whose associated route has label |
1288.Ar <label> . | 1442.Aq Ar label . |
1289See 1290.Xr route 4 1291and 1292.Xr route 8 . 1293.It Ar no-route 1294Any address which is not currently routable. | 1443See 1444.Xr route 4 1445and 1446.Xr route 8 . 1447.It Ar no-route 1448Any address which is not currently routable. |
1295.It Ar <table> | 1449.It Ar urpf-failed 1450Any source address that fails a unicast reverse path forwarding (URPF) 1451check, i.e. packets coming in on an interface other than that which holds 1452the route back to the packet's source address. 1453.It Aq Ar table |
1296Any address that matches the given table. 1297.El 1298.Pp 1299Interface names can have modifiers appended: 1300.Pp 1301.Bl -tag -width xxxxxxxxxxxx -compact 1302.It Ar :network 1303Translates to the network(s) attached to the interface. --- 30 unchanged lines hidden (view full) --- 1334.Xr pfctl 8 , 1335see the file 1336.Pa /etc/services . 1337.Pp 1338Ports and ranges of ports are specified by using these operators: 1339.Bd -literal -offset indent 1340= (equal) 1341!= (unequal) | 1454Any address that matches the given table. 1455.El 1456.Pp 1457Interface names can have modifiers appended: 1458.Pp 1459.Bl -tag -width xxxxxxxxxxxx -compact 1460.It Ar :network 1461Translates to the network(s) attached to the interface. --- 30 unchanged lines hidden (view full) --- 1492.Xr pfctl 8 , 1493see the file 1494.Pa /etc/services . 1495.Pp 1496Ports and ranges of ports are specified by using these operators: 1497.Bd -literal -offset indent 1498= (equal) 1499!= (unequal) |
1342< (less than) 1343<= (less than or equal) 1344> (greater than) 1345>= (greater than or equal) | 1500\*(Lt (less than) 1501\*(Le (less than or equal) 1502\*(Gt (greater than) 1503\*(Ge (greater than or equal) |
1346: (range including boundaries) | 1504: (range including boundaries) |
1347>< (range excluding boundaries) 1348<> (except range) | 1505\*(Gt\*(Lt (range excluding boundaries) 1506\*(Lt\*(Gt (except range) |
1349.Ed 1350.Pp | 1507.Ed 1508.Pp |
1351><, <> and : | 1509.Sq \*(Gt\*(Lt , 1510.Sq \*(Lt\*(Gt 1511and 1512.Sq \&: |
1352are binary operators (they take two arguments). 1353For instance: 1354.Bl -tag -width Fl 1355.It Ar port 2000:2004 1356means | 1513are binary operators (they take two arguments). 1514For instance: 1515.Bl -tag -width Fl 1516.It Ar port 2000:2004 1517means |
1357.Sq all ports >= 2000 and <= 2004 , | 1518.Sq all ports \*(Ge 2000 and \*(Le 2004 , |
1358hence ports 2000, 2001, 2002, 2003 and 2004. | 1519hence ports 2000, 2001, 2002, 2003 and 2004. |
1359.It Ar port 2000 >< 2004 | 1520.It Ar port 2000 \*(Gt\*(Lt 2004 |
1360means | 1521means |
1361.Sq all ports > 2000 and < 2004 , | 1522.Sq all ports \*(Gt 2000 and \*(Lt 2004 , |
1362hence ports 2001, 2002 and 2003. | 1523hence ports 2001, 2002 and 2003. |
1363.It Ar port 2000 <> 2004 | 1524.It Ar port 2000 \*(Lt\*(Gt 2004 |
1364means | 1525means |
1365.Sq all ports < 2000 or > 2004 , | 1526.Sq all ports \*(Lt 2000 or \*(Gt 2004 , |
1366hence ports 1-1999 and 2005-65535. 1367.El 1368.Pp 1369The operating system of the source host can be specified in the case of TCP 1370rules with the 1371.Ar OS 1372modifier. 1373See the 1374.Sx OPERATING SYSTEM FINGERPRINTING 1375section for more information. 1376.Pp 1377The host, port and OS specifications are optional, as in the following examples: 1378.Bd -literal -offset indent 1379pass in all 1380pass in from any to any | 1527hence ports 1-1999 and 2005-65535. 1528.El 1529.Pp 1530The operating system of the source host can be specified in the case of TCP 1531rules with the 1532.Ar OS 1533modifier. 1534See the 1535.Sx OPERATING SYSTEM FINGERPRINTING 1536section for more information. 1537.Pp 1538The host, port and OS specifications are optional, as in the following examples: 1539.Bd -literal -offset indent 1540pass in all 1541pass in from any to any |
1381pass in proto tcp from any port <= 1024 to any | 1542pass in proto tcp from any port \*(Le 1024 to any |
1382pass in proto tcp from any to any port 25 | 1543pass in proto tcp from any to any port 25 |
1383pass in proto tcp from 10.0.0.0/8 port > 1024 \e | 1544pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e |
1384 to ! 10.1.2.3 port != ssh | 1545 to ! 10.1.2.3 port != ssh |
1385pass in proto tcp from any os "OpenBSD" flags S/SA | 1546pass in proto tcp from any os "OpenBSD" |
1386pass in proto tcp from route "DTAG" 1387.Ed 1388.It Ar all 1389This is equivalent to "from any to any". | 1547pass in proto tcp from route "DTAG" 1548.Ed 1549.It Ar all 1550This is equivalent to "from any to any". |
1390.It Ar group <group> | 1551.It Ar group Aq Ar group |
1391Similar to 1392.Ar user , 1393this rule only applies to packets of sockets owned by the specified group. 1394.Pp 1395The use of 1396.Ar group 1397or 1398.Ar user 1399in 1400.Va debug.mpsafenet Ns = Ns 1 1401environments may result in a deadlock. 1402Please see the 1403.Sx BUGS 1404section for details. | 1552Similar to 1553.Ar user , 1554this rule only applies to packets of sockets owned by the specified group. 1555.Pp 1556The use of 1557.Ar group 1558or 1559.Ar user 1560in 1561.Va debug.mpsafenet Ns = Ns 1 1562environments may result in a deadlock. 1563Please see the 1564.Sx BUGS 1565section for details. |
1405.It Ar user <user> | 1566.It Ar user Aq Ar user |
1406This rule only applies to packets of sockets owned by the specified user. 1407For outgoing connections initiated from the firewall, this is the user 1408that opened the connection. 1409For incoming connections to the firewall itself, this is the user that 1410listens on the destination port. 1411For forwarded connections, where the firewall is not a connection endpoint, 1412the user and group are 1413.Em unknown . --- 16 unchanged lines hidden (view full) --- 1430.Em unknown 1431matches packets of forwarded connections. 1432.Em unknown 1433can only be used with the operators 1434.Cm = 1435and 1436.Cm != . 1437Other constructs like | 1567This rule only applies to packets of sockets owned by the specified user. 1568For outgoing connections initiated from the firewall, this is the user 1569that opened the connection. 1570For incoming connections to the firewall itself, this is the user that 1571listens on the destination port. 1572For forwarded connections, where the firewall is not a connection endpoint, 1573the user and group are 1574.Em unknown . --- 16 unchanged lines hidden (view full) --- 1591.Em unknown 1592matches packets of forwarded connections. 1593.Em unknown 1594can only be used with the operators 1595.Cm = 1596and 1597.Cm != . 1598Other constructs like |
1438.Cm user >= unknown | 1599.Cm user \*(Ge unknown |
1439are invalid. 1440Forwarded packets with unknown user and group ID match only rules 1441that explicitly compare against 1442.Em unknown 1443with the operators 1444.Cm = 1445or 1446.Cm != . 1447For instance | 1600are invalid. 1601Forwarded packets with unknown user and group ID match only rules 1602that explicitly compare against 1603.Em unknown 1604with the operators 1605.Cm = 1606or 1607.Cm != . 1608For instance |
1448.Cm user >= 0 | 1609.Cm user \*(Ge 0 |
1449does not match forwarded packets. 1450The following example allows only selected users to open outgoing 1451connections: 1452.Bd -literal -offset indent 1453block out proto { tcp, udp } all | 1610does not match forwarded packets. 1611The following example allows only selected users to open outgoing 1612connections: 1613.Bd -literal -offset indent 1614block out proto { tcp, udp } all |
1454pass out proto { tcp, udp } all \e 1455 user { < 1000, dhartmei } keep state | 1615pass out proto { tcp, udp } all user { \*(Lt 1000, dhartmei } |
1456.Ed | 1616.Ed |
1457.It Ar flags <a>/<b> | /<b> | 1617.It Xo Ar flags Aq Ar a 1618.Pf / Ns Aq Ar b 1619.No \*(Ba / Ns Aq Ar b 1620.No \*(Ba any 1621.Xc |
1458This rule only applies to TCP packets that have the flags | 1622This rule only applies to TCP packets that have the flags |
1459.Ar <a> | 1623.Aq Ar a |
1460set out of set | 1624set out of set |
1461.Ar <b> . | 1625.Aq Ar b . |
1462Flags not specified in | 1626Flags not specified in |
1463.Ar <b> | 1627.Aq Ar b |
1464are ignored. | 1628are ignored. |
1629For stateful connections, the default is 1630.Ar flags S/SA . 1631To indicate that flags should not be checkd at all, specify 1632.Ar flags any . |
|
1465The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R. 1466.Bl -tag -width Fl 1467.It Ar flags S/S 1468Flag SYN is set. 1469The other flags are ignored. 1470.It Ar flags S/SA | 1633The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R. 1634.Bl -tag -width Fl 1635.It Ar flags S/S 1636Flag SYN is set. 1637The other flags are ignored. 1638.It Ar flags S/SA |
1639This is the default setting for stateful connections. |
|
1471Out of SYN and ACK, exactly SYN may be set. 1472SYN, SYN+PSH and SYN+RST match, but SYN+ACK, ACK and ACK+RST do not. 1473This is more restrictive than the previous example. 1474.It Ar flags /SFRA 1475If the first set is not specified, it defaults to none. 1476All of SYN, FIN, RST and ACK must be unset. 1477.El | 1640Out of SYN and ACK, exactly SYN may be set. 1641SYN, SYN+PSH and SYN+RST match, but SYN+ACK, ACK and ACK+RST do not. 1642This is more restrictive than the previous example. 1643.It Ar flags /SFRA 1644If the first set is not specified, it defaults to none. 1645All of SYN, FIN, RST and ACK must be unset. 1646.El |
1478.It Ar icmp-type <type> code <code> 1479.It Ar icmp6-type <type> code <code> | 1647.Pp 1648Because 1649.Ar flags S/SA 1650is applied by default (unless 1651.Ar no state 1652is specified), only the initial SYN packet of a TCP handshake will create 1653a state for a TCP connection. 1654It is possible to be less restrictive, and allow state creation from 1655intermediate 1656.Pq non-SYN 1657packets, by specifying 1658.Ar flags any . 1659This will cause 1660.Xr pf 4 1661to synchronize to existing connections, for instance 1662if one flushes the state table. 1663However, states created from such intermediate packets may be missing 1664connection details such as the TCP window scaling factor. 1665States which modify the packet flow, such as those affected by 1666.Ar nat , binat No or Ar rdr 1667rules, 1668.Ar modulate No or Ar synproxy state 1669options, or scrubbed with 1670.Ar reassemble tcp 1671will also not be recoverable from intermediate packets. 1672Such connections will stall and time out. 1673.It Xo Ar icmp-type Aq Ar type 1674.Ar code Aq Ar code 1675.Xc 1676.It Xo Ar icmp6-type Aq Ar type 1677.Ar code Aq Ar code 1678.Xc |
1480This rule only applies to ICMP or ICMPv6 packets with the specified type 1481and code. 1482Text names for ICMP types and codes are listed in 1483.Xr icmp 4 1484and 1485.Xr icmp6 4 . 1486This parameter is only valid for rules that cover protocols ICMP or 1487ICMP6. 1488The protocol and the ICMP type indicator 1489.Po 1490.Ar icmp-type 1491or 1492.Ar icmp6-type 1493.Pc 1494must match. | 1679This rule only applies to ICMP or ICMPv6 packets with the specified type 1680and code. 1681Text names for ICMP types and codes are listed in 1682.Xr icmp 4 1683and 1684.Xr icmp6 4 . 1685This parameter is only valid for rules that cover protocols ICMP or 1686ICMP6. 1687The protocol and the ICMP type indicator 1688.Po 1689.Ar icmp-type 1690or 1691.Ar icmp6-type 1692.Pc 1693must match. |
1694.It Xo Ar tos Aq Ar string 1695.No \*(Ba Aq Ar number 1696.Xc 1697This rule applies to packets with the specified 1698.Em TOS 1699bits set. 1700.Em TOS 1701may be 1702given as one of 1703.Ar lowdelay , 1704.Ar throughput , 1705.Ar reliability , 1706or as either hex or decimal. 1707.Pp 1708For example, the following rules are identical: 1709.Bd -literal -offset indent 1710pass all tos lowdelay 1711pass all tos 0x10 1712pass all tos 16 1713.Ed |
|
1495.It Ar allow-opts 1496By default, IPv4 packets with IP options or IPv6 packets with routing 1497extension headers are blocked. 1498When 1499.Ar allow-opts 1500is specified for a 1501.Ar pass 1502rule, packets that pass the filter based on that rule (last matching) 1503do so even if they contain IP options or routing extension headers. 1504For packets that match state, the rule that initially created the 1505state is used. 1506The implicit 1507.Ar pass 1508rule that is used when a packet does not match any rules does not 1509allow IP options. | 1714.It Ar allow-opts 1715By default, IPv4 packets with IP options or IPv6 packets with routing 1716extension headers are blocked. 1717When 1718.Ar allow-opts 1719is specified for a 1720.Ar pass 1721rule, packets that pass the filter based on that rule (last matching) 1722do so even if they contain IP options or routing extension headers. 1723For packets that match state, the rule that initially created the 1724state is used. 1725The implicit 1726.Ar pass 1727rule that is used when a packet does not match any rules does not 1728allow IP options. |
1510.It Ar label <string> | 1729.It Ar label Aq Ar string |
1511Adds a label (name) to the rule, which can be used to identify the rule. 1512For instance, 1513pfctl -s labels 1514shows per-rule statistics for rules that have labels. 1515.Pp 1516The following macros can be used in labels: 1517.Pp 1518.Bl -tag -width $srcaddr -compact -offset indent --- 12 unchanged lines hidden (view full) --- 1531.It Ar $nr 1532The rule number. 1533.El 1534.Pp 1535For example: 1536.Bd -literal -offset indent 1537ips = \&"{ 1.2.3.4, 1.2.3.5 }\&" 1538pass in proto tcp from any to $ips \e | 1730Adds a label (name) to the rule, which can be used to identify the rule. 1731For instance, 1732pfctl -s labels 1733shows per-rule statistics for rules that have labels. 1734.Pp 1735The following macros can be used in labels: 1736.Pp 1737.Bl -tag -width $srcaddr -compact -offset indent --- 12 unchanged lines hidden (view full) --- 1750.It Ar $nr 1751The rule number. 1752.El 1753.Pp 1754For example: 1755.Bd -literal -offset indent 1756ips = \&"{ 1.2.3.4, 1.2.3.5 }\&" 1757pass in proto tcp from any to $ips \e |
1539 port > 1023 label \&"$dstaddr:$dstport\&" | 1758 port \*(Gt 1023 label \&"$dstaddr:$dstport\&" |
1540.Ed 1541.Pp 1542expands to 1543.Bd -literal -offset indent 1544pass in inet proto tcp from any to 1.2.3.4 \e | 1759.Ed 1760.Pp 1761expands to 1762.Bd -literal -offset indent 1763pass in inet proto tcp from any to 1.2.3.4 \e |
1545 port > 1023 label \&"1.2.3.4:>1023\&" | 1764 port \*(Gt 1023 label \&"1.2.3.4:\*(Gt1023\&" |
1546pass in inet proto tcp from any to 1.2.3.5 \e | 1765pass in inet proto tcp from any to 1.2.3.5 \e |
1547 port > 1023 label \&"1.2.3.5:>1023\&" | 1766 port \*(Gt 1023 label \&"1.2.3.5:\*(Gt1023\&" |
1548.Ed 1549.Pp 1550The macro expansion for the 1551.Ar label 1552directive occurs only at configuration file parse time, not during runtime. | 1767.Ed 1768.Pp 1769The macro expansion for the 1770.Ar label 1771directive occurs only at configuration file parse time, not during runtime. |
1553.It Ar queue <queue> | ( <queue> , <queue> ) | 1772.It Xo Ar queue Aq Ar queue 1773.No \*(Ba ( Aq Ar queue , 1774.Aq Ar queue ) 1775.Xc |
1554Packets matching this rule will be assigned to the specified queue. 1555If two queues are given, packets which have a | 1776Packets matching this rule will be assigned to the specified queue. 1777If two queues are given, packets which have a |
1556.Em tos | 1778.Em TOS |
1557of 1558.Em lowdelay 1559and TCP ACKs with no data payload will be assigned to the second one. 1560See 1561.Sx QUEUEING/ALTQ 1562for setup details. 1563.Pp 1564For example: 1565.Bd -literal -offset indent 1566pass in proto tcp to port 25 queue mail 1567pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio) 1568.Ed | 1779of 1780.Em lowdelay 1781and TCP ACKs with no data payload will be assigned to the second one. 1782See 1783.Sx QUEUEING/ALTQ 1784for setup details. 1785.Pp 1786For example: 1787.Bd -literal -offset indent 1788pass in proto tcp to port 25 queue mail 1789pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio) 1790.Ed |
1569.It Ar tag <string> | 1791.It Ar tag Aq Ar string |
1570Packets matching this rule will be tagged with the 1571specified string. 1572The tag acts as an internal marker that can be used to 1573identify these packets later on. 1574This can be used, for example, to provide trust between 1575interfaces and to determine if packets have been 1576processed by translation rules. 1577Tags are 1578.Qq sticky , 1579meaning that the packet will be tagged even if the rule 1580is not the last matching rule. 1581Further matching rules can replace the tag with a 1582new one but will not remove a previously applied tag. 1583A packet is only ever assigned one tag at a time. | 1792Packets matching this rule will be tagged with the 1793specified string. 1794The tag acts as an internal marker that can be used to 1795identify these packets later on. 1796This can be used, for example, to provide trust between 1797interfaces and to determine if packets have been 1798processed by translation rules. 1799Tags are 1800.Qq sticky , 1801meaning that the packet will be tagged even if the rule 1802is not the last matching rule. 1803Further matching rules can replace the tag with a 1804new one but will not remove a previously applied tag. 1805A packet is only ever assigned one tag at a time. |
1584.Ar pass 1585rules that use the 1586.Ar tag 1587keyword must also use 1588.Ar keep state , 1589.Ar modulate state 1590or 1591.Ar synproxy state . | |
1592Packet tagging can be done during 1593.Ar nat , 1594.Ar rdr , 1595or 1596.Ar binat 1597rules in addition to filter rules. 1598Tags take the same macros as labels (see above). | 1806Packet tagging can be done during 1807.Ar nat , 1808.Ar rdr , 1809or 1810.Ar binat 1811rules in addition to filter rules. 1812Tags take the same macros as labels (see above). |
1599.It Ar tagged <string> | 1813.It Ar tagged Aq Ar string |
1600Used with filter or translation rules to specify that packets must already 1601be tagged with the given tag in order to match the rule. 1602Inverse tag matching can also be done 1603by specifying the 1604.Cm !\& 1605operator before the 1606.Ar tagged 1607keyword. | 1814Used with filter or translation rules to specify that packets must already 1815be tagged with the given tag in order to match the rule. 1816Inverse tag matching can also be done 1817by specifying the 1818.Cm !\& 1819operator before the 1820.Ar tagged 1821keyword. |
1608.It Ar probability <number> | 1822.It Ar rtable Aq Ar number 1823Used to select an alternate routing table for the routing lookup. 1824Only effective before the route lookup happened, i.e. when filtering inbound. 1825.It Ar probability Aq Ar number |
1609A probability attribute can be attached to a rule, with a value set between 16100 and 1, bounds not included. 1611In that case, the rule will be honoured using the given probability value 1612only. 1613For example, the following rule will drop 20% of incoming ICMP packets: 1614.Bd -literal -offset indent 1615block in proto icmp probability 20% 1616.Ed --- 105 unchanged lines hidden (view full) --- 1722pool options. 1723Note that by default these associations are destroyed as soon as there are 1724no longer states which refer to them; in order to make the mappings last 1725beyond the lifetime of the states, increase the global options with 1726.Ar set timeout source-track 1727See 1728.Sx STATEFUL TRACKING OPTIONS 1729for more ways to control the source tracking. | 1826A probability attribute can be attached to a rule, with a value set between 18270 and 1, bounds not included. 1828In that case, the rule will be honoured using the given probability value 1829only. 1830For example, the following rule will drop 20% of incoming ICMP packets: 1831.Bd -literal -offset indent 1832block in proto icmp probability 20% 1833.Ed --- 105 unchanged lines hidden (view full) --- 1939pool options. 1940Note that by default these associations are destroyed as soon as there are 1941no longer states which refer to them; in order to make the mappings last 1942beyond the lifetime of the states, increase the global options with 1943.Ar set timeout source-track 1944See 1945.Sx STATEFUL TRACKING OPTIONS 1946for more ways to control the source tracking. |
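Review bot: the new `rtable <number>` entry is under-specified and has a grammar slip: "Only effective before the route lookup happened" should read "has happened", and the entry gives neither the range of valid table numbers nor a cross-reference to where routing tables are configured, so a reader cannot tell what an "alternate routing table" is on this platform or what happens when the keyword is used on an outbound rule (silently ignored, or rejected at load time). Suggested wording: "Used to select an alternate routing table for the route lookup. Only effective before the route lookup has happened, i.e. when filtering inbound; it has no effect on outbound rules." The other substantive change in this hunk, dropping the sentence that `pass` rules using `tag` must also use `keep state`, `modulate state` or `synproxy state`, is only correct if state is now kept by default on `pass` rules; that change is not visible here, so confirm the filter-rule parameters section documents the new default before removing this constraint.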
1730.Sh STATEFUL INSPECTION 1731.Xr pf 4 1732is a stateful packet filter, which means it can track the state of 1733a connection. 1734Instead of passing all traffic to port 25, for instance, it is possible 1735to pass only the initial packet, and then begin to keep state. 1736Subsequent traffic will flow because the filter is aware of the connection. 1737.Pp 1738If a packet matches a 1739.Ar pass ... keep state 1740rule, the filter creates a state for this connection and automatically 1741lets pass all subsequent packets of that connection. 1742.Pp 1743Before any rules are evaluated, the filter checks whether the packet 1744matches any state. 1745If it does, the packet is passed without evaluation of any rules. 1746.Pp 1747States are removed after the connection is closed or has timed out. 1748.Pp 1749This has several advantages. 1750Comparing a packet to a state involves checking its sequence numbers. 1751If the sequence numbers are outside the narrow windows of expected 1752values, the packet is dropped. 1753This prevents spoofing attacks, such as when an attacker sends packets with 1754a fake source address/port but does not know the connection's sequence 1755numbers. 1756.Pp 1757Also, looking up states is usually faster than evaluating rules. 1758If there are 50 rules, all of them are evaluated sequentially in O(n). 1759Even with 50000 states, only 16 comparisons are needed to match a 1760state, since states are stored in a binary search tree that allows 1761searches in O(log2 n). 1762.Pp 1763For instance: 1764.Bd -literal -offset indent 1765block all 1766pass out proto tcp from any to any flags S/SA keep state 1767pass in proto tcp from any to any port 25 flags S/SA keep state 1768.Ed 1769.Pp 1770This ruleset blocks everything by default. 1771Only outgoing connections and incoming connections to port 25 are allowed. 1772The initial packet of each connection has the SYN 1773flag set, will be passed and creates state. 
1774All further packets of these connections are passed if they match a state. 1775.Pp 1776By default, packets coming in and out of any interface can match a state, 1777but it is also possible to change that behaviour by assigning states to a 1778single interface or a group of interfaces. 1779.Pp 1780The default policy is specified by the 1781.Ar state-policy 1782global option, but this can be adjusted on a per-rule basis by adding one 1783of the 1784.Ar if-bound , 1785.Ar group-bound 1786or 1787.Ar floating 1788keywords to the 1789.Ar keep state 1790option. 1791For example, if a rule is defined as: 1792.Bd -literal -offset indent 1793pass out on ppp from any to 10.12/16 keep state (group-bound) 1794.Ed 1795.Pp 1796A state created on ppp0 would match packets an all PPP interfaces, 1797but not packets flowing through fxp0 or any other interface. 1798.Pp 1799Keeping rules 1800.Ar floating 1801is the more flexible option when the firewall is in a dynamic routing 1802environment. 1803However, this has some security implications since a state created by one 1804trusted network could allow potentially hostile packets coming in from other 1805interfaces. 1806.Pp 1807Specifying 1808.Ar flags S/SA 1809restricts state creation to the initial SYN 1810packet of the TCP handshake. 1811One can also be less restrictive, and allow state creation from 1812intermediate 1813.Pq non-SYN 1814packets. 1815This will cause 1816.Xr pf 4 1817to synchronize to existing connections, for instance 1818if one flushes the state table. 1819.Pp 1820For UDP, which is stateless by nature, 1821.Ar keep state 1822will create state as well. 1823UDP packets are matched to states using only host addresses and ports. 1824.Pp 1825ICMP messages fall into two categories: ICMP error messages, which always 1826refer to a TCP or UDP packet, are matched against the referred to connection. 
1827If one keeps state on a TCP connection, and an ICMP source quench message 1828referring to this TCP connection arrives, it will be matched to the right 1829state and get passed. 1830.Pp 1831For ICMP queries, 1832.Ar keep state 1833creates an ICMP state, and 1834.Xr pf 4 1835knows how to match ICMP replies to states. 1836For example, 1837.Bd -literal -offset indent 1838pass out inet proto icmp all icmp-type echoreq keep state 1839.Ed 1840.Pp 1841allows echo requests (such as those created by 1842.Xr ping 8 ) 1843out, creates state, and matches incoming echo replies correctly to states. 1844.Pp 1845Note: 1846.Ar nat , binat No and Ar rdr 1847rules implicitly create state for connections. | |
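Review bot: the entire STATEFUL INSPECTION section is removed with nothing added on the right side, and that section is the only place in view that explains what a state is, that state lookup precedes rule evaluation, that packets outside the expected sequence-number window are dropped (the anti-spoofing property the later sections rely on), that lookup is O(log2 n) versus O(n) rule evaluation, the `if-bound`/`group-bound`/`floating` state binding, and how UDP and ICMP are matched to states. Unless this text was moved into the collapsed region above (105 lines are hidden between the `probability` entry and STATE MODULATION), the STATE MODULATION, SYN PROXY and STATEFUL TRACKING OPTIONS sections that follow lose their foundation, and any `.Sx STATEFUL INSPECTION` cross-reference remaining elsewhere in the page becomes dangling. Confirm where the material now lives and check the page for `Sx STATEFUL INSPECTION` before committing.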
1848.Sh STATE MODULATION 1849Much of the security derived from TCP is attributable to how well the 1850initial sequence numbers (ISNs) are chosen. 1851Some popular stack implementations choose 1852.Em very 1853poor ISNs and thus are normally susceptible to ISN prediction exploits. 1854By applying a 1855.Ar modulate state --- 6 unchanged lines hidden (view full) --- 1862.Ar modulate state 1863directive implicitly keeps state on the rule and is 1864only applicable to TCP connections. 1865.Pp 1866For instance: 1867.Bd -literal -offset indent 1868block all 1869pass out proto tcp from any to any modulate state | 1947.Sh STATE MODULATION 1948Much of the security derived from TCP is attributable to how well the 1949initial sequence numbers (ISNs) are chosen. 1950Some popular stack implementations choose 1951.Em very 1952poor ISNs and thus are normally susceptible to ISN prediction exploits. 1953By applying a 1954.Ar modulate state --- 6 unchanged lines hidden (view full) --- 1961.Ar modulate state 1962directive implicitly keeps state on the rule and is 1963only applicable to TCP connections. 1964.Pp 1965For instance: 1966.Bd -literal -offset indent 1967block all 1968pass out proto tcp from any to any modulate state |
1870pass in proto tcp from any to any port 25 flags S/SA modulate state | 1969pass in proto tcp from any to any port 25 flags S/SFRA modulate state |
1871.Ed 1872.Pp | 1970.Ed 1971.Pp |
1873There are two caveats associated with state modulation: 1874A 1875.Ar modulate state 1876rule can not be applied to a pre-existing but unmodulated connection. 1877Such an application would desynchronize TCP's strict 1878sequencing between the two endpoints. 1879Instead, 1880.Xr pf 4 1881will treat the 1882.Ar modulate state 1883modifier as a 1884.Ar keep state 1885modifier and the pre-existing connection will be inferred without 1886the protection conferred by modulation. 1887.Pp 1888The other caveat affects currently modulated states when the state table | 1972Note that modulated connections will not recover when the state table |
1889is lost (firewall reboot, flushing the state table, etc...). 1890.Xr pf 4 1891will not be able to infer a connection again after the state table flushes 1892the connection's modulator. 1893When the state is lost, the connection may be left dangling until the 1894respective endpoints time out the connection. 1895It is possible on a fast local network for the endpoints to start an ACK 1896storm while trying to resynchronize after the loss of the modulator. | 1973is lost (firewall reboot, flushing the state table, etc...). 1974.Xr pf 4 1975will not be able to infer a connection again after the state table flushes 1976the connection's modulator. 1977When the state is lost, the connection may be left dangling until the 1978respective endpoints time out the connection. 1979It is possible on a fast local network for the endpoints to start an ACK 1980storm while trying to resynchronize after the loss of the modulator. |
1897Using a 1898.Ar flags S/SA 1899modifier on | 1981The default 1982.Ar flags 1983settings (or a more strict equivalent) should be used on |
1900.Ar modulate state | 1984.Ar modulate state |
1901rules between fast networks is suggested to prevent ACK storms. | 1985rules to prevent ACK storms. 1986.Pp 1987Note that alternative methods are available 1988to prevent loss of the state table 1989and allow for firewall failover. 1990See 1991.Xr carp 4 1992and 1993.Xr pfsync 4 1994for further information. |
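Review bot: the replacement sentence "The default flags settings (or a more strict equivalent) should be used on modulate state rules to prevent ACK storms" never says what the default is and carries no cross-reference, while the example in the same hunk changes from `flags S/SA` to `flags S/SFRA` without comment, so the reader cannot tell whether `S/SFRA` is the default or the stricter equivalent; name the default (or `.Sx` the `flags` parameter description) and say why the example uses `S/SFRA`. Also, the first of the two caveats, that a `modulate state` rule applied to a pre-existing unmodulated connection is treated as `keep state` and the connection is picked up without modulation protection, is deleted while the second is kept; if that behaviour still holds the caveat should stay, because the surviving text about pf not being able to "infer a connection again" after the state table is flushed still presupposes that connections can be inferred mid-stream.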
1902.Sh SYN PROXY 1903By default, 1904.Xr pf 4 1905passes packets that are part of a 1906.Xr tcp 4 1907handshake between the endpoints. 1908The 1909.Ar synproxy state --- 9 unchanged lines hidden (view full) --- 1919.Pp 1920The proxy is transparent to both endpoints, they each see a single 1921connection from/to the other endpoint. 1922.Xr pf 4 1923chooses random initial sequence numbers for both handshakes. 1924Once the handshakes are completed, the sequence number modulators 1925(see previous section) are used to translate further packets of the 1926connection. | 1995.Sh SYN PROXY 1996By default, 1997.Xr pf 4 1998passes packets that are part of a 1999.Xr tcp 4 2000handshake between the endpoints. 2001The 2002.Ar synproxy state --- 9 unchanged lines hidden (view full) --- 2012.Pp 2013The proxy is transparent to both endpoints, they each see a single 2014connection from/to the other endpoint. 2015.Xr pf 4 2016chooses random initial sequence numbers for both handshakes. 2017Once the handshakes are completed, the sequence number modulators 2018(see previous section) are used to translate further packets of the 2019connection. |
1927Hence, | |
1928.Ar synproxy state 1929includes | 2020.Ar synproxy state 2021includes |
1930.Ar modulate state 1931and 1932.Ar keep state . | 2022.Ar modulate state . |
1933.Pp 1934Rules with 1935.Ar synproxy 1936will not work if 1937.Xr pf 4 1938operates on a 1939.Xr if_bridge 4 . 1940.Pp 1941Example: 1942.Bd -literal -offset indent | 2023.Pp 2024Rules with 2025.Ar synproxy 2026will not work if 2027.Xr pf 4 2028operates on a 2029.Xr if_bridge 4 . 2030.Pp 2031Example: 2032.Bd -literal -offset indent |
1943pass in proto tcp from any to any port www flags S/SA synproxy state | 2033pass in proto tcp from any to any port www synproxy state |
1944.Ed 1945.Sh STATEFUL TRACKING OPTIONS | 2034.Ed 2035.Sh STATEFUL TRACKING OPTIONS |
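Review bot: with "and keep state" removed, the sentence "synproxy state includes modulate state." no longer states outright that a synproxy rule keeps state; the reader has to combine it with the unchanged "modulate state directive implicitly keeps state" in the previous section. Since the rest of this change makes state keeping the implicit default, say it here in one clause (for example "includes modulate state and therefore keep state") rather than relying on the transitive reading, and keep the "Hence," that the hunk drops, because without it the sentence is detached from the preceding explanation that the sequence-number modulators translate packets once both handshakes complete. Dropping `flags S/SA` from the `port www synproxy state` example is consistent with the other examples in this change only if the new default flags are in fact `S/SA`, which is asserted nowhere in view.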
1946All three of | 2036A number of options related to stateful tracking can be applied on a 2037per-rule basis. |
1947.Ar keep state , 1948.Ar modulate state 1949and 1950.Ar synproxy state | 2038.Ar keep state , 2039.Ar modulate state 2040and 2041.Ar synproxy state |
1951support the following options: | 2042support these options, and 2043.Ar keep state 2044must be specified explicitly to apply options to a rule. |
1952.Pp 1953.Bl -tag -width xxxx -compact | 2045.Pp 2046.Bl -tag -width xxxx -compact |
1954.It Ar max <number> | 2047.It Ar max Aq Ar number |
1955Limits the number of concurrent states the rule may create. 1956When this limit is reached, further packets matching the rule that would 1957create state are dropped, until existing states time out. 1958.It Ar no-sync 1959Prevent state changes for states created by this rule from appearing on the 1960.Xr pfsync 4 1961interface. | 2048Limits the number of concurrent states the rule may create. 2049When this limit is reached, further packets matching the rule that would 2050create state are dropped, until existing states time out. 2051.It Ar no-sync 2052Prevent state changes for states created by this rule from appearing on the 2053.Xr pfsync 4 2054interface. |
1962.It Ar <timeout> <seconds> | 2055.It Xo Aq Ar timeout 2056.Aq Ar seconds 2057.Xc |
1963Changes the timeout values used for states created by this rule. 1964For a list of all valid timeout names, see 1965.Sx OPTIONS 1966above. 1967.El 1968.Pp 1969Multiple options can be specified, separated by commas: 1970.Bd -literal -offset indent 1971pass in proto tcp from any to any \e | 2058Changes the timeout values used for states created by this rule. 2059For a list of all valid timeout names, see 2060.Sx OPTIONS 2061above. 2062.El 2063.Pp 2064Multiple options can be specified, separated by commas: 2065.Bd -literal -offset indent 2066pass in proto tcp from any to any \e |
1972 port www flags S/SA keep state \e | 2067 port www keep state \e |
1973 (max 100, source-track rule, max-src-nodes 75, \e 1974 max-src-states 3, tcp.established 60, tcp.closing 5) 1975.Ed 1976.Pp 1977When the 1978.Ar source-track 1979keyword is specified, the number of states per source IP is tracked. 1980.Pp 1981.Bl -tag -width xxxx -compact 1982.It Ar source-track rule 1983The maximum number of states created by this rule is limited by the rule's 1984.Ar max-src-nodes 1985and | 2068 (max 100, source-track rule, max-src-nodes 75, \e 2069 max-src-states 3, tcp.established 60, tcp.closing 5) 2070.Ed 2071.Pp 2072When the 2073.Ar source-track 2074keyword is specified, the number of states per source IP is tracked. 2075.Pp 2076.Bl -tag -width xxxx -compact 2077.It Ar source-track rule 2078The maximum number of states created by this rule is limited by the rule's 2079.Ar max-src-nodes 2080and |
1986.Ar max-src-state | 2081.Ar max-src-states |
1987options. 1988Only state entries created by this particular rule count toward the rule's 1989limits. 1990.It Ar source-track global 1991The number of states created by all rules that use this option is limited. 1992Each rule can specify different 1993.Ar max-src-nodes 1994and 1995.Ar max-src-states 1996options, however state entries created by any participating rule count towards 1997each individual rule's limits. 1998.El 1999.Pp 2000The following limits can be set: 2001.Pp 2002.Bl -tag -width xxxx -compact | 2082options. 2083Only state entries created by this particular rule count toward the rule's 2084limits. 2085.It Ar source-track global 2086The number of states created by all rules that use this option is limited. 2087Each rule can specify different 2088.Ar max-src-nodes 2089and 2090.Ar max-src-states 2091options, however state entries created by any participating rule count towards 2092each individual rule's limits. 2093.El 2094.Pp 2095The following limits can be set: 2096.Pp 2097.Bl -tag -width xxxx -compact |
2003.It Ar max-src-nodes <number> | 2098.It Ar max-src-nodes Aq Ar number |
2004Limits the maximum number of source addresses which can simultaneously 2005have state table entries. | 2099Limits the maximum number of source addresses which can simultaneously 2100have state table entries. |
2006.It Ar max-src-states <number> | 2101.It Ar max-src-states Aq Ar number |
2007Limits the maximum number of simultaneous state entries that a single 2008source address can create with this rule. 2009.El 2010.Pp 2011For stateful TCP connections, limits on established connections (connections 2012which have completed the TCP 3-way handshake) can also be enforced 2013per source IP. 2014.Pp 2015.Bl -tag -width xxxx -compact | 2102Limits the maximum number of simultaneous state entries that a single 2103source address can create with this rule. 2104.El 2105.Pp 2106For stateful TCP connections, limits on established connections (connections 2107which have completed the TCP 3-way handshake) can also be enforced 2108per source IP. 2109.Pp 2110.Bl -tag -width xxxx -compact |
2016.It Ar max-src-conn <number> | 2111.It Ar max-src-conn Aq Ar number |
2017Limits the maximum number of simultaneous TCP connections which have 2018completed the 3-way handshake that a single host can make. | 2112Limits the maximum number of simultaneous TCP connections which have 2113completed the 3-way handshake that a single host can make. |
2019.It Ar max-src-conn-rate <number> / <seconds> | 2114.It Xo Ar max-src-conn-rate Aq Ar number 2115.No / Aq Ar seconds 2116.Xc |
2020Limit the rate of new connections over a time interval. 2021The connection rate is an approximation calculated as a moving average. 2022.El 2023.Pp 2024Because the 3-way handshake ensures that the source address is not being 2025spoofed, more aggressive action can be taken based on these limits. 2026With the | 2117Limit the rate of new connections over a time interval. 2118The connection rate is an approximation calculated as a moving average. 2119.El 2120.Pp 2121Because the 3-way handshake ensures that the source address is not being 2122spoofed, more aggressive action can be taken based on these limits. 2123With the |
2027.Ar overload <table> | 2124.Ar overload Aq Ar table |
2028state option, source IP addresses which hit either of the limits on 2029established connections will be added to the named table. 2030This table can be used in the ruleset to block further activity from 2031the offending host, redirect it to a tarpit process, or restrict its 2032bandwidth. 2033.Pp 2034The optional 2035.Ar flush 2036keyword kills all states created by the matching rule which originate 2037from the host which exceeds these limits. 2038The 2039.Ar global 2040modifier to the flush command kills all states originating from the 2041offending host, regardless of which rule created the state. 2042.Pp 2043For example, the following rules will protect the webserver against 2044hosts making more than 100 connections in 10 seconds. 2045Any host which connects faster than this rate will have its address added | 2125state option, source IP addresses which hit either of the limits on 2126established connections will be added to the named table. 2127This table can be used in the ruleset to block further activity from 2128the offending host, redirect it to a tarpit process, or restrict its 2129bandwidth. 2130.Pp 2131The optional 2132.Ar flush 2133keyword kills all states created by the matching rule which originate 2134from the host which exceeds these limits. 2135The 2136.Ar global 2137modifier to the flush command kills all states originating from the 2138offending host, regardless of which rule created the state. 2139.Pp 2140For example, the following rules will protect the webserver against 2141hosts making more than 100 connections in 10 seconds. 2142Any host which connects faster than this rate will have its address added |
2046to the <bad_hosts> table and have all states originating from it flushed. | 2143to the 2144.Aq bad_hosts 2145table and have all states originating from it flushed. |
2047Any new packets arriving from this host will be dropped unconditionally 2048by the block rule. 2049.Bd -literal -offset indent | 2146Any new packets arriving from this host will be dropped unconditionally 2147by the block rule. 2148.Bd -literal -offset indent |
2050block quick from <bad_hosts> 2051pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state \e 2052 (max-src-conn-rate 100/10, overload <bad_hosts> flush global) | 2149block quick from \*(Ltbad_hosts\*(Gt 2150pass in on $ext_if proto tcp to $webserver port www keep state \e 2151 (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global) |
2053.Ed 2054.Sh OPERATING SYSTEM FINGERPRINTING 2055Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP 2056connection's initial SYN packet and guess at the host's operating system. 2057Unfortunately these nuances are easily spoofed by an attacker so the 2058fingerprint is not useful in making security decisions. 2059But the fingerprint is typically accurate enough to make policy decisions 2060upon. 2061.Pp 2062The fingerprints may be specified by operating system class, by 2063version, or by subtype/patchlevel. 2064The class of an operating system is typically the vendor or genre | 2152.Ed 2153.Sh OPERATING SYSTEM FINGERPRINTING 2154Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP 2155connection's initial SYN packet and guess at the host's operating system. 2156Unfortunately these nuances are easily spoofed by an attacker so the 2157fingerprint is not useful in making security decisions. 2158But the fingerprint is typically accurate enough to make policy decisions 2159upon. 2160.Pp 2161The fingerprints may be specified by operating system class, by 2162version, or by subtype/patchlevel. 2163The class of an operating system is typically the vendor or genre |
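Review bot: in the STATEFUL TRACKING OPTIONS hunk above, the new sentence "keep state must be specified explicitly to apply options to a rule" is ambiguous right after listing `keep state`, `modulate state` and `synproxy state` as the three keywords that support options: it reads as if `modulate state (max 100)` or `synproxy state (max 100)` were not allowed, when the intent is presumably that the now-implicit state keeping cannot carry options unless one of the three keywords is written out. Suggested: "Because state is kept implicitly, one of these keywords must be written explicitly for options to be attached." The `max-src-state` to `max-src-states` fix is correct and matches the limit name defined below. In the overload example, the `bad_hosts` table is used by `block quick from \*(Ltbad_hosts\*(Gt` and by the `overload` option but never declared; since the hunk already rewrites those two lines, add a `table <bad_hosts> persist` declaration ahead of them so the example loads as shown, and use the same angle-bracket form (`\*(Lt`/`\*(Gt` or plain `<`/`>`) in the declaration and in the rules.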
2065and would be OpenBSD for the | 2164and would be 2165.Ox 2166for the |
2066.Xr pf 4 2067firewall itself. | 2167.Xr pf 4 2168firewall itself. |
2068The version of the oldest available OpenBSD release on the main ftp site | 2169The version of the oldest available 2170.Ox 2171release on the main FTP site |
2069would be 2.6 and the fingerprint would be written 2070.Pp 2071.Dl \&"OpenBSD 2.6\&" 2072.Pp 2073The subtype of an operating system is typically used to describe the 2074patchlevel if that patch led to changes in the TCP stack behavior. | 2172would be 2.6 and the fingerprint would be written 2173.Pp 2174.Dl \&"OpenBSD 2.6\&" 2175.Pp 2176The subtype of an operating system is typically used to describe the 2177patchlevel if that patch led to changes in the TCP stack behavior. |
2075In the case of OpenBSD, the only subtype is for a fingerprint that was | 2178In the case of 2179.Ox , 2180the only subtype is for a fingerprint that was |
2076normalized by the 2077.Ar no-df 2078scrub option and would be specified as 2079.Pp 2080.Dl \&"OpenBSD 3.3 no-df\&" 2081.Pp 2082Fingerprints for most popular operating systems are provided by 2083.Xr pf.os 5 . --- 11 unchanged lines hidden (view full) --- 2095.Pp 2096The 2097.Ar unknown 2098class can also be used as the fingerprint which will match packets for 2099which no operating system fingerprint is known. 2100.Pp 2101Examples: 2102.Bd -literal -offset indent | 2181normalized by the 2182.Ar no-df 2183scrub option and would be specified as 2184.Pp 2185.Dl \&"OpenBSD 3.3 no-df\&" 2186.Pp 2187Fingerprints for most popular operating systems are provided by 2188.Xr pf.os 5 . --- 11 unchanged lines hidden (view full) --- 2200.Pp 2201The 2202.Ar unknown 2203class can also be used as the fingerprint which will match packets for 2204which no operating system fingerprint is known. 2205.Pp 2206Examples: 2207.Bd -literal -offset indent |
2103pass out proto tcp from any os OpenBSD keep state | 2208pass out proto tcp from any os OpenBSD |
2104block out proto tcp from any os Doors 2105block out proto tcp from any os "Doors PT" 2106block out proto tcp from any os "Doors PT SP3" 2107block out from any os "unknown" | 2209block out proto tcp from any os Doors 2210block out proto tcp from any os "Doors PT" 2211block out proto tcp from any os "Doors PT SP3" 2212block out from any os "unknown" |
2108pass on lo0 proto tcp from any os "OpenBSD 3.3 lo0" keep state | 2213pass on lo0 proto tcp from any os "OpenBSD 3.3 lo0" |
2109.Ed 2110.Pp 2111Operating system fingerprinting is limited only to the TCP SYN packet. 2112This means that it will not work on other protocols and will not match 2113a currently established connection. 2114.Pp 2115Caveat: operating system fingerprints are occasionally wrong. 2116There are three problems: an attacker can trivially craft his packets to --- 132 unchanged lines hidden (view full) --- 2249translation rules, for example, may also be contained in any anchor. 2250.Pp 2251An anchor can reference another 2252.Ar anchor 2253attachment point 2254using the following kinds 2255of rules: 2256.Bl -tag -width xxxx | 2214.Ed 2215.Pp 2216Operating system fingerprinting is limited only to the TCP SYN packet. 2217This means that it will not work on other protocols and will not match 2218a currently established connection. 2219.Pp 2220Caveat: operating system fingerprints are occasionally wrong. 2221There are three problems: an attacker can trivially craft his packets to --- 132 unchanged lines hidden (view full) --- 2354translation rules, for example, may also be contained in any anchor. 2355.Pp 2356An anchor can reference another 2357.Ar anchor 2358attachment point 2359using the following kinds 2360of rules: 2361.Bl -tag -width xxxx |
2257.It Ar nat-anchor <name> | 2362.It Ar nat-anchor Aq Ar name |
2258Evaluates the 2259.Ar nat 2260rules in the specified 2261.Ar anchor . | 2363Evaluates the 2364.Ar nat 2365rules in the specified 2366.Ar anchor . |
2262.It Ar rdr-anchor <name> | 2367.It Ar rdr-anchor Aq Ar name |
2263Evaluates the 2264.Ar rdr 2265rules in the specified 2266.Ar anchor . | 2368Evaluates the 2369.Ar rdr 2370rules in the specified 2371.Ar anchor . |
2267.It Ar binat-anchor <name> | 2372.It Ar binat-anchor Aq Ar name |
2268Evaluates the 2269.Ar binat 2270rules in the specified 2271.Ar anchor . | 2373Evaluates the 2374.Ar binat 2375rules in the specified 2376.Ar anchor . |
2272.It Ar anchor <name> | 2377.It Ar anchor Aq Ar name |
2273Evaluates the filter rules in the specified 2274.Ar anchor . | 2378Evaluates the filter rules in the specified 2379.Ar anchor . |
2275.It Ar load anchor <name> from <file> | 2380.It Xo Ar load anchor 2381.Aq Ar name 2382.Ar from Aq Ar file 2383.Xc |
2276Loads the rules from the specified file into the 2277anchor 2278.Ar name . 2279.El 2280.Pp 2281When evaluation of the main ruleset reaches an 2282.Ar anchor 2283rule, 2284.Xr pf 4 2285will proceed to evaluate all rules specified in that anchor. 2286.Pp | 2384Loads the rules from the specified file into the 2385anchor 2386.Ar name . 2387.El 2388.Pp 2389When evaluation of the main ruleset reaches an 2390.Ar anchor 2391rule, 2392.Xr pf 4 2393will proceed to evaluate all rules specified in that anchor. 2394.Pp |
2287Matching filter and translation rules in anchors with the | 2395Matching filter and translation rules marked with the |
2288.Ar quick 2289option are final and abort the evaluation of the rules in other | 2396.Ar quick 2397option are final and abort the evaluation of the rules in other |
2290anchors 2291and the main ruleset. | 2398anchors and the main ruleset. 2399If the 2400.Ar anchor 2401itself is marked with the 2402.Ar quick 2403option, 2404ruleset evaluation will terminate when the anchor is exited if the packet is 2405matched by any rule within the anchor. |
2292.Pp 2293.Ar anchor 2294rules are evaluated relative to the anchor in which they are contained. 2295For example, all 2296.Ar anchor 2297rules specified in the main ruleset will reference anchor 2298attachment points underneath the main ruleset, and 2299.Ar anchor --- 7 unchanged lines hidden (view full) --- 2307is loaded, and later such anchors can be manipulated through 2308.Xr pfctl 8 2309without reloading the main ruleset or other anchors. 2310For example, 2311.Bd -literal -offset indent 2312ext_if = \&"kue0\&" 2313block on $ext_if all 2314anchor spam | 2406.Pp 2407.Ar anchor 2408rules are evaluated relative to the anchor in which they are contained. 2409For example, all 2410.Ar anchor 2411rules specified in the main ruleset will reference anchor 2412attachment points underneath the main ruleset, and 2413.Ar anchor --- 7 unchanged lines hidden (view full) --- 2421is loaded, and later such anchors can be manipulated through 2422.Xr pfctl 8 2423without reloading the main ruleset or other anchors. 2424For example, 2425.Bd -literal -offset indent 2426ext_if = \&"kue0\&" 2427block on $ext_if all 2428anchor spam |
2315pass out on $ext_if all keep state | 2429pass out on $ext_if all |
2316pass in on $ext_if proto tcp from any \e | 2430pass in on $ext_if proto tcp from any \e |
2317 to $ext_if port smtp keep state | 2431 to $ext_if port smtp |
2318.Ed 2319.Pp 2320blocks all packets on the external interface by default, then evaluates 2321all rules in the 2322.Ar anchor 2323named "spam", and finally passes all outgoing connections and 2324incoming connections to port 25. 2325.Bd -literal -offset indent --- 31 unchanged lines hidden (view full) --- 2357using the same syntax as filter rules. 2358When parameters are used, the 2359.Ar anchor 2360rule is only evaluated for matching packets. 2361This allows conditional evaluation of anchors, like: 2362.Bd -literal -offset indent 2363block on $ext_if all 2364anchor spam proto tcp from any to any port smtp | 2432.Ed 2433.Pp 2434blocks all packets on the external interface by default, then evaluates 2435all rules in the 2436.Ar anchor 2437named "spam", and finally passes all outgoing connections and 2438incoming connections to port 25. 2439.Bd -literal -offset indent --- 31 unchanged lines hidden (view full) --- 2471using the same syntax as filter rules. 2472When parameters are used, the 2473.Ar anchor 2474rule is only evaluated for matching packets. 2475This allows conditional evaluation of anchors, like: 2476.Bd -literal -offset indent 2477block on $ext_if all 2478anchor spam proto tcp from any to any port smtp |
2365pass out on $ext_if all keep state 2366pass in on $ext_if proto tcp from any to $ext_if port smtp keep state | 2479pass out on $ext_if all 2480pass in on $ext_if proto tcp from any to $ext_if port smtp |
2367.Ed 2368.Pp 2369The rules inside 2370.Ar anchor 2371spam are only evaluated for 2372.Ar tcp 2373packets with destination port 25. 2374Hence, --- 38 unchanged lines hidden (view full) --- 2413Evaluation of the main ruleset will lead into the 2414.Li spam/allowed 2415anchor, which will evaluate the rules in the 2416.Li spam/banned 2417anchor, if any, before finally evaluating the 2418.Ar pass 2419rule. 2420.Pp | 2481.Ed 2482.Pp 2483The rules inside 2484.Ar anchor 2485spam are only evaluated for 2486.Ar tcp 2487packets with destination port 25. 2488Hence, --- 38 unchanged lines hidden (view full) --- 2527Evaluation of the main ruleset will lead into the 2528.Li spam/allowed 2529anchor, which will evaluate the rules in the 2530.Li spam/banned 2531anchor, if any, before finally evaluating the 2532.Ar pass 2533rule. 2534.Pp |
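Review bot: the new paragraph about anchors marked `quick` ("If the anchor itself is marked with the quick option, ruleset evaluation will terminate when the anchor is exited if the packet is matched by any rule within the anchor") introduces a syntax that the list of anchor rule kinds directly above does not show; `anchor <name>` is documented as taking only a name, and `quick` on an anchor rule first appears here by prose. Add `quick` (and the other filter parameters the later `anchor spam proto tcp from any to any port smtp` example relies on) to the `anchor <name>` entry, or state there that anchor rules accept the same parameters as filter rules, and clarify whether "matched by any rule within the anchor" means the last matching rule's action becomes final (as for a `quick` filter rule) or merely that evaluation stops. The wording change from "rules in anchors with the quick option" to "rules marked with the quick option" is an improvement. Dropping `keep state` from the `pass out on $ext_if all` and `port smtp` examples is consistent with the rest of the change, assuming the implicit default is documented in the filter rules section.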
2535Filter rule 2536.Ar anchors 2537can also be loaded inline in the ruleset within a brace ('{' '}') delimited 2538block. 2539Brace delimited blocks may contain rules or other brace-delimited blocks. 2540When anchors are loaded this way the anchor name becomes optional. 2541.Bd -literal -offset indent 2542anchor "external" on egress { 2543 block 2544 anchor out { 2545 pass proto tcp from any to port { 25, 80, 443 } 2546 } 2547 pass in proto tcp to any port 22 2548} 2549.Ed 2550.Pp |
|
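Review bot: the new inline-anchor paragraph (2535-2540) spells the same term three ways, "brace ('{' '}') delimited block", "Brace delimited blocks" and "brace-delimited blocks"; use "brace-delimited" throughout. The sentence "When anchors are loaded this way the anchor name becomes optional" (2540) would also land better if it pointed at the nameless inner `anchor out {` at 2544, since the outer anchor at 2542 in the same example is still named "external".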
2421Since the parser specification for anchor names is a string, any 2422reference to an anchor name containing solidus 2423.Pq Sq / 2424characters will require double quote 2425.Pq Sq \&" 2426characters around the anchor name. 2427.Sh TRANSLATION EXAMPLES 2428This example maps incoming requests on port 80 to port 8080, on 2429which a daemon is running (because, for example, it is not run as root, 2430and therefore lacks permission to bind to port 80). 2431.Bd -literal 2432# use a macro for the interface name, so it can be changed easily 2433ext_if = \&"ne3\&" 2434 2435# map daemon on 8080 to appear to be on 80 | 2551Since the parser specification for anchor names is a string, any 2552reference to an anchor name containing solidus 2553.Pq Sq / 2554characters will require double quote 2555.Pq Sq \&" 2556characters around the anchor name. 2557.Sh TRANSLATION EXAMPLES 2558This example maps incoming requests on port 80 to port 8080, on 2559which a daemon is running (because, for example, it is not run as root, 2560and therefore lacks permission to bind to port 80). 2561.Bd -literal 2562# use a macro for the interface name, so it can be changed easily 2563ext_if = \&"ne3\&" 2564 2565# map daemon on 8080 to appear to be on 80 |
2436rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080 | 2566rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080 |
2437.Ed 2438.Pp 2439If the 2440.Ar pass 2441modifier is given, packets matching the translation rule are passed without 2442inspecting the filter rules: 2443.Bd -literal | 2567.Ed 2568.Pp 2569If the 2570.Ar pass 2571modifier is given, packets matching the translation rule are passed without 2572inspecting the filter rules: 2573.Bd -literal |
2444rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \e | 2574rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e |
2445 port 8080 2446.Ed 2447.Pp 2448In the example below, vlan12 is configured as 192.168.168.1; 2449the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111 2450when they are going out any interface except vlan12. 2451This has the net effect of making traffic from the 192.168.168.0/24 2452network appear as though it is the Internet routable address 2453204.92.77.111 to nodes behind any interface on the router except 2454for the nodes on vlan12. 2455(Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.) 2456.Bd -literal | 2575 port 8080 2576.Ed 2577.Pp 2578In the example below, vlan12 is configured as 192.168.168.1; 2579the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111 2580when they are going out any interface except vlan12. 2581This has the net effect of making traffic from the 192.168.168.0/24 2582network appear as though it is the Internet routable address 2583204.92.77.111 to nodes behind any interface on the router except 2584for the nodes on vlan12. 2585(Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.) 2586.Bd -literal |
2457nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111 | 2587nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111 |
2458.Ed 2459.Pp 2460In the example below, the machine sits between a fake internal 144.19.74.* 2461network, and a routable external IP of 204.92.77.100. 2462The 2463.Ar no nat 2464rule excludes protocol AH from being translated. 2465.Bd -literal 2466# NO NAT 2467no nat on $ext_if proto ah from 144.19.74.0/24 to any | 2588.Ed 2589.Pp 2590In the example below, the machine sits between a fake internal 144.19.74.* 2591network, and a routable external IP of 204.92.77.100. 2592The 2593.Ar no nat 2594rule excludes protocol AH from being translated. 2595.Bd -literal 2596# NO NAT 2597no nat on $ext_if proto ah from 144.19.74.0/24 to any |
2468nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100 | 2598nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100 |
2469.Ed 2470.Pp 2471In the example below, packets bound for one specific server, as well as those 2472generated by the sysadmins are not proxied; all other connections are. 2473.Bd -literal 2474# NO RDR 2475no rdr on $int_if proto { tcp, udp } from any to $server port 80 2476no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80 | 2599.Ed 2600.Pp 2601In the example below, packets bound for one specific server, as well as those 2602generated by the sysadmins are not proxied; all other connections are. 2603.Bd -literal 2604# NO RDR 2605no rdr on $int_if proto { tcp, udp } from any to $server port 80 2606no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80 |
2477rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \e | 2607rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e |
2478 port 80 2479.Ed 2480.Pp 2481This longer example uses both a NAT and a redirection. 2482The external interface has the address 157.161.48.183. | 2608 port 80 2609.Ed 2610.Pp 2611This longer example uses both a NAT and a redirection. 2612The external interface has the address 157.161.48.183. |
2483On the internal interface, we are running | 2613On localhost, we are running |
2484.Xr ftp-proxy 8 , | 2614.Xr ftp-proxy 8 , |
2485listening for outbound ftp sessions captured to port 8021. | 2615waiting for FTP sessions to be redirected to it. 2616The three mandatory anchors for 2617.Xr ftp-proxy 8 2618are omitted from this example; see the 2619.Xr ftp-proxy 8 2620manpage. |
2486.Bd -literal 2487# NAT 2488# Translate outgoing packets' source addresses (any protocol). 2489# In this case, any address but the gateway's external address is mapped. | 2621.Bd -literal 2622# NAT 2623# Translate outgoing packets' source addresses (any protocol). 2624# In this case, any address but the gateway's external address is mapped. |
2490nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if) | 2625nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if) |
2491 2492# NAT PROXYING 2493# Map outgoing packets' source port to an assigned proxy port instead of 2494# an arbitrary port. 2495# In this case, proxy outgoing isakmp with port 500 on the gateway. | 2626 2627# NAT PROXYING 2628# Map outgoing packets' source port to an assigned proxy port instead of 2629# an arbitrary port. 2630# In this case, proxy outgoing isakmp with port 500 on the gateway. |
2496nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e | 2631nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e |
2497 port 500 2498 2499# BINAT 2500# Translate outgoing packets' source address (any protocol). 2501# Translate incoming packets' destination address to an internal machine 2502# (bidirectional). | 2632 port 500 2633 2634# BINAT 2635# Translate outgoing packets' source address (any protocol). 2636# Translate incoming packets' destination address to an internal machine 2637# (bidirectional). |
2503binat on $ext_if from 10.1.2.150 to any -> $ext_if | 2638binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if |
2504 2505# RDR 2506# Translate incoming packets' destination addresses. 2507# As an example, redirect a TCP and UDP port to an internal machine. 2508rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e | 2639 2640# RDR 2641# Translate incoming packets' destination addresses. 2642# As an example, redirect a TCP and UDP port to an internal machine. 2643rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e |
2509 -> 10.1.2.151 port 22 | 2644 -\*(Gt 10.1.2.151 port 22 |
2510rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e | 2645rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e |
2511 -> 10.1.2.151 port 53 | 2646 -\*(Gt 10.1.2.151 port 53 |
2512 2513# RDR 2514# Translate outgoing ftp control connections to send them to localhost 2515# for proxying with ftp-proxy(8) running on port 8021. | 2647 2648# RDR 2649# Translate outgoing ftp control connections to send them to localhost 2650# for proxying with ftp-proxy(8) running on port 8021. |
2516rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 | 2651rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021 |
2517.Ed 2518.Pp 2519In this example, a NAT gateway is set up to translate internal addresses 2520using a pool of public addresses (192.0.2.16/28) and to redirect 2521incoming web server connections to a group of web servers on the internal 2522network. 2523.Bd -literal 2524# NAT LOAD BALANCE 2525# Translate outgoing packets' source addresses using an address pool. 2526# A given source address is always translated to the same pool address by 2527# using the source-hash keyword. | 2652.Ed 2653.Pp 2654In this example, a NAT gateway is set up to translate internal addresses 2655using a pool of public addresses (192.0.2.16/28) and to redirect 2656incoming web server connections to a group of web servers on the internal 2657network. 2658.Bd -literal 2659# NAT LOAD BALANCE 2660# Translate outgoing packets' source addresses using an address pool. 2661# A given source address is always translated to the same pool address by 2662# using the source-hash keyword. |
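Review bot: the new sentence at 2616-2620 says the three mandatory ftp-proxy(8) anchors are omitted, but the RDR comment at 2649-2650 inside the literal block does not repeat that; a reader who copies only the rules will end up with the `rdr ... port 21 -> 127.0.0.1 port 8021` line (2651) and no anchors, so add a one-line "# ftp-proxy(8) also needs its anchors, see its manpage" above 2651.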
2528nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash | 2663nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash |
2529 2530# RDR ROUND ROBIN 2531# Translate incoming web server connections to a group of web servers on 2532# the internal network. 2533rdr on $ext_if proto tcp from any to any port 80 \e | 2664 2665# RDR ROUND ROBIN 2666# Translate incoming web server connections to a group of web servers on 2667# the internal network. 2668rdr on $ext_if proto tcp from any to any port 80 \e |
2534 -> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin | 2669 -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin |
2535.Ed 2536.Sh FILTER EXAMPLES 2537.Bd -literal 2538# The external interface is kue0 2539# (157.161.48.183, the only routable address) 2540# and the private network is 10.0.0.0/8, for which we are doing NAT. 2541 2542# use a macro for the interface name, so it can be changed easily 2543ext_if = \&"kue0\&" 2544 2545# normalize all incoming traffic 2546scrub in on $ext_if all fragment reassemble 2547 2548# block and log everything by default 2549block return log on $ext_if all 2550 2551# block anything coming from source we have no back routes for 2552block in from no-route to any 2553 | 2670.Ed 2671.Sh FILTER EXAMPLES 2672.Bd -literal 2673# The external interface is kue0 2674# (157.161.48.183, the only routable address) 2675# and the private network is 10.0.0.0/8, for which we are doing NAT. 2676 2677# use a macro for the interface name, so it can be changed easily 2678ext_if = \&"kue0\&" 2679 2680# normalize all incoming traffic 2681scrub in on $ext_if all fragment reassemble 2682 2683# block and log everything by default 2684block return log on $ext_if all 2685 2686# block anything coming from source we have no back routes for 2687block in from no-route to any 2688 |
2689# block packets whose ingress interface does not match the one in 2690# the route back to their source address 2691block in from urpf-failed to any 2692 |
|
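Review bot: the new `block in from urpf-failed to any` rule (2691) is a strict reverse-path check, and the comment at 2689-2690 should warn that it also drops legitimate traffic on a gateway with asymmetric routes (replies arriving on an interface other than the one the route back to the source would use); unlike the `no-route` rule above it, it is not a safe default for every host, so say when it is appropriate.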
2554# block and log outgoing packets that do not have our address as source, 2555# they are either spoofed or something is misconfigured (NAT disabled, 2556# for instance), we want to be nice and do not send out garbage. 2557block out log quick on $ext_if from ! 157.161.48.183 to any 2558 2559# silently drop broadcasts (cable modem noise) 2560block in quick on $ext_if from any to 255.255.255.255 2561 --- 5 unchanged lines hidden (view full) --- 2567 2568# ICMP 2569 2570# pass out/in certain ICMP queries and keep state (ping) 2571# state matching is done on host addresses and ICMP id (not type/code), 2572# so replies (like 0/0 for 8/0) will match queries 2573# ICMP error messages (which always refer to a TCP/UDP packet) are 2574# handled by the TCP/UDP states | 2693# block and log outgoing packets that do not have our address as source, 2694# they are either spoofed or something is misconfigured (NAT disabled, 2695# for instance), we want to be nice and do not send out garbage. 2696block out log quick on $ext_if from ! 157.161.48.183 to any 2697 2698# silently drop broadcasts (cable modem noise) 2699block in quick on $ext_if from any to 255.255.255.255 2700 --- 5 unchanged lines hidden (view full) --- 2706 2707# ICMP 2708 2709# pass out/in certain ICMP queries and keep state (ping) 2710# state matching is done on host addresses and ICMP id (not type/code), 2711# so replies (like 0/0 for 8/0) will match queries 2712# ICMP error messages (which always refer to a TCP/UDP packet) are 2713# handled by the TCP/UDP states |
2575pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state | 2714pass on $ext_if inet proto icmp all icmp-type 8 code 0 |
2576 2577# UDP 2578 2579# pass out all UDP connections and keep state | 2715 2716# UDP 2717 2718# pass out all UDP connections and keep state |
2580pass out on $ext_if proto udp all keep state | 2719pass out on $ext_if proto udp all |
2581 2582# pass in certain UDP connections and keep state (DNS) | 2720 2721# pass in certain UDP connections and keep state (DNS) |
2583pass in on $ext_if proto udp from any to any port domain keep state | 2722pass in on $ext_if proto udp from any to any port domain |
2584 2585# TCP 2586 2587# pass out all TCP connections and modulate state 2588pass out on $ext_if proto tcp all modulate state 2589 2590# pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT) 2591pass in on $ext_if proto tcp from any to any port { ssh, smtp, domain, \e | 2723 2724# TCP 2725 2726# pass out all TCP connections and modulate state 2727pass out on $ext_if proto tcp all modulate state 2728 2729# pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT) 2730pass in on $ext_if proto tcp from any to any port { ssh, smtp, domain, \e |
2592 auth } flags S/SA keep state | 2731 auth } |
2593 | 2732 |
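Review bot: the comments at 2709, 2718, 2721 and 2729 still say "keep state" (and 2730-2731 silently dropped `flags S/SA`) while the rules beneath them no longer carry those keywords; either reword the comments or add one line stating that `flags S/SA keep state` is now the default for pass rules, so the example does not read as if the state keywords were removed by mistake. The `modulate state` rule at 2727 is the only one that still needs an explicit keyword, which is worth pointing out in its comment.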
2594# pass in data mode connections for ftp-proxy running on this host. 2595# (see ftp-proxy(8) for details) 2596pass in on $ext_if proto tcp from any to 157.161.48.183 port >= 49152 \e 2597 flags S/SA keep state 2598 | |
2599# Do not allow Windows 9x SMTP connections since they are typically 2600# a viral worm. Alternately we could limit these OSes to 1 connection each. 2601block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e 2602 to any port smtp 2603 | 2733# Do not allow Windows 9x SMTP connections since they are typically 2734# a viral worm. Alternately we could limit these OSes to 1 connection each. 2735block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e 2736 to any port smtp 2737 |
2738# IPv6 2739# pass in/out all IPv6 traffic: note that we have to enable this in two 2740# different ways, on both our physical interface and our tunnel 2741pass quick on gif0 inet6 2742pass quick on $ext_if proto ipv6 2743 |
|
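Review bot: the IPv6 rules at 2741-2742 pass all IPv6 traffic in both directions with `quick`, so everything the rest of the example enforces for IPv4 (the default `block return log` at 2684, the UDP and TCP port lists) is skipped for IPv6 on gif0 and for the protocol 41 encapsulation on $ext_if; the comment at 2739-2740 should state that this only illustrates the two places a tunnel has to be opened and is not a recommended policy, or the inbound IPv6 side should be restricted the same way the IPv4 side is.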
2604# Packet Tagging 2605 2606# three interfaces: $int_if, $ext_if, and $wifi_if (wireless). NAT is 2607# being done on $ext_if for all outgoing packets. tag packets in on 2608# $int_if and pass those tagged packets out on $ext_if. all other 2609# outgoing packets (i.e., packets from the wireless network) are only 2610# permitted to access port 80. 2611 | 2744# Packet Tagging 2745 2746# three interfaces: $int_if, $ext_if, and $wifi_if (wireless). NAT is 2747# being done on $ext_if for all outgoing packets. tag packets in on 2748# $int_if and pass those tagged packets out on $ext_if. all other 2749# outgoing packets (i.e., packets from the wireless network) are only 2750# permitted to access port 80. 2751 |
2612pass in on $int_if from any to any tag INTNET keep state 2613pass in on $wifi_if from any to any keep state | 2752pass in on $int_if from any to any tag INTNET 2753pass in on $wifi_if from any to any |
2614 2615block out on $ext_if from any to any | 2754 2755block out on $ext_if from any to any |
2616pass out quick on $ext_if tagged INTNET keep state 2617pass out on $ext_if proto tcp from any to any port 80 keep state | 2756pass out quick on $ext_if tagged INTNET 2757pass out on $ext_if proto tcp from any to any port 80 |
2618 2619# tag incoming packets as they are redirected to spamd(8). use the tag 2620# to pass those packets through the packet filter. 2621 | 2758 2759# tag incoming packets as they are redirected to spamd(8). use the tag 2760# to pass those packets through the packet filter. 2761 |
2622rdr on $ext_if inet proto tcp from <spammers> to port smtp \e 2623 tag SPAMD -> 127.0.0.1 port spamd | 2762rdr on $ext_if inet proto tcp from \*(Ltspammers\*(Gt to port smtp \e 2763 tag SPAMD -\*(Gt 127.0.0.1 port spamd |
2624 2625block in on $ext_if | 2764 2765block in on $ext_if |
2626pass in on $ext_if inet proto tcp tagged SPAMD keep state | 2766pass in on $ext_if inet proto tcp tagged SPAMD |
2627.Ed 2628.Sh GRAMMAR 2629Syntax for 2630.Nm 2631in BNF: 2632.Bd -literal 2633line = ( option | pf-rule | nat-rule | binat-rule | rdr-rule | | 2767.Ed 2768.Sh GRAMMAR 2769Syntax for 2770.Nm 2771in BNF: 2772.Bd -literal 2773line = ( option | pf-rule | nat-rule | binat-rule | rdr-rule | |
2634 antispoof-rule | altq-rule | queue-rule | anchor-rule | 2635 trans-anchors | load-anchors | table-rule ) | 2774 antispoof-rule | altq-rule | queue-rule | trans-anchors | 2775 anchor-rule | anchor-close | load-anchor | table-rule | ) |
2636 2637option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] | | 2776 2777option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] | |
2778 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] | |
|
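Review bot: the rewritten `line` production at 2775 ends in `table-rule | )`, a stray `|` before the closing parenthesis that leaves an empty alternative in the BNF; drop it. In the same hunk, 2778 closes with `]]` where every other alternative in the `option` production uses `] ]`; the missing `|` between alternatives was already inconsistent before this change (none after the `optimization` or `require-order` alternatives), so this is a chance to add them.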
2638 [ "optimization" [ "default" | "normal" | 2639 "high-latency" | "satellite" | 2640 "aggressive" | "conservative" ] ] 2641 [ "limit" ( limit-item | "{" limit-list "}" ) ] | 2642 [ "loginterface" ( interface-name | "none" ) ] | 2643 [ "block-policy" ( "drop" | "return" ) ] | | 2779 [ "optimization" [ "default" | "normal" | 2780 "high-latency" | "satellite" | 2781 "aggressive" | "conservative" ] ] 2782 [ "limit" ( limit-item | "{" limit-list "}" ) ] | 2783 [ "loginterface" ( interface-name | "none" ) ] | 2784 [ "block-policy" ( "drop" | "return" ) ] | |
2644 [ "state-policy" ( "if-bound" | "group-bound" | 2645 "floating" ) ] | 2785 [ "state-policy" ( "if-bound" | "floating" ) ] |
2646 [ "require-order" ( "yes" | "no" ) ] 2647 [ "fingerprints" filename ] | | 2786 [ "require-order" ( "yes" | "no" ) ] 2787 [ "fingerprints" filename ] | |
2788 [ "skip on" ( interface-name | "{" interface-list "}" ) ] | |
|
2648 [ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] ) 2649 2650pf-rule = action [ ( "in" | "out" ) ] | 2789 [ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] ) 2790 2791pf-rule = action [ ( "in" | "out" ) ] |
2651 [ "log" | "log-all" ] [ "quick" ] 2652 [ "on" ifspec ] [ route ] [ af ] [ protospec ] | 2792 [ "log" [ "(" logopts ")"] ] [ "quick" ] 2793 [ "on" ifspec ] [ "fastroute" | route ] [ af ] [ protospec ] |
2653 hosts [ filteropt-list ] 2654 | 2794 hosts [ filteropt-list ] 2795 |
2796logopts = logopt [ "," logopts ] 2797logopt = "all" | "user" | "to" interface-name 2798 |
|
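Review bot: `[ "log" [ "(" logopts ")"] ]` at 2792 is missing the space before the inner `]` that the rest of the grammar uses around brackets. The same `[ "log" [ "(" logopts ")" ] ]` fragment is repeated for nat, binat and rdr below; a single `logspec` nonterminal defined next to `logopts` (2796) would avoid writing it four times and keep the spacing consistent.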
2655filteropt-list = filteropt-list filteropt | filteropt 2656filteropt = user | group | flags | icmp-type | icmp6-type | tos | | 2799filteropt-list = filteropt-list filteropt | filteropt 2800filteropt = user | group | flags | icmp-type | icmp6-type | tos | |
2657 ( "keep" | "modulate" | "synproxy" ) "state" | 2801 ( "no" | "keep" | "modulate" | "synproxy" ) "state" |
2658 [ "(" state-opts ")" ] | 2659 "fragment" | "no-df" | "min-ttl" number | 2660 "max-mss" number | "random-id" | "reassemble tcp" | 2661 fragmentation | "allow-opts" | | 2802 [ "(" state-opts ")" ] | 2803 "fragment" | "no-df" | "min-ttl" number | 2804 "max-mss" number | "random-id" | "reassemble tcp" | 2805 fragmentation | "allow-opts" | |
2662 "label" string | "tag" string | [ ! ] "tagged" string | 2806 "label" string | "tag" string | [ ! ] "tagged" string | |
2663 "queue" ( string | "(" string [ [ "," ] string ] ")" ) | | 2807 "queue" ( string | "(" string [ [ "," ] string ] ")" ) | |
2664 "probability" number"%" | 2808 "rtable" number | "probability" number"%" |
2665 | 2809 |
2666nat-rule = [ "no" ] "nat" [ "pass" ] [ "on" ifspec ] [ af ] | 2810nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ] 2811 [ "on" ifspec ] [ af ] |
2667 [ protospec ] hosts [ "tag" string ] [ "tagged" string ] | 2812 [ protospec ] hosts [ "tag" string ] [ "tagged" string ] |
2668 [ "->" ( redirhost | "{" redirhost-list "}" ) | 2813 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" ) |
2669 [ portspec ] [ pooltype ] [ "static-port" ] ] 2670 | 2814 [ portspec ] [ pooltype ] [ "static-port" ] ] 2815 |
2671binat-rule = [ "no" ] "binat" [ "pass" ] [ "on" interface-name ] 2672 [ af ] [ "proto" ( proto-name | proto-number ) ] | 2816binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ] 2817 [ "on" interface-name ] [ af ] 2818 [ "proto" ( proto-name | proto-number ) ] |
2673 "from" address [ "/" mask-bits ] "to" ipspec 2674 [ "tag" string ] [ "tagged" string ] | 2819 "from" address [ "/" mask-bits ] "to" ipspec 2820 [ "tag" string ] [ "tagged" string ] |
2675 [ "->" address [ "/" mask-bits ] ] | 2821 [ "-\*(Gt" address [ "/" mask-bits ] ] |
2676 | 2822 |
2677rdr-rule = [ "no" ] "rdr" [ "pass" ] [ "on" ifspec ] [ af ] | 2823rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ] 2824 [ "on" ifspec ] [ af ] |
2678 [ protospec ] hosts [ "tag" string ] [ "tagged" string ] | 2825 [ protospec ] hosts [ "tag" string ] [ "tagged" string ] |
2679 [ "->" ( redirhost | "{" redirhost-list "}" ) | 2826 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" ) |
2680 [ portspec ] [ pooltype ] ] 2681 2682antispoof-rule = "antispoof" [ "log" ] [ "quick" ] 2683 "for" ( interface-name | "{" interface-list "}" ) 2684 [ af ] [ "label" string ] 2685 | 2827 [ portspec ] [ pooltype ] ] 2828 2829antispoof-rule = "antispoof" [ "log" ] [ "quick" ] 2830 "for" ( interface-name | "{" interface-list "}" ) 2831 [ af ] [ "label" string ] 2832 |
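Review bot: nat (2810), binat (2816) and rdr (2823) now accept `pass log [ ( logopts ) ]`, but the prose in TRANSLATION EXAMPLES at 2569-2572 only says that `pass` skips the filter rules; add a sentence there saying that `pass log` is accepted on translation rules and that the same logopts as for filter rules (2796-2797) apply, so the examples and the grammar stay in step.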
2686table-rule = "table" "<" string ">" [ tableopts-list ] | 2833table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ] |
2687tableopts-list = tableopts-list tableopts | tableopts 2688tableopts = "persist" | "const" | "file" string | 2689 "{" [ tableaddr-list ] "}" 2690tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec 2691tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ] 2692tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex | 2693 interface-name | "self" 2694 2695altq-rule = "altq on" interface-name queueopts-list 2696 "queue" subqueue 2697queue-rule = "queue" string [ "on" interface-name ] queueopts-list 2698 subqueue 2699 | 2834tableopts-list = tableopts-list tableopts | tableopts 2835tableopts = "persist" | "const" | "file" string | 2836 "{" [ tableaddr-list ] "}" 2837tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec 2838tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ] 2839tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex | 2840 interface-name | "self" 2841 2842altq-rule = "altq on" interface-name queueopts-list 2843 "queue" subqueue 2844queue-rule = "queue" string [ "on" interface-name ] queueopts-list 2845 subqueue 2846 |
2700anchor-rule = "anchor" string [ ( "in" | "out" ) ] [ "on" ifspec ] 2701 [ af ] [ "proto" ] [ protospec ] [ hosts ] | 2847anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ] 2848 [ af ] [ protospec ] [ hosts ] [ "{" ] |
2702 | 2849 |
2850anchor-close = "}" 2851 |
|
2703trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string 2704 [ "on" ifspec ] [ af ] [ "proto" ] [ protospec ] [ hosts ] 2705 2706load-anchor = "load anchor" string "from" filename 2707 2708queueopts-list = queueopts-list queueopts | queueopts 2709queueopts = [ "bandwidth" bandwidth-spec ] | 2710 [ "qlimit" number ] | [ "tbrsize" number ] | 2711 [ "priority" number ] | [ schedulers ] 2712schedulers = ( cbq-def | priq-def | hfsc-def ) 2713bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" ) 2714 2715action = "pass" | "block" [ return ] | [ "no" ] "scrub" 2716return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] | | 2852trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string 2853 [ "on" ifspec ] [ af ] [ "proto" ] [ protospec ] [ hosts ] 2854 2855load-anchor = "load anchor" string "from" filename 2856 2857queueopts-list = queueopts-list queueopts | queueopts 2858queueopts = [ "bandwidth" bandwidth-spec ] | 2859 [ "qlimit" number ] | [ "tbrsize" number ] | 2860 [ "priority" number ] | [ schedulers ] 2861schedulers = ( cbq-def | priq-def | hfsc-def ) 2862bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" ) 2863 2864action = "pass" | "block" [ return ] | [ "no" ] "scrub" 2865return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] | |
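Review bot: the anchor-rule hunk (2847) drops the redundant `[ "proto" ]` before `[ protospec ]` (protospec already begins with the "proto" keyword, 2878), but the unchanged trans-anchors production at 2853 still reads `[ "proto" ] [ protospec ]`; fix it the same way while here. The new `[ "{" ]` on anchor-rule together with `anchor-close = "}"` (2850) leaves the nesting to the reader; since 2539 says blocks may contain other blocks, a one-line remark that each anchor-close must balance an anchor-rule that opened with "{" would help.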
2717 "return-icmp" [ "(" icmpcode ["," icmp6code ] ")" ] | | 2866 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] | |
2718 "return-icmp6" [ "(" icmp6code ")" ] 2719icmpcode = ( icmp-code-name | icmp-code-number ) 2720icmp6code = ( icmp6-code-name | icmp6-code-number ) 2721 2722ifspec = ( [ "!" ] interface-name ) | "{" interface-list "}" 2723interface-list = [ "!" ] interface-name [ [ "," ] interface-list ] | 2867 "return-icmp6" [ "(" icmp6code ")" ] 2868icmpcode = ( icmp-code-name | icmp-code-number ) 2869icmp6code = ( icmp6-code-name | icmp6-code-number ) 2870 2871ifspec = ( [ "!" ] interface-name ) | "{" interface-list "}" 2872interface-list = [ "!" ] interface-name [ [ "," ] interface-list ] |
2724route = "fastroute" | 2725 ( "route-to" | "reply-to" | "dup-to" ) | 2873route = ( "route-to" | "reply-to" | "dup-to" ) |
2726 ( routehost | "{" routehost-list "}" ) 2727 [ pooltype ] 2728af = "inet" | "inet6" 2729 2730protospec = "proto" ( proto-name | proto-number | 2731 "{" proto-list "}" ) 2732proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ] 2733 2734hosts = "all" | | 2874 ( routehost | "{" routehost-list "}" ) 2875 [ pooltype ] 2876af = "inet" | "inet6" 2877 2878protospec = "proto" ( proto-name | proto-number | 2879 "{" proto-list "}" ) 2880proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ] 2881 2882hosts = "all" | |
2735 "from" ( "any" | "no-route" | "self" | host | | 2883 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host | |
2736 "{" host-list "}" | "route" string ) [ port ] [ os ] 2737 "to" ( "any" | "no-route" | "self" | host | 2738 "{" host-list "}" | "route" string ) [ port ] 2739 2740ipspec = "any" | host | "{" host-list "}" | 2884 "{" host-list "}" | "route" string ) [ port ] [ os ] 2885 "to" ( "any" | "no-route" | "self" | host | 2886 "{" host-list "}" | "route" string ) [ port ] 2887 2888ipspec = "any" | host | "{" host-list "}" |
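Review bot: `hosts` (2883-2886) gains "urpf-failed" only on the "from" side, which is right, but the production still requires a host element after "to", so the forms the examples use, `to port { 25, 80, 443 }` at 2545 and `to port smtp` at 2762, are not derivable from this BNF; either make the host optional when a port follows, or spell the host out in the examples.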
2741host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" ) | 2889host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" ) |
2742redirhost = address [ "/" mask-bits ] | 2890redirhost = address [ "/" mask-bits ] |
2743routehost = ( interface-name [ address [ "/" mask-bits ] ] ) | 2891routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")" |
2744address = ( interface-name | "(" interface-name ")" | hostname | 2745 ipv4-dotted-quad | ipv6-coloned-hex ) 2746host-list = host [ [ "," ] host-list ] 2747redirhost-list = redirhost [ [ "," ] redirhost-list ] 2748routehost-list = routehost [ [ "," ] routehost-list ] 2749 2750port = "port" ( unary-op | binary-op | "{" op-list "}" ) 2751portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] 2752os = "os" ( os-name | "{" os-list "}" ) 2753user = "user" ( unary-op | binary-op | "{" op-list "}" ) 2754group = "group" ( unary-op | binary-op | "{" op-list "}" ) 2755 | 2892address = ( interface-name | "(" interface-name ")" | hostname | 2893 ipv4-dotted-quad | ipv6-coloned-hex ) 2894host-list = host [ [ "," ] host-list ] 2895redirhost-list = redirhost [ [ "," ] redirhost-list ] 2896routehost-list = routehost [ [ "," ] routehost-list ] 2897 2898port = "port" ( unary-op | binary-op | "{" op-list "}" ) 2899portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] 2900os = "os" ( os-name | "{" os-list "}" ) 2901user = "user" ( unary-op | binary-op | "{" op-list "}" ) 2902group = "group" ( unary-op | binary-op | "{" op-list "}" ) 2903 |
2756unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ] | 2904unary-op = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ] |
2757 ( name | number ) | 2905 ( name | number ) |
2758binary-op = number ( "<>" | "><" | ":" ) number | 2906binary-op = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number |
2759op-list = ( unary-op | binary-op ) [ [ "," ] op-list ] 2760 2761os-name = operating-system-name 2762os-list = os-name [ [ "," ] os-list ] 2763 | 2907op-list = ( unary-op | binary-op ) [ [ "," ] op-list ] 2908 2909os-name = operating-system-name 2910os-list = os-name [ [ "," ] os-list ] 2911 |
2764flags = "flags" [ flag-set ] "/" flag-set | 2912flags = "flags" ( [ flag-set ] "/" flag-set | "any" ) |
2765flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ] 2766 [ "W" ] 2767 2768icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" ) 2769icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" ) 2770icmp-type-code = ( icmp-type-name | icmp-type-number ) 2771 [ "code" ( icmp-code-name | icmp-code-number ) ] 2772icmp-list = icmp-type-code [ [ "," ] icmp-list ] 2773 2774tos = "tos" ( "lowdelay" | "throughput" | "reliability" | 2775 [ "0x" ] number ) 2776 2777state-opts = state-opt [ [ "," ] state-opts ] 2778state-opt = ( "max" number | "no-sync" | timeout | 2779 "source-track" [ ( "rule" | "global" ) ] | 2780 "max-src-nodes" number | "max-src-states" number | 2781 "max-src-conn" number | 2782 "max-src-conn-rate" number "/" number | | 2913flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ] 2914 [ "W" ] 2915 2916icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" ) 2917icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" ) 2918icmp-type-code = ( icmp-type-name | icmp-type-number ) 2919 [ "code" ( icmp-code-name | icmp-code-number ) ] 2920icmp-list = icmp-type-code [ [ "," ] icmp-list ] 2921 2922tos = "tos" ( "lowdelay" | "throughput" | "reliability" | 2923 [ "0x" ] number ) 2924 2925state-opts = state-opt [ [ "," ] state-opts ] 2926state-opt = ( "max" number | "no-sync" | timeout | 2927 "source-track" [ ( "rule" | "global" ) ] | 2928 "max-src-nodes" number | "max-src-states" number | 2929 "max-src-conn" number | 2930 "max-src-conn-rate" number "/" number | |
2783 "overload" "<" string ">" [ "flush" ] | 2784 "if-bound" | "group-bound" | "floating" ) | 2931 "overload" "\*(Lt" string "\*(Gt" [ "flush" ] | 2932 "if-bound" | "floating" ) |
2785 2786fragmentation = [ "fragment reassemble" | "fragment crop" | 2787 "fragment drop-ovl" ] 2788 2789timeout-list = timeout [ [ "," ] timeout-list ] 2790timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | 2791 "tcp.closing" | "tcp.finwait" | "tcp.closed" | 2792 "udp.first" | "udp.single" | "udp.multiple" | --- 41 unchanged lines hidden (view full) --- 2834.El 2835.Sh BUGS 2836Due to a lock order reversal (LOR) with the socket layer, the use of the 2837.Ar group 2838and 2839.Ar user 2840filter parameter in conjuction with a Giant-free netstack 2841can result in a deadlock. | 2933 2934fragmentation = [ "fragment reassemble" | "fragment crop" | 2935 "fragment drop-ovl" ] 2936 2937timeout-list = timeout [ [ "," ] timeout-list ] 2938timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | 2939 "tcp.closing" | "tcp.finwait" | "tcp.closed" | 2940 "udp.first" | "udp.single" | "udp.multiple" | --- 41 unchanged lines hidden (view full) --- 2982.El 2983.Sh BUGS 2984Due to a lock order reversal (LOR) with the socket layer, the use of the 2985.Ar group 2986and 2987.Ar user 2988filter parameter in conjuction with a Giant-free netstack 2989can result in a deadlock. |
2842If you have to use 2843.Ar group 2844or | 2990A workaround is available under the 2991.Va debug.pfugidhack 2992sysctl which is automatically enabled when a |
2845.Ar user | 2993.Ar user |
2846you must set 2847.Va debug.mpsafenet 2848to 2849.Dq 0 2850from the 2851.Xr loader 8 , 2852for the moment. 2853This workaround will still produce the LOR, but Giant will protect from the 2854deadlock. | 2994/ 2995.Ar group 2996rule is added or 2997.Ar log (user) 2998is specified. |
2855.Pp 2856Route labels are not supported by the 2857.Fx 2858.Xr route 4 2859system. 2860Rules with a route label do not match any traffic. 2861.Sh SEE ALSO 2862.Xr altq 4 , | 2999.Pp 3000Route labels are not supported by the 3001.Fx 3002.Xr route 4 3003system. 3004Rules with a route label do not match any traffic. 3005.Sh SEE ALSO 3006.Xr altq 4 , |
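Review bot: the rewritten BUGS paragraph keeps the pre-existing typo "conjuction" at 2988 (unchanged context) and leaves the user/group pair hanging on a bare "/" line at 2994; since the paragraph is being rewritten anyway, fix the spelling and write the pair as `.Ar user Ns / Ns Ar group` (or use the word "or") so the rendered sentence does not break oddly. The new text should also say what debug.pfugidhack actually changes, since "workaround" alone does not tell a reader what is traded off when it is enabled automatically by a `user`, `group` or `log (user)` rule.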
3007.Xr carp 4 , |
|
2863.Xr icmp 4 , 2864.Xr icmp6 4 , 2865.Xr ip 4 , 2866.Xr ip6 4 , 2867.Xr pf 4 , 2868.Xr pfsync 4 , 2869.Xr route 4 , 2870.Xr tcp 4 , --- 14 unchanged lines hidden --- | 3008.Xr icmp 4 , 3009.Xr icmp6 4 , 3010.Xr ip 4 , 3011.Xr ip6 4 , 3012.Xr pf 4 , 3013.Xr pfsync 4 , 3014.Xr route 4 , 3015.Xr tcp 4 , --- 14 unchanged lines hidden --- |