pf.conf.5 (223637) pf.conf.5 (240233)
1.\" $FreeBSD: head/contrib/pf/man/pf.conf.5 223637 2011-06-28 11:57:25Z bz $
1.\" $FreeBSD: head/contrib/pf/man/pf.conf.5 240233 2012-09-08 06:41:54Z glebius $
2.\" $OpenBSD: pf.conf.5,v 1.406 2009/01/31 19:37:12 sobrado Exp $
3.\"
4.\" Copyright (c) 2002, Daniel Hartmeier
5.\" All rights reserved.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions
9.\" are met:

--- 13 unchanged lines hidden (view full) ---

23.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29.\" POSSIBILITY OF SUCH DAMAGE.
30.\"
2.\" $OpenBSD: pf.conf.5,v 1.406 2009/01/31 19:37:12 sobrado Exp $
3.\"
4.\" Copyright (c) 2002, Daniel Hartmeier
5.\" All rights reserved.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions
9.\" are met:

--- 13 unchanged lines hidden (view full) ---

23.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29.\" POSSIBILITY OF SUCH DAMAGE.
30.\"
31.Dd January 31 2009
31.Dd June 29 2012
32.Dt PF.CONF 5
33.Os
34.Sh NAME
35.Nm pf.conf
36.Nd packet filter configuration file
37.Sh DESCRIPTION
38The
39.Xr pf 4
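Review bot: the .Dd date on new line 31 (June 29 2012) predates the commit date carried in the $FreeBSD$ keyword on new line 1 (2012-09-08); unless the text was prepared earlier and merged unchanged, bump .Dd to the commit date so a reader can tell which revision of the page they are looking at.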

--- 1376 unchanged lines hidden (view full) ---

1416.It Ar log (user)
1417Logs the
1418.Ux
1419user ID of the user that owns the socket and the PID of the process that
1420has the socket open where the packet is sourced from or destined to
1421(depending on which socket is local).
1422This is in addition to the normal information logged.
1423.Pp
32.Dt PF.CONF 5
33.Os
34.Sh NAME
35.Nm pf.conf
36.Nd packet filter configuration file
37.Sh DESCRIPTION
38The
39.Xr pf 4

--- 1376 unchanged lines hidden (view full) ---

1416.It Ar log (user)
1417Logs the
1418.Ux
1419user ID of the user that owns the socket and the PID of the process that
1420has the socket open where the packet is sourced from or destined to
1421(depending on which socket is local).
1422This is in addition to the normal information logged.
1423.Pp
1424Due to the problems described in the BUGS section only the first packet
1424Only the first packet
1425logged via
1426.Ar log (all, user)
1427will have the user credentials logged when using stateful matching.
1428.It Ar log (to Aq Ar interface )
1429Send logs to the specified
1430.Xr pflog 4
1431interface instead of
1432.Ar pflog0 .
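Review bot: dropping "Due to the problems described in the BUGS section" on line 1424 leaves the remaining sentence ("Only the first packet logged via log (all, user) will have the user credentials logged when using stateful matching") with no stated reason. Either keep a one-line rationale here, or, if the restriction no longer applies once the BUGS section is gone, remove the sentence as well; as written the reader cannot tell which is the case.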

--- 41 unchanged lines hidden (view full) ---

1474.Pp
1475Addresses can be specified in CIDR notation (matching netblocks), as
1476symbolic host names, interface names or interface group names, or as any
1477of the following keywords:
1478.Pp
1479.Bl -tag -width xxxxxxxxxxxxxx -compact
1480.It Ar any
1481Any address.
1425logged via
1426.Ar log (all, user)
1427will have the user credentials logged when using stateful matching.
1428.It Ar log (to Aq Ar interface )
1429Send logs to the specified
1430.Xr pflog 4
1431interface instead of
1432.Ar pflog0 .

--- 41 unchanged lines hidden (view full) ---

1474.Pp
1475Addresses can be specified in CIDR notation (matching netblocks), as
1476symbolic host names, interface names or interface group names, or as any
1477of the following keywords:
1478.Pp
1479.Bl -tag -width xxxxxxxxxxxxxx -compact
1480.It Ar any
1481Any address.
1482.It Ar route Aq Ar label
1483Any address whose associated route has label
1484.Aq Ar label .
1485See
1486.Xr route 4
1487and
1488.Xr route 8 .
1489.It Ar no-route
1490Any address which is not currently routable.
1491.It Ar urpf-failed
1492Any source address that fails a unicast reverse path forwarding (URPF)
1493check, i.e. packets coming in on an interface other than that which holds
1494the route back to the packet's source address.
1495.It Aq Ar table
1496Any address that matches the given table.
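Review bot: removing the `.It Ar route Aq Ar label` entry (old lines 1482-1488) matches the old BUGS text stating that rules with a route label do not match any traffic on FreeBSD, so documenting the keyword only invited rules that silently match nothing. Make sure the "route" string alternatives in the grammar, the `from route "DTAG"` example and the route(4)/route(8) cross-references are dropped in the same change, otherwise the page contradicts itself.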

--- 92 unchanged lines hidden (view full) ---

1589.Bd -literal -offset indent
1590pass in all
1591pass in from any to any
1592pass in proto tcp from any port \*(Le 1024 to any
1593pass in proto tcp from any to any port 25
1594pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e
1595 to ! 10.1.2.3 port != ssh
1596pass in proto tcp from any os "OpenBSD"
1482.It Ar no-route
1483Any address which is not currently routable.
1484.It Ar urpf-failed
1485Any source address that fails a unicast reverse path forwarding (URPF)
1486check, i.e. packets coming in on an interface other than that which holds
1487the route back to the packet's source address.
1488.It Aq Ar table
1489Any address that matches the given table.

--- 92 unchanged lines hidden (view full) ---

1582.Bd -literal -offset indent
1583pass in all
1584pass in from any to any
1585pass in proto tcp from any port \*(Le 1024 to any
1586pass in proto tcp from any to any port 25
1587pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e
1588 to ! 10.1.2.3 port != ssh
1589pass in proto tcp from any os "OpenBSD"
1597pass in proto tcp from route "DTAG"
1598.Ed
1599.It Ar all
1600This is equivalent to "from any to any".
1601.It Ar group Aq Ar group
1602Similar to
1603.Ar user ,
1604this rule only applies to packets of sockets owned by the specified group.
1605.It Ar user Aq Ar user

--- 1338 unchanged lines hidden (view full) ---

2944af = "inet" | "inet6"
2945
2946protospec = "proto" ( proto-name | proto-number |
2947 "{" proto-list "}" )
2948proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
2949
2950hosts = "all" |
2951 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
1590.Ed
1591.It Ar all
1592This is equivalent to "from any to any".
1593.It Ar group Aq Ar group
1594Similar to
1595.Ar user ,
1596this rule only applies to packets of sockets owned by the specified group.
1597.It Ar user Aq Ar user

--- 1338 unchanged lines hidden (view full) ---

2936af = "inet" | "inet6"
2937
2938protospec = "proto" ( proto-name | proto-number |
2939 "{" proto-list "}" )
2940proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
2941
2942hosts = "all" |
2943 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
2952 "{" host-list "}" | "route" string ) [ port ] [ os ]
2944 "{" host-list "}" ) [ port ] [ os ]
2953 "to" ( "any" | "no-route" | "self" | host |
2945 "to" ( "any" | "no-route" | "self" | host |
2954 "{" host-list "}" | "route" string ) [ port ]
2946 "{" host-list "}" ) [ port ]
2955
2956ipspec = "any" | host | "{" host-list "}"
2957host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
2958redirhost = address [ "/" mask-bits ]
2959routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
2960address = ( interface-name | interface-group |
2961 "(" ( interface-name | interface-group ) ")" |
2962 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
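Review bot: both the "from" (old line 2952) and "to" (old line 2954) alternatives lose `| "route" string`, which keeps the grammar in step with the keyword list; the `routehost` production on line 2959 is interface-based and unrelated to route labels, so it correctly stays. Confirm that pfctl's parser on this branch actually rejects `route` in these positions, so the grammar documents what the parser accepts rather than what it tolerates.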

--- 80 unchanged lines hidden (view full) ---

3043Default location of the ruleset file.
3044.It Pa /etc/pf.os
3045Default location of OS fingerprints.
3046.It Pa /etc/protocols
3047Protocol name database.
3048.It Pa /etc/services
3049Service name database.
3050.El
2947
2948ipspec = "any" | host | "{" host-list "}"
2949host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
2950redirhost = address [ "/" mask-bits ]
2951routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
2952address = ( interface-name | interface-group |
2953 "(" ( interface-name | interface-group ) ")" |
2954 hostname | ipv4-dotted-quad | ipv6-coloned-hex )

--- 80 unchanged lines hidden (view full) ---

3035Default location of the ruleset file.
3036.It Pa /etc/pf.os
3037Default location of OS fingerprints.
3038.It Pa /etc/protocols
3039Protocol name database.
3040.It Pa /etc/services
3041Service name database.
3042.El
3051.Sh BUGS
3052Due to a lock order reversal (LOR) with the socket layer, the use of the
3053.Ar group
3054and
3055.Ar user
3056filter parameter in conjuction with a Giant-free netstack
3057can result in a deadlock.
3058A workaround is available under the
3059.Va debug.pfugidhack
3060sysctl which is automatically enabled when a
3061.Ar user
3062/
3063.Ar group
3064rule is added or
3065.Ar log (user)
3066is specified.
3067.Pp
3068Route labels are not supported by the
3069.Fx
3070.Xr route 4
3071system.
3072Rules with a route label do not match any traffic.
3073.Sh SEE ALSO
3074.Xr altq 4 ,
3075.Xr carp 4 ,
3076.Xr icmp 4 ,
3077.Xr icmp6 4 ,
3078.Xr ip 4 ,
3079.Xr ip6 4 ,
3080.Xr pf 4 ,
3081.Xr pflow 4 ,
3082.Xr pfsync 4 ,
3043.Sh SEE ALSO
3044.Xr altq 4 ,
3045.Xr carp 4 ,
3046.Xr icmp 4 ,
3047.Xr icmp6 4 ,
3048.Xr ip 4 ,
3049.Xr ip6 4 ,
3050.Xr pf 4 ,
3051.Xr pflow 4 ,
3052.Xr pfsync 4 ,
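Review bot: deleting the BUGS section (old lines 3051-3072) removes the only documentation of the debug.pfugidhack sysctl and of the user/group LOR workaround; that is only correct if the same change removes the sysctl and the deadlock from the kernel, otherwise an administrator who still has the knob has no reference for what it does. The commit message should state which it is. The second paragraph (route labels unsupported) goes consistently with the removal of the route label keyword.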
3083.Xr route 4 ,
3084.Xr tcp 4 ,
3085.Xr udp 4 ,
3086.Xr hosts 5 ,
3087.Xr pf.os 5 ,
3088.Xr protocols 5 ,
3089.Xr services 5 ,
3090.Xr ftp-proxy 8 ,
3091.Xr pfctl 8 ,
3092.Xr pflogd 8 ,
3053.Xr tcp 4 ,
3054.Xr udp 4 ,
3055.Xr hosts 5 ,
3056.Xr pf.os 5 ,
3057.Xr protocols 5 ,
3058.Xr services 5 ,
3059.Xr ftp-proxy 8 ,
3060.Xr pfctl 8 ,
3061.Xr pflogd 8 ,
3093.Xr route 8
3094.Sh HISTORY
3095The
3096.Nm
3097file format first appeared in
3098.Ox 3.0 .
3062.Sh HISTORY
3063The
3064.Nm
3065file format first appeared in
3066.Ox 3.0 .
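Review bot: after removing `.Xr route 8` (old line 3093), the last SEE ALSO entry on new line 3061 is `.Xr pflogd 8 ,` with a trailing comma immediately before `.Sh HISTORY`; drop the comma so the rendered list does not end with a stray ",". Removing `.Xr route 4` (old line 3083) is consistent with dropping route label support from the page.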