share/man/man5/pf.conf.5
.Nd packet filter configuration file | .Nd packet filter configuration file | ||||
.Sh DESCRIPTION | .Sh DESCRIPTION | ||||
The | The | ||||
.Xr pf 4 | .Xr pf 4 | ||||
packet filter modifies, drops or passes packets according to rules or | packet filter modifies, drops or passes packets according to rules or | ||||
definitions specified in | definitions specified in | ||||
.Nm pf.conf . | .Nm pf.conf . | ||||
.Sh STATEMENT ORDER | .Sh STATEMENT ORDER | ||||
There are seven types of statements in | There are eight types of statements in | ||||
.Nm pf.conf : | .Nm pf.conf : | ||||
.Bl -tag -width xxxx | .Bl -tag -width xxxx | ||||
.It Cm Macros | .It Cm Macros | ||||
User-defined variables may be defined and used later, simplifying | User-defined variables may be defined and used later, simplifying | ||||
the configuration file. | the configuration file. | ||||
Macros must be defined before they are referenced in | Macros must be defined before they are referenced in | ||||
.Nm pf.conf . | .Nm pf.conf . | ||||
.It Cm Tables | .It Cm Tables | ||||
Tables provide a mechanism for increasing the performance and flexibility of | Tables provide a mechanism for increasing the performance and flexibility of | ||||
rules with large numbers of source or destination addresses. | rules with large numbers of source or destination addresses. | ||||
.It Cm Options | .It Cm Options | ||||
Options tune the behaviour of the packet filtering engine. | Options tune the behaviour of the packet filtering engine. | ||||
.It Cm Ethernet Filtering | |||||
Ethernet filtering provides rule-based blocking or passing of Ethernet packets. | |||||
.It Cm Traffic Normalization Li (e.g. Em scrub ) | .It Cm Traffic Normalization Li (e.g. Em scrub ) | ||||
Traffic normalization protects internal machines against inconsistencies | Traffic normalization protects internal machines against inconsistencies | ||||
in Internet protocols and implementations. | in Internet protocols and implementations. | ||||
.It Cm Queueing | .It Cm Queueing | ||||
Queueing provides rule-based bandwidth control. | Queueing provides rule-based bandwidth control. | ||||
.It Cm Translation Li (Various forms of NAT) | .It Cm Translation Li (Various forms of NAT) | ||||
Translation rules specify how addresses are to be mapped or redirected to | Translation rules specify how addresses are to be mapped or redirected to | ||||
other addresses. | other addresses. | ||||
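Review bot: the new `.It Cm Ethernet Filtering` entry is placed between Options and Traffic Normalization, and because this list is the statement order that `set require-order` (visible in the grammar hunk of this same diff) enforces, its position should match where the parser actually requires `ether` rules to appear; please confirm that before landing. Consider also naming the keyword in the one-line description so the item is recognisable from a ruleset, e.g. `Ethernet filtering rules, introduced with the ether keyword, provide rule-based blocking or passing of packets based on their layer 2 header.`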
.It Ar set keepcounters | .It Ar set keepcounters | ||||
Preserve rule counters across rule updates. | Preserve rule counters across rule updates. | ||||
Usually rule counters are reset to zero on every update of the ruleset. | Usually rule counters are reset to zero on every update of the ruleset. | ||||
With | With | ||||
.Ar keepcounters | .Ar keepcounters | ||||
set pf will attempt to find matching rules between old and new rulesets | set pf will attempt to find matching rules between old and new rulesets | ||||
and preserve the rule counters. | and preserve the rule counters. | ||||
.El | .El | ||||
.Sh ETHERNET FILTERING | |||||
.Xr pf 4 | |||||
has the ability to | |||||
.Ar block | |||||
and | |||||
.Ar pass | |||||
packets based on attributes of their Ethernet (layer 2) header. | |||||
.Pp | |||||
For each packet processed by the packet filter, the filter rules are | |||||
evaluated in sequential order, from first to last. | |||||
The last matching rule decides what action is taken. | |||||
bcr: s/waht/what/ | |||||
If no rule matches the packet, the default action is to pass | |||||
the packet. | |||||
.Pp | |||||
The folliwing actions can be used in the filter: | |||||
.Bl -tag -width xxxx | |||||
.It Ar block | |||||
The packet is blocked. | |||||
Unlike for layer 3 traffic the packet is always silently dropped. | |||||
.It Ar pass | |||||
The packet is passed; | |||||
no state is created for layer 2 traffic. | |||||
.El | |||||
.Sh PARAMETERS | |||||
The rule parameters specify the packets to which a rule applies. | |||||
A packet always comes in on, or goes out through, one interface. | |||||
Most parameters are optional. | |||||
If a parameter is specified, the rule only applies to packets with | |||||
matching attributes. | |||||
Certain parameters can be expressed as lists, in which case | |||||
.Xr pfctl 8 | |||||
generates all needed rule combinations. | |||||
.Bl -tag -width xxxx | |||||
.It Ar in No or Ar out | |||||
This rule applies to incoming or outgoing packets. | |||||
If neither | |||||
.Ar in | |||||
nor | |||||
.Ar out | |||||
are specified, the rule will match packets in both directions. | |||||
.It Ar quick | |||||
If a packet matches a rule which has the | |||||
.Ar quick | |||||
option set, this rule | |||||
is considered the last matching rule, and evaluation of subsequent rules | |||||
is skipped. | |||||
.It Ar on Aq Ar interface | |||||
This rule applies only to packets coming in on, or going out through, this | |||||
particular interface or interface group. | |||||
For more information on interface groups, | |||||
see the | |||||
.Ic group | |||||
keyword in | |||||
.Xr ifconfig 8 . | |||||
.It Ar proto Aq Ar protocol | |||||
This rule applies only to packets of this protocol. | |||||
Note that Ethernet protocol numbers are different from those used in | |||||
.Xr ip 4 | |||||
and | |||||
.Xr ip6 4 . | |||||
.It Xo | |||||
.Ar from Aq Ar source | |||||
.Ar to Aq Ar dest | |||||
.Xc | |||||
This rule applies only to packets with the specified source and destination | |||||
MAC addresses. | |||||
.It Xo Ar queue Aq Ar queue | |||||
.Xc | |||||
Packets matching this rule will be assigned to the specified queue. | |||||
See | |||||
.Sx QUEUEING | |||||
for setup details. | |||||
.Pp | |||||
.It Ar tag Aq Ar string | |||||
Packets matching this rule will be tagged with the | |||||
specified string. | |||||
The tag acts as an internal marker that can be used to | |||||
identify these packets later on. | |||||
This can be used, for example, to provide trust between | |||||
interfaces and to determine if packets have been | |||||
processed by translation rules. | |||||
Tags are | |||||
.Qq sticky , | |||||
meaning that the packet will be tagged even if the rule | |||||
is not the last matching rule. | |||||
Further matching rules can replace the tag with a | |||||
new one but will not remove a previously applied tag. | |||||
A packet is only ever assigned one tag at a time. | |||||
.Sh TRAFFIC NORMALIZATION | .Sh TRAFFIC NORMALIZATION | ||||
Traffic normalization is used to sanitize packet content in such | Traffic normalization is used to sanitize packet content in such | ||||
a way that there are no ambiguities in packet interpretation on | a way that there are no ambiguities in packet interpretation on | ||||
the receiving side. | the receiving side. | ||||
The normalizer does IP fragment reassembly to prevent attacks | The normalizer does IP fragment reassembly to prevent attacks | ||||
that confuse intrusion detection systems by sending overlapping | that confuse intrusion detection systems by sending overlapping | ||||
IP fragments. | IP fragments. | ||||
Packet normalization is invoked with the | Packet normalization is invoked with the | ||||
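Review bot: the new `.Sh PARAMETERS` heading reuses the title of the existing PARAMETERS section for layer 3 rules (the `tag` text it repeats word for word is visible below in that section), so the page ends up with two sections of the same name and any `.Sx PARAMETERS` cross-reference becomes ambiguous; make it a `.Ss` subsection under ETHERNET FILTERING or rename it (for example ETHERNET PARAMETERS). In the same region the `.Bl -tag -width xxxx` that opens the parameter list is never closed with `.El` before `.Sh TRAFFIC NORMALIZATION`, the stray `.Pp` before `.It Ar tag` should go (mandoc warns about a paragraph macro between list items), and "folliwing" should read "following". The `pass` action says no state is created for layer 2 traffic; since the `in`/`out` entry says a rule without a direction matches both ways, one sentence spelling out that reply traffic needs its own matching rule (or a direction-less rule) would prevent rulesets that pass one direction and silently block the other.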
meaning that the packet will be tagged even if the rule | meaning that the packet will be tagged even if the rule | ||||
is not the last matching rule. | is not the last matching rule. | ||||
Further matching rules can replace the tag with a | Further matching rules can replace the tag with a | ||||
new one but will not remove a previously applied tag. | new one but will not remove a previously applied tag. | ||||
A packet is only ever assigned one tag at a time. | A packet is only ever assigned one tag at a time. | ||||
Packet tagging can be done during | Packet tagging can be done during | ||||
.Ar nat , | .Ar nat , | ||||
.Ar rdr , | .Ar rdr , | ||||
or | |||||
.Ar binat | .Ar binat | ||||
or | |||||
.Ar ether | |||||
rules in addition to filter rules. | rules in addition to filter rules. | ||||
Tags take the same macros as labels (see above). | Tags take the same macros as labels (see above). | ||||
.It Ar tagged Aq Ar string | .It Ar tagged Aq Ar string | ||||
Used with filter, translation or scrub rules | Used with filter, translation or scrub rules | ||||
to specify that packets must already | to specify that packets must already | ||||
be tagged with the given tag in order to match the rule. | be tagged with the given tag in order to match the rule. | ||||
Inverse tag matching can also be done | Inverse tag matching can also be done | ||||
by specifying the | by specifying the | ||||
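Review bot: with `ether` added to the list of rule types that can set a tag under `.It Ar tag`, the following `.It Ar tagged` entry still reads "Used with filter, translation or scrub rules", and the new grammar's `etherfilteropt` offers only `tag` and `queue`; say explicitly that layer 2 rules can set a tag but cannot match on one, so readers do not write `ether ... tagged` rules and expect them to load.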
block in on $ext_if | block in on $ext_if | ||||
pass in on $ext_if inet proto tcp tagged SPAMD | pass in on $ext_if inet proto tcp tagged SPAMD | ||||
.Ed | .Ed | ||||
.Sh GRAMMAR | .Sh GRAMMAR | ||||
Syntax for | Syntax for | ||||
.Nm | .Nm | ||||
in BNF: | in BNF: | ||||
.Bd -literal | .Bd -literal | ||||
line = ( option | pf-rule | nat-rule | binat-rule | rdr-rule | | line = ( option | ether-rule | pf-rule | nat-rule | binat-rule | | ||||
antispoof-rule | altq-rule | queue-rule | trans-anchors | | rdr-rule | antispoof-rule | altq-rule | queue-rule | | ||||
anchor-rule | anchor-close | load-anchor | table-rule | | trans-anchors | anchor-rule | anchor-close | load-anchor | | ||||
include ) | table-rule | include ) | ||||
option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] | | option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] | | ||||
[ "ruleset-optimization" [ "none" | "basic" | "profile" ]] | | [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] | | ||||
[ "optimization" [ "default" | "normal" | | [ "optimization" [ "default" | "normal" | | ||||
"high-latency" | "satellite" | | "high-latency" | "satellite" | | ||||
"aggressive" | "conservative" ] ] | "aggressive" | "conservative" ] ] | ||||
[ "limit" ( limit-item | "{" limit-list "}" ) ] | | [ "limit" ( limit-item | "{" limit-list "}" ) ] | | ||||
[ "loginterface" ( interface-name | "none" ) ] | | [ "loginterface" ( interface-name | "none" ) ] | | ||||
[ "block-policy" ( "drop" | "return" ) ] | | [ "block-policy" ( "drop" | "return" ) ] | | ||||
[ "state-policy" ( "if-bound" | "floating" ) ] | [ "state-policy" ( "if-bound" | "floating" ) ] | ||||
[ "state-defaults" state-opts ] | [ "state-defaults" state-opts ] | ||||
[ "require-order" ( "yes" | "no" ) ] | [ "require-order" ( "yes" | "no" ) ] | ||||
[ "fingerprints" filename ] | | [ "fingerprints" filename ] | | ||||
[ "skip on" ifspec ] | | [ "skip on" ifspec ] | | ||||
[ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] | [ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] | ||||
[ "keepcounters" ] ) | [ "keepcounters" ] ) | ||||
ether-rule = "ether" etheraction [ ( "in" | "out" ) ] | |||||
[ "quick" ] [ "on" ifspec ] [ etherprotospec ] | |||||
etherhosts [ etherfilteropt-list ] | |||||
pf-rule = action [ ( "in" | "out" ) ] | pf-rule = action [ ( "in" | "out" ) ] | ||||
[ "log" [ "(" logopts ")"] ] [ "quick" ] | [ "log" [ "(" logopts ")"] ] [ "quick" ] | ||||
[ "on" ifspec ] [ route ] [ af ] [ protospec ] | [ "on" ifspec ] [ route ] [ af ] [ protospec ] | ||||
hosts [ filteropt-list ] | hosts [ filteropt-list ] | ||||
logopts = logopt [ "," logopts ] | logopts = logopt [ "," logopts ] | ||||
logopt = "all" | "user" | "to" interface-name | logopt = "all" | "user" | "to" interface-name | ||||
etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt | |||||
etherfilteropt = "tag" string | "queue" ( string ) | |||||
filteropt-list = filteropt-list filteropt | filteropt | filteropt-list = filteropt-list filteropt | filteropt | ||||
filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos | | filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos | | ||||
( "no" | "keep" | "modulate" | "synproxy" ) "state" | ( "no" | "keep" | "modulate" | "synproxy" ) "state" | ||||
[ "(" state-opts ")" ] | | [ "(" state-opts ")" ] | | ||||
"fragment" | "no-df" | "min-ttl" number | "set-tos" tos | | "fragment" | "no-df" | "min-ttl" number | "set-tos" tos | | ||||
"max-mss" number | "random-id" | "reassemble tcp" | | "max-mss" number | "random-id" | "reassemble tcp" | | ||||
fragmentation | "allow-opts" | | fragmentation | "allow-opts" | | ||||
"label" string | "tag" string | [ ! ] "tagged" string | | "label" string | "tag" string | [ ! ] "tagged" string | | ||||
queueopts-list = queueopts-list queueopts | queueopts | queueopts-list = queueopts-list queueopts | queueopts | ||||
queueopts = [ "bandwidth" bandwidth-spec ] | | queueopts = [ "bandwidth" bandwidth-spec ] | | ||||
[ "qlimit" number ] | [ "tbrsize" number ] | | [ "qlimit" number ] | [ "tbrsize" number ] | | ||||
[ "priority" number ] | [ schedulers ] | [ "priority" number ] | [ schedulers ] | ||||
schedulers = ( cbq-def | priq-def | hfsc-def ) | schedulers = ( cbq-def | priq-def | hfsc-def ) | ||||
bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" ) | bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" ) | ||||
etheraction = "pass" | "block" | |||||
action = "pass" | "block" [ return ] | [ "no" ] "scrub" | action = "pass" | "block" [ return ] | [ "no" ] "scrub" | ||||
return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] | | return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] | | ||||
"return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] | | "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] | | ||||
"return-icmp6" [ "(" icmp6code ")" ] | "return-icmp6" [ "(" icmp6code ")" ] | ||||
icmpcode = ( icmp-code-name | icmp-code-number ) | icmpcode = ( icmp-code-name | icmp-code-number ) | ||||
icmp6code = ( icmp6-code-name | icmp6-code-number ) | icmp6code = ( icmp6-code-name | icmp6-code-number ) | ||||
ifspec = ( [ "!" ] ( interface-name | interface-group ) ) | | ifspec = ( [ "!" ] ( interface-name | interface-group ) ) | | ||||
"{" interface-list "}" | "{" interface-list "}" | ||||
interface-list = [ "!" ] ( interface-name | interface-group ) | interface-list = [ "!" ] ( interface-name | interface-group ) | ||||
[ [ "," ] interface-list ] | [ [ "," ] interface-list ] | ||||
route = ( "route-to" | "reply-to" | "dup-to" ) | route = ( "route-to" | "reply-to" | "dup-to" ) | ||||
( routehost | "{" routehost-list "}" ) | ( routehost | "{" routehost-list "}" ) | ||||
[ pooltype ] | [ pooltype ] | ||||
af = "inet" | "inet6" | af = "inet" | "inet6" | ||||
etherprotospec = "proto" ( proto-number | "{" proto-list "}" ) | |||||
protospec = "proto" ( proto-name | proto-number | | protospec = "proto" ( proto-name | proto-number | | ||||
"{" proto-list "}" ) | "{" proto-list "}" ) | ||||
proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ] | proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ] | ||||
etherhosts = "from" macaddress "to" macaddress | |||||
hosts = "all" | | hosts = "all" | | ||||
"from" ( "any" | "no-route" | "urpf-failed" | "self" | host | | "from" ( "any" | "no-route" | "urpf-failed" | "self" | host | | ||||
"{" host-list "}" ) [ port ] [ os ] | "{" host-list "}" ) [ port ] [ os ] | ||||
"to" ( "any" | "no-route" | "self" | host | | "to" ( "any" | "no-route" | "self" | host | | ||||
"{" host-list "}" ) [ port ] | "{" host-list "}" ) [ port ] | ||||
ipspec = "any" | host | "{" host-list "}" | ipspec = "any" | host | "{" host-list "}" | ||||
host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" ) | host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" ) | ||||
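Review bot: `etherhosts = "from" macaddress "to" macaddress` makes both addresses mandatory with no `any` or `all` alternative, unlike `hosts`; if that is intended, the Ethernet parameter text ("Most parameters are optional", `from <source> to <dest>`) should state that both are required, and if a wildcard is supported the production should show it. `macaddress` is referenced here but not defined in the visible part of the hunk; make sure a production for it exists alongside `address`.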