Page MenuHomeFreeBSD
Differential D31751 Diff 94434 share/man/man5/pf.conf.5

Changeset View

Standalone View

View Options

share/man/man5/pf.conf.5

Show All 35 Lines
.Nd packet filter configuration file .Nd packet filter configuration file
.Sh DESCRIPTION .Sh DESCRIPTION
The The
.Xr pf 4 .Xr pf 4
packet filter modifies, drops or passes packets according to rules or packet filter modifies, drops or passes packets according to rules or
definitions specified in definitions specified in
.Nm pf.conf . .Nm pf.conf .
.Sh STATEMENT ORDER .Sh STATEMENT ORDER
There are seven types of statements in There are eight types of statements in
.Nm pf.conf : .Nm pf.conf :
.Bl -tag -width xxxx .Bl -tag -width xxxx
.It Cm Macros .It Cm Macros
User-defined variables may be defined and used later, simplifying User-defined variables may be defined and used later, simplifying
the configuration file. the configuration file.
Macros must be defined before they are referenced in Macros must be defined before they are referenced in
.Nm pf.conf . .Nm pf.conf .
.It Cm Tables .It Cm Tables
Tables provide a mechanism for increasing the performance and flexibility of Tables provide a mechanism for increasing the performance and flexibility of
rules with large numbers of source or destination addresses. rules with large numbers of source or destination addresses.
.It Cm Options .It Cm Options
Options tune the behaviour of the packet filtering engine. Options tune the behaviour of the packet filtering engine.
.It Cm Ethernet Filtering
Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
.It Cm Traffic Normalization Li (e.g. Em scrub ) .It Cm Traffic Normalization Li (e.g. Em scrub )
Traffic normalization protects internal machines against inconsistencies Traffic normalization protects internal machines against inconsistencies
in Internet protocols and implementations. in Internet protocols and implementations.
.It Cm Queueing .It Cm Queueing
Queueing provides rule-based bandwidth control. Queueing provides rule-based bandwidth control.
.It Cm Translation Li (Various forms of NAT) .It Cm Translation Li (Various forms of NAT)
Translation rules specify how addresses are to be mapped or redirected to Translation rules specify how addresses are to be mapped or redirected to
other addresses. other addresses.
▲ Show 20 LinesShow All 556 Lines▼ Show 20 Lines
.It Ar set keepcounters .It Ar set keepcounters
Preserve rule counters across rule updates. Preserve rule counters across rule updates.
Usually rule counters are reset to zero on every update of the ruleset. Usually rule counters are reset to zero on every update of the ruleset.
With With
.Ar keepcounters .Ar keepcounters
set pf will attempt to find matching rules between old and new rulesets set pf will attempt to find matching rules between old and new rulesets
and preserve the rule counters. and preserve the rule counters.
.El .El
.Sh ETHERNET FILTERING
.Xr pf 4
has the ability to
.Ar block
and
.Ar pass
packets based on attributes of their Ethernet (layer 2) header.
.Pp
For each packet processed by the packet filter, the filter rules are
evaluated in sequential order, from first to last.
The last matching rule decides what action is taken.
bcrUnsubmitted
Not Done
Inline Actions

s/waht/what/

bcr: s/waht/what/
If no rule matches the packet, the default action is to pass
the packet.
.Pp
The folliwing actions can be used in the filter:
.Bl -tag -width xxxx
.It Ar block
The packet is blocked.
Unlike for layer 3 traffic the packet is always silently dropped.
.It Ar pass
The packet is passed;
no state is created for layer 2 traffic.
.El
.Sh PARAMETERS
The rule parameters specify the packets to which a rule applies.
A packet always comes in on, or goes out through, one interface.
Most parameters are optional.
If a parameter is specified, the rule only applies to packets with
matching attributes.
Certain parameters can be expressed as lists, in which case
.Xr pfctl 8
generates all needed rule combinations.
.Bl -tag -width xxxx
.It Ar in No or Ar out
This rule applies to incoming or outgoing packets.
If neither
.Ar in
nor
.Ar out
are specified, the rule will match packets in both directions.
.It Ar quick
If a packet matches a rule which has the
.Ar quick
option set, this rule
is considered the last matching rule, and evaluation of subsequent rules
is skipped.
.It Ar on Aq Ar interface
This rule applies only to packets coming in on, or going out through, this
particular interface or interface group.
For more information on interface groups,
see the
.Ic group
keyword in
.Xr ifconfig 8 .
.It Ar proto Aq Ar protocol
This rule applies only to packets of this protocol.
Note that Ethernet protocol numbers are different from those used in
.Xr ip 4
and
.Xr ip6 4 .
.It Xo
.Ar from Aq Ar source
.Ar to Aq Ar dest
.Xc
This rule applies only to packets with the specified source and destination
MAC addresses.
.It Xo Ar queue Aq Ar queue
.Xc
Packets matching this rule will be assigned to the specified queue.
See
.Sx QUEUEING
for setup details.
.Pp
.It Ar tag Aq Ar string
Packets matching this rule will be tagged with the
specified string.
The tag acts as an internal marker that can be used to
identify these packets later on.
This can be used, for example, to provide trust between
interfaces and to determine if packets have been
processed by translation rules.
Tags are
.Qq sticky ,
meaning that the packet will be tagged even if the rule
is not the last matching rule.
Further matching rules can replace the tag with a
new one but will not remove a previously applied tag.
A packet is only ever assigned one tag at a time.
.Sh TRAFFIC NORMALIZATION .Sh TRAFFIC NORMALIZATION
Traffic normalization is used to sanitize packet content in such Traffic normalization is used to sanitize packet content in such
a way that there are no ambiguities in packet interpretation on a way that there are no ambiguities in packet interpretation on
the receiving side. the receiving side.
The normalizer does IP fragment reassembly to prevent attacks The normalizer does IP fragment reassembly to prevent attacks
that confuse intrusion detection systems by sending overlapping that confuse intrusion detection systems by sending overlapping
IP fragments. IP fragments.
Packet normalization is invoked with the Packet normalization is invoked with the
▲ Show 20 LinesShow All 1,252 Lines▼ Show 20 Lines
meaning that the packet will be tagged even if the rule meaning that the packet will be tagged even if the rule
is not the last matching rule. is not the last matching rule.
Further matching rules can replace the tag with a Further matching rules can replace the tag with a
new one but will not remove a previously applied tag. new one but will not remove a previously applied tag.
A packet is only ever assigned one tag at a time. A packet is only ever assigned one tag at a time.
Packet tagging can be done during Packet tagging can be done during
.Ar nat , .Ar nat ,
.Ar rdr , .Ar rdr ,
or
.Ar binat .Ar binat
or
.Ar ether
rules in addition to filter rules. rules in addition to filter rules.
Tags take the same macros as labels (see above). Tags take the same macros as labels (see above).
.It Ar tagged Aq Ar string .It Ar tagged Aq Ar string
Used with filter, translation or scrub rules Used with filter, translation or scrub rules
to specify that packets must already to specify that packets must already
be tagged with the given tag in order to match the rule. be tagged with the given tag in order to match the rule.
Inverse tag matching can also be done Inverse tag matching can also be done
by specifying the by specifying the
▲ Show 20 LinesShow All 990 Lines▼ Show 20 Lines
block in on $ext_if block in on $ext_if
pass in on $ext_if inet proto tcp tagged SPAMD pass in on $ext_if inet proto tcp tagged SPAMD
.Ed .Ed
.Sh GRAMMAR .Sh GRAMMAR
Syntax for Syntax for
.Nm .Nm
in BNF: in BNF:
.Bd -literal .Bd -literal
line = ( option | pf-rule | nat-rule | binat-rule | rdr-rule | line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
antispoof-rule | altq-rule | queue-rule | trans-anchors | rdr-rule | antispoof-rule | altq-rule | queue-rule |
anchor-rule | anchor-close | load-anchor | table-rule | trans-anchors | anchor-rule | anchor-close | load-anchor |
include ) table-rule | include )
option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] | option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
[ "ruleset-optimization" [ "none" | "basic" | "profile" ]] | [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
[ "optimization" [ "default" | "normal" | [ "optimization" [ "default" | "normal" |
"high-latency" | "satellite" | "high-latency" | "satellite" |
"aggressive" | "conservative" ] ] "aggressive" | "conservative" ] ]
[ "limit" ( limit-item | "{" limit-list "}" ) ] | [ "limit" ( limit-item | "{" limit-list "}" ) ] |
[ "loginterface" ( interface-name | "none" ) ] | [ "loginterface" ( interface-name | "none" ) ] |
[ "block-policy" ( "drop" | "return" ) ] | [ "block-policy" ( "drop" | "return" ) ] |
[ "state-policy" ( "if-bound" | "floating" ) ] [ "state-policy" ( "if-bound" | "floating" ) ]
[ "state-defaults" state-opts ] [ "state-defaults" state-opts ]
[ "require-order" ( "yes" | "no" ) ] [ "require-order" ( "yes" | "no" ) ]
[ "fingerprints" filename ] | [ "fingerprints" filename ] |
[ "skip on" ifspec ] | [ "skip on" ifspec ] |
[ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] [ "debug" ( "none" | "urgent" | "misc" | "loud" ) ]
[ "keepcounters" ] ) [ "keepcounters" ] )
ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
[ "quick" ] [ "on" ifspec ] [ etherprotospec ]
etherhosts [ etherfilteropt-list ]
pf-rule = action [ ( "in" | "out" ) ] pf-rule = action [ ( "in" | "out" ) ]
[ "log" [ "(" logopts ")"] ] [ "quick" ] [ "log" [ "(" logopts ")"] ] [ "quick" ]
[ "on" ifspec ] [ route ] [ af ] [ protospec ] [ "on" ifspec ] [ route ] [ af ] [ protospec ]
hosts [ filteropt-list ] hosts [ filteropt-list ]
logopts = logopt [ "," logopts ] logopts = logopt [ "," logopts ]
logopt = "all" | "user" | "to" interface-name logopt = "all" | "user" | "to" interface-name
etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
etherfilteropt = "tag" string | "queue" ( string )
filteropt-list = filteropt-list filteropt | filteropt filteropt-list = filteropt-list filteropt | filteropt
filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos | filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
( "no" | "keep" | "modulate" | "synproxy" ) "state" ( "no" | "keep" | "modulate" | "synproxy" ) "state"
[ "(" state-opts ")" ] | [ "(" state-opts ")" ] |
"fragment" | "no-df" | "min-ttl" number | "set-tos" tos | "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
"max-mss" number | "random-id" | "reassemble tcp" | "max-mss" number | "random-id" | "reassemble tcp" |
fragmentation | "allow-opts" | fragmentation | "allow-opts" |
"label" string | "tag" string | [ ! ] "tagged" string | "label" string | "tag" string | [ ! ] "tagged" string |
▲ Show 20 LinesShow All 50 Lines▼ Show 20 Lines
queueopts-list = queueopts-list queueopts | queueopts queueopts-list = queueopts-list queueopts | queueopts
queueopts = [ "bandwidth" bandwidth-spec ] | queueopts = [ "bandwidth" bandwidth-spec ] |
[ "qlimit" number ] | [ "tbrsize" number ] | [ "qlimit" number ] | [ "tbrsize" number ] |
[ "priority" number ] | [ schedulers ] [ "priority" number ] | [ schedulers ]
schedulers = ( cbq-def | priq-def | hfsc-def ) schedulers = ( cbq-def | priq-def | hfsc-def )
bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" ) bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
etheraction = "pass" | "block"
action = "pass" | "block" [ return ] | [ "no" ] "scrub" action = "pass" | "block" [ return ] | [ "no" ] "scrub"
return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] | return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
"return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] | "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
"return-icmp6" [ "(" icmp6code ")" ] "return-icmp6" [ "(" icmp6code ")" ]
icmpcode = ( icmp-code-name | icmp-code-number ) icmpcode = ( icmp-code-name | icmp-code-number )
icmp6code = ( icmp6-code-name | icmp6-code-number ) icmp6code = ( icmp6-code-name | icmp6-code-number )
ifspec = ( [ "!" ] ( interface-name | interface-group ) ) | ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
"{" interface-list "}" "{" interface-list "}"
interface-list = [ "!" ] ( interface-name | interface-group ) interface-list = [ "!" ] ( interface-name | interface-group )
[ [ "," ] interface-list ] [ [ "," ] interface-list ]
route = ( "route-to" | "reply-to" | "dup-to" ) route = ( "route-to" | "reply-to" | "dup-to" )
( routehost | "{" routehost-list "}" ) ( routehost | "{" routehost-list "}" )
[ pooltype ] [ pooltype ]
af = "inet" | "inet6" af = "inet" | "inet6"
etherprotospec = "proto" ( proto-number | "{" proto-list "}" )
protospec = "proto" ( proto-name | proto-number | protospec = "proto" ( proto-name | proto-number |
"{" proto-list "}" ) "{" proto-list "}" )
proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ] proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
etherhosts = "from" macaddress "to" macaddress
hosts = "all" | hosts = "all" |
"from" ( "any" | "no-route" | "urpf-failed" | "self" | host | "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
"{" host-list "}" ) [ port ] [ os ] "{" host-list "}" ) [ port ] [ os ]
"to" ( "any" | "no-route" | "self" | host | "to" ( "any" | "no-route" | "self" | host |
"{" host-list "}" ) [ port ] "{" host-list "}" ) [ port ]
ipspec = "any" | host | "{" host-list "}" ipspec = "any" | host | "{" host-list "}"
host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" ) host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
▲ Show 20 LinesShow All 117 LinesShow Last 20 Lines