Differential D31907 Diff 95621 share/man/man5/pf.conf.5

Changeset View

Standalone View

share/man/man5/pf.conf.5

Show All 22 Lines
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,		.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;		.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER		.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT		.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN		.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE		.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.		.\" POSSIBILITY OF SUCH DAMAGE.
.\"		.\"
.Dd April 19, 2021		.Dd September 10, 2021
.Dt PF.CONF 5		.Dt PF.CONF 5
.Os		.Os
.Sh NAME		.Sh NAME
.Nm pf.conf		.Nm pf.conf
.Nd packet filter configuration file		.Nd packet filter configuration file
.Sh DESCRIPTION		.Sh DESCRIPTION
The		The
.Xr pf 4		.Xr pf 4
▲ Show 20 Lines • Show All 727 Lines • ▼ Show 20 Lines
The		The
.Ar no		.Ar no
option prefixed to a scrub rule causes matching packets to remain unscrubbed,		option prefixed to a scrub rule causes matching packets to remain unscrubbed,
much in the same way as		much in the same way as
.Ar drop quick		.Ar drop quick
works in the packet filter (see below).		works in the packet filter (see below).
This mechanism should be used when it is necessary to exclude specific packets		This mechanism should be used when it is necessary to exclude specific packets
from broader scrub rules.		from broader scrub rules.
.Sh QUEUEING		.Sh QUEUEING with ALTQ
The ALTQ system is currently not available in the GENERIC kernel nor as		The ALTQ system is currently not available in the GENERIC kernel nor as
loadable modules.		loadable modules.
In order to use the herein after called queueing options one has to use a		In order to use the herein after called queueing options one has to use a
custom built kernel.		custom built kernel.
Please refer to		Please refer to
.Xr altq 4		.Xr altq 4
to learn about the related kernel options.		to learn about the related kernel options.
.Pp		.Pp
▲ Show 20 Lines • Show All 315 Lines • ▼ Show 20 Lines	pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e
queue developers		queue developers
pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e		pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e
queue employees		queue employees
pass out on dc0 inet proto tcp from any to any port 22 \e		pass out on dc0 inet proto tcp from any to any port 22 \e
queue(ssh_bulk, ssh_interactive)		queue(ssh_bulk, ssh_interactive)
pass out on dc0 inet proto tcp from any to any port 25 \e		pass out on dc0 inet proto tcp from any to any port 25 \e
queue mail		queue mail
.Ed		.Ed
		.Sh QUEUEING with dummynet
		Queueing can also be done with
		.Xr dummynet 4 .
		Queues and pipes can be created with
		.Xr dnctl 8 .
		.Pp
		Packets can be assigned to queues and pipes using
		.Ar dnqueue
		and
		.Ar dnpipe
		respectively.
		.Pp
		Both
		.Ar dnqueue
		and
		.Ar dnpipe
		take either a single pipe or queue number or two numbers as arguments.
		The first pipe or queue number will be used to shape the traffic in the rule
		direction, the second will be used to shape the traffic in the reverse
		direction.
		If the rule does not specify a direction the first packet to create state will
		be shaped according to the first number, and the response traffic according to
		the second.
		.Pp
		If the
		.Xr dummynet 4
		module is not loaded any traffic sent into a queue or pipe will be dropped.
.Sh TRANSLATION		.Sh TRANSLATION
Translation rules modify either the source or destination address of the		Translation rules modify either the source or destination address of the
packets associated with a stateful connection.		packets associated with a stateful connection.
A stateful connection is automatically created to track packets matching		A stateful connection is automatically created to track packets matching
such a rule as long as they are not blocked by the filtering section of		such a rule as long as they are not blocked by the filtering section of
.Nm pf.conf .		.Nm pf.conf .
The translation engine modifies the specified address and/or port in the		The translation engine modifies the specified address and/or port in the
packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to		packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to
▲ Show 20 Lines • Show All 204 Lines • ▼ Show 20 Lines
rules differ from		rules differ from
.Ar block		.Ar block
and		and
.Ar pass		.Ar pass
rules in that parameters are set every time a packet matches the rule, not only		rules in that parameters are set every time a packet matches the rule, not only
on the last matching rule.		on the last matching rule.
For the following parameters, this means that the parameter effectively becomes		For the following parameters, this means that the parameter effectively becomes
"sticky" until explicitly overridden:		"sticky" until explicitly overridden:
.Ar queue		.Ar queue ,
		.Ar dnpipe ,
		.Ar dnqueue
.		.
.It Ar pass		.It Ar pass
The packet is passed;		The packet is passed;
state is created unless the		state is created unless the
.Ar no state		.Ar no state
option is specified.		option is specified.
.El		.El
.Pp		.Pp
▲ Show 20 Lines • Show All 1,600 Lines • ▼ Show 20 Lines	filteropt = user \| group \| flags \| icmp-type \| icmp6-type \| "tos" tos \|
( "no" \| "keep" \| "modulate" \| "synproxy" ) "state"		( "no" \| "keep" \| "modulate" \| "synproxy" ) "state"
[ "(" state-opts ")" ] \|		[ "(" state-opts ")" ] \|
"fragment" \| "no-df" \| "min-ttl" number \| "set-tos" tos \|		"fragment" \| "no-df" \| "min-ttl" number \| "set-tos" tos \|
"max-mss" number \| "random-id" \| "reassemble tcp" \|		"max-mss" number \| "random-id" \| "reassemble tcp" \|
fragmentation \| "allow-opts" \|		fragmentation \| "allow-opts" \|
"label" string \| "tag" string \| [ ! ] "tagged" string \|		"label" string \| "tag" string \| [ ! ] "tagged" string \|
"set prio" ( number \| "(" number [ [ "," ] number ] ")" ) \|		"set prio" ( number \| "(" number [ [ "," ] number ] ")" ) \|
"queue" ( string \| "(" string [ [ "," ] string ] ")" ) \|		"queue" ( string \| "(" string [ [ "," ] string ] ")" ) \|
"rtable" number \| "probability" number"%" \| "prio" number		"rtable" number \| "probability" number"%" \| "prio" number \|
		"dnpipe" ( number \| "(" number "," number ")" ) \|
		"dnqueue" ( number \| "(" number "," number ")" )

nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]		nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ "on" ifspec ] [ af ]		[ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]		[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
[ "-\*(Gt" ( redirhost \| "{" redirhost-list "}" )		[ "-\*(Gt" ( redirhost \| "{" redirhost-list "}" )
[ portspec ] [ pooltype ] [ "static-port" ]		[ portspec ] [ pooltype ] [ "static-port" ]
[ "map-e-portset" number "/" number "/" number ] ]		[ "map-e-portset" number "/" number "/" number ] ]

▲ Show 20 Lines • Show All 192 Lines • Show Last 20 Lines