2 .\" $OpenBSD: pf.conf.5,v 1.393 2008/02/11 07:46:32 jmc Exp $
4 .\" Copyright (c) 2002, Daniel Hartmeier
5 .\" All rights reserved.
7 .\" Redistribution and use in source and binary forms, with or without
8 .\" modification, are permitted provided that the following conditions
11 .\" - Redistributions of source code must retain the above copyright
12 .\" notice, this list of conditions and the following disclaimer.
13 .\" - Redistributions in binary form must reproduce the above
14 .\" copyright notice, this list of conditions and the following
15 .\" disclaimer in the documentation and/or other materials provided
16 .\" with the distribution.
18 .\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 .\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 .\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 .\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 .\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 .\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 .\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 .\" POSSIBILITY OF SUCH DAMAGE.
36 .Nd packet filter configuration file
40 packet filter modifies, drops or passes packets according to rules or
41 definitions specified in
44 There are seven types of statements in
48 User-defined variables may be defined and used later, simplifying
49 the configuration file.
50 Macros must be defined before they are referenced in
53 Tables provide a mechanism for increasing the performance and flexibility of
54 rules with large numbers of source or destination addresses.
56 Options tune the behaviour of the packet filtering engine.
57 .It Cm Traffic Normalization Li (e.g. Em scrub )
58 Traffic normalization protects internal machines against inconsistencies
59 in Internet protocols and implementations.
61 Queueing provides rule-based bandwidth control.
62 .It Cm Translation Li (Various forms of NAT)
63 Translation rules specify how addresses are to be mapped or redirected to
65 .It Cm Packet Filtering
66 Packet filtering provides rule-based blocking or passing of packets.
73 the types of statements should be grouped and appear in
75 in the order shown above, as this matches the operation of the underlying
76 packet filtering engine.
79 enforces this order (see
83 Macros can be defined that will later be expanded in context.
84 Macro names must start with a letter, and may contain letters, digits
86 Macro names may not be reserved words (for example
90 Macros are not expanded inside quotes.
93 .Bd -literal -offset indent
95 all_ifs = \&"{\&" $ext_if lo0 \&"}\&"
96 pass out on $ext_if from any to any
97 pass in on $ext_if proto tcp from any to any port 25
100 Tables are named structures which can hold a collection of addresses and
102 Lookups against tables in
104 are relatively fast, making a single rule with tables much more efficient,
106 processor usage and memory consumption, than a large number of rules which
107 differ only in IP address (either created explicitly or automatically by rule
110 Tables can be used as the source or destination of filter rules,
114 translation rules such as
118 (see below for details on the various rule types).
119 Tables can also be used for the redirect address of
123 rules and in the routing options of filter rules, but only for
127 Tables can be defined with any of the following
130 As with macros, reserved words may not be used as table names.
131 .Bl -tag -width "manually"
133 Persistent tables can be manually created with the
139 before or after the ruleset has been loaded.
141 Table definitions can be placed directly in this file, and loaded at the
142 same time as other rules are loaded, atomically.
143 Table definitions inside
147 statement, and are especially useful to define non-persistent tables.
148 The contents of a pre-existing table defined without a list of addresses
149 to initialize it is not altered when
152 A table initialized with the empty list,
154 will be cleared on load.
157 Tables may be defined with the following two attributes:
158 .Bl -tag -width persist
162 flag forces the kernel to keep the table even when no rules refer to it.
163 If the flag is not set, the kernel will automatically remove the table
164 when the last rule referring to it is flushed.
168 flag prevents the user from altering the contents of the table once it
172 can be used to add or remove addresses from the table at any time, even
179 .Bd -literal -offset indent
180 table \*(Ltprivate\*(Gt const { 10/8, 172.16/12, 192.168/16 }
181 table \*(Ltbadhosts\*(Gt persist
182 block on fxp0 from { \*(Ltprivate\*(Gt, \*(Ltbadhosts\*(Gt } to any
185 creates a table called private, to hold RFC 1918 private network
186 blocks, and a table called badhosts, which is initially empty.
187 A filter rule is set up to block all traffic coming from addresses listed in
189 The private table cannot have its contents changed and the badhosts table
190 will exist even when no active filter rules reference it.
191 Addresses may later be added to the badhosts table, so that traffic from
192 these hosts can be blocked by using
193 .Bd -literal -offset indent
194 # pfctl -t badhosts -Tadd 204.92.77.111
197 A table can also be initialized with an address list specified in one or more
198 external files, using the following syntax:
199 .Bd -literal -offset indent
200 table \*(Ltspam\*(Gt persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
201 block on fxp0 from \*(Ltspam\*(Gt to any
208 list IP addresses, one per line.
209 Any lines beginning with a # are treated as comments and ignored.
210 In addition to being specified by IP address, hosts may also be
211 specified by their hostname.
212 When the resolver is called to add a hostname to a table,
214 resulting IPv4 and IPv6 addresses are placed into the table.
215 IP addresses can also be entered in a table by specifying a valid interface
216 name, a valid interface group or the
218 keyword, in which case all addresses assigned to the interface(s) will be
222 may be tuned for various situations using the
228 .Bl -tag -width "src.track" -compact
230 Interval between purging expired states and fragments.
232 Seconds before an unassembled fragment is expired.
234 Length of time to retain a source tracking entry after the last state
238 When a packet matches a stateful connection, the seconds to live for the
239 connection will be updated to that of the
241 which corresponds to the connection state.
242 Each packet which matches this state will reset the TTL.
243 Tuning these values may improve the performance of the
244 firewall at the risk of dropping valid idle connections.
246 .Bl -tag -width xxxx -compact
248 The state after the first packet.
250 The state before the destination host ever sends a packet.
251 .It Ar tcp.established
252 The fully established state.
254 The state after the first FIN has been sent.
256 The state after both FINs have been exchanged and the connection is closed.
257 Some hosts (notably web servers on Solaris) send TCP packets even after closing
263 can prevent blocking of such packets.
265 The state after one endpoint sends an RST.
268 ICMP and UDP are handled in a fashion similar to TCP, but with a much more
269 limited set of states:
271 .Bl -tag -width xxxx -compact
273 The state after the first packet.
275 The state if the source host sends more than one packet but the destination
276 host has never sent one back.
278 The state if both hosts have sent packets.
280 The state after the first packet.
282 The state after an ICMP error came back in response to an ICMP packet.
285 Other protocols are handled similarly to UDP:
287 .Bl -tag -width xxxx -compact
290 .It Ar other.multiple
293 Timeout values can be reduced adaptively as the number of state table
296 .Bl -tag -width xxxx -compact
297 .It Ar adaptive.start
298 When the number of state entries exceeds this value, adaptive scaling
300 All timeout values are scaled linearly with factor
301 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
303 When reaching this number of state entries, all timeout values become
304 zero, effectively purging all state entries immediately.
305 This value is used to define the scale factor, it should not actually
306 be reached (set a lower state limit, see below).
309 Adaptive timeouts are enabled by default, with an adaptive.start value
310 equal to 60% of the state limit, and an adaptive.end value equal to
311 120% of the state limit.
312 They can be disabled by setting both adaptive.start and adaptive.end to 0.
314 The adaptive timeout values can be defined both globally and for each rule.
315 When used on a per-rule basis, the values relate to the number of
316 states created by the rule, otherwise to the total number of
320 .Bd -literal -offset indent
321 set timeout tcp.first 120
322 set timeout tcp.established 86400
323 set timeout { adaptive.start 6000, adaptive.end 12000 }
324 set limit states 10000
327 With 9000 state table entries, the timeout values are scaled to 50%
328 (tcp.first 60, tcp.established 43200).
330 .It Ar set loginterface
331 Enable collection of packet and byte count statistics for the given interface.
332 These statistics can be viewed using
333 .Bd -literal -offset indent
339 collects statistics on the interface named dc0:
340 .Bd -literal -offset indent
344 One can disable the loginterface using:
345 .Bd -literal -offset indent
346 set loginterface none
350 Sets hard limits on the memory pools used by the packet filter.
353 for an explanation of memory pools.
356 .Bd -literal -offset indent
357 set limit states 20000
360 sets the maximum number of entries in the memory pool used by state table
361 entries (generated by
363 rules which do not specify
367 .Bd -literal -offset indent
368 set limit frags 20000
371 sets the maximum number of entries in the memory pool used for fragment
372 reassembly (generated by
376 .Bd -literal -offset indent
377 set limit src-nodes 2000
380 sets the maximum number of entries in the memory pool used for tracking
381 source IP addresses (generated by the
387 .Bd -literal -offset indent
388 set limit tables 1000
389 set limit table-entries 100000
392 sets limits on the memory pools used by tables.
393 The first limits the number of tables that can exist to 1000.
394 The second limits the overall number of addresses that can be stored
397 Various limits can be combined on a single line:
398 .Bd -literal -offset indent
399 set limit { states 20000, frags 20000, src-nodes 2000 }
402 .It Ar set ruleset-optimization
403 .Bl -tag -width xxxxxxxx -compact
405 Disable the ruleset optimizer.
406 This is the default behaviour.
408 Enable basic ruleset optimization, which does four things to improve the
409 performance of ruleset evaluations:
413 remove duplicate rules
415 remove rules that are a subset of another rule
417 combine multiple rules into a table when advantageous
419 re-order the rules to improve evaluation performance
423 Uses the currently loaded ruleset as a feedback profile to tailor the
424 ordering of quick rules to actual network traffic.
427 It is important to note that the ruleset optimizer will modify the ruleset
428 to improve performance.
429 A side effect of the ruleset modification is that per-rule accounting
430 statistics will have different meanings than before.
431 If per-rule accounting is important for billing purposes or whatnot,
432 either the ruleset optimizer should not be used or a label field should
433 be added to all of the accounting rules to act as optimization barriers.
435 Optimization can also be set as a command-line argument to
437 overriding the settings in
439 .It Ar set optimization
440 Optimize state timeouts for one of the following network environments:
442 .Bl -tag -width xxxx -compact
444 A normal network environment.
445 Suitable for almost all networks.
447 A high-latency environment (such as a satellite connection).
452 Aggressively expire connections.
453 This can greatly reduce the memory usage of the firewall at the cost of
454 dropping idle connections early.
456 Extremely conservative settings.
457 Avoid dropping legitimate connections at the
458 expense of greater memory utilization (possibly much greater on a busy
459 network) and slightly increased processor utilization.
463 .Bd -literal -offset indent
464 set optimization aggressive
467 .It Ar set block-policy
470 option sets the default behaviour for the packet
474 .Bl -tag -width xxxxxxxx -compact
476 Packet is silently dropped.
478 A TCP RST is returned for blocked TCP packets,
479 an ICMP UNREACHABLE is returned for blocked UDP packets,
480 and all other packets are silently dropped.
484 .Bd -literal -offset indent
485 set block-policy return
487 .It Ar set state-policy
490 option sets the default behaviour for states:
492 .Bl -tag -width group-bound -compact
494 States are bound to interface.
496 States can match packets on any interfaces (the default).
500 .Bd -literal -offset indent
501 set state-policy if-bound
506 identifies this firewall's state table entries to other firewalls
510 By default the hostid is set to a pseudo-random value, however it may be
511 desirable to manually configure it, for example to more easily identify the
512 source of state table entries.
513 .Bd -literal -offset indent
517 The hostid may be specified in either decimal or hexadecimal.
518 .It Ar set require-order
521 enforces an ordering of the statement types in the ruleset to:
527 Setting this option to
529 disables this enforcement.
530 There may be non-trivial and non-obvious implications to an out of
532 Consider carefully before disabling the order enforcement.
533 .It Ar set fingerprints
534 Load fingerprints of known operating systems from the given filename.
535 By default fingerprints of known operating systems are automatically
540 but can be overridden via this option.
541 Setting this option may leave a small period of time where the fingerprints
542 referenced by the currently active ruleset are inconsistent until the new
543 ruleset finishes loading.
547 .Dl set fingerprints \&"/etc/pf.os.devel\&"
549 .It Ar set skip on Aq Ar ifspec
550 List interfaces for which packets should not be filtered.
551 Packets passing in or out on such interfaces are passed as if pf was
552 disabled, i.e. pf does not process them in any way.
553 This can be useful on loopback and other virtual interfaces, when
554 packet filtering is not desired and can have unexpected effects.
562 to one of the following:
564 .Bl -tag -width xxxxxxxxxxxx -compact
566 Don't generate debug messages.
568 Generate debug messages only for serious errors.
570 Generate debug messages for various errors.
572 Generate debug messages for common conditions.
575 .Sh TRAFFIC NORMALIZATION
576 Traffic normalization is used to sanitize packet content in such
577 a way that there are no ambiguities in packet interpretation on
579 The normalizer does IP fragment reassembly to prevent attacks
580 that confuse intrusion detection systems by sending overlapping
582 Packet normalization is invoked with the
587 has the following options:
592 bit from a matching IP packet.
593 Some operating systems are known to generate fragmented packets with the
596 This is particularly true with NFS.
598 will drop such fragmented
604 Unfortunately some operating systems also generate their
606 packets with a zero IP identification field.
609 bit on packets with a zero IP ID may cause deleterious results if an
610 upstream router later fragments the packet.
613 modifier (see below) is recommended in combination with the
615 modifier to ensure unique IP identifiers.
616 .It Ar min-ttl Aq Ar number
617 Enforces a minimum TTL for matching IP packets.
618 .It Ar max-mss Aq Ar number
619 Enforces a maximum MSS for matching TCP packets.
621 Replaces the IP identification field with random values to compensate
622 for predictable values generated by many hosts.
623 This option only applies to packets that are not fragmented
624 after the optional fragment reassembly.
625 .It Ar fragment reassemble
628 rules, fragments can be reassembled by normalization.
629 In this case, fragments are buffered until they form a complete
630 packet, and only the completed packet is passed on to the filter.
631 The advantage is that filter rules have to deal only with complete
632 packets, and can ignore fragments.
633 The drawback of caching fragments is the additional memory cost.
634 But the full reassembly method is the only method that currently works
636 This is the default behavior of a
638 rule if no fragmentation modifier is supplied.
640 The default fragment reassembly method is expensive, hence the option
644 will track the fragments and cache a small range descriptor.
645 Duplicate fragments are dropped and overlaps are cropped.
646 Thus data will only occur once on the wire with ambiguities resolving to
647 the first occurrence.
649 .Ar fragment reassemble
650 modifier, fragments are not buffered, they are passed as soon as they
654 reassembly mechanism does not yet work with NAT.
656 .It Ar fragment drop-ovl
657 This option is similar to the
659 modifier except that all overlapping or duplicate fragments will be
660 dropped, and all further corresponding fragments will be
662 .It Ar reassemble tcp
663 Statefully normalizes TCP connections.
664 .Ar scrub reassemble tcp
665 rules may not have the direction (in/out) specified.
667 performs the following normalizations:
669 .Bl -tag -width timeout -compact
671 Neither side of the connection is allowed to reduce their IP TTL.
672 An attacker may send a packet such that it reaches the firewall, affects
673 the firewall state, and expires before reaching the destination host.
675 will raise the TTL of all packets back up to the highest value seen on
677 .It timestamp modulation
678 Modern TCP stacks will send a timestamp on every TCP packet and echo
679 the other endpoint's timestamp back to them.
680 Many operating systems will merely start the timestamp at zero when
681 first booted, and increment it several times a second.
682 The uptime of the host can be deduced by reading the timestamp and multiplying
684 Also observing several different timestamps can be used to count hosts
686 And spoofing TCP packets into a connection requires knowing or guessing
688 Timestamps merely need to be monotonically increasing and not derived off a
693 to modulate the TCP timestamps with a random number.
694 .It extended PAWS checks
695 There is a problem with TCP on long fat pipes, in that a packet might get
696 delayed for longer than it takes the connection to wrap its 32-bit sequence
698 In such an occurrence, the old packet would be indistinguishable from a
699 new packet and would be accepted as such.
700 The solution to this is called PAWS: Protection Against Wrapped Sequence
702 It protects against it by making sure the timestamp on each packet does
705 also makes sure the timestamp on the packet does not go forward more
709 artificially extends the security of TCP sequence numbers by 10 to 18
710 bits when the host uses appropriately randomized timestamps, since a
711 blind attacker would have to guess the timestamp as well.
716 .Bd -literal -offset indent
717 scrub in on $ext_if all fragment reassemble
722 option prefixed to a scrub rule causes matching packets to remain unscrubbed,
723 much in the same way as
725 works in the packet filter (see below).
726 This mechanism should be used when it is necessary to exclude specific packets
727 from broader scrub rules.
729 The ALTQ system is currently not available in the GENERIC kernel nor as
731 In order to use the herein after called queueing options one has to use a
735 to learn about the related kernel options.
737 Packets can be assigned to queues for the purpose of bandwidth
739 At least two declarations are required to configure queues, and later
740 any packet filtering rule can reference the defined queues by name.
741 During the filtering component of
745 name is where any packets from
747 rules will be queued, while for
749 rules it specifies where any resulting ICMP or TCP RST
750 packets should be queued.
753 defines the algorithm used to decide which packets get delayed, dropped, or
754 sent out immediately.
760 Class Based Queueing.
762 attached to an interface build a tree, thus each
764 can have further child
766 Each queue can have a
772 mainly controls the time packets take to get sent out, while
774 has primarily effects on throughput.
776 achieves both partitioning and sharing of link bandwidth
777 by hierarchically structured classes.
778 Each class has its own
780 and is assigned its share of
782 A child class can borrow bandwidth from its parent class
783 as long as excess bandwidth is available
790 are flat attached to the interface, thus,
792 cannot have further child
798 assigned, ranging from 0 to 15.
805 Hierarchical Fair Service Curve.
807 attached to an interface build a tree, thus each
809 can have further child
811 Each queue can have a
817 mainly controls the time packets take to get sent out, while
819 has primarily effects on throughput.
821 supports both link-sharing and guaranteed real-time services.
822 It employs a service curve based QoS model,
823 and its unique feature is an ability to decouple
830 The interfaces on which queueing should be activated are declared using
835 has the following keywords:
838 Queueing is enabled on the named interface.
840 Specifies which queueing scheduler to use.
841 Currently supported values
844 for Class Based Queueing,
846 for Priority Queueing and
848 for the Hierarchical Fair Service Curve scheduler.
849 .It Ar bandwidth Aq Ar bw
850 The maximum bitrate for all queues on an
851 interface may be specified using the
854 The value can be specified as an absolute value or as a
855 percentage of the interface bandwidth.
856 When using an absolute value, the suffixes
862 are used to represent bits, kilobits, megabits, and
863 gigabits per second, respectively.
864 The value must not exceed the interface bandwidth.
867 is not specified, the interface bandwidth is used
868 (but take note that some interfaces do not know their bandwidth,
869 or can adapt their bandwidth rates).
870 .It Ar qlimit Aq Ar limit
871 The maximum number of packets held in the queue.
873 .It Ar tbrsize Aq Ar size
874 Adjusts the size, in bytes, of the token bucket regulator.
875 If not specified, heuristics based on the
876 interface bandwidth are used to determine the size.
877 .It Ar queue Aq Ar list
878 Defines a list of subqueues to create on an interface.
881 In the following example, the interface dc0
882 should queue up to 5 Mbit/s in four second-level queues using
883 Class Based Queueing.
884 Those four queues will be shown in a later example.
885 .Bd -literal -offset indent
886 altq on dc0 cbq bandwidth 5Mb queue { std, http, mail, ssh }
889 Once interfaces are activated for queueing using the
891 directive, a sequence of
893 directives may be defined.
894 The name associated with a
896 must match a queue defined in the
898 directive (e.g. mail), or, except for the
904 The following keywords can be used:
906 .It Ar on Aq Ar interface
907 Specifies the interface the queue operates on.
908 If not given, it operates on all matching interfaces.
909 .It Ar bandwidth Aq Ar bw
910 Specifies the maximum bitrate to be processed by the queue.
911 This value must not exceed the value of the parent
913 and can be specified as an absolute value or a percentage of the parent
915 If not specified, defaults to 100% of the parent queue's bandwidth.
918 scheduler does not support bandwidth specification.
919 .It Ar priority Aq Ar level
920 Between queues a priority level can be set.
925 the range is 0 to 7 and for
927 the range is 0 to 15.
928 The default for all is 1.
930 queues with a higher priority are always served first.
934 queues with a higher priority are preferred in the case of overload.
935 .It Ar qlimit Aq Ar limit
936 The maximum number of packets held in the queue.
942 can get additional parameters with
944 .Pf ( Aq Ar parameters ) .
946 Parameters are as follows:
949 Packets not matched by another queue are assigned to this one.
950 Exactly one default queue is required.
952 Enable RED (Random Early Detection) on this queue.
953 RED drops packets with a probability proportional to the average
956 Enables RIO on this queue.
957 RIO is RED with IN/OUT, thus running
958 RED two times more than RIO would achieve the same effect.
959 RIO is currently not supported in the GENERIC kernel.
961 Enables ECN (Explicit Congestion Notification) on this queue.
968 supports an additional option:
971 The queue can borrow bandwidth from the parent.
977 supports some additional options:
979 .It Ar realtime Aq Ar sc
980 The minimum required bandwidth for the queue.
981 .It Ar upperlimit Aq Ar sc
982 The maximum allowed bandwidth for the queue.
983 .It Ar linkshare Aq Ar sc
984 The bandwidth share of a backlogged queue.
991 The format for service curve specifications is
992 .Ar ( m1 , d , m2 ) .
994 controls the bandwidth assigned to the queue.
998 are optional and can be used to control the initial bandwidth assignment.
1001 milliseconds the queue gets the bandwidth given as
1003 afterwards the value given in
1010 child queues can be specified as in an
1012 declaration, thus building a tree of queues using a part of
1013 their parent's bandwidth.
1015 Packets can be assigned to queues based on filter rules by using the
1020 is specified; when a second one is specified it will instead be used for
1021 packets which have a
1025 and for TCP ACKs with no data payload.
1027 To continue the previous example, the examples below would specify the
1029 queues, plus a few child queues.
1032 sessions get priority over bulk transfers like
1036 The queues may then be referenced by filtering rules (see
1037 .Sx PACKET FILTERING
1040 queue std bandwidth 10% cbq(default)
1041 queue http bandwidth 60% priority 2 cbq(borrow red) \e
1042 { employees, developers }
1043 queue developers bandwidth 75% cbq(borrow)
1044 queue employees bandwidth 15%
1045 queue mail bandwidth 10% priority 0 cbq(borrow ecn)
1046 queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
1047 queue ssh_interactive bandwidth 50% priority 7 cbq(borrow)
1048 queue ssh_bulk bandwidth 50% priority 0 cbq(borrow)
1050 block return out on dc0 inet all queue std
1051 pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e
1053 pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e
1055 pass out on dc0 inet proto tcp from any to any port 22 \e
1056 queue(ssh_bulk, ssh_interactive)
1057 pass out on dc0 inet proto tcp from any to any port 25 \e
1061 Translation rules modify either the source or destination address of the
1062 packets associated with a stateful connection.
1063 A stateful connection is automatically created to track packets matching
1064 such a rule as long as they are not blocked by the filtering section of
1066 The translation engine modifies the specified address and/or port in the
1067 packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to
1068 the packet filter for evaluation.
1070 Since translation occurs before filtering the filter
1071 engine will see packets as they look after any
1072 addresses and ports have been translated.
1073 Filter rules will therefore have to filter based on the translated
1074 address and port number.
1075 Packets that match a translation rule are only automatically passed if
1078 modifier is given, otherwise they are
1085 The state entry created permits
1087 to keep track of the original address for traffic associated with that state
1088 and correctly direct return traffic for that connection.
1090 Various types of translation are possible with pf:
1091 .Bl -tag -width xxxx
1095 rule specifies a bidirectional mapping between an external IP netblock
1096 and an internal IP netblock.
1100 rule specifies that IP addresses are to be changed as the packet
1101 traverses the given interface.
1102 This technique allows one or more IP addresses
1103 on the translating host to support network traffic for a larger range of
1104 machines on an "inside" network.
1105 Although in theory any IP address can be used on the inside, it is strongly
1106 recommended that one of the address ranges defined by RFC 1918 be used.
1107 These netblocks are:
1109 10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8)
1110 172.16.0.0 - 172.31.255.255 (i.e., 172.16/12)
1111 192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
1114 The packet is redirected to another destination and possibly a
1117 rules can optionally specify port ranges instead of single ports.
1118 rdr ... port 2000:2999 -\*(Gt ... port 4000
1119 redirects ports 2000 to 2999 (inclusive) to port 4000.
1120 rdr ... port 2000:2999 -\*(Gt ... port 4000:*
1121 redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999.
1124 In addition to modifying the address, some translation rules may modify
1125 source or destination ports for
1129 connections; implicitly in the case of
1131 rules and explicitly in the case of
1134 Port numbers are never translated with a
1138 Evaluation order of the translation rules is dependent on the type
1139 of the translation rules and of the direction of a packet.
1141 rules are always evaluated first.
1144 rules are evaluated on an inbound packet or the
1146 rules on an outbound packet.
1147 Rules of the same type are evaluated in the same order in which they
1148 appear in the ruleset.
1149 The first matching rule decides what action is taken.
1153 option prefixed to a translation rule causes packets to remain untranslated,
1154 much in the same way as
1156 works in the packet filter (see below).
1157 If no rule matches the packet it is passed to the filter engine unmodified.
1159 Translation rules apply only to packets that pass through
1160 the specified interface, and if no interface is specified,
1161 translation is applied to packets on all interfaces.
1162 For instance, redirecting port 80 on an external interface to an internal
1163 web server will only work for connections originating from the outside.
1164 Connections to the address of the external interface from local hosts will
1165 not be redirected, since such packets do not actually pass through the
1167 Redirections cannot reflect packets back through the interface they arrive
1168 on, they can only be redirected to hosts connected to different interfaces
1169 or to the firewall itself.
1171 Note that redirecting external incoming connections to the loopback
1173 .Bd -literal -offset indent
1174 rdr on ne3 inet proto tcp to port spamd -\*(Gt 127.0.0.1 port smtp
1177 will effectively allow an external host to connect to daemons
1178 bound solely to the loopback address, circumventing the traditional
1179 blocking of such connections on a real interface.
1180 Unless this effect is desired, any of the local non-loopback addresses
1181 should be used as redirection target instead, which allows external
1182 connections only to daemons bound to this address or not bound to
1186 .Sx TRANSLATION EXAMPLES
1188 .Sh PACKET FILTERING
1194 packets based on attributes of their layer 3 (see
1204 In addition, packets may also be
1205 assigned to queues for the purpose of bandwidth control.
1207 For each packet processed by the packet filter, the filter rules are
1208 evaluated in sequential order, from first to last.
1209 The last matching rule decides what action is taken.
1210 If no rule matches the packet, the default action is to pass
1213 The following actions can be used in the filter:
1214 .Bl -tag -width xxxx
1216 The packet is blocked.
1217 There are a number of ways in which a
1219 rule can behave when blocking a packet.
1220 The default behaviour is to
1222 packets silently, however this can be overridden or made
1223 explicit either globally, by setting the
1225 option, or on a per-rule basis with one of the following options:
1227 .Bl -tag -width xxxx -compact
1229 The packet is silently dropped.
1231 This applies only to
1233 packets, and issues a TCP RST which closes the
1237 This causes ICMP messages to be returned for packets which match the rule.
1238 By default this is an ICMP UNREACHABLE message, however this
1239 can be overridden by specifying a message as a code or number.
1241 This causes a TCP RST to be returned for
1243 packets and an ICMP UNREACHABLE for UDP and other packets.
1246 Options returning ICMP packets currently have no effect if
1250 as the code to support this feature has not yet been implemented.
1252 The simplest mechanism to block everything by default and only pass
1253 packets that match explicit rules is specify a first filter rule of:
1254 .Bd -literal -offset indent
1258 The packet is passed;
1259 state is created state unless the
1261 option is specified.
1266 filters packets statefully; the first time a packet matches a
1268 rule, a state entry is created; for subsequent packets the filter checks
1269 whether the packet matches any state.
1270 If it does, the packet is passed without evaluation of any rules.
1271 After the connection is closed or times out, the state entry is automatically
1274 This has several advantages.
1275 For TCP connections, comparing a packet to a state involves checking
1276 its sequence numbers, as well as TCP timestamps if a
1277 .Ar scrub reassemble tcp
1278 rule applies to the connection.
1279 If these values are outside the narrow windows of expected
1280 values, the packet is dropped.
1281 This prevents spoofing attacks, such as when an attacker sends packets with
1282 a fake source address/port but does not know the connection's sequence
1286 knows how to match ICMP replies to states.
1288 .Bd -literal -offset indent
1289 pass out inet proto icmp all icmp-type echoreq
1292 allows echo requests (such as those created by
1294 out statefully, and matches incoming echo replies correctly to states.
1296 Also, looking up states is usually faster than evaluating rules.
1297 If there are 50 rules, all of them are evaluated sequentially in O(n).
1298 Even with 50000 states, only 16 comparisons are needed to match a
1299 state, since states are stored in a binary search tree that allows
1300 searches in O(log2 n).
1302 Furthermore, correct handling of ICMP error messages is critical to
1303 many protocols, particularly TCP.
1305 matches ICMP error messages to the correct connection, checks them against
1306 connection parameters, and passes them if appropriate.
1307 For example if an ICMP source quench message referring to a stateful TCP
1308 connection arrives, it will be matched to the state and get passed.
1310 Finally, state tracking is required for
1311 .Ar nat , binat No and Ar rdr
1312 rules, in order to track address and port translations and reverse the
1313 translation on returning packets.
1316 will also create state for other protocols which are effectively stateless by
1318 UDP packets are matched to states using only host addresses and ports,
1319 and other protocols are matched to states using only the host addresses.
1321 If stateless filtering of individual packets is desired,
1324 keyword can be used to specify that state will not be created
1325 if this is the last matching rule.
1326 A number of parameters can also be set to affect how
1328 handles state tracking.
1330 .Sx STATEFUL TRACKING OPTIONS
1331 below for further details.
1333 The rule parameters specify the packets to which a rule applies.
1334 A packet always comes in on, or goes out through, one interface.
1335 Most parameters are optional.
1336 If a parameter is specified, the rule only applies to packets with
1337 matching attributes.
1338 Certain parameters can be expressed as lists, in which case
1340 generates all needed rule combinations.
1341 .Bl -tag -width xxxx
1342 .It Ar in No or Ar out
1343 This rule applies to incoming or outgoing packets.
1348 are specified, the rule will match packets in both directions.
1350 In addition to the action specified, a log message is generated.
1351 Only the packet that establishes the state is logged,
1354 option is specified.
1355 The logged packets are sent to a
1357 interface, by default
1359 This interface is monitored by the
1361 logging daemon, which dumps the logged packets to the file
1367 Used to force logging of all packets for a connection.
1368 This is not necessary when
1370 is explicitly specified.
1373 packets are logged to
1378 user ID of the user that owns the socket and the PID of the process that
1379 has the socket open where the packet is sourced from or destined to
1380 (depending on which socket is local).
1381 This is in addition to the normal information logged.
1383 Due to the problems described in the BUGS section only the first packet
1386 will have the user credentials logged when using stateful matching.
1387 .It Ar log (to Aq Ar interface )
1388 Send logs to the specified
1390 interface instead of
1393 If a packet matches a rule which has the
1395 option set, this rule
1396 is considered the last matching rule, and evaluation of subsequent rules
1398 .It Ar on Aq Ar interface
1399 This rule applies only to packets coming in on, or going out through, this
1400 particular interface or interface group.
1401 For more information on interface groups,
1407 This rule applies only to packets of this address family.
1408 Supported values are
1412 .It Ar proto Aq Ar protocol
1413 This rule applies only to packets of this protocol.
1414 Common protocols are
1420 For a list of all the protocol name to number mappings used by
1423 .Em /etc/protocols .
1425 .Ar from Aq Ar source
1426 .Ar port Aq Ar source
1431 This rule applies only to packets with the specified source and destination
1432 addresses and ports.
1434 Addresses can be specified in CIDR notation (matching netblocks), as
1435 symbolic host names or interface names, or as any of the following keywords:
1437 .Bl -tag -width xxxxxxxxxxxxxx -compact
1440 .It Ar route Aq Ar label
1441 Any address whose associated route has label
1448 Any address which is not currently routable.
1450 Any source address that fails a unicast reverse path forwarding (URPF)
1451 check, i.e. packets coming in on an interface other than that which holds
1452 the route back to the packet's source address.
1454 Any address that matches the given table.
1457 Interface names can have modifiers appended:
1459 .Bl -tag -width xxxxxxxxxxxx -compact
1461 Translates to the network(s) attached to the interface.
1463 Translates to the interface's broadcast address(es).
1465 Translates to the point to point interface's peer address(es).
1467 Do not include interface aliases.
1470 Host names may also have the
1472 option appended to restrict the name resolution to the first of each
1473 v4 and v6 address found.
1475 Host name resolution and interface to address translation are done at
1477 When the address of an interface (or host name) changes (under DHCP or PPP,
1478 for instance), the ruleset must be reloaded for the change to be reflected
1480 Surrounding the interface name (and optional modifiers) in parentheses
1481 changes this behaviour.
1482 When the interface name is surrounded by parentheses, the rule is
1483 automatically updated whenever the interface changes its address.
1484 The ruleset does not need to be reloaded.
1485 This is especially useful with
1488 Ports can be specified either by number or by name.
1489 For example, port 80 can be specified as
1491 For a list of all port name to number mappings used by
1496 Ports and ranges of ports are specified by using these operators:
1497 .Bd -literal -offset indent
1501 \*(Le (less than or equal)
1502 \*(Gt (greater than)
1503 \*(Ge (greater than or equal)
1504 : (range including boundaries)
1505 \*(Gt\*(Lt (range excluding boundaries)
1506 \*(Lt\*(Gt (except range)
1513 are binary operators (they take two arguments).
1516 .It Ar port 2000:2004
1518 .Sq all ports \*(Ge 2000 and \*(Le 2004 ,
1519 hence ports 2000, 2001, 2002, 2003 and 2004.
1520 .It Ar port 2000 \*(Gt\*(Lt 2004
1522 .Sq all ports \*(Gt 2000 and \*(Lt 2004 ,
1523 hence ports 2001, 2002 and 2003.
1524 .It Ar port 2000 \*(Lt\*(Gt 2004
1526 .Sq all ports \*(Lt 2000 or \*(Gt 2004 ,
1527 hence ports 1-1999 and 2005-65535.
1530 The operating system of the source host can be specified in the case of TCP
1535 .Sx OPERATING SYSTEM FINGERPRINTING
1536 section for more information.
1538 The host, port and OS specifications are optional, as in the following examples:
1539 .Bd -literal -offset indent
1541 pass in from any to any
1542 pass in proto tcp from any port \*(Le 1024 to any
1543 pass in proto tcp from any to any port 25
1544 pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e
1545 to ! 10.1.2.3 port != ssh
1546 pass in proto tcp from any os "OpenBSD"
1547 pass in proto tcp from route "DTAG"
1550 This is equivalent to "from any to any".
1551 .It Ar group Aq Ar group
1554 this rule only applies to packets of sockets owned by the specified group.
1561 .Va debug.mpsafenet Ns = Ns 1
1562 environments may result in a deadlock.
1565 section for details.
1566 .It Ar user Aq Ar user
1567 This rule only applies to packets of sockets owned by the specified user.
1568 For outgoing connections initiated from the firewall, this is the user
1569 that opened the connection.
1570 For incoming connections to the firewall itself, this is the user that
1571 listens on the destination port.
1572 For forwarded connections, where the firewall is not a connection endpoint,
1573 the user and group are
1576 All packets, both outgoing and incoming, of one connection are associated
1577 with the same user and group.
1578 Only TCP and UDP packets can be associated with users; for other protocols
1579 these parameters are ignored.
1581 User and group refer to the effective (as opposed to the real) IDs, in
1582 case the socket is created by a setuid/setgid process.
1583 User and group IDs are stored when a socket is created;
1584 when a process creates a listening socket as root (for instance, by
1585 binding to a privileged port) and subsequently changes to another
1586 user ID (to drop privileges), the credentials will remain root.
1588 User and group IDs can be specified as either numbers or names.
1589 The syntax is similar to the one for ports.
1592 matches packets of forwarded connections.
1594 can only be used with the operators
1598 Other constructs like
1599 .Cm user \*(Ge unknown
1601 Forwarded packets with unknown user and group ID match only rules
1602 that explicitly compare against
1610 does not match forwarded packets.
1611 The following example allows only selected users to open outgoing
1613 .Bd -literal -offset indent
1614 block out proto { tcp, udp } all
1615 pass out proto { tcp, udp } all user { \*(Lt 1000, dhartmei }
1617 .It Xo Ar flags Aq Ar a
1619 .No \*(Ba / Ns Aq Ar b
1622 This rule only applies to TCP packets that have the flags
1626 Flags not specified in
1629 For stateful connections, the default is
1631 To indicate that flags should not be checkd at all, specify
1633 The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
1637 The other flags are ignored.
1639 This is the default setting for stateful connections.
1640 Out of SYN and ACK, exactly SYN may be set.
1641 SYN, SYN+PSH and SYN+RST match, but SYN+ACK, ACK and ACK+RST do not.
1642 This is more restrictive than the previous example.
1644 If the first set is not specified, it defaults to none.
1645 All of SYN, FIN, RST and ACK must be unset.
1650 is applied by default (unless
1652 is specified), only the initial SYN packet of a TCP handshake will create
1653 a state for a TCP connection.
1654 It is possible to be less restrictive, and allow state creation from
1657 packets, by specifying
1661 to synchronize to existing connections, for instance
1662 if one flushes the state table.
1663 However, states created from such intermediate packets may be missing
1664 connection details such as the TCP window scaling factor.
1665 States which modify the packet flow, such as those affected by
1666 .Ar nat , binat No or Ar rdr
1668 .Ar modulate No or Ar synproxy state
1669 options, or scrubbed with
1671 will also not be recoverable from intermediate packets.
1672 Such connections will stall and time out.
1673 .It Xo Ar icmp-type Aq Ar type
1676 .It Xo Ar icmp6-type Aq Ar type
1679 This rule only applies to ICMP or ICMPv6 packets with the specified type
1681 Text names for ICMP types and codes are listed in
1685 This parameter is only valid for rules that cover protocols ICMP or
1687 The protocol and the ICMP type indicator
1694 .It Xo Ar tos Aq Ar string
1695 .No \*(Ba Aq Ar number
1697 This rule applies to packets with the specified
1706 or as either hex or decimal.
1708 For example, the following rules are identical:
1709 .Bd -literal -offset indent
1710 pass all tos lowdelay
1715 By default, IPv4 packets with IP options or IPv6 packets with routing
1716 extension headers are blocked.
1721 rule, packets that pass the filter based on that rule (last matching)
1722 do so even if they contain IP options or routing extension headers.
1723 For packets that match state, the rule that initially created the
1727 rule that is used when a packet does not match any rules does not
1729 .It Ar label Aq Ar string
1730 Adds a label (name) to the rule, which can be used to identify the rule.
1733 shows per-rule statistics for rules that have labels.
1735 The following macros can be used in labels:
1737 .Bl -tag -width $srcaddr -compact -offset indent
1741 The source IP address.
1743 The destination IP address.
1745 The source port specification.
1747 The destination port specification.
1755 .Bd -literal -offset indent
1756 ips = \&"{ 1.2.3.4, 1.2.3.5 }\&"
1757 pass in proto tcp from any to $ips \e
1758 port \*(Gt 1023 label \&"$dstaddr:$dstport\&"
1762 .Bd -literal -offset indent
1763 pass in inet proto tcp from any to 1.2.3.4 \e
1764 port \*(Gt 1023 label \&"1.2.3.4:\*(Gt1023\&"
1765 pass in inet proto tcp from any to 1.2.3.5 \e
1766 port \*(Gt 1023 label \&"1.2.3.5:\*(Gt1023\&"
1769 The macro expansion for the
1771 directive occurs only at configuration file parse time, not during runtime.
1772 .It Xo Ar queue Aq Ar queue
1773 .No \*(Ba ( Aq Ar queue ,
1776 Packets matching this rule will be assigned to the specified queue.
1777 If two queues are given, packets which have a
1781 and TCP ACKs with no data payload will be assigned to the second one.
1787 .Bd -literal -offset indent
1788 pass in proto tcp to port 25 queue mail
1789 pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio)
1791 .It Ar tag Aq Ar string
1792 Packets matching this rule will be tagged with the
1794 The tag acts as an internal marker that can be used to
1795 identify these packets later on.
1796 This can be used, for example, to provide trust between
1797 interfaces and to determine if packets have been
1798 processed by translation rules.
1801 meaning that the packet will be tagged even if the rule
1802 is not the last matching rule.
1803 Further matching rules can replace the tag with a
1804 new one but will not remove a previously applied tag.
1805 A packet is only ever assigned one tag at a time.
1806 Packet tagging can be done during
1811 rules in addition to filter rules.
1812 Tags take the same macros as labels (see above).
1813 .It Ar tagged Aq Ar string
1814 Used with filter or translation rules to specify that packets must already
1815 be tagged with the given tag in order to match the rule.
1816 Inverse tag matching can also be done
1822 .It Ar rtable Aq Ar number
1823 Used to select an alternate routing table for the routing lookup.
1824 Only effective before the route lookup happened, i.e. when filtering inbound.
1825 .It Ar probability Aq Ar number
1826 A probability attribute can be attached to a rule, with a value set between
1827 0 and 1, bounds not included.
1828 In that case, the rule will be honoured using the given probability value
1830 For example, the following rule will drop 20% of incoming ICMP packets:
1831 .Bd -literal -offset indent
1832 block in proto icmp probability 20%
1836 If a packet matches a rule with a route option set, the packet filter will
1837 route the packet according to the type of route option.
1838 When such a rule creates state, the route option is also applied to all
1839 packets matching the same connection.
1840 .Bl -tag -width xxxx
1844 option does a normal route lookup to find the next hop for the packet.
1848 option routes the packet to the specified interface with an optional address
1852 rule creates state, only packets that pass in the same direction as the
1853 filter rule specifies will be routed in this way.
1854 Packets passing in the opposite direction (replies) are not affected
1855 and are routed normally.
1859 option is similar to
1861 but routes packets that pass in the opposite direction (replies) to the
1862 specified interface.
1863 Opposite direction is only defined in the context of a state entry, and
1865 is useful only in rules that create state.
1866 It can be used on systems with multiple external connections to
1867 route all outgoing packets of a connection through the interface
1868 the incoming connection arrived through (symmetric routing enforcement).
1872 option creates a duplicate of the packet and routes it like
1874 The original packet gets routed as it normally would.
1881 rules, (as well as for the
1886 rule options) for which there is a single redirection address which has a
1887 subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP
1888 address), a variety of different methods for assigning this address can be
1890 .Bl -tag -width xxxx
1894 option applies the network portion of the redirection address to the address
1895 to be modified (source with
1902 option selects an address at random within the defined block of addresses.
1906 option uses a hash of the source address to determine the redirection address,
1907 ensuring that the redirection address is always the same for a given source.
1908 An optional key can be specified after this keyword either in hex or as a
1911 randomly generates a key for source-hash every time the
1912 ruleset is reloaded.
1916 option loops through the redirection address(es).
1918 When more than one redirection address is specified,
1920 is the only permitted pool type.
1928 from modifying the source port on TCP and UDP packets.
1933 option can be specified to help ensure that multiple connections from the
1934 same source are mapped to the same redirection address.
1935 This option can be used with the
1940 Note that by default these associations are destroyed as soon as there are
1941 no longer states which refer to them; in order to make the mappings last
1942 beyond the lifetime of the states, increase the global options with
1943 .Ar set timeout source-track
1945 .Sx STATEFUL TRACKING OPTIONS
1946 for more ways to control the source tracking.
1947 .Sh STATE MODULATION
1948 Much of the security derived from TCP is attributable to how well the
1949 initial sequence numbers (ISNs) are chosen.
1950 Some popular stack implementations choose
1952 poor ISNs and thus are normally susceptible to ISN prediction exploits.
1955 rule to a TCP connection,
1957 will create a high quality random sequence number for each connection
1962 directive implicitly keeps state on the rule and is
1963 only applicable to TCP connections.
1966 .Bd -literal -offset indent
1968 pass out proto tcp from any to any modulate state
1969 pass in proto tcp from any to any port 25 flags S/SFRA modulate state
1972 Note that modulated connections will not recover when the state table
1973 is lost (firewall reboot, flushing the state table, etc...).
1975 will not be able to infer a connection again after the state table flushes
1976 the connection's modulator.
1977 When the state is lost, the connection may be left dangling until the
1978 respective endpoints time out the connection.
1979 It is possible on a fast local network for the endpoints to start an ACK
1980 storm while trying to resynchronize after the loss of the modulator.
1983 settings (or a more strict equivalent) should be used on
1985 rules to prevent ACK storms.
1987 Note that alternative methods are available
1988 to prevent loss of the state table
1989 and allow for firewall failover.
1994 for further information.
1998 passes packets that are part of a
2000 handshake between the endpoints.
2003 option can be used to cause
2005 itself to complete the handshake with the active endpoint, perform a handshake
2006 with the passive endpoint, and then forward packets between the endpoints.
2008 No packets are sent to the passive endpoint before the active endpoint has
2009 completed the handshake, hence so-called SYN floods with spoofed source
2010 addresses will not reach the passive endpoint, as the sender can't complete the
2013 The proxy is transparent to both endpoints, they each see a single
2014 connection from/to the other endpoint.
2016 chooses random initial sequence numbers for both handshakes.
2017 Once the handshakes are completed, the sequence number modulators
2018 (see previous section) are used to translate further packets of the
2022 .Ar modulate state .
2032 .Bd -literal -offset indent
2033 pass in proto tcp from any to any port www synproxy state
2035 .Sh STATEFUL TRACKING OPTIONS
2036 A number of options related to stateful tracking can be applied on a
2042 support these options, and
2044 must be specified explicitly to apply options to a rule.
2046 .Bl -tag -width xxxx -compact
2047 .It Ar max Aq Ar number
2048 Limits the number of concurrent states the rule may create.
2049 When this limit is reached, further packets matching the rule that would
2050 create state are dropped, until existing states time out.
2052 Prevent state changes for states created by this rule from appearing on the
2055 .It Xo Aq Ar timeout
2058 Changes the timeout values used for states created by this rule.
2059 For a list of all valid timeout names, see
2063 Uses a sloppy TCP connection tracker that does not check sequence
2064 numbers at all, which makes insertion and ICMP teardown attacks way
2066 This is intended to be used in situations where one does not see all
2067 packets of a connection, i.e. in asymmetric routing situations.
2068 Cannot be used with modulate or synproxy state.
2071 Multiple options can be specified, separated by commas:
2072 .Bd -literal -offset indent
2073 pass in proto tcp from any to any \e
2074 port www keep state \e
2075 (max 100, source-track rule, max-src-nodes 75, \e
2076 max-src-states 3, tcp.established 60, tcp.closing 5)
2081 keyword is specified, the number of states per source IP is tracked.
2083 .Bl -tag -width xxxx -compact
2084 .It Ar source-track rule
2085 The maximum number of states created by this rule is limited by the rule's
2090 Only state entries created by this particular rule count toward the rule's
2092 .It Ar source-track global
2093 The number of states created by all rules that use this option is limited.
2094 Each rule can specify different
2098 options, however state entries created by any participating rule count towards
2099 each individual rule's limits.
2102 The following limits can be set:
2104 .Bl -tag -width xxxx -compact
2105 .It Ar max-src-nodes Aq Ar number
2106 Limits the maximum number of source addresses which can simultaneously
2107 have state table entries.
2108 .It Ar max-src-states Aq Ar number
2109 Limits the maximum number of simultaneous state entries that a single
2110 source address can create with this rule.
2113 For stateful TCP connections, limits on established connections (connections
2114 which have completed the TCP 3-way handshake) can also be enforced
2117 .Bl -tag -width xxxx -compact
2118 .It Ar max-src-conn Aq Ar number
2119 Limits the maximum number of simultaneous TCP connections which have
2120 completed the 3-way handshake that a single host can make.
2121 .It Xo Ar max-src-conn-rate Aq Ar number
2124 Limit the rate of new connections over a time interval.
2125 The connection rate is an approximation calculated as a moving average.
2128 Because the 3-way handshake ensures that the source address is not being
2129 spoofed, more aggressive action can be taken based on these limits.
2131 .Ar overload Aq Ar table
2132 state option, source IP addresses which hit either of the limits on
2133 established connections will be added to the named table.
2134 This table can be used in the ruleset to block further activity from
2135 the offending host, redirect it to a tarpit process, or restrict its
2140 keyword kills all states created by the matching rule which originate
2141 from the host which exceeds these limits.
2144 modifier to the flush command kills all states originating from the
2145 offending host, regardless of which rule created the state.
2147 For example, the following rules will protect the webserver against
2148 hosts making more than 100 connections in 10 seconds.
2149 Any host which connects faster than this rate will have its address added
2152 table and have all states originating from it flushed.
2153 Any new packets arriving from this host will be dropped unconditionally
2155 .Bd -literal -offset indent
2156 block quick from \*(Ltbad_hosts\*(Gt
2157 pass in on $ext_if proto tcp to $webserver port www keep state \e
2158 (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global)
2160 .Sh OPERATING SYSTEM FINGERPRINTING
2161 Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP
2162 connection's initial SYN packet and guess at the host's operating system.
2163 Unfortunately these nuances are easily spoofed by an attacker so the
2164 fingerprint is not useful in making security decisions.
2165 But the fingerprint is typically accurate enough to make policy decisions
2168 The fingerprints may be specified by operating system class, by
2169 version, or by subtype/patchlevel.
2170 The class of an operating system is typically the vendor or genre
2176 The version of the oldest available
2178 release on the main FTP site
2179 would be 2.6 and the fingerprint would be written
2181 .Dl \&"OpenBSD 2.6\&"
2183 The subtype of an operating system is typically used to describe the
2184 patchlevel if that patch led to changes in the TCP stack behavior.
2187 the only subtype is for a fingerprint that was
2190 scrub option and would be specified as
2192 .Dl \&"OpenBSD 3.3 no-df\&"
2194 Fingerprints for most popular operating systems are provided by
2198 is running, a complete list of known operating system fingerprints may
2199 be listed by running:
2203 Filter rules can enforce policy at any level of operating system specification
2204 assuming a fingerprint is present.
2205 Policy could limit traffic to approved operating systems or even ban traffic
2206 from hosts that aren't at the latest service pack.
2210 class can also be used as the fingerprint which will match packets for
2211 which no operating system fingerprint is known.
2214 .Bd -literal -offset indent
2215 pass out proto tcp from any os OpenBSD
2216 block out proto tcp from any os Doors
2217 block out proto tcp from any os "Doors PT"
2218 block out proto tcp from any os "Doors PT SP3"
2219 block out from any os "unknown"
2220 pass on lo0 proto tcp from any os "OpenBSD 3.3 lo0"
2223 Operating system fingerprinting is limited only to the TCP SYN packet.
2224 This means that it will not work on other protocols and will not match
2225 a currently established connection.
2227 Caveat: operating system fingerprints are occasionally wrong.
2228 There are three problems: an attacker can trivially craft his packets to
2229 appear as any operating system he chooses;
2230 an operating system patch could change the stack behavior and no fingerprints
2231 will match it until the database is updated;
2232 and multiple operating systems may have the same fingerprint.
2233 .Sh BLOCKING SPOOFED TRAFFIC
2234 "Spoofing" is the faking of IP addresses, typically for malicious
2238 directive expands to a set of filter rules which will block all
2239 traffic with a source IP from the network(s) directly connected
2240 to the specified interface(s) from entering the system through
2241 any other interface.
2243 For example, the line
2244 .Bd -literal -offset indent
2249 .Bd -literal -offset indent
2250 block drop in on ! lo0 inet from 127.0.0.1/8 to any
2251 block drop in on ! lo0 inet6 from ::1 to any
2254 For non-loopback interfaces, there are additional rules to block incoming
2255 packets with a source IP address identical to the interface's IP(s).
2256 For example, assuming the interface wi0 had an IP address of 10.0.0.1 and a
2257 netmask of 255.255.255.0,
2259 .Bd -literal -offset indent
2260 antispoof for wi0 inet
2264 .Bd -literal -offset indent
2265 block drop in on ! wi0 inet from 10.0.0.0/24 to any
2266 block drop in inet from 10.0.0.1 to any
2269 Caveat: Rules created by the
2271 directive interfere with packets sent over loopback interfaces
2273 One should pass these explicitly.
2274 .Sh FRAGMENT HANDLING
2275 The size of IP datagrams (packets) can be significantly larger than the
2276 maximum transmission unit (MTU) of the network.
2277 In cases when it is necessary or more efficient to send such large packets,
2278 the large packet will be fragmented into many smaller packets that will each
2280 Unfortunately for a firewalling device, only the first logical fragment will
2281 contain the necessary header information for the subprotocol that allows
2283 to filter on things such as TCP ports or to perform NAT.
2287 rules as described in
2288 .Sx TRAFFIC NORMALIZATION
2289 above, there are three options for handling fragments in the packet filter.
2291 One alternative is to filter individual fragments with filter rules.
2294 rule applies to a fragment, it is passed to the filter.
2295 Filter rules with matching IP header parameters decide whether the
2296 fragment is passed or blocked, in the same way as complete packets
2298 Without reassembly, fragments can only be filtered based on IP header
2299 fields (source/destination address, protocol), since subprotocol header
2300 fields are not available (TCP/UDP port numbers, ICMP code/type).
2303 option can be used to restrict filter rules to apply only to
2304 fragments, but not complete packets.
2305 Filter rules without the
2307 option still apply to fragments, if they only specify IP header fields.
2308 For instance, the rule
2309 .Bd -literal -offset indent
2310 pass in proto tcp from any to any port 80
2313 never applies to a fragment, even if the fragment is part of a TCP
2314 packet with destination port 80, because without reassembly this information
2315 is not available for each fragment.
2316 This also means that fragments cannot create new or match existing
2317 state table entries, which makes stateful filtering and address
2318 translation (NAT, redirection) for fragments impossible.
2320 It's also possible to reassemble only certain fragments by specifying
2321 source or destination addresses or protocols as parameters in
2325 In most cases, the benefits of reassembly outweigh the additional
2326 memory cost, and it's recommended to use
2329 all fragments via the
2330 .Ar fragment reassemble
2333 The memory allocated for fragment caching can be limited using
2335 Once this limit is reached, fragments that would have to be cached
2336 are dropped until other entries time out.
2337 The timeout value can also be adjusted.
2339 Currently, only IPv4 fragments are supported and IPv6 fragments
2340 are blocked unconditionally.
2342 Besides the main ruleset,
2344 can load rulesets into
2349 is a container that can hold rules, address tables, and other anchors.
2353 has a name which specifies the path where
2355 can be used to access the anchor to perform operations on it, such as
2356 attaching child anchors to it or loading rules into it.
2357 Anchors may be nested, with components separated by
2359 characters, similar to how file system hierarchies are laid out.
2360 The main ruleset is actually the default anchor, so filter and
2361 translation rules, for example, may also be contained in any anchor.
2363 An anchor can reference another
2366 using the following kinds
2368 .Bl -tag -width xxxx
2369 .It Ar nat-anchor Aq Ar name
2372 rules in the specified
2374 .It Ar rdr-anchor Aq Ar name
2377 rules in the specified
2379 .It Ar binat-anchor Aq Ar name
2382 rules in the specified
2384 .It Ar anchor Aq Ar name
2385 Evaluates the filter rules in the specified
2387 .It Xo Ar load anchor
2391 Loads the rules from the specified file into the
2396 When evaluation of the main ruleset reaches an
2400 will proceed to evaluate all rules specified in that anchor.
2402 Matching filter and translation rules marked with the
2404 option are final and abort the evaluation of the rules in other
2405 anchors and the main ruleset.
2408 itself is marked with the
2411 ruleset evaluation will terminate when the anchor is exited if the packet is
2412 matched by any rule within the anchor.
2415 rules are evaluated relative to the anchor in which they are contained.
2418 rules specified in the main ruleset will reference anchor
2419 attachment points underneath the main ruleset, and
2421 rules specified in a file loaded from a
2423 rule will be attached under that anchor point.
2425 Rules may be contained in
2427 attachment points which do not contain any rules when the main ruleset
2428 is loaded, and later such anchors can be manipulated through
2430 without reloading the main ruleset or other anchors.
2432 .Bd -literal -offset indent
2434 block on $ext_if all
2436 pass out on $ext_if all
2437 pass in on $ext_if proto tcp from any \e
2438 to $ext_if port smtp
2441 blocks all packets on the external interface by default, then evaluates
2444 named "spam", and finally passes all outgoing connections and
2445 incoming connections to port 25.
2446 .Bd -literal -offset indent
2447 # echo \&"block in quick from 1.2.3.4 to any\&" \&| \e
2451 This loads a single rule into the
2453 which blocks all packets from a specific address.
2455 The anchor can also be populated by adding a
2460 .Bd -literal -offset indent
2462 load anchor spam from "/etc/pf-spam.conf"
2469 it will also load all the rules from the file
2470 .Pa /etc/pf-spam.conf
2475 rules can specify the parameter's
2476 direction, interface, address family, protocol and source/destination
2478 using the same syntax as filter rules.
2479 When parameters are used, the
2481 rule is only evaluated for matching packets.
2482 This allows conditional evaluation of anchors, like:
2483 .Bd -literal -offset indent
2484 block on $ext_if all
2485 anchor spam proto tcp from any to any port smtp
2486 pass out on $ext_if all
2487 pass in on $ext_if proto tcp from any to $ext_if port smtp
2492 spam are only evaluated for
2494 packets with destination port 25.
2496 .Bd -literal -offset indent
2497 # echo \&"block in quick from 1.2.3.4 to any" \&| \e
2501 will only block connections from 1.2.3.4 to port 25.
2503 Anchors may end with the asterisk
2505 character, which signifies that all anchors attached at that point
2506 should be evaluated in the alphabetical ordering of their anchor name.
2508 .Bd -literal -offset indent
2512 will evaluate each rule in each anchor attached to the
2515 Note that it will only evaluate anchors that are directly attached to the
2517 anchor, and will not descend to evaluate anchors recursively.
2519 Since anchors are evaluated relative to the anchor in which they are
2520 contained, there is a mechanism for accessing the parent and ancestor
2521 anchors of a given anchor.
2522 Similar to file system path name resolution, if the sequence
2524 appears as an anchor path component, the parent anchor of the current
2525 anchor in the path evaluation at that point will become the new current
2527 As an example, consider the following:
2528 .Bd -literal -offset indent
2529 # echo ' anchor "spam/allowed" ' | pfctl -f -
2530 # echo -e ' anchor "../banned" \en pass' | \e
2531 pfctl -a spam/allowed -f -
2534 Evaluation of the main ruleset will lead into the
2536 anchor, which will evaluate the rules in the
2538 anchor, if any, before finally evaluating the
2544 can also be loaded inline in the ruleset within a brace ('{' '}') delimited
2546 Brace delimited blocks may contain rules or other brace-delimited blocks.
2547 When anchors are loaded this way the anchor name becomes optional.
2548 .Bd -literal -offset indent
2549 anchor "external" on egress {
2552 pass proto tcp from any to port { 25, 80, 443 }
2554 pass in proto tcp to any port 22
2558 Since the parser specification for anchor names is a string, any
2559 reference to an anchor name containing
2561 characters will require double quote
2563 characters around the anchor name.
2564 .Sh TRANSLATION EXAMPLES
2565 This example maps incoming requests on port 80 to port 8080, on
2566 which a daemon is running (because, for example, it is not run as root,
2567 and therefore lacks permission to bind to port 80).
2569 # use a macro for the interface name, so it can be changed easily
2572 # map daemon on 8080 to appear to be on 80
2573 rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080
2578 modifier is given, packets matching the translation rule are passed without
2579 inspecting the filter rules:
2581 rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e
2585 In the example below, vlan12 is configured as 192.168.168.1;
2586 the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111
2587 when they are going out any interface except vlan12.
2588 This has the net effect of making traffic from the 192.168.168.0/24
2589 network appear as though it is the Internet routable address
2590 204.92.77.111 to nodes behind any interface on the router except
2591 for the nodes on vlan12.
2592 (Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.)
2594 nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111
2597 In the example below, the machine sits between a fake internal 144.19.74.*
2598 network, and a routable external IP of 204.92.77.100.
2601 rule excludes protocol AH from being translated.
2604 no nat on $ext_if proto ah from 144.19.74.0/24 to any
2605 nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100
2608 In the example below, packets bound for one specific server, as well as those
2609 generated by the sysadmins are not proxied; all other connections are.
2612 no rdr on $int_if proto { tcp, udp } from any to $server port 80
2613 no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
2614 rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e
2618 This longer example uses both a NAT and a redirection.
2619 The external interface has the address 157.161.48.183.
2620 On localhost, we are running
2622 waiting for FTP sessions to be redirected to it.
2623 The three mandatory anchors for
2625 are omitted from this example; see the
2630 # Translate outgoing packets' source addresses (any protocol).
2631 # In this case, any address but the gateway's external address is mapped.
2632 nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if)
2635 # Map outgoing packets' source port to an assigned proxy port instead of
2636 # an arbitrary port.
2637 # In this case, proxy outgoing isakmp with port 500 on the gateway.
2638 nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e
2642 # Translate outgoing packets' source address (any protocol).
2643 # Translate incoming packets' destination address to an internal machine
2645 binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if
2648 # Translate incoming packets' destination addresses.
2649 # As an example, redirect a TCP and UDP port to an internal machine.
2650 rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e
2651 -\*(Gt 10.1.2.151 port 22
2652 rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e
2653 -\*(Gt 10.1.2.151 port 53
2656 # Translate outgoing ftp control connections to send them to localhost
2657 # for proxying with ftp-proxy(8) running on port 8021.
2658 rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021
2661 In this example, a NAT gateway is set up to translate internal addresses
2662 using a pool of public addresses (192.0.2.16/28) and to redirect
2663 incoming web server connections to a group of web servers on the internal
2667 # Translate outgoing packets' source addresses using an address pool.
2668 # A given source address is always translated to the same pool address by
2669 # using the source-hash keyword.
2670 nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash
2673 # Translate incoming web server connections to a group of web servers on
2674 # the internal network.
2675 rdr on $ext_if proto tcp from any to any port 80 \e
2676 -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
2680 # The external interface is kue0
2681 # (157.161.48.183, the only routable address)
2682 # and the private network is 10.0.0.0/8, for which we are doing NAT.
2684 # use a macro for the interface name, so it can be changed easily
2687 # normalize all incoming traffic
2688 scrub in on $ext_if all fragment reassemble
2690 # block and log everything by default
2691 block return log on $ext_if all
2693 # block anything coming from source we have no back routes for
2694 block in from no-route to any
2696 # block packets whose ingress interface does not match the one in
2697 # the route back to their source address
2698 block in from urpf-failed to any
2700 # block and log outgoing packets that do not have our address as source,
2701 # they are either spoofed or something is misconfigured (NAT disabled,
2702 # for instance), we want to be nice and do not send out garbage.
2703 block out log quick on $ext_if from ! 157.161.48.183 to any
2705 # silently drop broadcasts (cable modem noise)
2706 block in quick on $ext_if from any to 255.255.255.255
2708 # block and log incoming packets from reserved address space and invalid
2709 # addresses, they are either spoofed or misconfigured, we cannot reply to
2710 # them anyway (hence, no return-rst).
2711 block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \e
2712 192.168.0.0/16, 255.255.255.255/32 } to any
2716 # pass out/in certain ICMP queries and keep state (ping)
2717 # state matching is done on host addresses and ICMP id (not type/code),
2718 # so replies (like 0/0 for 8/0) will match queries
2719 # ICMP error messages (which always refer to a TCP/UDP packet) are
2720 # handled by the TCP/UDP states
2721 pass on $ext_if inet proto icmp all icmp-type 8 code 0
2725 # pass out all UDP connections and keep state
2726 pass out on $ext_if proto udp all
2728 # pass in certain UDP connections and keep state (DNS)
2729 pass in on $ext_if proto udp from any to any port domain
2733 # pass out all TCP connections and modulate state
2734 pass out on $ext_if proto tcp all modulate state
2736 # pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT)
2737 pass in on $ext_if proto tcp from any to any port { ssh, smtp, domain, \e
2740 # Do not allow Windows 9x SMTP connections since they are typically
2741 # a viral worm. Alternately we could limit these OSes to 1 connection each.
2742 block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e
2746 # pass in/out all IPv6 traffic: note that we have to enable this in two
2747 # different ways, on both our physical interface and our tunnel
2748 pass quick on gif0 inet6
2749 pass quick on $ext_if proto ipv6
2753 # three interfaces: $int_if, $ext_if, and $wifi_if (wireless). NAT is
2754 # being done on $ext_if for all outgoing packets. tag packets in on
2755 # $int_if and pass those tagged packets out on $ext_if. all other
2756 # outgoing packets (i.e., packets from the wireless network) are only
2757 # permitted to access port 80.
2759 pass in on $int_if from any to any tag INTNET
2760 pass in on $wifi_if from any to any
2762 block out on $ext_if from any to any
2763 pass out quick on $ext_if tagged INTNET
2764 pass out on $ext_if proto tcp from any to any port 80
2766 # tag incoming packets as they are redirected to spamd(8). use the tag
2767 # to pass those packets through the packet filter.
2769 rdr on $ext_if inet proto tcp from \*(Ltspammers\*(Gt to port smtp \e
2770 tag SPAMD -\*(Gt 127.0.0.1 port spamd
2773 pass in on $ext_if inet proto tcp tagged SPAMD
2780 line = ( option | pf-rule | nat-rule | binat-rule | rdr-rule |
2781 antispoof-rule | altq-rule | queue-rule | trans-anchors |
2782 anchor-rule | anchor-close | load-anchor | table-rule | )
2784 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
2785 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
2786 [ "optimization" [ "default" | "normal" |
2787 "high-latency" | "satellite" |
2788 "aggressive" | "conservative" ] ]
2789 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
2790 [ "loginterface" ( interface-name | "none" ) ] |
2791 [ "block-policy" ( "drop" | "return" ) ] |
2792 [ "state-policy" ( "if-bound" | "floating" ) ]
2793 [ "require-order" ( "yes" | "no" ) ]
2794 [ "fingerprints" filename ] |
2795 [ "skip on" ( interface-name | "{" interface-list "}" ) ] |
2796 [ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] )
2798 pf-rule = action [ ( "in" | "out" ) ]
2799 [ "log" [ "(" logopts ")"] ] [ "quick" ]
2800 [ "on" ifspec ] [ "fastroute" | route ] [ af ] [ protospec ]
2801 hosts [ filteropt-list ]
2803 logopts = logopt [ "," logopts ]
2804 logopt = "all" | "user" | "to" interface-name
2806 filteropt-list = filteropt-list filteropt | filteropt
2807 filteropt = user | group | flags | icmp-type | icmp6-type | tos |
2808 ( "no" | "keep" | "modulate" | "synproxy" ) "state"
2809 [ "(" state-opts ")" ] |
2810 "fragment" | "no-df" | "min-ttl" number |
2811 "max-mss" number | "random-id" | "reassemble tcp" |
2812 fragmentation | "allow-opts" |
2813 "label" string | "tag" string | [ ! ] "tagged" string |
2814 "queue" ( string | "(" string [ [ "," ] string ] ")" ) |
2815 "rtable" number | "probability" number"%"
2817 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
2818 [ "on" ifspec ] [ af ]
2819 [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
2820 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
2821 [ portspec ] [ pooltype ] [ "static-port" ] ]
2823 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
2824 [ "on" interface-name ] [ af ]
2825 [ "proto" ( proto-name | proto-number ) ]
2826 "from" address [ "/" mask-bits ] "to" ipspec
2827 [ "tag" string ] [ "tagged" string ]
2828 [ "-\*(Gt" address [ "/" mask-bits ] ]
2830 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
2831 [ "on" ifspec ] [ af ]
2832 [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
2833 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
2834 [ portspec ] [ pooltype ] ]
2836 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
2837 "for" ( interface-name | "{" interface-list "}" )
2838 [ af ] [ "label" string ]
2840 table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
2841 tableopts-list = tableopts-list tableopts | tableopts
2842 tableopts = "persist" | "const" | "file" string |
2843 "{" [ tableaddr-list ] "}"
2844 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
2845 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
2846 tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex |
2847 interface-name | "self"
2849 altq-rule = "altq on" interface-name queueopts-list
2851 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
2854 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
2855 [ af ] [ protospec ] [ hosts ] [ "{" ]
2859 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
2860 [ "on" ifspec ] [ af ] [ "proto" ] [ protospec ] [ hosts ]
2862 load-anchor = "load anchor" string "from" filename
2864 queueopts-list = queueopts-list queueopts | queueopts
2865 queueopts = [ "bandwidth" bandwidth-spec ] |
2866 [ "qlimit" number ] | [ "tbrsize" number ] |
2867 [ "priority" number ] | [ schedulers ]
2868 schedulers = ( cbq-def | priq-def | hfsc-def )
2869 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
2871 action = "pass" | "block" [ return ] | [ "no" ] "scrub"
2872 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
2873 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
2874 "return-icmp6" [ "(" icmp6code ")" ]
2875 icmpcode = ( icmp-code-name | icmp-code-number )
2876 icmp6code = ( icmp6-code-name | icmp6-code-number )
2878 ifspec = ( [ "!" ] interface-name ) | "{" interface-list "}"
2879 interface-list = [ "!" ] interface-name [ [ "," ] interface-list ]
2880 route = ( "route-to" | "reply-to" | "dup-to" )
2881 ( routehost | "{" routehost-list "}" )
2883 af = "inet" | "inet6"
2885 protospec = "proto" ( proto-name | proto-number |
2886 "{" proto-list "}" )
2887 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
2890 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
2891 "{" host-list "}" | "route" string ) [ port ] [ os ]
2892 "to" ( "any" | "no-route" | "self" | host |
2893 "{" host-list "}" | "route" string ) [ port ]
2895 ipspec = "any" | host | "{" host-list "}"
2896 host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
2897 redirhost = address [ "/" mask-bits ]
2898 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
2899 address = ( interface-name | "(" interface-name ")" | hostname |
2900 ipv4-dotted-quad | ipv6-coloned-hex )
2901 host-list = host [ [ "," ] host-list ]
2902 redirhost-list = redirhost [ [ "," ] redirhost-list ]
2903 routehost-list = routehost [ [ "," ] routehost-list ]
2905 port = "port" ( unary-op | binary-op | "{" op-list "}" )
2906 portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ]
2907 os = "os" ( os-name | "{" os-list "}" )
2908 user = "user" ( unary-op | binary-op | "{" op-list "}" )
2909 group = "group" ( unary-op | binary-op | "{" op-list "}" )
2911 unary-op = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ]
2913 binary-op = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number
2914 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
2916 os-name = operating-system-name
2917 os-list = os-name [ [ "," ] os-list ]
2919 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
2920 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
2923 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
2924 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
2925 icmp-type-code = ( icmp-type-name | icmp-type-number )
2926 [ "code" ( icmp-code-name | icmp-code-number ) ]
2927 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
2929 tos = "tos" ( "lowdelay" | "throughput" | "reliability" |
2932 state-opts = state-opt [ [ "," ] state-opts ]
2933 state-opt = ( "max" number | "no-sync" | timeout | sloppy |
2934 "source-track" [ ( "rule" | "global" ) ] |
2935 "max-src-nodes" number | "max-src-states" number |
2936 "max-src-conn" number |
2937 "max-src-conn-rate" number "/" number |
2938 "overload" "\*(Lt" string "\*(Gt" [ "flush" ] |
2939 "if-bound" | "floating" )
2941 fragmentation = [ "fragment reassemble" | "fragment crop" |
2942 "fragment drop-ovl" ]
2944 timeout-list = timeout [ [ "," ] timeout-list ]
2945 timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" |
2946 "tcp.closing" | "tcp.finwait" | "tcp.closed" |
2947 "udp.first" | "udp.single" | "udp.multiple" |
2948 "icmp.first" | "icmp.error" |
2949 "other.first" | "other.single" | "other.multiple" |
2950 "frag" | "interval" | "src.track" |
2951 "adaptive.start" | "adaptive.end" ) number
2953 limit-list = limit-item [ [ "," ] limit-list ]
2954 limit-item = ( "states" | "frags" | "src-nodes" ) number
2956 pooltype = ( "bitmask" | "random" |
2957 "source-hash" [ ( hex-key | string-key ) ] |
2958 "round-robin" ) [ sticky-address ]
2960 subqueue = string | "{" queue-list "}"
2961 queue-list = string [ [ "," ] string ]
2962 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
2963 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
2964 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
2965 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
2966 priq-opt = ( "default" | "red" | "ecn" | "rio" )
2967 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
2968 linkshare-sc | realtime-sc | upperlimit-sc )
2969 linkshare-sc = "linkshare" sc-spec
2970 realtime-sc = "realtime" sc-spec
2971 upperlimit-sc = "upperlimit" sc-spec
2972 sc-spec = ( bandwidth-spec |
2973 "(" bandwidth-spec number bandwidth-spec ")" )
2976 .Bl -tag -width "/usr/share/examples/pf" -compact
2980 Default location of the ruleset file.
2982 Default location of OS fingerprints.
2983 .It Pa /etc/protocols
2984 Protocol name database.
2985 .It Pa /etc/services
2986 Service name database.
2987 .It Pa /usr/share/examples/pf
2991 Due to a lock order reversal (LOR) with the socket layer, the use of the
2995 filter parameter in conjuction with a Giant-free netstack
2996 can result in a deadlock.
2997 A workaround is available under the
2998 .Va debug.pfugidhack
2999 sysctl which is automatically enabled when a
3007 Route labels are not supported by the
3011 Rules with a route label do not match any traffic.
3035 file format first appeared in