
10 .\"    - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
35 .Nd packet filter configuration file
39 packet filter modifies, drops or passes packets according to rules or
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
55 Options tune the behaviour of the packet filtering engine.
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
66 .It Cm Packet Filtering
67 Packet filtering provides rule-based blocking or passing of packets.
77 packet filtering engine.
81 .Ar set require-order
91 .Bd -literal -offset indent
107 .Bd -literal -offset indent
114 srv_lan_range = "'198.51.100.0 - 198.51.100.255'"
116 nat on $ext_if from $nat_ranges to any -> ($ext_if)
150 .Bl -tag -width "manually"
166 statement, and are especially useful to define non-persistent tables.
167 The contents of a pre-existing table defined without a list of addresses
177 .Bl -tag -width counters
198 flag enables per-address packet and byte counters which can be displayed with
204 .Bd -literal -offset indent
218 .Bd -literal -offset indent
219 # pfctl -t badhosts -Tadd 204.92.77.111
224 .Bd -literal -offset indent
250 .Bl -tag -width xxxx
253 .Bl -tag -width "src.track" -compact
263 When a packet matches a stateful connection, the seconds to live for the
267 Each packet which matches this state will reset the TTL.
271 .Bl -tag -width xxxx -compact
273 The state after the first packet.
275 The state after the second packet but before both endpoints have
296 .Bl -tag -width xxxx -compact
298 The state after the first packet.
300 The state before the destination host ever sends a packet.
312 .Bl -tag -width xxxx -compact
314 The state after the first packet.
316 The state if the source host sends more than one packet but the destination
321 The state after the first packet.
323 The state after an ICMP error came back in response to an ICMP packet.
328 .Bl -tag -width xxxx -compact
337 .Bl -tag -width xxxx -compact
342 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
356 When used on a per-rule basis, the values relate to the number of
361 .Bd -literal -offset indent
371 Enable collection of packet and byte count statistics for the given
374 .Bd -literal -offset indent
375 # pfctl -s info
381 .Bd -literal -offset indent
386 .Bd -literal -offset indent
390 Sets hard limits on the memory pools used by the packet filter.
396 .Bd -literal -offset indent
407 .Bd -literal -offset indent
418 .Bd -literal -offset indent
419 set limit src-nodes 2000
424 .Ar sticky-address
429 .Bd -literal -offset indent
430 set limit table-entries 100000
437 .Bd -literal -offset indent
438 set limit { states 20000, frags 20000, src-nodes 2000 }
440 .It Ar set ruleset-optimization
441 .Bl -tag -width xxxxxxxx -compact
450 .Bl -enum -compact
458 re-order the rules to improve evaluation performance
468 A side effect of the ruleset modification is that per-rule accounting
470 If per-rule accounting is important for billing purposes or whatnot,
474 Optimization can also be set as a command-line argument to
481 .Bl -tag -width xxxx -compact
485 .It Ar high-latency
486 A high-latency environment (such as a satellite connection).
489 .Ar high-latency .
502 .Bd -literal -offset indent
505 .It Ar set reassemble yes | no Op Cm no-df
514 .Cm no-df
516 .Dq dont-fragment
519 the reassembled packet will have the
520 .Dq dont-fragment
525 This option is ignored if there are pre-FreeBSD 14
528 .It Ar set block-policy
530 .Ar block-policy
531 option sets the default behaviour for the packet
535 .Bl -tag -width xxxxxxxx -compact
537 Packet is silently dropped.
549 .Bd -literal -offset indent
550 set block-policy return
552 .It Ar set fail-policy
554 .Ar fail-policy
555 option sets the behaviour of rules which should pass a packet but were
557 This might happen when a nat or route-to rule uses an empty table as list
563 .Bl -tag -width xxxxxxxx -compact
565 Incoming packet is silently dropped.
567 Incoming packet is dropped and TCP RST is returned for TCP packets,
574 .Bd -literal -offset indent
575 set fail-policy return
577 .It Ar set state-policy
579 .Ar state-policy
582 .Bl -tag -width group-bound -compact
583 .It Ar if-bound
590 .Bd -literal -offset indent
591 set state-policy if-bound
607 .Bl -tag -width adaptive -compact
614 is used up by half-open TCP connections, as in, those that saw the initial
617 .Bd -literal -offset indent
621 .It Ar set state-defaults
623 .Ar state-defaults
628 .Bd -literal -offset indent
629 set state-defaults no-sync
632 The 32-bit
638 By default the hostid is set to a pseudo-random value, however it may be
641 .Bd -literal -offset indent
646 .It Ar set require-order
658 There may be non-trivial and non-obvious implications to an out of
683 packet filtering is not desired and can have unexpected effects.
692 .Bl -tag -width xxxxxxxxxxxx -compact
716 packets based on attributes of their Ethernet (layer 2) header.
718 Each time a packet processed by the packet filter comes in on or
722 If no rule matches the packet, the default action is to pass
723 the packet without creating a state.
726 .Bl -tag -width xxxx
728 The packet is blocked.
729 Unlike for layer 3 traffic the packet is always silently dropped.
731 The packet is passed;
736 A packet always comes in on, or goes out through, one interface.
746 .Bl -tag -width xxxx
755 If a packet matches a rule which has the
770 .It Ar bridge-to Aq interface
802 meaning that the packet will be tagged even if the rule
806 A packet is only ever assigned one tag at a time.
815 for aspects of the packet filter which deal with
816 verifying packets, packet fragments, spoofed traffic,
819 Scrub involves sanitising packet content in such a way
820 that there are no ambiguities in packet interpretation on the receiving side.
827 .Bl -tag -width xxxx
828 .It Ar no-df
830 .Ar dont-fragment
831 bit from a matching IP packet.
833 .Ar dont-fragment
838 .Ar dont-fragment
840 .Ar no-df
844 .Ar dont-fragment
847 .Ar dont-fragment
849 upstream router later fragments the packet.
851 .Ar random-id
853 .Ar no-df
855 .It Ar min-ttl Aq Ar number
857 .It Ar max-mss Aq Ar number
859 .It Xo Ar set-tos Aq Ar string
880 .It Ar random-id
890 .Bl -tag -width timeout -compact
893 An attacker may send a packet such that it reaches the firewall, affects
899 Modern TCP stacks will send a timestamp on every TCP packet and echo
916 There is a problem with TCP on long fat pipes, in that a packet might get
917 delayed for longer than it takes the connection to wrap its 32-bit sequence
919 In such an occurrence, the old packet would be indistinguishable from a
920 new packet and would be accepted as such.
923 It protects against it by making sure the timestamp on each packet does
926 also makes sure the timestamp on the packet does not go forward more
937 .Bd -literal -offset indent
938 match in all scrub (no-df random-id max-mss 1440)
940 .Ss Scrub ruleset (pre-FreeBSD 14)
947 If there are such rules present they determine packet reassembly behaviour.
956 .Bl -tag -width xxxx
962 packet, and only the completed packet is passed on to the filter.
972 .Bd -literal -offset indent
981 works in the packet filter (see below).
988 ruleset are evaluated for every packet before stateful filtering.
1004 any packet filtering rule can reference the defined queues by name.
1022 .Bl -tag -width xxxx
1024 Class Based Queueing.
1085 supports both link-sharing and guaranteed real-time services.
1086 It employs a service curve based QoS model,
1100 .Bl -tag -width xxxx
1108 for Class Based Queueing,
1139 If not specified, heuristics based on the
1146 should queue up to 5Mbps in four second-level queues using
1147 Class Based Queueing.
1149 .Bd -literal -offset indent
1169 .Bl -tag -width xxxx
1211 .Bl -tag -width Fl
1233 .Bl -tag -width Fl
1242 .Bl -tag -width Fl
1279 Packets can be assigned to queues based on filter rules by using the
1301 .Sx PACKET FILTERING
1303 .Bd -literal
1344 If the rule does not specify a direction the first packet to create state will
1355 modifies the specified address and/or port in the packet and recalculates
1362 These rules will therefore have to filter based on the translated
1371 .Bl -tag -width xxxx
1372 .It Ar af-to
1375 .Ar af-to
1379 .Ar af-to
1391 part is 32-bit long.
1400 .Bd -literal -offset indent
1401 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1402 pass in inet af-to inet6 from 2001:db8::1
1411 .Bd -literal -offset indent
1412 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1414 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1426 .Ar binat-to
1430 .Ar nat-to
1432 .Ar rdr-to
1434 .It Ar nat-to
1436 .Ar nat-to
1437 option specifies that IP addresses are to be changed as the packet
1445 .Bd -literal -offset indent
1446 10.0.0.0 - 10.255.255.255 (all of net 10.0.0.0, i.e., 10.0.0.0/8)
1447 172.16.0.0 - 172.31.255.255 (i.e., 172.16.0.0/12)
1448 192.168.0.0 - 192.168.255.255 (i.e., 192.168.0.0/16)
1451 .Ar nat-to
1453 If applied inbound, nat-to to a local IP address is not supported.
1454 .It Pa rdr-to
1455 The packet is redirected to another destination and possibly a
1457 .Ar rdr-to
1460 .Bd -literal -offset indent
1461 match in ... port 2000:2999 rdr-to ... port 4000
1464 .Bd -literal -offset indent
1465 match in ... port 2000:2999 rdr-to ... port 4000:*
1470 .Ar rdr-to
1472 If applied outbound, rdr-to to a local IP address is not supported.
1479 .Ar nat-to
1481 .Ar rdr-to
1484 .Ar rdr-to
1487 A random source port in the range 50001-65535 is chosen in this case.
1489 .Ar binat-to
1494 .Bd -literal -offset indent
1496 rdr-to 127.0.0.1 port spamd
1502 Unless this effect is desired, any of the local non-loopback addresses
1510 .Ss NAT ruleset (pre-FreeBSD 15)
1520 Filter rules will therefore have to filter based on the translated
1538 .Ar binat-to ,
1539 .Ar nat-to
1541 .Ar rdr-to
1549 works in the packet filter.
1550 If no rule matches the packet it is passed to the filter engine unmodified.
1553 of the translation rules and of the direction of a packet.
1558 rules are evaluated on an inbound packet or the
1560 rules on an outbound packet.
1580 .Sh PACKET FILTERING
1588 packets based on attributes of their layer 3 (see
1602 For each packet processed by the packet filter, the filter rules are
1611 , rules are evaluated every time they match; the pass/block state of a packet
1613 If no rule matches the packet, the default action is to pass
1614 the packet.
1617 .Bl -tag -width xxxx
1619 The packet is blocked.
1622 rule can behave when blocking a packet.
1627 .Ar block-policy
1628 option, or on a per-rule basis with one of the following options:
1630 .Bl -tag -width xxxx -compact
1632 The packet is silently dropped.
1633 .It Ar return-rst
1638 .It Ar return-icmp
1639 .It Ar return-icmp6
1658 .Bd -literal -offset indent
1662 The packet is matched.
1664 block/pass state of a packet.
1670 rules in that parameters are set for every rule a packet matches, not only
1674 .Ar nat-to ,
1675 .Ar binat-to ,
1676 .Ar rdr-to ,
1684 The packet is passed;
1692 filters packets statefully; the first time a packet matches a
1695 whether the packet matches any state.
1696 If it does, the packet is passed without evaluation of any rules.
1701 For TCP connections, comparing a packet to a state involves checking
1706 values, the packet is dropped.
1714 .Bd -literal -offset indent
1715 pass out inet proto icmp all icmp-type echoreq
1756 A packet always comes in on, or goes out through, one interface.
1763 .Bl -tag -width xxxx
1773 log the packet.
1774 Only the packet that establishes the state is logged,
1806 it logs the packet on all subsequent matching rules.
1816 has the socket open where the packet is sourced from or destined to
1820 Only the first packet
1829 If a packet matches a rule which has the
1877 .Bl -tag -width xxxxxxxxxxxxxx -compact
1880 .It Ar no-route
1882 .It Ar urpf-failed
1885 the route back to the packet's source address.
1893 .Sq -
1896 .Dq 10.1.1.10 - 10.1.1.12
1904 .Bl -tag -width xxxxxxxxxxxx -compact
1910 Translates to the point-to-point interface's peer address(es).
1918 v4 and non-link-local v6 address found.
1921 ruleset load-time.
1942 .Bd -literal -offset indent
1960 .Bl -tag -width Fl
1972 hence ports 1-1999 and 2005-65535.
1984 .Bd -literal -offset indent
2046 .Bd -literal -offset indent
2053 .Bd -literal -offset indent
2082 .Bl -tag -width Fl
2100 is specified), only the initial SYN packet of a TCP handshake will create
2104 .Pq non-SYN
2113 States which modify the packet flow, such as those affected by
2114 .Ar af-to ,
2124 .It Xo Ar icmp-type Aq Ar type
2127 .It Xo Ar icmp6-type Aq Ar type
2140 .Ar icmp-type
2142 .Ar icmp6-type
2168 .Bd -literal -offset indent
2173 .It Ar allow-opts
2174 By default, packets with IPv4 options or IPv6 hop-by-hop or destination
2177 .Ar allow-opts
2180 rule, packets that pass the filter based on that rule (last matching)
2186 rule, that is used when a packet does not match
2192 pfctl -s labels
2193 shows per-rule statistics for rules that have labels.
2197 .Bl -tag -width $srcaddr -compact -offset indent
2215 .Bd -literal -offset indent
2222 .Bd -literal -offset indent
2235 .It Cm max-pkt-rate Ar number Ns / Ns Ar seconds
2242 .Bd -literal -offset indent
2244 pass in proto icmp max-pkt-rate 100/10
2250 .It Ar max-pkt-size Aq Ar number
2251 Limit each packet to be no more than the specified number of bytes.
2268 .Bd -literal -offset indent
2275 If the packet is transmitted on a
2285 .Bd -literal -offset indent
2289 .It Oo Cm \&! Oc Ns Cm received-on Ar interface
2305 meaning that the packet will be tagged even if the rule
2309 A packet is only ever assigned one tag at a time.
2310 Packet tagging can be done during
2325 .It Xo Ar divert-to Aq Ar host
2339 If a packet is re-injected and does not change direction then it will not be
2340 re-diverted.
2341 .It Ar divert-reply
2350 .Bd -literal -offset indent
2357 If a packet matches a rule with a route option set, the packet filter will
2358 route the packet according to the type of route option.
2361 .Bl -tag -width xxxx
2362 .It Ar route-to
2364 .Ar route-to
2365 option routes the packet to the specified interface with an optional address
2368 .Ar route-to
2373 .It Ar reply-to
2375 .Ar reply-to
2377 .Ar route-to ,
2381 .Ar reply-to
2386 .It Ar dup-to
2388 .Ar dup-to
2389 option creates a duplicate of the packet and routes it like
2390 .Ar route-to .
2391 The original packet gets routed as it normally would.
2399 .Ar route-to ,
2400 .Ar reply-to
2402 .Ar dup-to
2407 .Bl -tag -width xxxx
2420 .It Ar source-hash
2422 .Ar source-hash
2428 randomly generates a key for source-hash every time the
2430 .It Ar round-robin
2432 .Ar round-robin
2438 .It Ar static-port
2442 .Ar static-port
2446 .It Xo Ar map-e-portset Aq Ar psid-offset
2447 .No / Aq Ar psid-len
2453 .Ar map-e-portset
2454 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2455 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2457 to the map-e-portset nat rule.
2460 .Bd -literal -offset indent
2462 -> $ipv4_mape_src map-e-portset 6/8/0x34
2466 .It Ar endpoint-independent
2470 .Ar endpoint-independent
2475 This feature implements "full-cone" NAT behavior.
2479 .Ar sticky-address
2485 .Ar round-robin
2513 .Bd -literal -offset indent
2556 completed the handshake, hence so-called SYN floods with spoofed source
2580 .Bd -literal -offset indent
2585 per-rule basis.
2594 .Bl -tag -width xxxx -compact
2599 .It Ar no-sync
2621 .It Ar allow-related
2628 .Bd -literal -offset indent
2631 (max 100, source-track rule, max-src-nodes 75, \e
2632 max-src-states 3, tcp.established 60, tcp.closing 5)
2636 .Ar source-track
2639 .Bl -tag -width xxxx -compact
2640 .It Ar source-track rule
2642 .Ar max-src-nodes
2644 .Ar max-src-states
2648 .It Ar source-track global
2651 .Ar max-src-nodes
2653 .Ar max-src-states
2660 .Bl -tag -width xxxx -compact
2661 .It Ar max-src-nodes Aq Ar number
2664 .It Ar max-src-states Aq Ar number
2670 which have completed the TCP 3-way handshake) can also be enforced
2673 .Bl -tag -width xxxx -compact
2674 .It Ar max-src-conn Aq Ar number
2676 completed the 3-way handshake that a single host can make.
2677 .It Xo Ar max-src-conn-rate Aq Ar number
2687 Because the 3-way handshake ensures that the source address is not being
2688 spoofed, more aggressive action can be taken based on these limits.
2714 .Bd -literal -offset indent
2717 (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
2721 connection's initial SYN packet and guess at the host's operating system.
2748 .Ar no-df
2751 .Dl \&"OpenBSD 3.3 no-df\&"
2760 .Dl # pfctl -so
2773 .Bd -literal -offset indent
2782 Operating system fingerprinting is limited only to the TCP SYN packet.
2803 .Bd -literal -offset indent
2808 .Bd -literal -offset indent
2813 For non-loopback interfaces, there are additional rules to block incoming
2818 .Bd -literal -offset indent
2823 .Bd -literal -offset indent
2837 the large packet will be fragmented into many smaller packets that will each
2850 above, there are three options for handling fragments in the packet filter.
2863 Without reassembly, fragments can only be filtered based on IP header
2874 .Bd -literal -offset indent
2879 packet with destination port 80, because without reassembly this information
2937 .Bl -tag -width xxxx
2938 .It Ar nat-anchor Aq Ar name
2943 .It Ar rdr-anchor Aq Ar name
2948 .It Ar binat-anchor Aq Ar name
2980 ruleset evaluation will terminate when the anchor is exited if the packet is
3001 .Bd -literal -offset indent
3015 .Bd -literal -offset indent
3017 pfctl -a spam -f -
3029 .Bd -literal -offset indent
3031 load anchor spam from "/etc/pf-spam.conf"
3039 .Pa /etc/pf-spam.conf
3044 rules can specify packet filtering parameters using the same syntax as
3050 .Bd -literal -offset indent
3063 .Bd -literal -offset indent
3065 pfctl -a spam -f -
3075 .Bd -literal -offset indent
3095 .Bd -literal -offset indent
3096 # echo ' anchor "spam/allowed" ' | pfctl -f -
3097 # echo -e ' anchor "../banned" \en pass' | \e
3098 pfctl -a spam/allowed -f -
3111 rule can also contain a filter ruleset in a brace-delimited block.
3114 Brace delimited blocks may contain rules or other brace-delimited blocks.
3116 .Bd -literal -offset indent
3144 .Bd -literal -offset indent
3150 rdr-to 127.0.0.1 port 8080
3159 .Bd -literal -offset indent
3161 rdr-to 127.0.0.1 port 8080
3172 .Bd -literal -offset indent
3173 match out on ! vlan12 from 192.168.168.0/24 to any nat-to 204.92.77.111
3179 .Xr ftp-proxy 8 ,
3182 .Xr ftp-proxy 8
3184 .Xr ftp-proxy 8
3186 .Bd -literal -offset indent
3190 pass out on $ext_if inet from ! ($ext_if) to any nat-to ($ext_if)
3197 nat-to ($ext_if) port 500
3203 pass on $ext_if from 10.1.2.150 to any binat-to $ext_if
3207 pass on $peer_if from 172.21.16.0/20 to any binat-to 172.22.16.0/20
3213 rdr-to 10.1.2.151 port 22
3215 rdr-to 10.1.2.151 port 53
3219 # for proxying with ftp-proxy(8) running on port 8021.
3221 rdr-to 127.0.0.1 port 8021
3228 .Bd -literal -offset indent
3232 # using the source-hash keyword.
3233 pass out on $ext_if inet from any to any nat-to 192.0.2.16/28 source-hash
3239 rdr-to { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3247 .Bd -literal -offset indent
3250 nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
3255 .Bd -literal -offset indent
3260 -> 127.0.0.1 port 80
3263 .Bd -literal -offset indent
3278 block in from no-route to any
3282 block in from urpf-failed to any
3294 # them anyway (hence, no return-rst).
3303 # ICMP error messages (which always refer to a TCP/UDP packet) are
3305 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3335 # Packet Tagging
3351 # to pass those packets through the packet filter.
3354 tag SPAMD -> 127.0.0.1 port spamd
3361 translates an internal IPv4 subnet to IPv6 using the well-known
3363 .Bd -literal -offset 4n
3364 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3370 .Bd -literal -offset 4n
3371 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3377 .Bd -literal
3378 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3379 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3380 trans-anchors | anchor-rule | anchor-close | load-anchor |
3381 table-rule | include )
3383 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3384 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3386 "high-latency" | "satellite" |
3388 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3389 [ "loginterface" ( interface-name | "none" ) ] |
3390 [ "block-policy" ( "drop" | "return" ) ] |
3391 [ "state-policy" ( "if-bound" | "floating" ) ]
3392 [ "state-defaults" state-opts ]
3393 [ "require-order" ( "yes" | "no" ) ]
3399 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3400 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3402 [ etherfilteropt-list ]
3404 pf-rule = action [ ( "in" | "out" ) ]
3407 [ hosts ] [ filteropt-list ]
3410 logopt = "all" | "matches" | "user" | "to" interface-name
3412 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3416 filteropt-list = filteropt-list filteropt | filteropt
3417 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3418 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3419 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3421 [ "(" state-opts ")" ] |
3422 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3423 "max-mss" number | "random-id" | "reassemble tcp" |
3424 fragmentation | "allow-opts" |
3426 "max-pkt-rate" number "/" seconds |
3428 "max-pkt-size" number |
3434 [ ! ] "received-on" ( interface-name | interface-group )
3436 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3439 [ "->" ( redirhost | "{" redirhost-list "}" )
3440 [ portspec ] [ pooltype ] [ "static-port" ]
3441 [ "map-e-portset" number "/" number "/" number ] ]
3443 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3444 [ "on" interface-name ] [ af ]
3445 [ "proto" ( proto-name | proto-number ) ]
3446 "from" address [ "/" mask-bits ] "to" ipspec
3448 [ "->" address [ "/" mask-bits ] ]
3450 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3453 [ "->" ( redirhost | "{" redirhost-list "}" )
3456 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3460 table-rule = "table" "<" string ">" [ tableopts-list ]
3461 tableopts-list = tableopts-list tableopts | tableopts
3463 "{" [ tableaddr-list ] "}"
3464 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3465 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3467 ipv4-dotted-quad | ipv6-coloned-hex
3469 altq-rule = "altq on" interface-name queueopts-list
3471 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3474 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3475 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3477 anchor-close = "}"
3479 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3482 load-anchor = "load anchor" string "from" filename
3484 queueopts-list = queueopts-list queueopts | queueopts
3485 queueopts = [ "bandwidth" bandwidth-spec ] |
3488 schedulers = ( cbq-def | priq-def | hfsc-def )
3489 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3493 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3494 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3495 "return-icmp6" [ "(" icmp6code ")" ]
3496 icmpcode = ( icmp-code-name | icmp-code-number )
3497 icmp6code = ( icmp6-code-name | icmp6-code-number )
3499 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3500 "{" interface-list "}"
3501 interface-list = [ "!" ] ( interface-name | interface-group )
3502 [ [ "," ] interface-list ]
3503 route = ( "route-to" | "reply-to" | "dup-to" )
3504 ( routehost | "{" routehost-list "}" )
3508 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3509 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3510 protospec = "proto" ( proto-name | proto-number |
3511 "{" proto-list "}" )
3512 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3518 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3519 "{" host-list "}" ) [ port ] [ os ]
3520 "to" ( "any" | "no-route" | "self" | host |
3521 "{" host-list "}" ) [ port ]
3523 ipspec = "any" | host | "{" host-list "}"
3524 host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
3525 redirhost = address [ "/" mask-bits ]
3526 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
3527 address = ( interface-name | interface-group |
3528 "(" ( interface-name | interface-group ) ")" |
3529 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3530 host-list = host [ [ "," ] host-list ]
3531 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3532 routehost-list = routehost [ [ "," ] routehost-list ]
3534 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3536 os = "os" ( os-name | "{" os-list "}" )
3537 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3538 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3540 unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
3542 binary-op = number ( "<>" | "><" | ":" ) number
3543 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3545 os-name = operating-system-name
3546 os-list = os-name [ [ "," ] os-list ]
3548 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3549 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3552 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3553 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3554 icmp-type-code = ( icmp-type-name | icmp-type-number )
3555 [ "code" ( icmp-code-name | icmp-code-number ) ]
3556 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3561 state-opts = state-opt [ [ "," ] state-opts ]
3562 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3563 "source-track" [ ( "rule" | "global" ) ] |
3564 "max-src-nodes" number | "max-src-states" number |
3565 "max-src-conn" number |
3566 "max-src-conn-rate" number "/" number |
3568 "if-bound" | "floating" | "pflow" )
3572 timeout-list = timeout [ [ "," ] timeout-list ]
3583 limit-list = limit-item [ [ "," ] limit-list ]
3584 limit-item = ( "states" | "frags" | "src-nodes" ) number
3587 "source-hash" [ ( hex-key | string-key ) ] |
3588 "round-robin" ) [ sticky-address ]
3590 subqueue = string | "{" queue-list "}"
3591 queue-list = string [ [ "," ] string ]
3592 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3593 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3594 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3595 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3596 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3597 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3598 linkshare-sc | realtime-sc | upperlimit-sc )
3599 linkshare-sc = "linkshare" sc-spec
3600 realtime-sc = "realtime" sc-spec
3601 upperlimit-sc = "upperlimit" sc-spec
3602 sc-spec = ( bandwidth-spec |
3603 "(" bandwidth-spec number bandwidth-spec ")" )
3607 .Bl -tag -width "/etc/protocols" -compact
3638 .Xr ftp-proxy 8 ,