Lines Matching +full:block +full:- +full:number
10 .\" - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
81 .Ar set require-order
91 .Bd -literal -offset indent
107 .Bd -literal -offset indent
114 srv_lan_range = "'198.51.100.0 - 198.51.100.255'"
116 nat on $ext_if from $nat_ranges to any -> ($ext_if)
125 processor usage and memory consumption, than a large number of rules which
150 .Bl -tag -width "manually"
166 statement, and are especially useful to define non-persistent tables.
167 The contents of a pre-existing table defined without a list of addresses
177 .Bl -tag -width counters
198 flag enables per-address packet and byte counters which can be displayed with
204 .Bd -literal -offset indent
207 block on fxp0 from { <private>, <badhosts> } to any
212 A filter rule is set up to block all traffic coming from addresses listed in
218 .Bd -literal -offset indent
219 # pfctl -t badhosts -Tadd 204.92.77.111
224 .Bd -literal -offset indent
226 block on fxp0 from <spam> to any
250 .Bl -tag -width xxxx
253 .Bl -tag -width "src.track" -compact
271 .Bl -tag -width xxxx -compact
296 .Bl -tag -width xxxx -compact
312 .Bl -tag -width xxxx -compact
328 .Bl -tag -width xxxx -compact
334 Timeout values can be reduced adaptively as the number of state table
337 .Bl -tag -width xxxx -compact
339 When the number of state entries exceeds this value, adaptive scaling
342 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
344 When reaching this number of state entries, all timeout values become
356 When used on a per-rule basis, the values relate to the number of
357 states created by the rule, otherwise to the total number of
361 .Bd -literal -offset indent
374 .Bd -literal -offset indent
375 # pfctl -s info
381 .Bd -literal -offset indent
386 .Bd -literal -offset indent
396 .Bd -literal -offset indent
400 sets the maximum number of entries in the memory pool used by state table
407 .Bd -literal -offset indent
411 sets the maximum number of entries in the memory pool used for fragment
418 .Bd -literal -offset indent
419 set limit src-nodes 2000
422 sets the maximum number of entries in the memory pool used for tracking
424 .Ar sticky-address
429 .Bd -literal -offset indent
430 set limit table-entries 100000
433 sets the limit on the overall number of addresses that can be stored
437 .Bd -literal -offset indent
438 set limit { states 20000, frags 20000, src-nodes 2000 }
440 .It Ar set ruleset-optimization
441 .Bl -tag -width xxxxxxxx -compact
450 .Bl -enum -compact
458 re-order the rules to improve evaluation performance
468 A side effect of the ruleset modification is that per-rule accounting
470 If per-rule accounting is important for billing purposes or whatnot,
474 Optimization can also be set as a command-line argument to
481 .Bl -tag -width xxxx -compact
485 .It Ar high-latency
486 A high-latency environment (such as a satellite connection).
489 .Ar high-latency .
502 .Bd -literal -offset indent
505 .It Ar set reassemble yes | no Op Cm no-df
514 .Cm no-df
516 .Dq dont-fragment
520 .Dq dont-fragment
525 This option is ignored if there are pre-FreeBSD 14
528 .It Ar set block-policy
530 .Ar block-policy
532 .Ar block
535 .Bl -tag -width xxxxxxxx -compact
546 .Bd -literal -offset indent
547 set block-policy return
549 .It Ar set fail-policy
551 .Ar fail-policy
554 This might happen when a nat or route-to rule uses an empty table as list
557 .Ar block
560 .Bl -tag -width xxxxxxxx -compact
571 .Bd -literal -offset indent
572 set fail-policy return
574 .It Ar set state-policy
576 .Ar state-policy
579 .Bl -tag -width group-bound -compact
580 .It Ar if-bound
587 .Bd -literal -offset indent
588 set state-policy if-bound
604 .Bl -tag -width adaptive -compact
611 is used up by half-open TCP connections, as in, those that saw the initial
614 .Bd -literal -offset indent
618 .It Ar set state-defaults
620 .Ar state-defaults
625 .Bd -literal -offset indent
626 set state-defaults no-sync
629 The 32-bit
635 By default the hostid is set to a pseudo-random value, however it may be
638 .Bd -literal -offset indent
643 .It Ar set require-order
655 There may be non-trivial and non-obvious implications to an out of
687 .Bl -tag -width xxxxxxxxxxxx -compact
708 .Ar block
721 .Bl -tag -width xxxx
722 .It Ar block
741 .Bl -tag -width xxxx
765 .It Ar bridge-to Aq interface
822 .Bl -tag -width xxxx
823 .It Ar no-df
825 .Ar dont-fragment
828 .Ar dont-fragment
833 .Ar dont-fragment
835 .Ar no-df
839 .Ar dont-fragment
842 .Ar dont-fragment
846 .Ar random-id
848 .Ar no-df
850 .It Ar min-ttl Aq Ar number
852 .It Ar max-mss Aq Ar number
854 .It Xo Ar set-tos Aq Ar string
855 .No \*(Ba Aq Ar number
875 .It Ar random-id
885 .Bl -tag -width timeout -compact
909 to modulate the TCP timestamps with a random number.
912 delayed for longer than it takes the connection to wrap its 32-bit sequence
932 .Bd -literal -offset indent
933 match in all scrub (no-df random-id max-mss 1440)
935 .Ss Scrub ruleset (pre-FreeBSD 14)
951 .Bl -tag -width xxxx
967 .Bd -literal -offset indent
1007 .Ar block
1017 .Bl -tag -width xxxx
1080 supports both link-sharing and guaranteed real-time services.
1095 .Bl -tag -width xxxx
1130 The maximum number of packets held in the queue.
1141 should queue up to 5Mbps in four second-level queues using
1144 .Bd -literal -offset indent
1164 .Bl -tag -width xxxx
1195 The maximum number of packets held in the queue.
1206 .Bl -tag -width Fl
1228 .Bl -tag -width Fl
1237 .Bl -tag -width Fl
1298 .Bd -literal
1309 block return out on dc0 inet all queue std
1335 take either a single pipe or queue number or two numbers as arguments.
1336 The first pipe or queue number will be used to shape the traffic in the rule
1340 be shaped according to the first number, and the response traffic according to
1358 address and port number.
1366 .Bl -tag -width xxxx
1367 .It Ar af-to
1370 .Ar af-to
1374 .Ar af-to
1386 part is 32-bit long.
1395 .Bd -literal -offset indent
1396 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1397 pass in inet af-to inet6 from 2001:db8::1
1406 .Bd -literal -offset indent
1407 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1409 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1421 .Ar binat-to
1425 .Ar nat-to
1427 .Ar rdr-to
1429 .It Ar nat-to
1431 .Ar nat-to
1440 .Bd -literal -offset indent
1441 10.0.0.0 - 10.255.255.255 (all of net 10.0.0.0, i.e., 10.0.0.0/8)
1442 172.16.0.0 - 172.31.255.255 (i.e., 172.16.0.0/12)
1443 192.168.0.0 - 192.168.255.255 (i.e., 192.168.0.0/16)
1446 .Ar nat-to
1448 If applied inbound, nat-to to a local IP address is not supported.
1449 .It Pa rdr-to
1452 .Ar rdr-to
1455 .Bd -literal -offset indent
1456 match in ... port 2000:2999 rdr-to ... port 4000
1459 .Bd -literal -offset indent
1460 qmatch in ... port 2000:2999 rdr-to ... port 4000:*
1465 .Ar rdr-to
1467 If applied outbound, rdr-to to a local IP address is not supported.
1474 .Ar nat-to
1476 .Ar rdr-to
1479 .Ar rdr-to
1482 A random source port in the range 50001-65535 is chosen in this case.
1484 .Ar binat-to
1489 .Bd -literal -offset indent
1491 rdr-to 127.0.0.1 port spamd
1497 Unless this effect is desired, any of the local non-loopback addresses
1505 .Ss NAT ruleset (pre-FreeBSD 15)
1516 address and port number.
1522 .Ar block
1533 .Ar binat-to ,
1534 .Ar nat-to
1536 .Ar rdr-to
1578 .Ar block
1600 .Ar block
1606 , rules are evaluated every time they match; the pass/block state of a packet
1612 .Bl -tag -width xxxx
1613 .It Ar block
1615 There are a number of ways in which a
1616 .Ar block
1622 .Ar block-policy
1623 option, or on a per-rule basis with one of the following options:
1625 .Bl -tag -width xxxx -compact
1628 .It Ar return-rst
1633 .It Ar return-icmp
1634 .It Ar return-icmp6
1637 can be overridden by specifying a message as a code or number.
1651 The simplest mechanism to block everything by default and only pass
1653 .Bd -literal -offset indent
1654 block all
1659 block/pass state of a packet.
1662 .Ar block
1669 .Ar nat-to ,
1670 .Ar binat-to ,
1671 .Ar rdr-to ,
1709 .Bd -literal -offset indent
1710 pass out inet proto icmp all icmp-type echoreq
1743 A number of parameters can also be set to affect how
1758 .Bl -tag -width xxxx
1854 For a list of all the protocol name to number mappings used by
1872 .Bl -tag -width xxxxxxxxxxxxxx -compact
1875 .It Ar no-route
1877 .It Ar urpf-failed
1888 .Sq -
1891 .Dq 10.1.1.10 - 10.1.1.12
1899 .Bl -tag -width xxxxxxxxxxxx -compact
1905 Translates to the point-to-point interface's peer address(es).
1913 v4 and non-link-local v6 address found.
1916 ruleset load-time.
1928 Ports can be specified either by number or by name.
1931 For a list of all port name to number mappings used by
1937 .Bd -literal -offset indent
1955 .Bl -tag -width Fl
1967 hence ports 1-1999 and 2005-65535.
1979 .Bd -literal -offset indent
2041 .Bd -literal -offset indent
2042 block out proto { tcp, udp } all
2062 .Bl -tag -width Fl
2084 .Pq non-SYN
2094 .Ar af-to ,
2104 .It Xo Ar icmp-type Aq Ar type
2107 .It Xo Ar icmp6-type Aq Ar type
2120 .Ar icmp-type
2122 .Ar icmp6-type
2126 .No \*(Ba Aq Ar number
2148 .Bd -literal -offset indent
2153 .It Ar allow-opts
2154 By default, packets with IPv4 options or IPv6 hop-by-hop or destination
2157 .Ar allow-opts
2172 pfctl -s labels
2173 shows per-rule statistics for rules that have labels.
2177 .Bl -tag -width $srcaddr -compact -offset indent
2191 The rule number.
2195 .Bd -literal -offset indent
2202 .Bd -literal -offset indent
2212 .It Ar ridentifier Aq Ar number
2213 Add an identifier (number) to the rule, which can be used to correlate the rule
2215 .It Cm max-pkt-rate Ar number Ns / Ns Ar seconds
2222 .Bd -literal -offset indent
2223 block in proto icmp
2224 pass in proto icmp max-pkt-rate 100/10
2230 .It Ar max-pkt-size Aq Ar number
2231 Limit each packet to be no more than the specified number of bytes.
2248 .Bd -literal -offset indent
2265 .Bd -literal -offset indent
2269 .It Oo Cm \&! Oc Ns Cm received-on Ar interface
2302 .It Ar rtable Aq Ar number
2305 .It Xo Ar divert-to Aq Ar host
2319 If a packet is re-injected and does not change direction then it will not be
2320 re-diverted.
2321 .It Ar divert-reply
2324 .It Ar probability Aq Ar number
2330 .Bd -literal -offset indent
2331 block in proto icmp probability 20%
2333 .It Ar prio Aq Ar number
2341 .Bl -tag -width xxxx
2342 .It Ar route-to
2344 .Ar route-to
2348 .Ar route-to
2353 .It Ar reply-to
2355 .Ar reply-to
2357 .Ar route-to ,
2361 .Ar reply-to
2366 .It Ar dup-to
2368 .Ar dup-to
2370 .Ar route-to .
2379 .Ar route-to ,
2380 .Ar reply-to
2382 .Ar dup-to
2387 .Bl -tag -width xxxx
2399 option selects an address at random within the defined block of addresses.
2400 .It Ar source-hash
2402 .Ar source-hash
2408 randomly generates a key for source-hash every time the
2410 .It Ar round-robin
2412 .Ar round-robin
2418 .It Ar static-port
2422 .Ar static-port
2426 .It Xo Ar map-e-portset Aq Ar psid-offset
2427 .No / Aq Ar psid-len
2433 .Ar map-e-portset
2434 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2435 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2437 to the map-e-portset nat rule.
2440 .Bd -literal -offset indent
2442 -> $ipv4_mape_src map-e-portset 6/8/0x34
2446 .It Ar endpoint-independent
2450 .Ar endpoint-independent
2455 This feature implements "full-cone" NAT behavior.
2459 .Ar sticky-address
2465 .Ar round-robin
2484 will create a high quality random sequence number for each connection
2493 .Bd -literal -offset indent
2494 block all
2536 completed the handshake, hence so-called SYN floods with spoofed source
2544 Once the handshakes are completed, the sequence number modulators
2559 .Bd -literal -offset indent
2563 A number of options related to stateful tracking can be applied on a
2564 per-rule basis.
2573 .Bl -tag -width xxxx -compact
2574 .It Ar max Aq Ar number
2575 Limits the number of concurrent states the rule may create.
2578 .It Ar no-sync
2600 .It Ar allow-related
2607 .Bd -literal -offset indent
2610 (max 100, source-track rule, max-src-nodes 75, \e
2611 max-src-states 3, tcp.established 60, tcp.closing 5)
2615 .Ar source-track
2616 keyword is specified, the number of states per source IP is tracked.
2618 .Bl -tag -width xxxx -compact
2619 .It Ar source-track rule
2620 The maximum number of states created by this rule is limited by the rule's
2621 .Ar max-src-nodes
2623 .Ar max-src-states
2627 .It Ar source-track global
2628 The number of states created by all rules that use this option is limited.
2630 .Ar max-src-nodes
2632 .Ar max-src-states
2639 .Bl -tag -width xxxx -compact
2640 .It Ar max-src-nodes Aq Ar number
2641 Limits the maximum number of source addresses which can simultaneously
2643 .It Ar max-src-states Aq Ar number
2644 Limits the maximum number of simultaneous state entries that a single
2649 which have completed the TCP 3-way handshake) can also be enforced
2652 .Bl -tag -width xxxx -compact
2653 .It Ar max-src-conn Aq Ar number
2654 Limits the maximum number of simultaneous TCP connections which have
2655 completed the 3-way handshake that a single host can make.
2656 .It Xo Ar max-src-conn-rate Aq Ar number
2666 Because the 3-way handshake ensures that the source address is not being
2672 This table can be used in the ruleset to block further activity from
2692 by the block rule.
2693 .Bd -literal -offset indent
2694 block quick from <bad_hosts>
2696 (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
2727 .Ar no-df
2730 .Dl \&"OpenBSD 3.3 no-df\&"
2739 .Dl # pfctl -so
2752 .Bd -literal -offset indent
2754 block out proto tcp from any os Doors
2755 block out proto tcp from any os "Doors PT"
2756 block out proto tcp from any os "Doors PT SP3"
2757 block out from any os "unknown"
2776 directive expands to a set of filter rules which will block all
2782 .Bd -literal -offset indent
2787 .Bd -literal -offset indent
2788 block drop in on ! lo0 inet from 127.0.0.1/8 to any
2789 block drop in on ! lo0 inet6 from ::1 to any
2792 For non-loopback interfaces, there are additional rules to block incoming
2797 .Bd -literal -offset indent
2802 .Bd -literal -offset indent
2803 block drop in on ! wi0 inet from 10.0.0.0/24 to any
2804 block drop in inet from 10.0.0.1 to any
2853 .Bd -literal -offset indent
2916 .Bl -tag -width xxxx
2917 .It Ar nat-anchor Aq Ar name
2922 .It Ar rdr-anchor Aq Ar name
2927 .It Ar binat-anchor Aq Ar name
2980 .Bd -literal -offset indent
2982 block on $ext_if all
2994 .Bd -literal -offset indent
2995 # echo \&"block in quick from 1.2.3.4 to any\&" \&| \e
2996 pfctl -a spam -f -
3008 .Bd -literal -offset indent
3010 load anchor spam from "/etc/pf-spam.conf"
3018 .Pa /etc/pf-spam.conf
3029 .Bd -literal -offset indent
3030 block on $ext_if all
3042 .Bd -literal -offset indent
3043 # echo \&"block in quick from 1.2.3.4 to any" \&| \e
3044 pfctl -a spam -f -
3047 will only block connections from 1.2.3.4 to port 25.
3054 .Bd -literal -offset indent
3074 .Bd -literal -offset indent
3075 # echo ' anchor "spam/allowed" ' | pfctl -f -
3076 # echo -e ' anchor "../banned" \en pass' | \e
3077 pfctl -a spam/allowed -f -
3090 rule can also contain a filter ruleset in a brace-delimited block.
3093 Brace delimited blocks may contain rules or other brace-delimited blocks.
3095 .Bd -literal -offset indent
3123 .Bd -literal -offset indent
3129 rdr-to 127.0.0.1 port 8080
3138 .Bd -literal -offset indent
3140 rdr-to 127.0.0.1 port 8080
3151 .Bd -literal -offset indent
3152 match out on ! vlan12 from 192.168.168.0/24 to any nat-to 204.92.77.111
3158 .Xr ftp-proxy 8 ,
3161 .Xr ftp-proxy 8
3163 .Xr ftp-proxy 8
3165 .Bd -literal -offset indent
3169 pass out on $ext_if inet from ! ($ext_if) to any nat-to ($ext_if)
3176 nat-to ($ext_if) port 500
3182 pass on $ext_if from 10.1.2.150 to any binat-to $ext_if
3186 pass on $peer_if from 172.21.16.0/20 to any binat-to 172.22.16.0/20
3192 rdr-to 10.1.2.151 port 22
3194 rdr-to 10.1.2.151 port 53
3198 # for proxying with ftp-proxy(8) running on port 8021.
3200 rdr-to 127.0.0.1 port 8021
3207 .Bd -literal -offset indent
3211 # using the source-hash keyword.
3212 pass out on $ext_if inet from any to any nat-to 192.0.2.16/28 source-hash
3218 rdr-to { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3226 .Bd -literal -offset indent
3229 nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
3234 .Bd -literal -offset indent
3239 -> 127.0.0.1 port 80
3242 .Bd -literal -offset indent
3253 # block and log everything by default
3254 block return log on $ext_if all
3256 # block anything coming from source we have no back routes for
3257 block in from no-route to any
3259 # block packets whose ingress interface does not match the one in
3261 block in from urpf-failed to any
3263 # block and log outgoing packets that do not have our address as source,
3266 block out log quick on $ext_if from ! 157.161.48.183 to any
3269 block in quick on $ext_if from any to 255.255.255.255
3271 # block and log incoming packets from reserved address space and invalid
3273 # them anyway (hence, no return-rst).
3274 block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \e
3284 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3305 block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e
3325 block out on $ext_if from any to any
3333 tag SPAMD -> 127.0.0.1 port spamd
3335 block in on $ext_if
3340 translates an internal IPv4 subnet to IPv6 using the well-known
3342 .Bd -literal -offset 4n
3343 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3349 .Bd -literal -offset 4n
3350 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3356 .Bd -literal
3357 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3358 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3359 trans-anchors | anchor-rule | anchor-close | load-anchor |
3360 table-rule | include )
3362 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3363 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3365 "high-latency" | "satellite" |
3367 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3368 [ "loginterface" ( interface-name | "none" ) ] |
3369 [ "block-policy" ( "drop" | "return" ) ] |
3370 [ "state-policy" ( "if-bound" | "floating" ) ]
3371 [ "state-defaults" state-opts ]
3372 [ "require-order" ( "yes" | "no" ) ]
3378 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3379 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3381 [ etherfilteropt-list ]
3383 pf-rule = action [ ( "in" | "out" ) ]
3386 [ hosts ] [ filteropt-list ]
3389 logopt = "all" | "matches" | "user" | "to" interface-name
3391 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3393 "ridentifier" number | "label" string
3395 filteropt-list = filteropt-list filteropt | filteropt
3396 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3397 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3398 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3400 [ "(" state-opts ")" ] |
3401 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3402 "max-mss" number | "random-id" | "reassemble tcp" |
3403 fragmentation | "allow-opts" |
3405 "max-pkt-rate" number "/" seconds |
3406 "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
3407 "max-pkt-size" number |
3409 "rtable" number | "probability" number"%" | "prio" number |
3410 "dnpipe" ( number | "(" number "," number ")" ) |
3411 "dnqueue" ( number | "(" number "," number ")" ) |
3412 "ridentifier" number |
3413 [ ! ] "received-on" ( interface-name | interface-group )
3415 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3418 [ "->" ( redirhost | "{" redirhost-list "}" )
3419 [ portspec ] [ pooltype ] [ "static-port" ]
3420 [ "map-e-portset" number "/" number "/" number ] ]
3422 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3423 [ "on" interface-name ] [ af ]
3424 [ "proto" ( proto-name | proto-number ) ]
3425 "from" address [ "/" mask-bits ] "to" ipspec
3427 [ "->" address [ "/" mask-bits ] ]
3429 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3432 [ "->" ( redirhost | "{" redirhost-list "}" )
3435 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3437 [ "ridentifier" number ]
3439 table-rule = "table" "<" string ">" [ tableopts-list ]
3440 tableopts-list = tableopts-list tableopts | tableopts
3442 "{" [ tableaddr-list ] "}"
3443 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3444 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3446 ipv4-dotted-quad | ipv6-coloned-hex
3448 altq-rule = "altq on" interface-name queueopts-list
3450 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3453 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3454 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3456 anchor-close = "}"
3458 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3461 load-anchor = "load anchor" string "from" filename
3463 queueopts-list = queueopts-list queueopts | queueopts
3464 queueopts = [ "bandwidth" bandwidth-spec ] |
3465 [ "qlimit" number ] | [ "tbrsize" number ] |
3466 [ "priority" number ] | [ schedulers ]
3467 schedulers = ( cbq-def | priq-def | hfsc-def )
3468 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3470 etheraction = "pass" | "block"
3471 action = "pass" | "match" | "block" [ return ] | [ "no" ] "scrub"
3472 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3473 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3474 "return-icmp6" [ "(" icmp6code ")" ]
3475 icmpcode = ( icmp-code-name | icmp-code-number )
3476 icmp6code = ( icmp6-code-name | icmp6-code-number )
3478 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3479 "{" interface-list "}"
3480 interface-list = [ "!" ] ( interface-name | interface-group )
3481 [ [ "," ] interface-list ]
3482 route = ( "route-to" | "reply-to" | "dup-to" )
3483 ( routehost | "{" routehost-list "}" )
3487 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3488 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3489 protospec = "proto" ( proto-name | proto-number |
3490 "{" proto-list "}" )
3491 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3497 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3498 "{" host-list "}" ) [ port ] [ os ]
3499 "to" ( "any" | "no-route" | "self" | host |
3500 "{" host-list "}" ) [ port ]
3502 ipspec = "any" | host | "{" host-list "}"
3503 host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
3504 redirhost = address [ "/" mask-bits ]
3505 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
3506 address = ( interface-name | interface-group |
3507 "(" ( interface-name | interface-group ) ")" |
3508 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3509 host-list = host [ [ "," ] host-list ]
3510 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3511 routehost-list = routehost [ [ "," ] routehost-list ]
3513 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3514 portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ]
3515 os = "os" ( os-name | "{" os-list "}" )
3516 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3517 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3519 unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
3520 ( name | number )
3521 binary-op = number ( "<>" | "><" | ":" ) number
3522 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3524 os-name = operating-system-name
3525 os-list = os-name [ [ "," ] os-list ]
3527 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3528 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3531 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3532 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3533 icmp-type-code = ( icmp-type-name | icmp-type-number )
3534 [ "code" ( icmp-code-name | icmp-code-number ) ]
3535 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3538 [ "0x" ] number )
3540 state-opts = state-opt [ [ "," ] state-opts ]
3541 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3542 "source-track" [ ( "rule" | "global" ) ] |
3543 "max-src-nodes" number | "max-src-states" number |
3544 "max-src-conn" number |
3545 "max-src-conn-rate" number "/" number |
3547 "if-bound" | "floating" | "pflow" )
3551 timeout-list = timeout [ [ "," ] timeout-list ]
3560 "adaptive.start" | "adaptive.end" ) number
3562 limit-list = limit-item [ [ "," ] limit-list ]
3563 limit-item = ( "states" | "frags" | "src-nodes" ) number
3566 "source-hash" [ ( hex-key | string-key ) ] |
3567 "round-robin" ) [ sticky-address ]
3569 subqueue = string | "{" queue-list "}"
3570 queue-list = string [ [ "," ] string ]
3571 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3572 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3573 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3574 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3575 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3576 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3577 linkshare-sc | realtime-sc | upperlimit-sc )
3578 linkshare-sc = "linkshare" sc-spec
3579 realtime-sc = "realtime" sc-spec
3580 upperlimit-sc = "upperlimit" sc-spec
3581 sc-spec = ( bandwidth-spec |
3582 "(" bandwidth-spec number bandwidth-spec ")" )
3586 .Bl -tag -width "/etc/protocols" -compact
3617 .Xr ftp-proxy 8 ,