
10 .\"    - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
81 .Ar set require-order
91 .Bd -literal -offset indent
105 .Bd -literal -offset indent
143 .Bl -tag -width "manually"
159 statement, and are especially useful to define non-persistent tables.
160 The contents of a pre-existing table defined without a list of addresses
170 .Bl -tag -width persist
191 flag enables per-address packet and byte counters which can be displayed with
197 .Bd -literal -offset indent
200 block on fxp0 from { <private>, <badhosts> } to any
205 A filter rule is set up to block all traffic coming from addresses listed in
211 .Bd -literal -offset indent
212 # pfctl -t badhosts -Tadd 204.92.77.111
217 .Bd -literal -offset indent
219 block on fxp0 from <spam> to any
234 name, a valid interface group or the
243 .Bl -tag -width xxxx
246 .Bl -tag -width "src.track" -compact
264 .Bl -tag -width xxxx -compact
289 .Bl -tag -width xxxx -compact
305 .Bl -tag -width xxxx -compact
321 .Bl -tag -width xxxx -compact
330 .Bl -tag -width xxxx -compact
335 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
349 When used on a per-rule basis, the values relate to the number of
354 .Bd -literal -offset indent
364 Enable collection of packet and byte count statistics for the given
365 interface or interface group.
367 .Bd -literal -offset indent
368 # pfctl -s info
374 .Bd -literal -offset indent
379 .Bd -literal -offset indent
389 .Bd -literal -offset indent
400 .Bd -literal -offset indent
411 .Bd -literal -offset indent
412 set limit src-nodes 2000
417 .Ar sticky-address
422 .Bd -literal -offset indent
423 set limit table-entries 100000
430 .Bd -literal -offset indent
431 set limit { states 20000, frags 20000, src-nodes 2000 }
433 .It Ar set ruleset-optimization
434 .Bl -tag -width xxxxxxxx -compact
443 .Bl -enum -compact
451 re-order the rules to improve evaluation performance
461 A side effect of the ruleset modification is that per-rule accounting
463 If per-rule accounting is important, for example for billing purposes,
467 Optimization can also be set as a command-line argument to
474 .Bl -tag -width xxxx -compact
478 .It Ar high-latency
479 A high-latency environment (such as a satellite connection).
482 .Ar high-latency .
495 .Bd -literal -offset indent
498 .It Ar set reassemble yes | no Op Cm no-df
507 .Cm no-df
509 .Dq dont-fragment
513 .Dq dont-fragment
518 This option is ignored if there are pre-FreeBSD 14
521 .It Ar set block-policy
523 .Ar block-policy
525 .Ar block
528 .Bl -tag -width xxxxxxxx -compact
539 .Bd -literal -offset indent
540 set block-policy return
542 .It Ar set fail-policy
544 .Ar fail-policy
547 This might happen when a nat or route-to rule uses an empty table as list
550 .Ar block
553 .Bl -tag -width xxxxxxxx -compact
564 .Bd -literal -offset indent
565 set fail-policy return
567 .It Ar set state-policy
569 .Ar state-policy
572 .Bl -tag -width group-bound -compact
573 .It Ar if-bound
580 .Bd -literal -offset indent
581 set state-policy if-bound
597 .Bl -tag -width adaptive -compact
604 is used up by half-open TCP connections, that is, those that saw the initial
607 .Bd -literal -offset indent
611 .It Ar set state-defaults
613 .Ar state-defaults
618 .Bd -literal -offset indent
619 set state-defaults no-sync
622 The 32-bit
628 By default the hostid is set to a pseudo-random value, however it may be
631 .Bd -literal -offset indent
636 .It Ar set require-order
648 There may be non-trivial and non-obvious implications to an out of
680 .Bl -tag -width xxxxxxxxxxxx -compact
701 .Ar block
713 .Bl -tag -width xxxx
714 .It Ar block
730 .Bl -tag -width xxxx
746 particular interface or interface group.
749 .Ic group
754 .It Ar bridge-to Aq interface
811 .Bl -tag -width xxxx
812 .It Ar no-df
814 .Ar dont-fragment
817 .Ar dont-fragment
822 .Ar dont-fragment
824 .Ar no-df
828 .Ar dont-fragment
831 .Ar dont-fragment
835 .Ar random-id
837 .Ar no-df
839 .It Ar min-ttl Aq Ar number
841 .It Ar max-mss Aq Ar number
843 .It Xo Ar set-tos Aq Ar string
864 .It Ar random-id
874 .Bl -tag -width timeout -compact
889 Also, observing several different timestamps can be used to count hosts
901 delayed for longer than it takes the connection to wrap its 32-bit sequence
921 .Bd -literal -offset indent
922 match in all scrub (no-df random-id max-mss 1440)
924 .Ss Scrub ruleset (pre-FreeBSD 14)
940 .Bl -tag -width xxxx
956 .Bd -literal -offset indent
996 .Ar block
1006 .Bl -tag -width xxxx
1069 supports both link-sharing and guaranteed real-time services.
1084 .Bl -tag -width xxxx
1130 should queue up to 5Mbps in four second-level queues using
1133 .Bd -literal -offset indent
1153 .Bl -tag -width xxxx
1195 .Bl -tag -width Fl
1217 .Bl -tag -width Fl
1226 .Bl -tag -width Fl
1287 .Bd -literal
1298 block return out on dc0 inet all queue std
1347 addresses and ports have been translated.
1355 .Ar block
1366 .Bl -tag -width xxxx
1367 .It Ar af-to
1370 .Ar af-to
1374 .Ar af-to
1386 part is 32-bit long.
1395 .Bd -literal -offset indent
1396 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1397 pass in inet af-to inet6 from 2001:db8::1
1406 .Bd -literal -offset indent
1407 pass in inet6 af-to inet from 198.51.100.1 to 0.0.0.0/0
1408 pass in inet6 af-to inet from 198.51.100.1
1433 .Bd -literal
1434 10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8)
1435 172.16.0.0 - 172.31.255.255 (i.e., 172.16/12)
1436 192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
1442 rules can optionally specify port ranges instead of single ports.
1443 rdr ... port 2000:2999 -> ... port 4000
1444 redirects ports 2000 to 2999 (inclusive) to port 4000.
1445 rdr ... port 2000:2999 -> ... port 4000:*
1450 source or destination ports for
1463 A random source port in the range 50001-65535 is chosen in this case; to
1507 .Bd -literal -offset indent
1508 rdr on ne3 inet proto tcp to port smtp -> 127.0.0.1 port spamd
1514 Unless this effect is desired, any of the local non-loopback addresses
1525 .Ar block
1547 .Ar block
1553 , rules are evaluated every time they match; the pass/block state of a packet
1559 .Bl -tag -width xxxx
1560 .It Ar block
1563 .Ar block
1569 .Ar block-policy
1570 option, or on a per-rule basis with one of the following options:
1572 .Bl -tag -width xxxx -compact
1575 .It Ar return-rst
1580 .It Ar return-icmp
1581 .It Ar return-icmp6
1598 The simplest mechanism to block everything by default and only pass
1600 .Bd -literal -offset indent
1601 block all
1606 block/pass state of a packet.
1609 .Ar block
1653 .Bd -literal -offset indent
1654 pass out inet proto icmp all icmp-type echoreq
1683 UDP packets are matched to states using only host addresses and ports,
1706 .Bl -tag -width xxxx
1779 particular interface or interface group.
1782 .Ic group
1814 addresses and ports.
1817 symbolic host names, interface names or interface group names, or as any
1820 .Bl -tag -width xxxxxxxxxxxxxx -compact
1823 .It Ar no-route
1825 .It Ar urpf-failed
1836 .Sq -
1839 .Dq 10.1.1.10 - 10.1.1.12
1843 Interface names and interface group names, and
1847 .Bl -tag -width xxxxxxxxxxxx -compact
1853 Translates to the point-to-point interface's peer address(es).
1861 v4 and non-link-local v6 address found.
1864 ruleset load-time.
1876 Ports can be specified either by number or by name.
1884 Ports and ranges of ports are specified by using these operators:
1885 .Bd -literal -offset indent
1903 .Bl -tag -width Fl
1906 .Sq all ports >= 2000 and <= 2004 ,
1907 hence ports 2000, 2001, 2002, 2003 and 2004.
1910 .Sq all ports > 2000 and < 2004 ,
1911 hence ports 2001, 2002 and 2003.
1914 .Sq all ports < 2000 or > 2004 ,
1915 hence ports 1-1999 and 2005-65535.
1927 .Bd -literal -offset indent
1938 .It Ar group Aq Ar group
1941 this rule only applies to packets of sockets owned by the specified group.
1949 the user and group are
1953 with the same user and group.
1957 User and group refer to the effective (as opposed to the real) IDs, in
1959 User and group IDs are stored when a socket is created;
1964 User and group IDs can be specified as either numbers or names.
1965 The syntax is similar to the one for ports.
1977 Forwarded packets with unknown user and group ID match only rules
1989 .Bd -literal -offset indent
1990 block out proto { tcp, udp } all
2010 .Bl -tag -width Fl
2032 .Pq non-SYN
2042 .Ar af-to,
2052 .It Xo Ar icmp-type Aq Ar type
2055 .It Xo Ar icmp6-type Aq Ar type
2068 .Ar icmp-type
2070 .Ar icmp6-type
2096 .Bd -literal -offset indent
2101 .It Ar allow-opts
2105 .Ar allow-opts
2119 pfctl -s labels
2120 shows per-rule statistics for rules that have labels.
2124 .Bl -tag -width $srcaddr -compact -offset indent
2142 .Bd -literal -offset indent
2149 .Bd -literal -offset indent
2177 .Bd -literal -offset indent
2193 .Bd -literal -offset indent
2197 .It Ar received-on Aq Ar interface
2200 (or interface group).
2239 .It Xo Ar divert-to Aq Ar host
2253 If a packet is re-injected and does not change direction then it will not be
2254 re-diverted.
2255 .It Ar divert-reply
2264 .Bd -literal -offset indent
2265 block in proto icmp probability 20%
2275 .Bl -tag -width xxxx
2276 .It Ar route-to
2278 .Ar route-to
2282 .Ar route-to
2287 .It Ar reply-to
2289 .Ar reply-to
2291 .Ar route-to ,
2295 .Ar reply-to
2300 .It Ar dup-to
2302 .Ar dup-to
2304 .Ar route-to .
2313 .Ar route-to ,
2314 .Ar reply-to
2316 .Ar dup-to
2321 .Bl -tag -width xxxx
2333 option selects an address at random within the defined block of addresses.
2334 .It Ar source-hash
2336 .Ar source-hash
2342 randomly generates a key for source-hash every time the
2344 .It Ar round-robin
2346 .Ar round-robin
2352 .It Ar static-port
2356 .Ar static-port
2360 .It Xo Ar map-e-portset Aq Ar psid-offset
2361 .No / Aq Ar psid-len
2367 .Ar map-e-portset
2368 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2369 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2371 to the map-e-portset nat rule.
2374 .Bd -literal -offset indent
2376 -> $ipv4_mape_src map-e-portset 6/8/0x34
2380 .It Ar endpoint-independent
2384 .Ar endpoint-independent
2389 This feature implements "full-cone" NAT behavior, in which any external host may reach the mapped port once a mapping exists.
2393 .Ar sticky-address
2399 .Ar round-robin
2427 .Bd -literal -offset indent
2428 block all
2470 completed the handshake, hence so-called SYN floods with spoofed source
2493 .Bd -literal -offset indent
2498 per-rule basis.
2507 .Bl -tag -width xxxx -compact
2512 .It Ar no-sync
2534 .It Ar allow-related
2541 .Bd -literal -offset indent
2544 (max 100, source-track rule, max-src-nodes 75, \e
2545 max-src-states 3, tcp.established 60, tcp.closing 5)
2549 .Ar source-track
2552 .Bl -tag -width xxxx -compact
2553 .It Ar source-track rule
2555 .Ar max-src-nodes
2557 .Ar max-src-states
2559 Only state entries created by this particular rule count toward the rule's
2561 .It Ar source-track global
2564 .Ar max-src-nodes
2566 .Ar max-src-states
2567 options; however, state entries created by any participating rule count towards
2573 .Bl -tag -width xxxx -compact
2574 .It Ar max-src-nodes Aq Ar number
2577 .It Ar max-src-states Aq Ar number
2583 which have completed the TCP 3-way handshake) can also be enforced
2586 .Bl -tag -width xxxx -compact
2587 .It Ar max-src-conn Aq Ar number
2589 completed the 3-way handshake that a single host can make.
2590 .It Xo Ar max-src-conn-rate Aq Ar number
2600 Because the 3-way handshake ensures that the source address is not being
2606 This table can be used in the ruleset to block further activity from
2626 by the block rule.
2627 .Bd -literal -offset indent
2628 block quick from <bad_hosts>
2630 (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
2661 .Ar no-df
2664 .Dl \&"OpenBSD 3.3 no-df\&"
2673 .Dl # pfctl -so
2686 .Bd -literal -offset indent
2688 block out proto tcp from any os Doors
2689 block out proto tcp from any os "Doors PT"
2690 block out proto tcp from any os "Doors PT SP3"
2691 block out from any os "unknown"
2710 directive expands to a set of filter rules which will block all
2716 .Bd -literal -offset indent
2721 .Bd -literal -offset indent
2722 block drop in on ! lo0 inet from 127.0.0.1/8 to any
2723 block drop in on ! lo0 inet6 from ::1 to any
2726 For non-loopback interfaces, there are additional rules to block incoming
2731 .Bd -literal -offset indent
2736 .Bd -literal -offset indent
2737 block drop in on ! wi0 inet from 10.0.0.0/24 to any
2738 block drop in inet from 10.0.0.1 to any
2755 to filter on things such as TCP ports or to perform NAT.
2787 .Bd -literal -offset indent
2850 .Bl -tag -width xxxx
2851 .It Ar nat-anchor Aq Ar name
2856 .It Ar rdr-anchor Aq Ar name
2861 .It Ar binat-anchor Aq Ar name
2914 .Bd -literal -offset indent
2916 block on $ext_if all
2928 .Bd -literal -offset indent
2929 # echo \&"block in quick from 1.2.3.4 to any\&" \&| \e
2930 pfctl -a spam -f -
2942 .Bd -literal -offset indent
2944 load anchor spam from "/etc/pf-spam.conf"
2952 .Pa /etc/pf-spam.conf
2963 .Bd -literal -offset indent
2964 block on $ext_if all
2976 .Bd -literal -offset indent
2977 # echo \&"block in quick from 1.2.3.4 to any" \&| \e
2978 pfctl -a spam -f -
2981 will only block connections from 1.2.3.4 to port 25.
2988 .Bd -literal -offset indent
3008 .Bd -literal -offset indent
3009 # echo ' anchor "spam/allowed" ' | pfctl -f -
3010 # echo -e ' anchor "../banned" \en pass' | \e
3011 pfctl -a spam/allowed -f -
3025 block.
3026 Brace-delimited blocks may contain rules or other brace-delimited blocks.
3028 .Bd -literal -offset indent
3049 It can match ports, track state and NAT SCTP traffic.
3056 .Bd -literal
3061 rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
3068 .Bd -literal
3069 rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \e
3081 .Bd -literal
3082 nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
3090 .Bd -literal
3093 nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
3098 .Bd -literal
3102 rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \e
3109 .Xr ftp-proxy 8 ,
3112 .Xr ftp-proxy 8
3114 .Xr ftp-proxy 8
3116 .Bd -literal
3120 nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
3126 nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e
3133 binat on $ext_if from 10.1.2.150 to any -> $ext_if
3137 binat on $peer_if from 172.21.16.0/20 to any -> 172.22.16.0/20
3143 -> 10.1.2.151 port 22
3145 -> 10.1.2.151 port 53
3149 # for proxying with ftp-proxy(8) running on port 8021.
3150 rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
3155 incoming web server connections to a group of web servers on the internal
3157 .Bd -literal
3161 # using the source-hash keyword.
3162 nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash
3165 # Translate incoming web server connections to a group of web servers on
3168 -> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3171 .Bd -literal
3182 # block and log everything by default
3183 block return log on $ext_if all
3185 # block anything coming from source we have no back routes for
3186 block in from no-route to any
3188 # block packets whose ingress interface does not match the one in
3190 block in from urpf-failed to any
3192 # block and log outgoing packets that do not have our address as source,
3195 block out log quick on $ext_if from ! 157.161.48.183 to any
3198 block in quick on $ext_if from any to 255.255.255.255
3200 # block and log incoming packets from reserved address space and invalid
3202 # them anyway (hence, no return-rst).
3203 block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \e
3213 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3234 block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e
3254 block out on $ext_if from any to any
3262 tag SPAMD -> 127.0.0.1 port spamd
3264 block in on $ext_if
3269 translates an internal IPv4 subnet to IPv6 using the well-known
3271 .Bd -literal -offset 4n
3272 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3278 .Bd -literal -offset 4n
3279 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3285 .Bd -literal
3286 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3287 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3288 trans-anchors | anchor-rule | anchor-close | load-anchor |
3289 table-rule | include )
3291 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3292 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3294 "high-latency" | "satellite" |
3296 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3297 [ "loginterface" ( interface-name | "none" ) ] |
3298 [ "block-policy" ( "drop" | "return" ) ] |
3299 [ "state-policy" ( "if-bound" | "floating" ) ]
3300 [ "state-defaults" state-opts ]
3301 [ "require-order" ( "yes" | "no" ) ]
3307 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3308 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3310 [ etherfilteropt-list ]
3312 pf-rule = action [ ( "in" | "out" ) ]
3315 hosts [ filteropt-list ]
3318 logopt = "all" | "matches" | "user" | "to" interface-name
3320 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3324 filteropt-list = filteropt-list filteropt | filteropt
3325 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3326 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3327 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3329 [ "(" state-opts ")" ] |
3330 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3331 "max-mss" number | "random-id" | "reassemble tcp" |
3332 fragmentation | "allow-opts" |
3340 [ ! ] "received-on" ( interface-name | interface-group )
3342 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3345 [ "->" ( redirhost | "{" redirhost-list "}" )
3346 [ portspec ] [ pooltype ] [ "static-port" ]
3347 [ "map-e-portset" number "/" number "/" number ] ]
3349 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3350 [ "on" interface-name ] [ af ]
3351 [ "proto" ( proto-name | proto-number ) ]
3352 "from" address [ "/" mask-bits ] "to" ipspec
3354 [ "->" address [ "/" mask-bits ] ]
3356 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3359 [ "->" ( redirhost | "{" redirhost-list "}" )
3362 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3366 table-rule = "table" "<" string ">" [ tableopts-list ]
3367 tableopts-list = tableopts-list tableopts | tableopts
3369 "{" [ tableaddr-list ] "}"
3370 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3371 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3373 ipv4-dotted-quad | ipv6-coloned-hex
3375 altq-rule = "altq on" interface-name queueopts-list
3377 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3380 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3381 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3383 anchor-close = "}"
3385 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3388 load-anchor = "load anchor" string "from" filename
3390 queueopts-list = queueopts-list queueopts | queueopts
3391 queueopts = [ "bandwidth" bandwidth-spec ] |
3394 schedulers = ( cbq-def | priq-def | hfsc-def )
3395 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3397 etheraction = "pass" | "block"
3398 action = "pass" | "match" | "block" [ return ] | [ "no" ] "scrub"
3399 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3400 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3401 "return-icmp6" [ "(" icmp6code ")" ]
3402 icmpcode = ( icmp-code-name | icmp-code-number )
3403 icmp6code = ( icmp6-code-name | icmp6-code-number )
3405 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3406 "{" interface-list "}"
3407 interface-list = [ "!" ] ( interface-name | interface-group )
3408 [ [ "," ] interface-list ]
3409 route = ( "route-to" | "reply-to" | "dup-to" )
3410 ( routehost | "{" routehost-list "}" )
3414 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3415 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3416 protospec = "proto" ( proto-name | proto-number |
3417 "{" proto-list "}" )
3418 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3424 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3425 "{" host-list "}" ) [ port ] [ os ]
3426 "to" ( "any" | "no-route" | "self" | host |
3427 "{" host-list "}" ) [ port ]
3429 ipspec = "any" | host | "{" host-list "}"
3430 host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
3431 redirhost = address [ "/" mask-bits ]
3432 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
3433 address = ( interface-name | interface-group |
3434 "(" ( interface-name | interface-group ) ")" |
3435 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3436 host-list = host [ [ "," ] host-list ]
3437 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3438 routehost-list = routehost [ [ "," ] routehost-list ]
3440 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3442 os = "os" ( os-name | "{" os-list "}" )
3443 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3444 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3446 unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
3448 binary-op = number ( "<>" | "><" | ":" ) number
3449 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3451 os-name = operating-system-name
3452 os-list = os-name [ [ "," ] os-list ]
3454 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3455 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3458 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3459 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3460 icmp-type-code = ( icmp-type-name | icmp-type-number )
3461 [ "code" ( icmp-code-name | icmp-code-number ) ]
3462 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3467 state-opts = state-opt [ [ "," ] state-opts ]
3468 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3469 "source-track" [ ( "rule" | "global" ) ] |
3470 "max-src-nodes" number | "max-src-states" number |
3471 "max-src-conn" number |
3472 "max-src-conn-rate" number "/" number |
3474 "if-bound" | "floating" | "pflow" )
3478 timeout-list = timeout [ [ "," ] timeout-list ]
3489 limit-list = limit-item [ [ "," ] limit-list ]
3490 limit-item = ( "states" | "frags" | "src-nodes" ) number
3493 "source-hash" [ ( hex-key | string-key ) ] |
3494 "round-robin" ) [ sticky-address ]
3496 subqueue = string | "{" queue-list "}"
3497 queue-list = string [ [ "," ] string ]
3498 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3499 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3500 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3501 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3502 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3503 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3504 linkshare-sc | realtime-sc | upperlimit-sc )
3505 linkshare-sc = "linkshare" sc-spec
3506 realtime-sc = "realtime" sc-spec
3507 upperlimit-sc = "upperlimit" sc-spec
3508 sc-spec = ( bandwidth-spec |
3509 "(" bandwidth-spec number bandwidth-spec ")" )
3513 .Bl -tag -width "/etc/protocols" -compact
3544 .Xr ftp-proxy 8 ,