
10 .\"    - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
81 .Ar set require-order
91 .Bd -literal -offset indent
105 .Bd -literal -offset indent
143 .Bl -tag -width "manually"
159 statement, and are especially useful for defining non-persistent tables.
160 The contents of a pre-existing table defined without a list of addresses
170 .Bl -tag -width persist
191 flag enables per-address packet and byte counters which can be displayed with
197 .Bd -literal -offset indent
211 .Bd -literal -offset indent
212 # pfctl -t badhosts -Tadd 204.92.77.111
217 .Bd -literal -offset indent
243 .Bl -tag -width xxxx
246 .Bl -tag -width "src.track" -compact
264 .Bl -tag -width xxxx -compact
289 .Bl -tag -width xxxx -compact
305 .Bl -tag -width xxxx -compact
321 .Bl -tag -width xxxx -compact
330 .Bl -tag -width xxxx -compact
334 All timeout values are scaled linearly with factor
335 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
349 When used on a per-rule basis, the values relate to the number of
354 .Bd -literal -offset indent
361 With 9000 state table entries, the timeout values are scaled to 50%
367 .Bd -literal -offset indent
368 # pfctl -s info
374 .Bd -literal -offset indent
379 .Bd -literal -offset indent
389 .Bd -literal -offset indent
400 .Bd -literal -offset indent
411 .Bd -literal -offset indent
412 set limit src-nodes 2000
417 .Ar sticky-address
422 .Bd -literal -offset indent
423 set limit table-entries 100000
430 .Bd -literal -offset indent
431 set limit { states 20000, frags 20000, src-nodes 2000 }
433 .It Ar set ruleset-optimization
434 .Bl -tag -width xxxxxxxx -compact
443 .Bl -enum -compact
451 re-order the rules to improve evaluation performance
461 A side effect of the ruleset modification is that per-rule accounting
463 If per-rule accounting is important for billing or similar purposes,
467 Optimization can also be set as a command-line argument to
474 .Bl -tag -width xxxx -compact
478 .It Ar high-latency
479 A high-latency environment (such as a satellite connection).
482 .Ar high-latency .
495 .Bd -literal -offset indent
498 .It Ar set reassemble yes | no Op Cm no-df
507 .Cm no-df
509 .Dq dont-fragment
513 .Dq dont-fragment
518 This option is ignored if there are pre-FreeBSD 14
521 .It Ar set block-policy
523 .Ar block-policy
528 .Bl -tag -width xxxxxxxx -compact
539 .Bd -literal -offset indent
540 set block-policy return
542 .It Ar set fail-policy
544 .Ar fail-policy
547 This might happen when a nat or route-to rule uses an empty table as list
553 .Bl -tag -width xxxxxxxx -compact
564 .Bd -literal -offset indent
565 set fail-policy return
567 .It Ar set state-policy
569 .Ar state-policy
572 .Bl -tag -width group-bound -compact
573 .It Ar if-bound
580 .Bd -literal -offset indent
581 set state-policy if-bound
597 .Bl -tag -width adaptive -compact
604 is used up by half-open TCP connections, that is, those that saw the initial
607 .Bd -literal -offset indent
611 .It Ar set state-defaults
613 .Ar state-defaults
618 .Bd -literal -offset indent
619 set state-defaults no-sync
622 The 32-bit
628 By default the hostid is set to a pseudo-random value; however, it may be
631 .Bd -literal -offset indent
636 .It Ar set require-order
648 There may be non-trivial and non-obvious implications to an out of
680 .Bl -tag -width xxxxxxxxxxxx -compact
713 .Bl -tag -width xxxx
730 .Bl -tag -width xxxx
754 .It Ar bridge-to Aq interface
811 .Bl -tag -width xxxx
812 .It Ar no-df
814 .Ar dont-fragment
817 .Ar dont-fragment
822 .Ar dont-fragment
824 .Ar no-df
828 .Ar dont-fragment
831 .Ar dont-fragment
835 .Ar random-id
837 .Ar no-df
839 .It Ar min-ttl Aq Ar number
841 .It Ar max-mss Aq Ar number
843 .It Xo Ar set-tos Aq Ar string
864 .It Ar random-id
874 .Bl -tag -width timeout -compact
901 delayed for longer than it takes the connection to wrap its 32-bit sequence
921 .Bd -literal -offset indent
922 match in all scrub (no-df random-id max-mss 1440)
924 .Ss Scrub ruleset (pre-FreeBSD 14)
940 .Bl -tag -width xxxx
956 .Bd -literal -offset indent
1006 .Bl -tag -width xxxx
1069 supports both link-sharing and guaranteed real-time services.
1084 .Bl -tag -width xxxx
1130 should queue up to 5Mbps in four second-level queues using
1133 .Bd -literal -offset indent
1153 .Bl -tag -width xxxx
1195 .Bl -tag -width Fl
1217 .Bl -tag -width Fl
1226 .Bl -tag -width Fl
1287 .Bd -literal
1366 .Bl -tag -width xxxx
1367 .It Ar af-to
1370 .Ar af-to
1374 .Ar af-to
1386 part is 32-bit long.
1395 .Bd -literal -offset indent
1396 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1397 pass in inet af-to inet6 from 2001:db8::1
1406 .Bd -literal -offset indent
1407 pass in inet6 af-to inet from 198.51.100.1 to 0.0.0.0/0
1408 pass in inet6 af-to inet from 198.51.100.1
1433 .Bd -literal
1434 10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8)
1435 172.16.0.0 - 172.31.255.255 (i.e., 172.16/12)
1436 192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
1443 rdr ... port 2000:2999 -> ... port 4000
1445 rdr ... port 2000:2999 -> ... port 4000:*
1463 A random source port in the range 50001-65535 is chosen in this case; to
1507 .Bd -literal -offset indent
1508 rdr on ne3 inet proto tcp to port smtp -> 127.0.0.1 port spamd
1514 Unless this effect is desired, any of the local non-loopback addresses
1559 .Bl -tag -width xxxx
1569 .Ar block-policy
1570 option, or on a per-rule basis with one of the following options:
1572 .Bl -tag -width xxxx -compact
1575 .It Ar return-rst
1580 .It Ar return-icmp
1581 .It Ar return-icmp6
1600 .Bd -literal -offset indent
1653 .Bd -literal -offset indent
1654 pass out inet proto icmp all icmp-type echoreq
1706 .Bl -tag -width xxxx
1820 .Bl -tag -width xxxxxxxxxxxxxx -compact
1823 .It Ar no-route
1825 .It Ar urpf-failed
1836 .Sq -
1839 .Dq 10.1.1.10 - 10.1.1.12
1847 .Bl -tag -width xxxxxxxxxxxx -compact
1853 Translates to the point-to-point interface's peer address(es).
1861 v4 and non-link-local v6 address found.
1864 ruleset load-time.
1885 .Bd -literal -offset indent
1903 .Bl -tag -width Fl
1915 hence ports 1-1999 and 2005-65535.
1927 .Bd -literal -offset indent
1989 .Bd -literal -offset indent
2010 .Bl -tag -width Fl
2032 .Pq non-SYN
2042 .Ar af-to,
2052 .It Xo Ar icmp-type Aq Ar type
2055 .It Xo Ar icmp6-type Aq Ar type
2068 .Ar icmp-type
2070 .Ar icmp6-type
2096 .Bd -literal -offset indent
2101 .It Ar allow-opts
2105 .Ar allow-opts
2119 pfctl -s labels
2120 shows per-rule statistics for rules that have labels.
2124 .Bl -tag -width $srcaddr -compact -offset indent
2142 .Bd -literal -offset indent
2149 .Bd -literal -offset indent
2177 .Bd -literal -offset indent
2193 .Bd -literal -offset indent
2197 .It Ar received-on Aq Ar interface
2239 .It Xo Ar divert-to Aq Ar host
2253 If a packet is re-injected and does not change direction, then it will not be
2254 re-diverted.
2255 .It Ar divert-reply
2264 .Bd -literal -offset indent
2275 .Bl -tag -width xxxx
2276 .It Ar route-to
2278 .Ar route-to
2282 .Ar route-to
2287 .It Ar reply-to
2289 .Ar reply-to
2291 .Ar route-to ,
2295 .Ar reply-to
2300 .It Ar dup-to
2302 .Ar dup-to
2304 .Ar route-to .
2313 .Ar route-to ,
2314 .Ar reply-to
2316 .Ar dup-to
2321 .Bl -tag -width xxxx
2334 .It Ar source-hash
2336 .Ar source-hash
2342 randomly generates a key for source-hash every time the
2344 .It Ar round-robin
2346 .Ar round-robin
2352 .It Ar static-port
2356 .Ar static-port
2360 .It Xo Ar map-e-portset Aq Ar psid-offset
2361 .No / Aq Ar psid-len
2367 .Ar map-e-portset
2368 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2369 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2371 to the map-e-portset nat rule.
2374 .Bd -literal -offset indent
2376 -> $ipv4_mape_src map-e-portset 6/8/0x34
2380 .It Ar endpoint-independent
2384 .Ar endpoint-independent
2389 This feature implements "full-cone" NAT behavior: while the mapping exists, the mapped address and port are reachable from any external host, not only the one originally contacted, so expose it deliberately.
2393 .Ar sticky-address
2399 .Ar round-robin
2427 .Bd -literal -offset indent
2470 completed the handshake, hence so-called SYN floods with spoofed source
2493 .Bd -literal -offset indent
2498 per-rule basis.
2507 .Bl -tag -width xxxx -compact
2512 .It Ar no-sync
2534 .It Ar allow-related
2541 .Bd -literal -offset indent
2544 (max 100, source-track rule, max-src-nodes 75, \e
2545 max-src-states 3, tcp.established 60, tcp.closing 5)
2549 .Ar source-track
2552 .Bl -tag -width xxxx -compact
2553 .It Ar source-track rule
2555 .Ar max-src-nodes
2557 .Ar max-src-states
2561 .It Ar source-track global
2564 .Ar max-src-nodes
2566 .Ar max-src-states
2573 .Bl -tag -width xxxx -compact
2574 .It Ar max-src-nodes Aq Ar number
2577 .It Ar max-src-states Aq Ar number
2583 which have completed the TCP 3-way handshake) can also be enforced
2586 .Bl -tag -width xxxx -compact
2587 .It Ar max-src-conn Aq Ar number
2589 completed the 3-way handshake that a single host can make.
2590 .It Xo Ar max-src-conn-rate Aq Ar number
2600 Because the 3-way handshake ensures that the source address is not being
2627 .Bd -literal -offset indent
2630 (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
2661 .Ar no-df
2664 .Dl \&"OpenBSD 3.3 no-df\&"
2673 .Dl # pfctl -so
2686 .Bd -literal -offset indent
2716 .Bd -literal -offset indent
2721 .Bd -literal -offset indent
2726 For non-loopback interfaces, there are additional rules to block incoming
2731 .Bd -literal -offset indent
2736 .Bd -literal -offset indent
2787 .Bd -literal -offset indent
2850 .Bl -tag -width xxxx
2851 .It Ar nat-anchor Aq Ar name
2856 .It Ar rdr-anchor Aq Ar name
2861 .It Ar binat-anchor Aq Ar name
2914 .Bd -literal -offset indent
2928 .Bd -literal -offset indent
2930 pfctl -a spam -f -
2942 .Bd -literal -offset indent
2944 load anchor spam from "/etc/pf-spam.conf"
2952 .Pa /etc/pf-spam.conf
2963 .Bd -literal -offset indent
2976 .Bd -literal -offset indent
2978 pfctl -a spam -f -
2988 .Bd -literal -offset indent
3008 .Bd -literal -offset indent
3009 # echo ' anchor "spam/allowed" ' | pfctl -f -
3010 # echo -e ' anchor "../banned" \en pass' | \e
3011 pfctl -a spam/allowed -f -
3026 Brace delimited blocks may contain rules or other brace-delimited blocks.
3028 .Bd -literal -offset indent
3056 .Bd -literal
3061 rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
3068 .Bd -literal
3069 rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \e
3081 .Bd -literal
3082 nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
3090 .Bd -literal
3093 nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
3098 .Bd -literal
3102 rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \e
3109 .Xr ftp-proxy 8 ,
3112 .Xr ftp-proxy 8
3114 .Xr ftp-proxy 8
3116 .Bd -literal
3120 nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
3126 nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e
3133 binat on $ext_if from 10.1.2.150 to any -> $ext_if
3137 binat on $peer_if from 172.21.16.0/20 to any -> 172.22.16.0/20
3143 -> 10.1.2.151 port 22
3145 -> 10.1.2.151 port 53
3149 # for proxying with ftp-proxy(8) running on port 8021.
3150 rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
3157 .Bd -literal
3161 # using the source-hash keyword.
3162 nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash
3168 -> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3171 .Bd -literal
3186 block in from no-route to any
3190 block in from urpf-failed to any
3202 # them anyway (hence, no return-rst).
3213 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3262 tag SPAMD -> 127.0.0.1 port spamd
3269 translates an internal IPv4 subnet to IPv6 using the well-known
3271 .Bd -literal -offset 4n
3272 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3278 .Bd -literal -offset 4n
3279 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3285 .Bd -literal
3286 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3287 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3288 trans-anchors | anchor-rule | anchor-close | load-anchor |
3289 table-rule | include )
3291 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3292 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3294 "high-latency" | "satellite" |
3296 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3297 [ "loginterface" ( interface-name | "none" ) ] |
3298 [ "block-policy" ( "drop" | "return" ) ] |
3299 [ "state-policy" ( "if-bound" | "floating" ) ]
3300 [ "state-defaults" state-opts ]
3301 [ "require-order" ( "yes" | "no" ) ]
3307 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3308 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3310 [ etherfilteropt-list ]
3312 pf-rule = action [ ( "in" | "out" ) ]
3315 hosts [ filteropt-list ]
3318 logopt = "all" | "matches" | "user" | "to" interface-name
3320 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3324 filteropt-list = filteropt-list filteropt | filteropt
3325 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3326 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3327 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3329 [ "(" state-opts ")" ] |
3330 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3331 "max-mss" number | "random-id" | "reassemble tcp" |
3332 fragmentation | "allow-opts" |
3340 [ ! ] "received-on" ( interface-name | interface-group )
3342 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3345 [ "->" ( redirhost | "{" redirhost-list "}" )
3346 [ portspec ] [ pooltype ] [ "static-port" ]
3347 [ "map-e-portset" number "/" number "/" number ] ]
3349 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3350 [ "on" interface-name ] [ af ]
3351 [ "proto" ( proto-name | proto-number ) ]
3352 "from" address [ "/" mask-bits ] "to" ipspec
3354 [ "->" address [ "/" mask-bits ] ]
3356 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3359 [ "->" ( redirhost | "{" redirhost-list "}" )
3362 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3366 table-rule = "table" "<" string ">" [ tableopts-list ]
3367 tableopts-list = tableopts-list tableopts | tableopts
3369 "{" [ tableaddr-list ] "}"
3370 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3371 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3373 ipv4-dotted-quad | ipv6-coloned-hex
3375 altq-rule = "altq on" interface-name queueopts-list
3377 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3380 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3381 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3383 anchor-close = "}"
3385 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3388 load-anchor = "load anchor" string "from" filename
3390 queueopts-list = queueopts-list queueopts | queueopts
3391 queueopts = [ "bandwidth" bandwidth-spec ] |
3394 schedulers = ( cbq-def | priq-def | hfsc-def )
3395 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3399 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3400 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3401 "return-icmp6" [ "(" icmp6code ")" ]
3402 icmpcode = ( icmp-code-name | icmp-code-number )
3403 icmp6code = ( icmp6-code-name | icmp6-code-number )
3405 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3406 "{" interface-list "}"
3407 interface-list = [ "!" ] ( interface-name | interface-group )
3408 [ [ "," ] interface-list ]
3409 route = ( "route-to" | "reply-to" | "dup-to" )
3410 ( routehost | "{" routehost-list "}" )
3414 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3415 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3416 protospec = "proto" ( proto-name | proto-number |
3417 "{" proto-list "}" )
3418 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3424 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3425 "{" host-list "}" ) [ port ] [ os ]
3426 "to" ( "any" | "no-route" | "self" | host |
3427 "{" host-list "}" ) [ port ]
3429 ipspec = "any" | host | "{" host-list "}"
3430 host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
3431 redirhost = address [ "/" mask-bits ]
3432 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
3433 address = ( interface-name | interface-group |
3434 "(" ( interface-name | interface-group ) ")" |
3435 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3436 host-list = host [ [ "," ] host-list ]
3437 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3438 routehost-list = routehost [ [ "," ] routehost-list ]
3440 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3442 os = "os" ( os-name | "{" os-list "}" )
3443 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3444 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3446 unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
3448 binary-op = number ( "<>" | "><" | ":" ) number
3449 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3451 os-name = operating-system-name
3452 os-list = os-name [ [ "," ] os-list ]
3454 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3455 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3458 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3459 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3460 icmp-type-code = ( icmp-type-name | icmp-type-number )
3461 [ "code" ( icmp-code-name | icmp-code-number ) ]
3462 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3467 state-opts = state-opt [ [ "," ] state-opts ]
3468 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3469 "source-track" [ ( "rule" | "global" ) ] |
3470 "max-src-nodes" number | "max-src-states" number |
3471 "max-src-conn" number |
3472 "max-src-conn-rate" number "/" number |
3474 "if-bound" | "floating" | "pflow" )
3478 timeout-list = timeout [ [ "," ] timeout-list ]
3489 limit-list = limit-item [ [ "," ] limit-list ]
3490 limit-item = ( "states" | "frags" | "src-nodes" ) number
3493 "source-hash" [ ( hex-key | string-key ) ] |
3494 "round-robin" ) [ sticky-address ]
3496 subqueue = string | "{" queue-list "}"
3497 queue-list = string [ [ "," ] string ]
3498 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3499 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3500 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3501 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3502 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3503 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3504 linkshare-sc | realtime-sc | upperlimit-sc )
3505 linkshare-sc = "linkshare" sc-spec
3506 realtime-sc = "realtime" sc-spec
3507 upperlimit-sc = "upperlimit" sc-spec
3508 sc-spec = ( bandwidth-spec |
3509 "(" bandwidth-spec number bandwidth-spec ")" )
3513 .Bl -tag -width "/etc/protocols" -compact
3544 .Xr ftp-proxy 8 ,