1.\" $FreeBSD$ 2.\" $OpenBSD: pf.conf.5,v 1.406 2009/01/31 19:37:12 sobrado Exp $ 3.\" 4.\" Copyright (c) 2002, Daniel Hartmeier 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 11.\" - Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" - Redistributions in binary form must reproduce the above 14.\" copyright notice, this list of conditions and the following 15.\" disclaimer in the documentation and/or other materials provided 16.\" with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29.\" POSSIBILITY OF SUCH DAMAGE. 30.\" 31.Dd November 24, 2022 32.Dt PF.CONF 5 33.Os 34.Sh NAME 35.Nm pf.conf 36.Nd packet filter configuration file 37.Sh DESCRIPTION 38The 39.Xr pf 4 40packet filter modifies, drops or passes packets according to rules or 41definitions specified in 42.Nm pf.conf . 43.Sh STATEMENT ORDER 44There are eight types of statements in 45.Nm pf.conf : 46.Bl -tag -width xxxx 47.It Cm Macros 48User-defined variables may be defined and used later, simplifying 49the configuration file. 50Macros must be defined before they are referenced in 51.Nm pf.conf . 52.It Cm Tables 53Tables provide a mechanism for increasing the performance and flexibility of 54rules with large numbers of source or destination addresses. 55.It Cm Options 56Options tune the behaviour of the packet filtering engine. 57.It Cm Ethernet Filtering 58Ethernet filtering provides rule-based blocking or passing of Ethernet packets. 59.It Cm Traffic Normalization Li (e.g. Em scrub ) 60Traffic normalization protects internal machines against inconsistencies 61in Internet protocols and implementations. 62.It Cm Queueing 63Queueing provides rule-based bandwidth control. 64.It Cm Translation Li (Various forms of NAT) 65Translation rules specify how addresses are to be mapped or redirected to 66other addresses. 67.It Cm Packet Filtering 68Packet filtering provides rule-based blocking or passing of packets. 69.El 70.Pp 71With the exception of 72.Cm macros 73and 74.Cm tables , 75the types of statements should be grouped and appear in 76.Nm pf.conf 77in the order shown above, as this matches the operation of the underlying 78packet filtering engine. 79By default 80.Xr pfctl 8 81enforces this order (see 82.Ar set require-order 83below). 84.Pp 85Comments can be put anywhere in the file using a hash mark 86.Pq Sq # , 87and extend to the end of the current line. 88.Pp 89Additional configuration files can be included with the 90.Ic include 91keyword, for example: 92.Bd -literal -offset indent 93include "/etc/pf/sub.filter.conf" 94.Ed 95.Sh MACROS 96Macros can be defined that will later be expanded in context. 97Macro names must start with a letter, and may contain letters, digits 98and underscores. 99Macro names may not be reserved words (for example 100.Ar pass , 101.Ar in , 102.Ar out ) . 103Macros are not expanded inside quotes. 104.Pp 105For example, 106.Bd -literal -offset indent 107ext_if = \&"kue0\&" 108all_ifs = \&"{\&" $ext_if lo0 \&"}\&" 109pass out on $ext_if from any to any 110pass in on $ext_if proto tcp from any to any port 25 111.Ed 112.Sh TABLES 113Tables are named structures which can hold a collection of addresses and 114networks. 115Lookups against tables in 116.Xr pf 4 117are relatively fast, making a single rule with tables much more efficient, 118in terms of 119processor usage and memory consumption, than a large number of rules which 120differ only in IP address (either created explicitly or automatically by rule 121expansion). 122.Pp 123Tables can be used as the source or destination of filter rules, 124.Ar scrub 125rules 126or 127translation rules such as 128.Ar nat 129or 130.Ar rdr 131(see below for details on the various rule types). 132Tables can also be used for the redirect address of 133.Ar nat 134and 135.Ar rdr 136rules and in the routing options of filter rules, but only for 137.Ar round-robin 138pools. 139.Pp 140Tables can be defined with any of the following 141.Xr pfctl 8 142mechanisms. 143As with macros, reserved words may not be used as table names. 144.Bl -tag -width "manually" 145.It Ar manually 146Persistent tables can be manually created with the 147.Ar add 148or 149.Ar replace 150option of 151.Xr pfctl 8 , 152before or after the ruleset has been loaded. 153.It Pa pf.conf 154Table definitions can be placed directly in this file, and loaded at the 155same time as other rules are loaded, atomically. 156Table definitions inside 157.Nm pf.conf 158use the 159.Ar table 160statement, and are especially useful to define non-persistent tables. 161The contents of a pre-existing table defined without a list of addresses 162to initialize it is not altered when 163.Nm pf.conf 164is loaded. 165A table initialized with the empty list, 166.Li { } , 167will be cleared on load. 168.El 169.Pp 170Tables may be defined with the following attributes: 171.Bl -tag -width persist 172.It Ar persist 173The 174.Ar persist 175flag forces the kernel to keep the table even when no rules refer to it. 176If the flag is not set, the kernel will automatically remove the table 177when the last rule referring to it is flushed. 178.It Ar const 179The 180.Ar const 181flag prevents the user from altering the contents of the table once it 182has been created. 183Without that flag, 184.Xr pfctl 8 185can be used to add or remove addresses from the table at any time, even 186when running with 187.Xr securelevel 7 188= 2. 189.It Ar counters 190The 191.Ar counters 192flag enables per-address packet and byte counters which can be displayed with 193.Xr pfctl 8 . 194Note that this feature carries significant memory overhead for large tables. 195.El 196.Pp 197For example, 198.Bd -literal -offset indent 199table \*(Ltprivate\*(Gt const { 10/8, 172.16/12, 192.168/16 } 200table \*(Ltbadhosts\*(Gt persist 201block on fxp0 from { \*(Ltprivate\*(Gt, \*(Ltbadhosts\*(Gt } to any 202.Ed 203.Pp 204creates a table called private, to hold RFC 1918 private network 205blocks, and a table called badhosts, which is initially empty. 206A filter rule is set up to block all traffic coming from addresses listed in 207either table. 208The private table cannot have its contents changed and the badhosts table 209will exist even when no active filter rules reference it. 210Addresses may later be added to the badhosts table, so that traffic from 211these hosts can be blocked by using 212.Bd -literal -offset indent 213# pfctl -t badhosts -Tadd 204.92.77.111 214.Ed 215.Pp 216A table can also be initialized with an address list specified in one or more 217external files, using the following syntax: 218.Bd -literal -offset indent 219table \*(Ltspam\*(Gt persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&" 220block on fxp0 from \*(Ltspam\*(Gt to any 221.Ed 222.Pp 223The files 224.Pa /etc/spammers 225and 226.Pa /etc/openrelays 227list IP addresses, one per line. 228Any lines beginning with a # are treated as comments and ignored. 229In addition to being specified by IP address, hosts may also be 230specified by their hostname. 231When the resolver is called to add a hostname to a table, 232.Em all 233resulting IPv4 and IPv6 addresses are placed into the table. 234IP addresses can also be entered in a table by specifying a valid interface 235name, a valid interface group or the 236.Em self 237keyword, in which case all addresses assigned to the interface(s) will be 238added to the table. 239.Sh OPTIONS 240.Xr pf 4 241may be tuned for various situations using the 242.Ar set 243command. 244.Bl -tag -width xxxx 245.It Ar set timeout 246.Pp 247.Bl -tag -width "src.track" -compact 248.It Ar interval 249Interval between purging expired states and fragments. 250.It Ar frag 251Seconds before an unassembled fragment is expired. 252.It Ar src.track 253Length of time to retain a source tracking entry after the last state 254expires. 255.El 256.Pp 257When a packet matches a stateful connection, the seconds to live for the 258connection will be updated to that of the 259.Ar proto.modifier 260which corresponds to the connection state. 261Each packet which matches this state will reset the TTL. 262Tuning these values may improve the performance of the 263firewall at the risk of dropping valid idle connections. 264.Pp 265.Bl -tag -width xxxx -compact 266.It Ar tcp.first 267The state after the first packet. 268.It Ar tcp.opening 269The state before the destination host ever sends a packet. 270.It Ar tcp.established 271The fully established state. 272.It Ar tcp.closing 273The state after the first FIN has been sent. 274.It Ar tcp.finwait 275The state after both FINs have been exchanged and the connection is closed. 276Some hosts (notably web servers on Solaris) send TCP packets even after closing 277the connection. 278Increasing 279.Ar tcp.finwait 280(and possibly 281.Ar tcp.closing ) 282can prevent blocking of such packets. 283.It Ar tcp.closed 284The state after one endpoint sends an RST. 285.El 286.Pp 287ICMP and UDP are handled in a fashion similar to TCP, but with a much more 288limited set of states: 289.Pp 290.Bl -tag -width xxxx -compact 291.It Ar udp.first 292The state after the first packet. 293.It Ar udp.single 294The state if the source host sends more than one packet but the destination 295host has never sent one back. 296.It Ar udp.multiple 297The state if both hosts have sent packets. 298.It Ar icmp.first 299The state after the first packet. 300.It Ar icmp.error 301The state after an ICMP error came back in response to an ICMP packet. 302.El 303.Pp 304Other protocols are handled similarly to UDP: 305.Pp 306.Bl -tag -width xxxx -compact 307.It Ar other.first 308.It Ar other.single 309.It Ar other.multiple 310.El 311.Pp 312Timeout values can be reduced adaptively as the number of state table 313entries grows. 314.Pp 315.Bl -tag -width xxxx -compact 316.It Ar adaptive.start 317When the number of state entries exceeds this value, adaptive scaling 318begins. 319All timeout values are scaled linearly with factor 320(adaptive.end - number of states) / (adaptive.end - adaptive.start). 321.It Ar adaptive.end 322When reaching this number of state entries, all timeout values become 323zero, effectively purging all state entries immediately. 324This value is used to define the scale factor, it should not actually 325be reached (set a lower state limit, see below). 326.El 327.Pp 328Adaptive timeouts are enabled by default, with an adaptive.start value 329equal to 60% of the state limit, and an adaptive.end value equal to 330120% of the state limit. 331They can be disabled by setting both adaptive.start and adaptive.end to 0. 332.Pp 333The adaptive timeout values can be defined both globally and for each rule. 334When used on a per-rule basis, the values relate to the number of 335states created by the rule, otherwise to the total number of 336states. 337.Pp 338For example: 339.Bd -literal -offset indent 340set timeout tcp.first 120 341set timeout tcp.established 86400 342set timeout { adaptive.start 6000, adaptive.end 12000 } 343set limit states 10000 344.Ed 345.Pp 346With 9000 state table entries, the timeout values are scaled to 50% 347(tcp.first 60, tcp.established 43200). 348.It Ar set loginterface 349Enable collection of packet and byte count statistics for the given 350interface or interface group. 351These statistics can be viewed using 352.Bd -literal -offset indent 353# pfctl -s info 354.Ed 355.Pp 356In this example 357.Xr pf 4 358collects statistics on the interface named dc0: 359.Bd -literal -offset indent 360set loginterface dc0 361.Ed 362.Pp 363One can disable the loginterface using: 364.Bd -literal -offset indent 365set loginterface none 366.Ed 367.It Ar set limit 368Sets hard limits on the memory pools used by the packet filter. 369See 370.Xr zone 9 371for an explanation of memory pools. 372.Pp 373For example, 374.Bd -literal -offset indent 375set limit states 20000 376.Ed 377.Pp 378sets the maximum number of entries in the memory pool used by state table 379entries (generated by 380.Ar pass 381rules which do not specify 382.Ar no state ) 383to 20000. 384Using 385.Bd -literal -offset indent 386set limit frags 20000 387.Ed 388.Pp 389sets the maximum number of entries in the memory pool used for fragment 390reassembly (generated by 391.Ar scrub 392rules) to 20000. 393Using 394.Bd -literal -offset indent 395set limit src-nodes 2000 396.Ed 397.Pp 398sets the maximum number of entries in the memory pool used for tracking 399source IP addresses (generated by the 400.Ar sticky-address 401and 402.Ar src.track 403options) to 2000. 404Using 405.Bd -literal -offset indent 406set limit tables 1000 407set limit table-entries 100000 408.Ed 409.Pp 410sets limits on the memory pools used by tables. 411The first limits the number of tables that can exist to 1000. 412The second limits the overall number of addresses that can be stored 413in tables to 100000. 414.Pp 415Various limits can be combined on a single line: 416.Bd -literal -offset indent 417set limit { states 20000, frags 20000, src-nodes 2000 } 418.Ed 419.It Ar set ruleset-optimization 420.Bl -tag -width xxxxxxxx -compact 421.It Ar none 422Disable the ruleset optimizer. 423.It Ar basic 424Enable basic ruleset optimization. 425This is the default behaviour. 426Basic ruleset optimization does four things to improve the 427performance of ruleset evaluations: 428.Pp 429.Bl -enum -compact 430.It 431remove duplicate rules 432.It 433remove rules that are a subset of another rule 434.It 435combine multiple rules into a table when advantageous 436.It 437re-order the rules to improve evaluation performance 438.El 439.Pp 440.It Ar profile 441Uses the currently loaded ruleset as a feedback profile to tailor the 442ordering of quick rules to actual network traffic. 443.El 444.Pp 445It is important to note that the ruleset optimizer will modify the ruleset 446to improve performance. 447A side effect of the ruleset modification is that per-rule accounting 448statistics will have different meanings than before. 449If per-rule accounting is important for billing purposes or whatnot, 450either the ruleset optimizer should not be used or a label field should 451be added to all of the accounting rules to act as optimization barriers. 452.Pp 453Optimization can also be set as a command-line argument to 454.Xr pfctl 8 , 455overriding the settings in 456.Nm . 457.It Ar set optimization 458Optimize state timeouts for one of the following network environments: 459.Pp 460.Bl -tag -width xxxx -compact 461.It Ar normal 462A normal network environment. 463Suitable for almost all networks. 464.It Ar high-latency 465A high-latency environment (such as a satellite connection). 466.It Ar satellite 467Alias for 468.Ar high-latency . 469.It Ar aggressive 470Aggressively expire connections. 471This can greatly reduce the memory usage of the firewall at the cost of 472dropping idle connections early. 473.It Ar conservative 474Extremely conservative settings. 475Avoid dropping legitimate connections at the 476expense of greater memory utilization (possibly much greater on a busy 477network) and slightly increased processor utilization. 478.El 479.Pp 480For example: 481.Bd -literal -offset indent 482set optimization aggressive 483.Ed 484.It Ar set block-policy 485The 486.Ar block-policy 487option sets the default behaviour for the packet 488.Ar block 489action: 490.Pp 491.Bl -tag -width xxxxxxxx -compact 492.It Ar drop 493Packet is silently dropped. 494.It Ar return 495A TCP RST is returned for blocked TCP packets, 496an ICMP UNREACHABLE is returned for blocked UDP packets, 497and all other packets are silently dropped. 498.El 499.Pp 500For example: 501.Bd -literal -offset indent 502set block-policy return 503.Ed 504.It Ar set fail-policy 505The 506.Ar fail-policy 507option sets the behaviour of rules which should pass a packet but were 508unable to do so. 509This might happen when a nat or route-to rule uses an empty table as list 510of targets or if a rule fails to create state or source node. 511The following 512.Ar block 513actions are possible: 514.Pp 515.Bl -tag -width xxxxxxxx -compact 516.It Ar drop 517Incoming packet is silently dropped. 518.It Ar return 519Incoming packet is dropped and TCP RST is returned for TCP packets, 520an ICMP UNREACHABLE is returned for UDP packets, 521and no response is sent for other packets. 522.El 523.Pp 524For example: 525.Bd -literal -offset indent 526set fail-policy return 527.Ed 528.It Ar set state-policy 529The 530.Ar state-policy 531option sets the default behaviour for states: 532.Pp 533.Bl -tag -width group-bound -compact 534.It Ar if-bound 535States are bound to interface. 536.It Ar floating 537States can match packets on any interfaces (the default). 538.El 539.Pp 540For example: 541.Bd -literal -offset indent 542set state-policy if-bound 543.Ed 544.It Ar set syncookies never | always | adaptive 545When 546.Cm syncookies 547are active, pf will answer each incoming TCP SYN with a syncookie SYNACK, 548without allocating any resources. 549Upon reception of the client's ACK in response to the syncookie 550SYNACK, pf will evaluate the ruleset and create state if the ruleset 551permits it, complete the three way handshake with the target host and 552continue the connection with synproxy in place. 553This allows pf to be resilient against large synflood attacks which would 554run the state table against its limits otherwise. 555Due to the blind answers to every incoming SYN syncookies share the caveats of 556synproxy, namely seemingly accepting connections that will be dropped later on. 557.Pp 558.Bl -tag -width adaptive -compact 559.It Cm never 560pf will never send syncookie SYNACKs (the default). 561.It Cm always 562pf will always send syncookie SYNACKs. 563.It Cm adaptive 564pf will enable syncookie mode when a given percentage of the state table 565is used up by half-open TCP connections, as in, those that saw the initial 566SYN but didn't finish the three way handshake. 567The thresholds for entering and leaving syncookie mode can be specified using 568.Bd -literal -offset indent 569set syncookies adaptive (start 25%, end 12%) 570.Ed 571.El 572.It Ar set state-defaults 573The 574.Ar state-defaults 575option sets the state options for states created from rules 576without an explicit 577.Ar keep state . 578For example: 579.Bd -literal -offset indent 580set state-defaults no-sync 581.Ed 582.It Ar set hostid 583The 32-bit 584.Ar hostid 585identifies this firewall's state table entries to other firewalls 586in a 587.Xr pfsync 4 588failover cluster. 589By default the hostid is set to a pseudo-random value, however it may be 590desirable to manually configure it, for example to more easily identify the 591source of state table entries. 592.Bd -literal -offset indent 593set hostid 1 594.Ed 595.Pp 596The hostid may be specified in either decimal or hexadecimal. 597.It Ar set require-order 598By default 599.Xr pfctl 8 600enforces an ordering of the statement types in the ruleset to: 601.Em options , 602.Em normalization , 603.Em queueing , 604.Em translation , 605.Em filtering . 606Setting this option to 607.Ar no 608disables this enforcement. 609There may be non-trivial and non-obvious implications to an out of 610order ruleset. 611Consider carefully before disabling the order enforcement. 612.It Ar set fingerprints 613Load fingerprints of known operating systems from the given filename. 614By default fingerprints of known operating systems are automatically 615loaded from 616.Xr pf.os 5 617in 618.Pa /etc 619but can be overridden via this option. 620Setting this option may leave a small period of time where the fingerprints 621referenced by the currently active ruleset are inconsistent until the new 622ruleset finishes loading. 623.Pp 624For example: 625.Pp 626.Dl set fingerprints \&"/etc/pf.os.devel\&" 627.It Ar set skip on Aq Ar ifspec 628List interfaces for which packets should not be filtered. 629Packets passing in or out on such interfaces are passed as if pf was 630disabled, i.e. pf does not process them in any way. 631This can be useful on loopback and other virtual interfaces, when 632packet filtering is not desired and can have unexpected effects. 633For example: 634.Pp 635.Dl set skip on lo0 636.It Ar set debug 637Set the debug 638.Ar level 639to one of the following: 640.Pp 641.Bl -tag -width xxxxxxxxxxxx -compact 642.It Ar none 643Don't generate debug messages. 644.It Ar urgent 645Generate debug messages only for serious errors. 646.It Ar misc 647Generate debug messages for various errors. 648.It Ar loud 649Generate debug messages for common conditions. 650.El 651.It Ar set keepcounters 652Preserve rule counters across rule updates. 653Usually rule counters are reset to zero on every update of the ruleset. 654With 655.Ar keepcounters 656set pf will attempt to find matching rules between old and new rulesets 657and preserve the rule counters. 658.El 659.Sh ETHERNET FILTERING 660.Xr pf 4 661has the ability to 662.Ar block 663and 664.Ar pass 665packets based on attributes of their Ethernet (layer 2) header. 666.Pp 667For each packet processed by the packet filter, the filter rules are 668evaluated in sequential order, from first to last. 669The last matching rule decides what action is taken. 670If no rule matches the packet, the default action is to pass 671the packet. 672.Pp 673The folliwing actions can be used in the filter: 674.Bl -tag -width xxxx 675.It Ar block 676The packet is blocked. 677Unlike for layer 3 traffic the packet is always silently dropped. 678.It Ar pass 679The packet is passed; 680no state is created for layer 2 traffic. 681.El 682.Sh PARAMETERS 683The rule parameters specify the packets to which a rule applies. 684A packet always comes in on, or goes out through, one interface. 685Most parameters are optional. 686If a parameter is specified, the rule only applies to packets with 687matching attributes. 688Certain parameters can be expressed as lists, in which case 689.Xr pfctl 8 690generates all needed rule combinations. 691.Bl -tag -width xxxx 692.It Ar in No or Ar out 693This rule applies to incoming or outgoing packets. 694If neither 695.Ar in 696nor 697.Ar out 698are specified, the rule will match packets in both directions. 699.It Ar quick 700If a packet matches a rule which has the 701.Ar quick 702option set, this rule 703is considered the last matching rule, and evaluation of subsequent rules 704is skipped. 705.It Ar on Aq Ar interface 706This rule applies only to packets coming in on, or going out through, this 707particular interface or interface group. 708For more information on interface groups, 709see the 710.Ic group 711keyword in 712.Xr ifconfig 8 . 713.It Ar bridge-to Aq interface 714Packets matching this rule will be sent out of the specified interface without 715futher processing. 716.It Ar proto Aq Ar protocol 717This rule applies only to packets of this protocol. 718Note that Ethernet protocol numbers are different from those used in 719.Xr ip 4 720and 721.Xr ip6 4 . 722.It Xo 723.Ar from Aq Ar source 724.Ar to Aq Ar dest 725.Xc 726This rule applies only to packets with the specified source and destination 727MAC addresses. 728.It Xo Ar queue Aq Ar queue 729.Xc 730Packets matching this rule will be assigned to the specified queue. 731See 732.Sx QUEUEING 733for setup details. 734.Pp 735.It Ar tag Aq Ar string 736Packets matching this rule will be tagged with the 737specified string. 738The tag acts as an internal marker that can be used to 739identify these packets later on. 740This can be used, for example, to provide trust between 741interfaces and to determine if packets have been 742processed by translation rules. 743Tags are 744.Qq sticky , 745meaning that the packet will be tagged even if the rule 746is not the last matching rule. 747Further matching rules can replace the tag with a 748new one but will not remove a previously applied tag. 749A packet is only ever assigned one tag at a time. 750.It Ar tagged Aq Ar string 751Used to specify that packets must already be tagged with the given tag in order 752to match the rule. 753Inverse tag matching can also be done by specifying the ! operator before the 754tagged keyword. 755.Sh TRAFFIC NORMALIZATION 756Traffic normalization is used to sanitize packet content in such 757a way that there are no ambiguities in packet interpretation on 758the receiving side. 759The normalizer does IP fragment reassembly to prevent attacks 760that confuse intrusion detection systems by sending overlapping 761IP fragments. 762Packet normalization is invoked with the 763.Ar scrub 764directive. 765.Pp 766.Ar scrub 767has the following options: 768.Bl -tag -width xxxx 769.It Ar no-df 770Clears the 771.Ar dont-fragment 772bit from a matching IP packet. 773Some operating systems are known to generate fragmented packets with the 774.Ar dont-fragment 775bit set. 776This is particularly true with NFS. 777.Ar Scrub 778will drop such fragmented 779.Ar dont-fragment 780packets unless 781.Ar no-df 782is specified. 783.Pp 784Unfortunately some operating systems also generate their 785.Ar dont-fragment 786packets with a zero IP identification field. 787Clearing the 788.Ar dont-fragment 789bit on packets with a zero IP ID may cause deleterious results if an 790upstream router later fragments the packet. 791Using the 792.Ar random-id 793modifier (see below) is recommended in combination with the 794.Ar no-df 795modifier to ensure unique IP identifiers. 796.It Ar min-ttl Aq Ar number 797Enforces a minimum TTL for matching IP packets. 798.It Ar max-mss Aq Ar number 799Enforces a maximum MSS for matching TCP packets. 800.It Xo Ar set-tos Aq Ar string 801.No \*(Ba Aq Ar number 802.Xc 803Enforces a 804.Em TOS 805for matching IP packets. 806.Em TOS 807may be 808given as one of 809.Ar critical , 810.Ar inetcontrol , 811.Ar lowdelay , 812.Ar netcontrol , 813.Ar throughput , 814.Ar reliability , 815or one of the DiffServ Code Points: 816.Ar ef , 817.Ar va , 818.Ar af11 No ... Ar af43 , 819.Ar cs0 No ... Ar cs7 ; 820or as either hex or decimal. 821.It Ar random-id 822Replaces the IP identification field with random values to compensate 823for predictable values generated by many hosts. 824This option only applies to packets that are not fragmented 825after the optional fragment reassembly. 826.It Ar fragment reassemble 827Using 828.Ar scrub 829rules, fragments can be reassembled by normalization. 830In this case, fragments are buffered until they form a complete 831packet, and only the completed packet is passed on to the filter. 832The advantage is that filter rules have to deal only with complete 833packets, and can ignore fragments. 834The drawback of caching fragments is the additional memory cost. 835This is the default behaviour unless no fragment reassemble is specified. 836.It Ar no fragment reassemble 837Do not reassemble fragments. 838.It Ar reassemble tcp 839Statefully normalizes TCP connections. 840.Ar scrub reassemble tcp 841rules may not have the direction (in/out) specified. 842.Ar reassemble tcp 843performs the following normalizations: 844.Pp 845.Bl -tag -width timeout -compact 846.It ttl 847Neither side of the connection is allowed to reduce their IP TTL. 848An attacker may send a packet such that it reaches the firewall, affects 849the firewall state, and expires before reaching the destination host. 850.Ar reassemble tcp 851will raise the TTL of all packets back up to the highest value seen on 852the connection. 853.It timestamp modulation 854Modern TCP stacks will send a timestamp on every TCP packet and echo 855the other endpoint's timestamp back to them. 856Many operating systems will merely start the timestamp at zero when 857first booted, and increment it several times a second. 858The uptime of the host can be deduced by reading the timestamp and multiplying 859by a constant. 860Also observing several different timestamps can be used to count hosts 861behind a NAT device. 862And spoofing TCP packets into a connection requires knowing or guessing 863valid timestamps. 864Timestamps merely need to be monotonically increasing and not derived off a 865guessable base time. 866.Ar reassemble tcp 867will cause 868.Ar scrub 869to modulate the TCP timestamps with a random number. 870.It extended PAWS checks 871There is a problem with TCP on long fat pipes, in that a packet might get 872delayed for longer than it takes the connection to wrap its 32-bit sequence 873space. 874In such an occurrence, the old packet would be indistinguishable from a 875new packet and would be accepted as such. 876The solution to this is called PAWS: Protection Against Wrapped Sequence 877numbers. 878It protects against it by making sure the timestamp on each packet does 879not go backwards. 880.Ar reassemble tcp 881also makes sure the timestamp on the packet does not go forward more 882than the RFC allows. 883By doing this, 884.Xr pf 4 885artificially extends the security of TCP sequence numbers by 10 to 18 886bits when the host uses appropriately randomized timestamps, since a 887blind attacker would have to guess the timestamp as well. 888.El 889.El 890.Pp 891For example, 892.Bd -literal -offset indent 893scrub in on $ext_if all fragment reassemble 894.Ed 895.Pp 896The 897.Ar no 898option prefixed to a scrub rule causes matching packets to remain unscrubbed, 899much in the same way as 900.Ar drop quick 901works in the packet filter (see below). 902This mechanism should be used when it is necessary to exclude specific packets 903from broader scrub rules. 904.Sh QUEUEING with ALTQ 905The ALTQ system is currently not available in the GENERIC kernel nor as 906loadable modules. 907In order to use the herein after called queueing options one has to use a 908custom built kernel. 909Please refer to 910.Xr altq 4 911to learn about the related kernel options. 912.Pp 913Packets can be assigned to queues for the purpose of bandwidth 914control. 915At least two declarations are required to configure queues, and later 916any packet filtering rule can reference the defined queues by name. 917During the filtering component of 918.Nm pf.conf , 919the last referenced 920.Ar queue 921name is where any packets from 922.Ar pass 923rules will be queued, while for 924.Ar block 925rules it specifies where any resulting ICMP or TCP RST 926packets should be queued. 927The 928.Ar scheduler 929defines the algorithm used to decide which packets get delayed, dropped, or 930sent out immediately. 931There are three 932.Ar schedulers 933currently supported. 934.Bl -tag -width xxxx 935.It Ar cbq 936Class Based Queueing. 937.Ar Queues 938attached to an interface build a tree, thus each 939.Ar queue 940can have further child 941.Ar queues . 942Each queue can have a 943.Ar priority 944and a 945.Ar bandwidth 946assigned. 947.Ar Priority 948mainly controls the time packets take to get sent out, while 949.Ar bandwidth 950has primarily effects on throughput. 951.Ar cbq 952achieves both partitioning and sharing of link bandwidth 953by hierarchically structured classes. 954Each class has its own 955.Ar queue 956and is assigned its share of 957.Ar bandwidth . 958A child class can borrow bandwidth from its parent class 959as long as excess bandwidth is available 960(see the option 961.Ar borrow , 962below). 963.It Ar priq 964Priority Queueing. 965.Ar Queues 966are flat attached to the interface, thus, 967.Ar queues 968cannot have further child 969.Ar queues . 970Each 971.Ar queue 972has a unique 973.Ar priority 974assigned, ranging from 0 to 15. 975Packets in the 976.Ar queue 977with the highest 978.Ar priority 979are processed first. 980.It Ar hfsc 981Hierarchical Fair Service Curve. 982.Ar Queues 983attached to an interface build a tree, thus each 984.Ar queue 985can have further child 986.Ar queues . 987Each queue can have a 988.Ar priority 989and a 990.Ar bandwidth 991assigned. 992.Ar Priority 993mainly controls the time packets take to get sent out, while 994.Ar bandwidth 995primarily affects throughput. 996.Ar hfsc 997supports both link-sharing and guaranteed real-time services. 998It employs a service curve based QoS model, 999and its unique feature is an ability to decouple 1000.Ar delay 1001and 1002.Ar bandwidth 1003allocation. 1004.El 1005.Pp 1006The interfaces on which queueing should be activated are declared using 1007the 1008.Ar altq on 1009declaration. 1010.Ar altq on 1011has the following keywords: 1012.Bl -tag -width xxxx 1013.It Aq Ar interface 1014Queueing is enabled on the named interface. 1015.It Aq Ar scheduler 1016Specifies which queueing scheduler to use. 1017Currently supported values 1018are 1019.Ar cbq 1020for Class Based Queueing, 1021.Ar priq 1022for Priority Queueing and 1023.Ar hfsc 1024for the Hierarchical Fair Service Curve scheduler. 1025.It Ar bandwidth Aq Ar bw 1026The maximum bitrate for all queues on an 1027interface may be specified using the 1028.Ar bandwidth 1029keyword. 1030The value can be specified as an absolute value or as a 1031percentage of the interface bandwidth. 1032When using an absolute value, the suffixes 1033.Ar b , 1034.Ar Kb , 1035.Ar Mb , 1036and 1037.Ar Gb 1038are used to represent bits, kilobits, megabits, and 1039gigabits per second, respectively. 1040The value must not exceed the interface bandwidth. 1041If 1042.Ar bandwidth 1043is not specified, the interface bandwidth is used 1044(but take note that some interfaces do not know their bandwidth, 1045or can adapt their bandwidth rates). 1046.It Ar qlimit Aq Ar limit 1047The maximum number of packets held in the queue. 1048The default is 50. 1049.It Ar tbrsize Aq Ar size 1050Adjusts the size, in bytes, of the token bucket regulator. 1051If not specified, heuristics based on the 1052interface bandwidth are used to determine the size. 1053.It Ar queue Aq Ar list 1054Defines a list of subqueues to create on an interface. 1055.El 1056.Pp 1057In the following example, the interface dc0 1058should queue up to 5Mbps in four second-level queues using 1059Class Based Queueing. 1060Those four queues will be shown in a later example. 1061.Bd -literal -offset indent 1062altq on dc0 cbq bandwidth 5Mb queue { std, http, mail, ssh } 1063.Ed 1064.Pp 1065Once interfaces are activated for queueing using the 1066.Ar altq 1067directive, a sequence of 1068.Ar queue 1069directives may be defined. 1070The name associated with a 1071.Ar queue 1072must match a queue defined in the 1073.Ar altq 1074directive (e.g. mail), or, except for the 1075.Ar priq 1076.Ar scheduler , 1077in a parent 1078.Ar queue 1079declaration. 1080The following keywords can be used: 1081.Bl -tag -width xxxx 1082.It Ar on Aq Ar interface 1083Specifies the interface the queue operates on. 1084If not given, it operates on all matching interfaces. 1085.It Ar bandwidth Aq Ar bw 1086Specifies the maximum bitrate to be processed by the queue. 1087This value must not exceed the value of the parent 1088.Ar queue 1089and can be specified as an absolute value or a percentage of the parent 1090queue's bandwidth. 1091If not specified, defaults to 100% of the parent queue's bandwidth. 1092The 1093.Ar priq 1094scheduler does not support bandwidth specification. 1095.It Ar priority Aq Ar level 1096Between queues a priority level can be set. 1097For 1098.Ar cbq 1099and 1100.Ar hfsc , 1101the range is 0 to 7 and for 1102.Ar priq , 1103the range is 0 to 15. 1104The default for all is 1. 1105.Ar Priq 1106queues with a higher priority are always served first. 1107.Ar Cbq 1108and 1109.Ar Hfsc 1110queues with a higher priority are preferred in the case of overload. 1111.It Ar qlimit Aq Ar limit 1112The maximum number of packets held in the queue. 1113The default is 50. 1114.El 1115.Pp 1116The 1117.Ar scheduler 1118can get additional parameters with 1119.Xo Aq Ar scheduler 1120.Pf ( Aq Ar parameters ) . 1121.Xc 1122Parameters are as follows: 1123.Bl -tag -width Fl 1124.It Ar default 1125Packets not matched by another queue are assigned to this one. 1126Exactly one default queue is required. 1127.It Ar red 1128Enable RED (Random Early Detection) on this queue. 1129RED drops packets with a probability proportional to the average 1130queue length. 1131.It Ar rio 1132Enables RIO on this queue. 1133RIO is RED with IN/OUT, thus running 1134RED two times more than RIO would achieve the same effect. 1135RIO is currently not supported in the GENERIC kernel. 1136.It Ar ecn 1137Enables ECN (Explicit Congestion Notification) on this queue. 1138ECN implies RED. 1139.El 1140.Pp 1141The 1142.Ar cbq 1143.Ar scheduler 1144supports an additional option: 1145.Bl -tag -width Fl 1146.It Ar borrow 1147The queue can borrow bandwidth from the parent. 1148.El 1149.Pp 1150The 1151.Ar hfsc 1152.Ar scheduler 1153supports some additional options: 1154.Bl -tag -width Fl 1155.It Ar realtime Aq Ar sc 1156The minimum required bandwidth for the queue. 1157.It Ar upperlimit Aq Ar sc 1158The maximum allowed bandwidth for the queue. 1159.It Ar linkshare Aq Ar sc 1160The bandwidth share of a backlogged queue. 1161.El 1162.Pp 1163.Aq Ar sc 1164is an acronym for 1165.Ar service curve . 1166.Pp 1167The format for service curve specifications is 1168.Ar ( m1 , d , m2 ) . 1169.Ar m2 1170controls the bandwidth assigned to the queue. 1171.Ar m1 1172and 1173.Ar d 1174are optional and can be used to control the initial bandwidth assignment. 1175For the first 1176.Ar d 1177milliseconds the queue gets the bandwidth given as 1178.Ar m1 , 1179afterwards the value given in 1180.Ar m2 . 1181.Pp 1182Furthermore, with 1183.Ar cbq 1184and 1185.Ar hfsc , 1186child queues can be specified as in an 1187.Ar altq 1188declaration, thus building a tree of queues using a part of 1189their parent's bandwidth. 1190.Pp 1191Packets can be assigned to queues based on filter rules by using the 1192.Ar queue 1193keyword. 1194Normally only one 1195.Ar queue 1196is specified; when a second one is specified it will instead be used for 1197packets which have a 1198.Em TOS 1199of 1200.Em lowdelay 1201and for TCP ACKs with no data payload. 1202.Pp 1203To continue the previous example, the examples below would specify the 1204four referenced 1205queues, plus a few child queues. 1206Interactive 1207.Xr ssh 1 1208sessions get priority over bulk transfers like 1209.Xr scp 1 1210and 1211.Xr sftp 1 . 1212The queues may then be referenced by filtering rules (see 1213.Sx PACKET FILTERING 1214below). 1215.Bd -literal 1216queue std bandwidth 10% cbq(default) 1217queue http bandwidth 60% priority 2 cbq(borrow red) \e 1218 { employees, developers } 1219queue developers bandwidth 75% cbq(borrow) 1220queue employees bandwidth 15% 1221queue mail bandwidth 10% priority 0 cbq(borrow ecn) 1222queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk } 1223queue ssh_interactive bandwidth 50% priority 7 cbq(borrow) 1224queue ssh_bulk bandwidth 50% priority 0 cbq(borrow) 1225 1226block return out on dc0 inet all queue std 1227pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e 1228 queue developers 1229pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e 1230 queue employees 1231pass out on dc0 inet proto tcp from any to any port 22 \e 1232 queue(ssh_bulk, ssh_interactive) 1233pass out on dc0 inet proto tcp from any to any port 25 \e 1234 queue mail 1235.Ed 1236.Sh QUEUEING with dummynet 1237Queueing can also be done with 1238.Xr dummynet 4 . 1239Queues and pipes can be created with 1240.Xr dnctl 8 . 1241.Pp 1242Packets can be assigned to queues and pipes using 1243.Ar dnqueue 1244and 1245.Ar dnpipe 1246respectively. 1247.Pp 1248Both 1249.Ar dnqueue 1250and 1251.Ar dnpipe 1252take either a single pipe or queue number or two numbers as arguments. 1253The first pipe or queue number will be used to shape the traffic in the rule 1254direction, the second will be used to shape the traffic in the reverse 1255direction. 1256If the rule does not specify a direction the first packet to create state will 1257be shaped according to the first number, and the response traffic according to 1258the second. 1259.Pp 1260If the 1261.Xr dummynet 4 1262module is not loaded any traffic sent into a queue or pipe will be dropped. 1263.Sh TRANSLATION 1264Translation rules modify either the source or destination address of the 1265packets associated with a stateful connection. 1266A stateful connection is automatically created to track packets matching 1267such a rule as long as they are not blocked by the filtering section of 1268.Nm pf.conf . 1269The translation engine modifies the specified address and/or port in the 1270packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to 1271the packet filter for evaluation. 1272.Pp 1273Since translation occurs before filtering the filter 1274engine will see packets as they look after any 1275addresses and ports have been translated. 1276Filter rules will therefore have to filter based on the translated 1277address and port number. 1278Packets that match a translation rule are only automatically passed if 1279the 1280.Ar pass 1281modifier is given, otherwise they are 1282still subject to 1283.Ar block 1284and 1285.Ar pass 1286rules. 1287.Pp 1288The state entry created permits 1289.Xr pf 4 1290to keep track of the original address for traffic associated with that state 1291and correctly direct return traffic for that connection. 1292.Pp 1293Various types of translation are possible with pf: 1294.Bl -tag -width xxxx 1295.It Ar binat 1296A 1297.Ar binat 1298rule specifies a bidirectional mapping between an external IP netblock 1299and an internal IP netblock. 1300.It Ar nat 1301A 1302.Ar nat 1303rule specifies that IP addresses are to be changed as the packet 1304traverses the given interface. 1305This technique allows one or more IP addresses 1306on the translating host to support network traffic for a larger range of 1307machines on an "inside" network. 1308Although in theory any IP address can be used on the inside, it is strongly 1309recommended that one of the address ranges defined by RFC 1918 be used. 1310These netblocks are: 1311.Bd -literal 131210.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8) 1313172.16.0.0 - 172.31.255.255 (i.e., 172.16/12) 1314192.168.0.0 - 192.168.255.255 (i.e., 192.168/16) 1315.Ed 1316.It Pa rdr 1317The packet is redirected to another destination and possibly a 1318different port. 1319.Ar rdr 1320rules can optionally specify port ranges instead of single ports. 1321rdr ... port 2000:2999 -\*(Gt ... port 4000 1322redirects ports 2000 to 2999 (inclusive) to port 4000. 1323rdr ... port 2000:2999 -\*(Gt ... port 4000:* 1324redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999. 1325.El 1326.Pp 1327In addition to modifying the address, some translation rules may modify 1328source or destination ports for 1329.Xr tcp 4 1330or 1331.Xr udp 4 1332connections; implicitly in the case of 1333.Ar nat 1334rules and explicitly in the case of 1335.Ar rdr 1336rules. 1337Port numbers are never translated with a 1338.Ar binat 1339rule. 1340.Pp 1341Evaluation order of the translation rules is dependent on the type 1342of the translation rules and of the direction of a packet. 1343.Ar binat 1344rules are always evaluated first. 1345Then either the 1346.Ar rdr 1347rules are evaluated on an inbound packet or the 1348.Ar nat 1349rules on an outbound packet. 1350Rules of the same type are evaluated in the same order in which they 1351appear in the ruleset. 1352The first matching rule decides what action is taken. 1353.Pp 1354The 1355.Ar no 1356option prefixed to a translation rule causes packets to remain untranslated, 1357much in the same way as 1358.Ar drop quick 1359works in the packet filter (see below). 1360If no rule matches the packet it is passed to the filter engine unmodified. 1361.Pp 1362Translation rules apply only to packets that pass through 1363the specified interface, and if no interface is specified, 1364translation is applied to packets on all interfaces. 1365For instance, redirecting port 80 on an external interface to an internal 1366web server will only work for connections originating from the outside. 1367Connections to the address of the external interface from local hosts will 1368not be redirected, since such packets do not actually pass through the 1369external interface. 1370Redirections cannot reflect packets back through the interface they arrive 1371on, they can only be redirected to hosts connected to different interfaces 1372or to the firewall itself. 1373.Pp 1374Note that redirecting external incoming connections to the loopback 1375address, as in 1376.Bd -literal -offset indent 1377rdr on ne3 inet proto tcp to port smtp -\*(Gt 127.0.0.1 port spamd 1378.Ed 1379.Pp 1380will effectively allow an external host to connect to daemons 1381bound solely to the loopback address, circumventing the traditional 1382blocking of such connections on a real interface. 1383Unless this effect is desired, any of the local non-loopback addresses 1384should be used as redirection target instead, which allows external 1385connections only to daemons bound to this address or not bound to 1386any address. 1387.Pp 1388See 1389.Sx TRANSLATION EXAMPLES 1390below. 1391.Sh PACKET FILTERING 1392.Xr pf 4 1393has the ability to 1394.Ar block 1395, 1396.Ar pass 1397and 1398.Ar match 1399packets based on attributes of their layer 3 (see 1400.Xr ip 4 1401and 1402.Xr ip6 4 ) 1403and layer 4 (see 1404.Xr icmp 4 , 1405.Xr icmp6 4 , 1406.Xr tcp 4 , 1407.Xr udp 4 ) 1408headers. 1409In addition, packets may also be 1410assigned to queues for the purpose of bandwidth control. 1411.Pp 1412For each packet processed by the packet filter, the filter rules are 1413evaluated in sequential order, from first to last. 1414For 1415.Ar block 1416and 1417.Ar pass 1418, the last matching rule decides what action is taken. 1419For 1420.Ar match 1421, rules are evaulated every time they match; the pass/block state of a packet 1422remains unchanged. 1423If no rule matches the packet, the default action is to pass 1424the packet. 1425.Pp 1426The following actions can be used in the filter: 1427.Bl -tag -width xxxx 1428.It Ar block 1429The packet is blocked. 1430There are a number of ways in which a 1431.Ar block 1432rule can behave when blocking a packet. 1433The default behaviour is to 1434.Ar drop 1435packets silently, however this can be overridden or made 1436explicit either globally, by setting the 1437.Ar block-policy 1438option, or on a per-rule basis with one of the following options: 1439.Pp 1440.Bl -tag -width xxxx -compact 1441.It Ar drop 1442The packet is silently dropped. 1443.It Ar return-rst 1444This applies only to 1445.Xr tcp 4 1446packets, and issues a TCP RST which closes the 1447connection. 1448.It Ar return-icmp 1449.It Ar return-icmp6 1450This causes ICMP messages to be returned for packets which match the rule. 1451By default this is an ICMP UNREACHABLE message, however this 1452can be overridden by specifying a message as a code or number. 1453.It Ar return 1454This causes a TCP RST to be returned for 1455.Xr tcp 4 1456packets and an ICMP UNREACHABLE for UDP and other packets. 1457.El 1458.Pp 1459Options returning ICMP packets currently have no effect if 1460.Xr pf 4 1461operates on a 1462.Xr if_bridge 4 , 1463as the code to support this feature has not yet been implemented. 1464.Pp 1465The simplest mechanism to block everything by default and only pass 1466packets that match explicit rules is specify a first filter rule of: 1467.Bd -literal -offset indent 1468block all 1469.Ed 1470.It Ar match 1471The packet is matched. 1472This mechanism is used to provide fine grained filtering without altering the 1473block/pass state of a packet. 1474.Ar match 1475rules differ from 1476.Ar block 1477and 1478.Ar pass 1479rules in that parameters are set every time a packet matches the rule, not only 1480on the last matching rule. 1481For the following parameters, this means that the parameter effectively becomes 1482"sticky" until explicitly overridden: 1483.Ar queue , 1484.Ar dnpipe , 1485.Ar dnqueue 1486. 1487.It Ar pass 1488The packet is passed; 1489state is created unless the 1490.Ar no state 1491option is specified. 1492.El 1493.Pp 1494By default 1495.Xr pf 4 1496filters packets statefully; the first time a packet matches a 1497.Ar pass 1498rule, a state entry is created; for subsequent packets the filter checks 1499whether the packet matches any state. 1500If it does, the packet is passed without evaluation of any rules. 1501After the connection is closed or times out, the state entry is automatically 1502removed. 1503.Pp 1504This has several advantages. 1505For TCP connections, comparing a packet to a state involves checking 1506its sequence numbers, as well as TCP timestamps if a 1507.Ar scrub reassemble tcp 1508rule applies to the connection. 1509If these values are outside the narrow windows of expected 1510values, the packet is dropped. 1511This prevents spoofing attacks, such as when an attacker sends packets with 1512a fake source address/port but does not know the connection's sequence 1513numbers. 1514Similarly, 1515.Xr pf 4 1516knows how to match ICMP replies to states. 1517For example, 1518.Bd -literal -offset indent 1519pass out inet proto icmp all icmp-type echoreq 1520.Ed 1521.Pp 1522allows echo requests (such as those created by 1523.Xr ping 8 ) 1524out statefully, and matches incoming echo replies correctly to states. 1525.Pp 1526Also, looking up states is usually faster than evaluating rules. 1527If there are 50 rules, all of them are evaluated sequentially in O(n). 1528Even with 50000 states, only 16 comparisons are needed to match a 1529state, since states are stored in a binary search tree that allows 1530searches in O(log2 n). 1531.Pp 1532Furthermore, correct handling of ICMP error messages is critical to 1533many protocols, particularly TCP. 1534.Xr pf 4 1535matches ICMP error messages to the correct connection, checks them against 1536connection parameters, and passes them if appropriate. 1537For example if an ICMP source quench message referring to a stateful TCP 1538connection arrives, it will be matched to the state and get passed. 1539.Pp 1540Finally, state tracking is required for 1541.Ar nat , binat No and Ar rdr 1542rules, in order to track address and port translations and reverse the 1543translation on returning packets. 1544.Pp 1545.Xr pf 4 1546will also create state for other protocols which are effectively stateless by 1547nature. 1548UDP packets are matched to states using only host addresses and ports, 1549and other protocols are matched to states using only the host addresses. 1550.Pp 1551If stateless filtering of individual packets is desired, 1552the 1553.Ar no state 1554keyword can be used to specify that state will not be created 1555if this is the last matching rule. 1556A number of parameters can also be set to affect how 1557.Xr pf 4 1558handles state tracking. 1559See 1560.Sx STATEFUL TRACKING OPTIONS 1561below for further details. 1562.Sh PARAMETERS 1563The rule parameters specify the packets to which a rule applies. 1564A packet always comes in on, or goes out through, one interface. 1565Most parameters are optional. 1566If a parameter is specified, the rule only applies to packets with 1567matching attributes. 1568Certain parameters can be expressed as lists, in which case 1569.Xr pfctl 8 1570generates all needed rule combinations. 1571.Bl -tag -width xxxx 1572.It Ar in No or Ar out 1573This rule applies to incoming or outgoing packets. 1574If neither 1575.Ar in 1576nor 1577.Ar out 1578are specified, the rule will match packets in both directions. 1579.It Ar log 1580In addition to the action specified, a log message is generated. 1581Only the packet that establishes the state is logged, 1582unless the 1583.Ar no state 1584option is specified. 1585The logged packets are sent to a 1586.Xr pflog 4 1587interface, by default 1588.Ar pflog0 . 1589This interface is monitored by the 1590.Xr pflogd 8 1591logging daemon, which dumps the logged packets to the file 1592.Pa /var/log/pflog 1593in 1594.Xr pcap 3 1595binary format. 1596.It Ar log (all) 1597Used to force logging of all packets for a connection. 1598This is not necessary when 1599.Ar no state 1600is explicitly specified. 1601As with 1602.Ar log , 1603packets are logged to 1604.Xr pflog 4 . 1605.It Ar log (user) 1606Logs the 1607.Ux 1608user ID of the user that owns the socket and the PID of the process that 1609has the socket open where the packet is sourced from or destined to 1610(depending on which socket is local). 1611This is in addition to the normal information logged. 1612.Pp 1613Only the first packet 1614logged via 1615.Ar log (all, user) 1616will have the user credentials logged when using stateful matching. 1617.It Ar log (to Aq Ar interface ) 1618Send logs to the specified 1619.Xr pflog 4 1620interface instead of 1621.Ar pflog0 . 1622.It Ar quick 1623If a packet matches a rule which has the 1624.Ar quick 1625option set, this rule 1626is considered the last matching rule, and evaluation of subsequent rules 1627is skipped. 1628.It Ar on Aq Ar interface 1629This rule applies only to packets coming in on, or going out through, this 1630particular interface or interface group. 1631For more information on interface groups, 1632see the 1633.Ic group 1634keyword in 1635.Xr ifconfig 8 . 1636.It Aq Ar af 1637This rule applies only to packets of this address family. 1638Supported values are 1639.Ar inet 1640and 1641.Ar inet6 . 1642.It Ar proto Aq Ar protocol 1643This rule applies only to packets of this protocol. 1644Common protocols are 1645.Xr icmp 4 , 1646.Xr icmp6 4 , 1647.Xr tcp 4 , 1648and 1649.Xr udp 4 . 1650For a list of all the protocol name to number mappings used by 1651.Xr pfctl 8 , 1652see the file 1653.Pa /etc/protocols . 1654.It Xo 1655.Ar from Aq Ar source 1656.Ar port Aq Ar source 1657.Ar os Aq Ar source 1658.Ar to Aq Ar dest 1659.Ar port Aq Ar dest 1660.Xc 1661This rule applies only to packets with the specified source and destination 1662addresses and ports. 1663.Pp 1664Addresses can be specified in CIDR notation (matching netblocks), as 1665symbolic host names, interface names or interface group names, or as any 1666of the following keywords: 1667.Pp 1668.Bl -tag -width xxxxxxxxxxxxxx -compact 1669.It Ar any 1670Any address. 1671.It Ar no-route 1672Any address which is not currently routable. 1673.It Ar urpf-failed 1674Any source address that fails a unicast reverse path forwarding (URPF) 1675check, i.e. packets coming in on an interface other than that which holds 1676the route back to the packet's source address. 1677.It Aq Ar table 1678Any address that matches the given table. 1679.El 1680.Pp 1681Ranges of addresses are specified by using the 1682.Sq - 1683operator. 1684For instance: 1685.Dq 10.1.1.10 - 10.1.1.12 1686means all addresses from 10.1.1.10 to 10.1.1.12, 1687hence addresses 10.1.1.10, 10.1.1.11, and 10.1.1.12. 1688.Pp 1689Interface names and interface group names can have modifiers appended: 1690.Pp 1691.Bl -tag -width xxxxxxxxxxxx -compact 1692.It Ar :network 1693Translates to the network(s) attached to the interface. 1694.It Ar :broadcast 1695Translates to the interface's broadcast address(es). 1696.It Ar :peer 1697Translates to the point-to-point interface's peer address(es). 1698.It Ar :0 1699Do not include interface aliases. 1700.El 1701.Pp 1702Host names may also have the 1703.Ar :0 1704option appended to restrict the name resolution to the first of each 1705v4 and non-link-local v6 address found. 1706.Pp 1707Host name resolution and interface to address translation are done at 1708ruleset load-time. 1709When the address of an interface (or host name) changes (under DHCP or PPP, 1710for instance), the ruleset must be reloaded for the change to be reflected 1711in the kernel. 1712Surrounding the interface name (and optional modifiers) in parentheses 1713changes this behaviour. 1714When the interface name is surrounded by parentheses, the rule is 1715automatically updated whenever the interface changes its address. 1716The ruleset does not need to be reloaded. 1717This is especially useful with 1718.Ar nat . 1719.Pp 1720Ports can be specified either by number or by name. 1721For example, port 80 can be specified as 1722.Em www . 1723For a list of all port name to number mappings used by 1724.Xr pfctl 8 , 1725see the file 1726.Pa /etc/services . 1727.Pp 1728Ports and ranges of ports are specified by using these operators: 1729.Bd -literal -offset indent 1730= (equal) 1731!= (unequal) 1732\*(Lt (less than) 1733\*(Le (less than or equal) 1734\*(Gt (greater than) 1735\*(Ge (greater than or equal) 1736: (range including boundaries) 1737\*(Gt\*(Lt (range excluding boundaries) 1738\*(Lt\*(Gt (except range) 1739.Ed 1740.Pp 1741.Sq \*(Gt\*(Lt , 1742.Sq \*(Lt\*(Gt 1743and 1744.Sq \&: 1745are binary operators (they take two arguments). 1746For instance: 1747.Bl -tag -width Fl 1748.It Ar port 2000:2004 1749means 1750.Sq all ports \*(Ge 2000 and \*(Le 2004 , 1751hence ports 2000, 2001, 2002, 2003 and 2004. 1752.It Ar port 2000 \*(Gt\*(Lt 2004 1753means 1754.Sq all ports \*(Gt 2000 and \*(Lt 2004 , 1755hence ports 2001, 2002 and 2003. 1756.It Ar port 2000 \*(Lt\*(Gt 2004 1757means 1758.Sq all ports \*(Lt 2000 or \*(Gt 2004 , 1759hence ports 1-1999 and 2005-65535. 1760.El 1761.Pp 1762The operating system of the source host can be specified in the case of TCP 1763rules with the 1764.Ar OS 1765modifier. 1766See the 1767.Sx OPERATING SYSTEM FINGERPRINTING 1768section for more information. 1769.Pp 1770The host, port and OS specifications are optional, as in the following examples: 1771.Bd -literal -offset indent 1772pass in all 1773pass in from any to any 1774pass in proto tcp from any port \*(Le 1024 to any 1775pass in proto tcp from any to any port 25 1776pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e 1777 to ! 10.1.2.3 port != ssh 1778pass in proto tcp from any os "OpenBSD" 1779.Ed 1780.It Ar all 1781This is equivalent to "from any to any". 1782.It Ar group Aq Ar group 1783Similar to 1784.Ar user , 1785this rule only applies to packets of sockets owned by the specified group. 1786.It Ar user Aq Ar user 1787This rule only applies to packets of sockets owned by the specified user. 1788For outgoing connections initiated from the firewall, this is the user 1789that opened the connection. 1790For incoming connections to the firewall itself, this is the user that 1791listens on the destination port. 1792For forwarded connections, where the firewall is not a connection endpoint, 1793the user and group are 1794.Em unknown . 1795.Pp 1796All packets, both outgoing and incoming, of one connection are associated 1797with the same user and group. 1798Only TCP and UDP packets can be associated with users; for other protocols 1799these parameters are ignored. 1800.Pp 1801User and group refer to the effective (as opposed to the real) IDs, in 1802case the socket is created by a setuid/setgid process. 1803User and group IDs are stored when a socket is created; 1804when a process creates a listening socket as root (for instance, by 1805binding to a privileged port) and subsequently changes to another 1806user ID (to drop privileges), the credentials will remain root. 1807.Pp 1808User and group IDs can be specified as either numbers or names. 1809The syntax is similar to the one for ports. 1810The value 1811.Em unknown 1812matches packets of forwarded connections. 1813.Em unknown 1814can only be used with the operators 1815.Cm = 1816and 1817.Cm != . 1818Other constructs like 1819.Cm user \*(Ge unknown 1820are invalid. 1821Forwarded packets with unknown user and group ID match only rules 1822that explicitly compare against 1823.Em unknown 1824with the operators 1825.Cm = 1826or 1827.Cm != . 1828For instance 1829.Cm user \*(Ge 0 1830does not match forwarded packets. 1831The following example allows only selected users to open outgoing 1832connections: 1833.Bd -literal -offset indent 1834block out proto { tcp, udp } all 1835pass out proto { tcp, udp } all user { \*(Lt 1000, dhartmei } 1836.Ed 1837.It Xo Ar flags Aq Ar a 1838.Pf / Ns Aq Ar b 1839.No \*(Ba / Ns Aq Ar b 1840.No \*(Ba any 1841.Xc 1842This rule only applies to TCP packets that have the flags 1843.Aq Ar a 1844set out of set 1845.Aq Ar b . 1846Flags not specified in 1847.Aq Ar b 1848are ignored. 1849For stateful connections, the default is 1850.Ar flags S/SA . 1851To indicate that flags should not be checked at all, specify 1852.Ar flags any . 1853The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R. 1854.Bl -tag -width Fl 1855.It Ar flags S/S 1856Flag SYN is set. 1857The other flags are ignored. 1858.It Ar flags S/SA 1859This is the default setting for stateful connections. 1860Out of SYN and ACK, exactly SYN may be set. 1861SYN, SYN+PSH and SYN+RST match, but SYN+ACK, ACK and ACK+RST do not. 1862This is more restrictive than the previous example. 1863.It Ar flags /SFRA 1864If the first set is not specified, it defaults to none. 1865All of SYN, FIN, RST and ACK must be unset. 1866.El 1867.Pp 1868Because 1869.Ar flags S/SA 1870is applied by default (unless 1871.Ar no state 1872is specified), only the initial SYN packet of a TCP handshake will create 1873a state for a TCP connection. 1874It is possible to be less restrictive, and allow state creation from 1875intermediate 1876.Pq non-SYN 1877packets, by specifying 1878.Ar flags any . 1879This will cause 1880.Xr pf 4 1881to synchronize to existing connections, for instance 1882if one flushes the state table. 1883However, states created from such intermediate packets may be missing 1884connection details such as the TCP window scaling factor. 1885States which modify the packet flow, such as those affected by 1886.Ar nat , binat No or Ar rdr 1887rules, 1888.Ar modulate No or Ar synproxy state 1889options, or scrubbed with 1890.Ar reassemble tcp 1891will also not be recoverable from intermediate packets. 1892Such connections will stall and time out. 1893.It Xo Ar icmp-type Aq Ar type 1894.Ar code Aq Ar code 1895.Xc 1896.It Xo Ar icmp6-type Aq Ar type 1897.Ar code Aq Ar code 1898.Xc 1899This rule only applies to ICMP or ICMPv6 packets with the specified type 1900and code. 1901Text names for ICMP types and codes are listed in 1902.Xr icmp 4 1903and 1904.Xr icmp6 4 . 1905This parameter is only valid for rules that cover protocols ICMP or 1906ICMP6. 1907The protocol and the ICMP type indicator 1908.Po 1909.Ar icmp-type 1910or 1911.Ar icmp6-type 1912.Pc 1913must match. 1914.It Xo Ar tos Aq Ar string 1915.No \*(Ba Aq Ar number 1916.Xc 1917This rule applies to packets with the specified 1918.Em TOS 1919bits set. 1920.Em TOS 1921may be 1922given as one of 1923.Ar critical , 1924.Ar inetcontrol , 1925.Ar lowdelay , 1926.Ar netcontrol , 1927.Ar throughput , 1928.Ar reliability , 1929or one of the DiffServ Code Points: 1930.Ar ef , 1931.Ar va , 1932.Ar af11 No ... Ar af43 , 1933.Ar cs0 No ... Ar cs7 ; 1934or as either hex or decimal. 1935.Pp 1936For example, the following rules are identical: 1937.Bd -literal -offset indent 1938pass all tos lowdelay 1939pass all tos 0x10 1940pass all tos 16 1941.Ed 1942.It Ar allow-opts 1943By default, IPv4 packets with IP options or IPv6 packets with routing 1944extension headers are blocked. 1945When 1946.Ar allow-opts 1947is specified for a 1948.Ar pass 1949rule, packets that pass the filter based on that rule (last matching) 1950do so even if they contain IP options or routing extension headers. 1951For packets that match state, the rule that initially created the 1952state is used. 1953The implicit 1954.Ar pass 1955rule that is used when a packet does not match any rules does not 1956allow IP options. 1957.It Ar label Aq Ar string 1958Adds a label (name) to the rule, which can be used to identify the rule. 1959For instance, 1960pfctl -s labels 1961shows per-rule statistics for rules that have labels. 1962.Pp 1963The following macros can be used in labels: 1964.Pp 1965.Bl -tag -width $srcaddr -compact -offset indent 1966.It Ar $if 1967The interface. 1968.It Ar $srcaddr 1969The source IP address. 1970.It Ar $dstaddr 1971The destination IP address. 1972.It Ar $srcport 1973The source port specification. 1974.It Ar $dstport 1975The destination port specification. 1976.It Ar $proto 1977The protocol name. 1978.It Ar $nr 1979The rule number. 1980.El 1981.Pp 1982For example: 1983.Bd -literal -offset indent 1984ips = \&"{ 1.2.3.4, 1.2.3.5 }\&" 1985pass in proto tcp from any to $ips \e 1986 port \*(Gt 1023 label \&"$dstaddr:$dstport\&" 1987.Ed 1988.Pp 1989expands to 1990.Bd -literal -offset indent 1991pass in inet proto tcp from any to 1.2.3.4 \e 1992 port \*(Gt 1023 label \&"1.2.3.4:\*(Gt1023\&" 1993pass in inet proto tcp from any to 1.2.3.5 \e 1994 port \*(Gt 1023 label \&"1.2.3.5:\*(Gt1023\&" 1995.Ed 1996.Pp 1997The macro expansion for the 1998.Ar label 1999directive occurs only at configuration file parse time, not during runtime. 2000.It Ar ridentifier Aq Ar number 2001Add an identifier (number) to the rule, which can be used to correlate the rule 2002to pflog entries, even after ruleset updates. 2003.It Xo Ar queue Aq Ar queue 2004.No \*(Ba ( Aq Ar queue , 2005.Aq Ar queue ) 2006.Xc 2007Packets matching this rule will be assigned to the specified queue. 2008If two queues are given, packets which have a 2009.Em TOS 2010of 2011.Em lowdelay 2012and TCP ACKs with no data payload will be assigned to the second one. 2013See 2014.Sx QUEUEING 2015for setup details. 2016.Pp 2017For example: 2018.Bd -literal -offset indent 2019pass in proto tcp to port 25 queue mail 2020pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio) 2021.Ed 2022.It Cm set prio Ar priority | Pq Ar priority , priority 2023Packets matching this rule will be assigned a specific queueing priority. 2024Priorities are assigned as integers 0 through 7. 2025If the packet is transmitted on a 2026.Xr vlan 4 2027interface, the queueing priority will be written as the priority 2028code point in the 802.1Q VLAN header. 2029If two priorities are given, packets which have a TOS of 2030.Cm lowdelay 2031and TCP ACKs with no data payload will be assigned to the second one. 2032.Pp 2033For example: 2034.Bd -literal -offset indent 2035pass in proto tcp to port 25 set prio 2 2036pass in proto tcp to port 22 set prio (2, 5) 2037.Ed 2038.It Ar tag Aq Ar string 2039Packets matching this rule will be tagged with the 2040specified string. 2041The tag acts as an internal marker that can be used to 2042identify these packets later on. 2043This can be used, for example, to provide trust between 2044interfaces and to determine if packets have been 2045processed by translation rules. 2046Tags are 2047.Qq sticky , 2048meaning that the packet will be tagged even if the rule 2049is not the last matching rule. 2050Further matching rules can replace the tag with a 2051new one but will not remove a previously applied tag. 2052A packet is only ever assigned one tag at a time. 2053Packet tagging can be done during 2054.Ar nat , 2055.Ar rdr , 2056.Ar binat 2057or 2058.Ar ether 2059rules in addition to filter rules. 2060Tags take the same macros as labels (see above). 2061.It Ar tagged Aq Ar string 2062Used with filter, translation or scrub rules 2063to specify that packets must already 2064be tagged with the given tag in order to match the rule. 2065Inverse tag matching can also be done 2066by specifying the 2067.Cm !\& 2068operator before the 2069.Ar tagged 2070keyword. 2071.It Ar rtable Aq Ar number 2072Used to select an alternate routing table for the routing lookup. 2073Only effective before the route lookup happened, i.e. when filtering inbound. 2074.It Xo Ar divert-to Aq Ar host 2075.Ar port Aq Ar port 2076.Xc 2077Used to redirect packets to a local socket bound to 2078.Ar host 2079and 2080.Ar port . 2081The packets will not be modified, so 2082.Xr getsockname 2 2083on the socket will return the original destination address of the packet. 2084.It Ar divert-reply 2085Used to receive replies for sockets that are bound to addresses 2086which are not local to the machine. 2087See 2088.Xr setsockopt 2 2089for information on how to bind these sockets. 2090.It Ar probability Aq Ar number 2091A probability attribute can be attached to a rule, with a value set between 20920 and 1, bounds not included. 2093In that case, the rule will be honoured using the given probability value 2094only. 2095For example, the following rule will drop 20% of incoming ICMP packets: 2096.Bd -literal -offset indent 2097block in proto icmp probability 20% 2098.Ed 2099.It Ar prio Aq Ar number 2100Only match packets which have the given queueing priority assigned. 2101.El 2102.Sh ROUTING 2103If a packet matches a rule with a route option set, the packet filter will 2104route the packet according to the type of route option. 2105When such a rule creates state, the route option is also applied to all 2106packets matching the same connection. 2107.Bl -tag -width xxxx 2108.It Ar route-to 2109The 2110.Ar route-to 2111option routes the packet to the specified interface with an optional address 2112for the next hop. 2113When a 2114.Ar route-to 2115rule creates state, only packets that pass in the same direction as the 2116filter rule specifies will be routed in this way. 2117Packets passing in the opposite direction (replies) are not affected 2118and are routed normally. 2119.It Ar reply-to 2120The 2121.Ar reply-to 2122option is similar to 2123.Ar route-to , 2124but routes packets that pass in the opposite direction (replies) to the 2125specified interface. 2126Opposite direction is only defined in the context of a state entry, and 2127.Ar reply-to 2128is useful only in rules that create state. 2129It can be used on systems with multiple external connections to 2130route all outgoing packets of a connection through the interface 2131the incoming connection arrived through (symmetric routing enforcement). 2132.It Ar dup-to 2133The 2134.Ar dup-to 2135option creates a duplicate of the packet and routes it like 2136.Ar route-to . 2137The original packet gets routed as it normally would. 2138.El 2139.Sh POOL OPTIONS 2140For 2141.Ar nat 2142and 2143.Ar rdr 2144rules, (as well as for the 2145.Ar route-to , 2146.Ar reply-to 2147and 2148.Ar dup-to 2149rule options) for which there is a single redirection address which has a 2150subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP 2151address), a variety of different methods for assigning this address can be 2152used: 2153.Bl -tag -width xxxx 2154.It Ar bitmask 2155The 2156.Ar bitmask 2157option applies the network portion of the redirection address to the address 2158to be modified (source with 2159.Ar nat , 2160destination with 2161.Ar rdr ) . 2162.It Ar random 2163The 2164.Ar random 2165option selects an address at random within the defined block of addresses. 2166.It Ar source-hash 2167The 2168.Ar source-hash 2169option uses a hash of the source address to determine the redirection address, 2170ensuring that the redirection address is always the same for a given source. 2171An optional key can be specified after this keyword either in hex or as a 2172string; by default 2173.Xr pfctl 8 2174randomly generates a key for source-hash every time the 2175ruleset is reloaded. 2176.It Ar round-robin 2177The 2178.Ar round-robin 2179option loops through the redirection address(es). 2180.Pp 2181When more than one redirection address is specified, 2182.Ar round-robin 2183is the only permitted pool type. 2184.It Ar static-port 2185With 2186.Ar nat 2187rules, the 2188.Ar static-port 2189option prevents 2190.Xr pf 4 2191from modifying the source port on TCP and UDP packets. 2192.It Xo Ar map-e-portset Aq Ar psid-offset 2193.No / Aq Ar psid-len 2194.No / Aq Ar psid 2195.Xc 2196With 2197.Ar nat 2198rules, the 2199.Ar map-e-portset 2200option enables the source port translation of MAP-E (RFC 7597) Customer Edge. 2201In order to make the host act as a MAP-E Customer Edge, setting up a tunneling 2202interface and pass rules for encapsulated packets are required in addition 2203to the map-e-portset nat rule. 2204.Pp 2205For example: 2206.Bd -literal -offset indent 2207nat on $gif_mape_if from $int_if:network to any \e 2208 -> $ipv4_mape_src map-e-portset 6/8/0x34 2209.Ed 2210.Pp 2211sets PSID offset 6, PSID length 8, PSID 0x34. 2212.El 2213.Pp 2214Additionally, the 2215.Ar sticky-address 2216option can be specified to help ensure that multiple connections from the 2217same source are mapped to the same redirection address. 2218This option can be used with the 2219.Ar random 2220and 2221.Ar round-robin 2222pool options. 2223Note that by default these associations are destroyed as soon as there are 2224no longer states which refer to them; in order to make the mappings last 2225beyond the lifetime of the states, increase the global options with 2226.Ar set timeout src.track . 2227See 2228.Sx STATEFUL TRACKING OPTIONS 2229for more ways to control the source tracking. 2230.Sh STATE MODULATION 2231Much of the security derived from TCP is attributable to how well the 2232initial sequence numbers (ISNs) are chosen. 2233Some popular stack implementations choose 2234.Em very 2235poor ISNs and thus are normally susceptible to ISN prediction exploits. 2236By applying a 2237.Ar modulate state 2238rule to a TCP connection, 2239.Xr pf 4 2240will create a high quality random sequence number for each connection 2241endpoint. 2242.Pp 2243The 2244.Ar modulate state 2245directive implicitly keeps state on the rule and is 2246only applicable to TCP connections. 2247.Pp 2248For instance: 2249.Bd -literal -offset indent 2250block all 2251pass out proto tcp from any to any modulate state 2252pass in proto tcp from any to any port 25 flags S/SFRA modulate state 2253.Ed 2254.Pp 2255Note that modulated connections will not recover when the state table 2256is lost (firewall reboot, flushing the state table, etc...). 2257.Xr pf 4 2258will not be able to infer a connection again after the state table flushes 2259the connection's modulator. 2260When the state is lost, the connection may be left dangling until the 2261respective endpoints time out the connection. 2262It is possible on a fast local network for the endpoints to start an ACK 2263storm while trying to resynchronize after the loss of the modulator. 2264The default 2265.Ar flags 2266settings (or a more strict equivalent) should be used on 2267.Ar modulate state 2268rules to prevent ACK storms. 2269.Pp 2270Note that alternative methods are available 2271to prevent loss of the state table 2272and allow for firewall failover. 2273See 2274.Xr carp 4 2275and 2276.Xr pfsync 4 2277for further information. 2278.Sh SYN PROXY 2279By default, 2280.Xr pf 4 2281passes packets that are part of a 2282.Xr tcp 4 2283handshake between the endpoints. 2284The 2285.Ar synproxy state 2286option can be used to cause 2287.Xr pf 4 2288itself to complete the handshake with the active endpoint, perform a handshake 2289with the passive endpoint, and then forward packets between the endpoints. 2290.Pp 2291No packets are sent to the passive endpoint before the active endpoint has 2292completed the handshake, hence so-called SYN floods with spoofed source 2293addresses will not reach the passive endpoint, as the sender can't complete the 2294handshake. 2295.Pp 2296The proxy is transparent to both endpoints, they each see a single 2297connection from/to the other endpoint. 2298.Xr pf 4 2299chooses random initial sequence numbers for both handshakes. 2300Once the handshakes are completed, the sequence number modulators 2301(see previous section) are used to translate further packets of the 2302connection. 2303.Ar synproxy state 2304includes 2305.Ar modulate state . 2306.Pp 2307Rules with 2308.Ar synproxy 2309will not work if 2310.Xr pf 4 2311operates on a 2312.Xr bridge 4 . 2313.Pp 2314Example: 2315.Bd -literal -offset indent 2316pass in proto tcp from any to any port www synproxy state 2317.Ed 2318.Sh STATEFUL TRACKING OPTIONS 2319A number of options related to stateful tracking can be applied on a 2320per-rule basis. 2321.Ar keep state , 2322.Ar modulate state 2323and 2324.Ar synproxy state 2325support these options, and 2326.Ar keep state 2327must be specified explicitly to apply options to a rule. 2328.Pp 2329.Bl -tag -width xxxx -compact 2330.It Ar max Aq Ar number 2331Limits the number of concurrent states the rule may create. 2332When this limit is reached, further packets that would create 2333state will not match this rule until existing states time out. 2334.It Ar no-sync 2335Prevent state changes for states created by this rule from appearing on the 2336.Xr pfsync 4 2337interface. 2338.It Xo Aq Ar timeout 2339.Aq Ar seconds 2340.Xc 2341Changes the timeout values used for states created by this rule. 2342For a list of all valid timeout names, see 2343.Sx OPTIONS 2344above. 2345.It Ar sloppy 2346Uses a sloppy TCP connection tracker that does not check sequence 2347numbers at all, which makes insertion and ICMP teardown attacks way 2348easier. 2349This is intended to be used in situations where one does not see all 2350packets of a connection, e.g. in asymmetric routing situations. 2351Cannot be used with modulate or synproxy state. 2352.El 2353.Pp 2354Multiple options can be specified, separated by commas: 2355.Bd -literal -offset indent 2356pass in proto tcp from any to any \e 2357 port www keep state \e 2358 (max 100, source-track rule, max-src-nodes 75, \e 2359 max-src-states 3, tcp.established 60, tcp.closing 5) 2360.Ed 2361.Pp 2362When the 2363.Ar source-track 2364keyword is specified, the number of states per source IP is tracked. 2365.Pp 2366.Bl -tag -width xxxx -compact 2367.It Ar source-track rule 2368The maximum number of states created by this rule is limited by the rule's 2369.Ar max-src-nodes 2370and 2371.Ar max-src-states 2372options. 2373Only state entries created by this particular rule count toward the rule's 2374limits. 2375.It Ar source-track global 2376The number of states created by all rules that use this option is limited. 2377Each rule can specify different 2378.Ar max-src-nodes 2379and 2380.Ar max-src-states 2381options, however state entries created by any participating rule count towards 2382each individual rule's limits. 2383.El 2384.Pp 2385The following limits can be set: 2386.Pp 2387.Bl -tag -width xxxx -compact 2388.It Ar max-src-nodes Aq Ar number 2389Limits the maximum number of source addresses which can simultaneously 2390have state table entries. 2391.It Ar max-src-states Aq Ar number 2392Limits the maximum number of simultaneous state entries that a single 2393source address can create with this rule. 2394.El 2395.Pp 2396For stateful TCP connections, limits on established connections (connections 2397which have completed the TCP 3-way handshake) can also be enforced 2398per source IP. 2399.Pp 2400.Bl -tag -width xxxx -compact 2401.It Ar max-src-conn Aq Ar number 2402Limits the maximum number of simultaneous TCP connections which have 2403completed the 3-way handshake that a single host can make. 2404.It Xo Ar max-src-conn-rate Aq Ar number 2405.No / Aq Ar seconds 2406.Xc 2407Limit the rate of new connections over a time interval. 2408The connection rate is an approximation calculated as a moving average. 2409.El 2410.Pp 2411Because the 3-way handshake ensures that the source address is not being 2412spoofed, more aggressive action can be taken based on these limits. 2413With the 2414.Ar overload Aq Ar table 2415state option, source IP addresses which hit either of the limits on 2416established connections will be added to the named table. 2417This table can be used in the ruleset to block further activity from 2418the offending host, redirect it to a tarpit process, or restrict its 2419bandwidth. 2420.Pp 2421The optional 2422.Ar flush 2423keyword kills all states created by the matching rule which originate 2424from the host which exceeds these limits. 2425The 2426.Ar global 2427modifier to the flush command kills all states originating from the 2428offending host, regardless of which rule created the state. 2429.Pp 2430For example, the following rules will protect the webserver against 2431hosts making more than 100 connections in 10 seconds. 2432Any host which connects faster than this rate will have its address added 2433to the 2434.Aq bad_hosts 2435table and have all states originating from it flushed. 2436Any new packets arriving from this host will be dropped unconditionally 2437by the block rule. 2438.Bd -literal -offset indent 2439block quick from \*(Ltbad_hosts\*(Gt 2440pass in on $ext_if proto tcp to $webserver port www keep state \e 2441 (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global) 2442.Ed 2443.Sh OPERATING SYSTEM FINGERPRINTING 2444Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP 2445connection's initial SYN packet and guess at the host's operating system. 2446Unfortunately these nuances are easily spoofed by an attacker so the 2447fingerprint is not useful in making security decisions. 2448But the fingerprint is typically accurate enough to make policy decisions 2449upon. 2450.Pp 2451The fingerprints may be specified by operating system class, by 2452version, or by subtype/patchlevel. 2453The class of an operating system is typically the vendor or genre 2454and would be 2455.Ox 2456for the 2457.Xr pf 4 2458firewall itself. 2459The version of the oldest available 2460.Ox 2461release on the main FTP site 2462would be 2.6 and the fingerprint would be written 2463.Pp 2464.Dl \&"OpenBSD 2.6\&" 2465.Pp 2466The subtype of an operating system is typically used to describe the 2467patchlevel if that patch led to changes in the TCP stack behavior. 2468In the case of 2469.Ox , 2470the only subtype is for a fingerprint that was 2471normalized by the 2472.Ar no-df 2473scrub option and would be specified as 2474.Pp 2475.Dl \&"OpenBSD 3.3 no-df\&" 2476.Pp 2477Fingerprints for most popular operating systems are provided by 2478.Xr pf.os 5 . 2479Once 2480.Xr pf 4 2481is running, a complete list of known operating system fingerprints may 2482be listed by running: 2483.Pp 2484.Dl # pfctl -so 2485.Pp 2486Filter rules can enforce policy at any level of operating system specification 2487assuming a fingerprint is present. 2488Policy could limit traffic to approved operating systems or even ban traffic 2489from hosts that aren't at the latest service pack. 2490.Pp 2491The 2492.Ar unknown 2493class can also be used as the fingerprint which will match packets for 2494which no operating system fingerprint is known. 2495.Pp 2496Examples: 2497.Bd -literal -offset indent 2498pass out proto tcp from any os OpenBSD 2499block out proto tcp from any os Doors 2500block out proto tcp from any os "Doors PT" 2501block out proto tcp from any os "Doors PT SP3" 2502block out from any os "unknown" 2503pass on lo0 proto tcp from any os "OpenBSD 3.3 lo0" 2504.Ed 2505.Pp 2506Operating system fingerprinting is limited only to the TCP SYN packet. 2507This means that it will not work on other protocols and will not match 2508a currently established connection. 2509.Pp 2510Caveat: operating system fingerprints are occasionally wrong. 2511There are three problems: an attacker can trivially craft his packets to 2512appear as any operating system he chooses; 2513an operating system patch could change the stack behavior and no fingerprints 2514will match it until the database is updated; 2515and multiple operating systems may have the same fingerprint. 2516.Sh BLOCKING SPOOFED TRAFFIC 2517"Spoofing" is the faking of IP addresses, typically for malicious 2518purposes. 2519The 2520.Ar antispoof 2521directive expands to a set of filter rules which will block all 2522traffic with a source IP from the network(s) directly connected 2523to the specified interface(s) from entering the system through 2524any other interface. 2525.Pp 2526For example, the line 2527.Bd -literal -offset indent 2528antispoof for lo0 2529.Ed 2530.Pp 2531expands to 2532.Bd -literal -offset indent 2533block drop in on ! lo0 inet from 127.0.0.1/8 to any 2534block drop in on ! lo0 inet6 from ::1 to any 2535.Ed 2536.Pp 2537For non-loopback interfaces, there are additional rules to block incoming 2538packets with a source IP address identical to the interface's IP(s). 2539For example, assuming the interface wi0 had an IP address of 10.0.0.1 and a 2540netmask of 255.255.255.0, 2541the line 2542.Bd -literal -offset indent 2543antispoof for wi0 inet 2544.Ed 2545.Pp 2546expands to 2547.Bd -literal -offset indent 2548block drop in on ! wi0 inet from 10.0.0.0/24 to any 2549block drop in inet from 10.0.0.1 to any 2550.Ed 2551.Pp 2552Caveat: Rules created by the 2553.Ar antispoof 2554directive interfere with packets sent over loopback interfaces 2555to local addresses. 2556One should pass these explicitly. 2557.Sh FRAGMENT HANDLING 2558The size of IP datagrams (packets) can be significantly larger than the 2559maximum transmission unit (MTU) of the network. 2560In cases when it is necessary or more efficient to send such large packets, 2561the large packet will be fragmented into many smaller packets that will each 2562fit onto the wire. 2563Unfortunately for a firewalling device, only the first logical fragment will 2564contain the necessary header information for the subprotocol that allows 2565.Xr pf 4 2566to filter on things such as TCP ports or to perform NAT. 2567.Pp 2568Besides the use of 2569.Ar scrub 2570rules as described in 2571.Sx TRAFFIC NORMALIZATION 2572above, there are three options for handling fragments in the packet filter. 2573.Pp 2574One alternative is to filter individual fragments with filter rules. 2575If no 2576.Ar scrub 2577rule applies to a fragment, it is passed to the filter. 2578Filter rules with matching IP header parameters decide whether the 2579fragment is passed or blocked, in the same way as complete packets 2580are filtered. 2581Without reassembly, fragments can only be filtered based on IP header 2582fields (source/destination address, protocol), since subprotocol header 2583fields are not available (TCP/UDP port numbers, ICMP code/type). 2584The 2585.Ar fragment 2586option can be used to restrict filter rules to apply only to 2587fragments, but not complete packets. 2588Filter rules without the 2589.Ar fragment 2590option still apply to fragments, if they only specify IP header fields. 2591For instance, the rule 2592.Bd -literal -offset indent 2593pass in proto tcp from any to any port 80 2594.Ed 2595.Pp 2596never applies to a fragment, even if the fragment is part of a TCP 2597packet with destination port 80, because without reassembly this information 2598is not available for each fragment. 2599This also means that fragments cannot create new or match existing 2600state table entries, which makes stateful filtering and address 2601translation (NAT, redirection) for fragments impossible. 2602.Pp 2603It's also possible to reassemble only certain fragments by specifying 2604source or destination addresses or protocols as parameters in 2605.Ar scrub 2606rules. 2607.Pp 2608In most cases, the benefits of reassembly outweigh the additional 2609memory cost, and it's recommended to use 2610.Ar scrub 2611rules to reassemble 2612all fragments via the 2613.Ar fragment reassemble 2614modifier. 2615.Pp 2616The memory allocated for fragment caching can be limited using 2617.Xr pfctl 8 . 2618Once this limit is reached, fragments that would have to be cached 2619are dropped until other entries time out. 2620The timeout value can also be adjusted. 2621.Pp 2622When forwarding reassembled IPv6 packets, pf refragments them with 2623the original maximum fragment size. 2624This allows the sender to determine the optimal fragment size by 2625path MTU discovery. 2626.Sh ANCHORS 2627Besides the main ruleset, 2628.Xr pfctl 8 2629can load rulesets into 2630.Ar anchor 2631attachment points. 2632An 2633.Ar anchor 2634is a container that can hold rules, address tables, and other anchors. 2635.Pp 2636An 2637.Ar anchor 2638has a name which specifies the path where 2639.Xr pfctl 8 2640can be used to access the anchor to perform operations on it, such as 2641attaching child anchors to it or loading rules into it. 2642Anchors may be nested, with components separated by 2643.Sq / 2644characters, similar to how file system hierarchies are laid out. 2645The main ruleset is actually the default anchor, so filter and 2646translation rules, for example, may also be contained in any anchor. 2647.Pp 2648An anchor can reference another 2649.Ar anchor 2650attachment point 2651using the following kinds 2652of rules: 2653.Bl -tag -width xxxx 2654.It Ar nat-anchor Aq Ar name 2655Evaluates the 2656.Ar nat 2657rules in the specified 2658.Ar anchor . 2659.It Ar rdr-anchor Aq Ar name 2660Evaluates the 2661.Ar rdr 2662rules in the specified 2663.Ar anchor . 2664.It Ar binat-anchor Aq Ar name 2665Evaluates the 2666.Ar binat 2667rules in the specified 2668.Ar anchor . 2669.It Ar anchor Aq Ar name 2670Evaluates the filter rules in the specified 2671.Ar anchor . 2672.It Xo Ar load anchor 2673.Aq Ar name 2674.Ar from Aq Ar file 2675.Xc 2676Loads the rules from the specified file into the 2677anchor 2678.Ar name . 2679.El 2680.Pp 2681When evaluation of the main ruleset reaches an 2682.Ar anchor 2683rule, 2684.Xr pf 4 2685will proceed to evaluate all rules specified in that anchor. 2686.Pp 2687Matching filter and translation rules marked with the 2688.Ar quick 2689option are final and abort the evaluation of the rules in other 2690anchors and the main ruleset. 2691If the 2692.Ar anchor 2693itself is marked with the 2694.Ar quick 2695option, 2696ruleset evaluation will terminate when the anchor is exited if the packet is 2697matched by any rule within the anchor. 2698.Pp 2699.Ar anchor 2700rules are evaluated relative to the anchor in which they are contained. 2701For example, all 2702.Ar anchor 2703rules specified in the main ruleset will reference anchor 2704attachment points underneath the main ruleset, and 2705.Ar anchor 2706rules specified in a file loaded from a 2707.Ar load anchor 2708rule will be attached under that anchor point. 2709.Pp 2710Rules may be contained in 2711.Ar anchor 2712attachment points which do not contain any rules when the main ruleset 2713is loaded, and later such anchors can be manipulated through 2714.Xr pfctl 8 2715without reloading the main ruleset or other anchors. 2716For example, 2717.Bd -literal -offset indent 2718ext_if = \&"kue0\&" 2719block on $ext_if all 2720anchor spam 2721pass out on $ext_if all 2722pass in on $ext_if proto tcp from any \e 2723 to $ext_if port smtp 2724.Ed 2725.Pp 2726blocks all packets on the external interface by default, then evaluates 2727all rules in the 2728.Ar anchor 2729named "spam", and finally passes all outgoing connections and 2730incoming connections to port 25. 2731.Bd -literal -offset indent 2732# echo \&"block in quick from 1.2.3.4 to any\&" \&| \e 2733 pfctl -a spam -f - 2734.Ed 2735.Pp 2736This loads a single rule into the 2737.Ar anchor , 2738which blocks all packets from a specific address. 2739.Pp 2740The anchor can also be populated by adding a 2741.Ar load anchor 2742rule after the 2743.Ar anchor 2744rule: 2745.Bd -literal -offset indent 2746anchor spam 2747load anchor spam from "/etc/pf-spam.conf" 2748.Ed 2749.Pp 2750When 2751.Xr pfctl 8 2752loads 2753.Nm pf.conf , 2754it will also load all the rules from the file 2755.Pa /etc/pf-spam.conf 2756into the anchor. 2757.Pp 2758Optionally, 2759.Ar anchor 2760rules can specify packet filtering parameters using the same syntax as 2761filter rules. 2762When parameters are used, the 2763.Ar anchor 2764rule is only evaluated for matching packets. 2765This allows conditional evaluation of anchors, like: 2766.Bd -literal -offset indent 2767block on $ext_if all 2768anchor spam proto tcp from any to any port smtp 2769pass out on $ext_if all 2770pass in on $ext_if proto tcp from any to $ext_if port smtp 2771.Ed 2772.Pp 2773The rules inside 2774.Ar anchor 2775spam are only evaluated for 2776.Ar tcp 2777packets with destination port 25. 2778Hence, 2779.Bd -literal -offset indent 2780# echo \&"block in quick from 1.2.3.4 to any" \&| \e 2781 pfctl -a spam -f - 2782.Ed 2783.Pp 2784will only block connections from 1.2.3.4 to port 25. 2785.Pp 2786Anchors may end with the asterisk 2787.Pq Sq * 2788character, which signifies that all anchors attached at that point 2789should be evaluated in the alphabetical ordering of their anchor name. 2790For example, 2791.Bd -literal -offset indent 2792anchor "spam/*" 2793.Ed 2794.Pp 2795will evaluate each rule in each anchor attached to the 2796.Li spam 2797anchor. 2798Note that it will only evaluate anchors that are directly attached to the 2799.Li spam 2800anchor, and will not descend to evaluate anchors recursively. 2801.Pp 2802Since anchors are evaluated relative to the anchor in which they are 2803contained, there is a mechanism for accessing the parent and ancestor 2804anchors of a given anchor. 2805Similar to file system path name resolution, if the sequence 2806.Dq .. 2807appears as an anchor path component, the parent anchor of the current 2808anchor in the path evaluation at that point will become the new current 2809anchor. 2810As an example, consider the following: 2811.Bd -literal -offset indent 2812# echo ' anchor "spam/allowed" ' | pfctl -f - 2813# echo -e ' anchor "../banned" \en pass' | \e 2814 pfctl -a spam/allowed -f - 2815.Ed 2816.Pp 2817Evaluation of the main ruleset will lead into the 2818.Li spam/allowed 2819anchor, which will evaluate the rules in the 2820.Li spam/banned 2821anchor, if any, before finally evaluating the 2822.Ar pass 2823rule. 2824.Pp 2825Filter rule 2826.Ar anchors 2827can also be loaded inline in the ruleset within a brace ('{' '}') delimited 2828block. 2829Brace delimited blocks may contain rules or other brace-delimited blocks. 2830When anchors are loaded this way the anchor name becomes optional. 2831.Bd -literal -offset indent 2832anchor "external" on $ext_if { 2833 block 2834 anchor out { 2835 pass proto tcp from any to port { 25, 80, 443 } 2836 } 2837 pass in proto tcp to any port 22 2838} 2839.Ed 2840.Pp 2841Since the parser specification for anchor names is a string, any 2842reference to an anchor name containing 2843.Sq / 2844characters will require double quote 2845.Pq Sq \&" 2846characters around the anchor name. 2847.Sh TRANSLATION EXAMPLES 2848This example maps incoming requests on port 80 to port 8080, on 2849which a daemon is running (because, for example, it is not run as root, 2850and therefore lacks permission to bind to port 80). 2851.Bd -literal 2852# use a macro for the interface name, so it can be changed easily 2853ext_if = \&"ne3\&" 2854 2855# map daemon on 8080 to appear to be on 80 2856rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080 2857.Ed 2858.Pp 2859If the 2860.Ar pass 2861modifier is given, packets matching the translation rule are passed without 2862inspecting the filter rules: 2863.Bd -literal 2864rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e 2865 port 8080 2866.Ed 2867.Pp 2868In the example below, vlan12 is configured as 192.168.168.1; 2869the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111 2870when they are going out any interface except vlan12. 2871This has the net effect of making traffic from the 192.168.168.0/24 2872network appear as though it is the Internet routable address 2873204.92.77.111 to nodes behind any interface on the router except 2874for the nodes on vlan12. 2875(Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.) 2876.Bd -literal 2877nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111 2878.Ed 2879.Pp 2880In the example below, the machine sits between a fake internal 144.19.74.* 2881network, and a routable external IP of 204.92.77.100. 2882The 2883.Ar no nat 2884rule excludes protocol AH from being translated. 2885.Bd -literal 2886# NO NAT 2887no nat on $ext_if proto ah from 144.19.74.0/24 to any 2888nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100 2889.Ed 2890.Pp 2891In the example below, packets bound for one specific server, as well as those 2892generated by the sysadmins are not proxied; all other connections are. 2893.Bd -literal 2894# NO RDR 2895no rdr on $int_if proto { tcp, udp } from any to $server port 80 2896no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80 2897rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e 2898 port 80 2899.Ed 2900.Pp 2901This longer example uses both a NAT and a redirection. 2902The external interface has the address 157.161.48.183. 2903On localhost, we are running 2904.Xr ftp-proxy 8 , 2905waiting for FTP sessions to be redirected to it. 2906The three mandatory anchors for 2907.Xr ftp-proxy 8 2908are omitted from this example; see the 2909.Xr ftp-proxy 8 2910manpage. 2911.Bd -literal 2912# NAT 2913# Translate outgoing packets' source addresses (any protocol). 2914# In this case, any address but the gateway's external address is mapped. 2915nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if) 2916 2917# NAT PROXYING 2918# Map outgoing packets' source port to an assigned proxy port instead of 2919# an arbitrary port. 2920# In this case, proxy outgoing isakmp with port 500 on the gateway. 2921nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e 2922 port 500 2923 2924# BINAT 2925# Translate outgoing packets' source address (any protocol). 2926# Translate incoming packets' destination address to an internal machine 2927# (bidirectional). 2928binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if 2929 2930# RDR 2931# Translate incoming packets' destination addresses. 2932# As an example, redirect a TCP and UDP port to an internal machine. 2933rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e 2934 -\*(Gt 10.1.2.151 port 22 2935rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e 2936 -\*(Gt 10.1.2.151 port 53 2937 2938# RDR 2939# Translate outgoing ftp control connections to send them to localhost 2940# for proxying with ftp-proxy(8) running on port 8021. 2941rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021 2942.Ed 2943.Pp 2944In this example, a NAT gateway is set up to translate internal addresses 2945using a pool of public addresses (192.0.2.16/28) and to redirect 2946incoming web server connections to a group of web servers on the internal 2947network. 2948.Bd -literal 2949# NAT LOAD BALANCE 2950# Translate outgoing packets' source addresses using an address pool. 2951# A given source address is always translated to the same pool address by 2952# using the source-hash keyword. 2953nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash 2954 2955# RDR ROUND ROBIN 2956# Translate incoming web server connections to a group of web servers on 2957# the internal network. 2958rdr on $ext_if proto tcp from any to any port 80 \e 2959 -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin 2960.Ed 2961.Sh FILTER EXAMPLES 2962.Bd -literal 2963# The external interface is kue0 2964# (157.161.48.183, the only routable address) 2965# and the private network is 10.0.0.0/8, for which we are doing NAT. 2966 2967# use a macro for the interface name, so it can be changed easily 2968ext_if = \&"kue0\&" 2969 2970# normalize all incoming traffic 2971scrub in on $ext_if all fragment reassemble 2972 2973# block and log everything by default 2974block return log on $ext_if all 2975 2976# block anything coming from source we have no back routes for 2977block in from no-route to any 2978 2979# block packets whose ingress interface does not match the one in 2980# the route back to their source address 2981block in from urpf-failed to any 2982 2983# block and log outgoing packets that do not have our address as source, 2984# they are either spoofed or something is misconfigured (NAT disabled, 2985# for instance), we want to be nice and do not send out garbage. 2986block out log quick on $ext_if from ! 157.161.48.183 to any 2987 2988# silently drop broadcasts (cable modem noise) 2989block in quick on $ext_if from any to 255.255.255.255 2990 2991# block and log incoming packets from reserved address space and invalid 2992# addresses, they are either spoofed or misconfigured, we cannot reply to 2993# them anyway (hence, no return-rst). 2994block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \e 2995 192.168.0.0/16, 255.255.255.255/32 } to any 2996 2997# ICMP 2998 2999# pass out/in certain ICMP queries and keep state (ping) 3000# state matching is done on host addresses and ICMP id (not type/code), 3001# so replies (like 0/0 for 8/0) will match queries 3002# ICMP error messages (which always refer to a TCP/UDP packet) are 3003# handled by the TCP/UDP states 3004pass on $ext_if inet proto icmp all icmp-type 8 code 0 3005 3006# UDP 3007 3008# pass out all UDP connections and keep state 3009pass out on $ext_if proto udp all 3010 3011# pass in certain UDP connections and keep state (DNS) 3012pass in on $ext_if proto udp from any to any port domain 3013 3014# TCP 3015 3016# pass out all TCP connections and modulate state 3017pass out on $ext_if proto tcp all modulate state 3018 3019# pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT) 3020pass in on $ext_if proto tcp from any to any port { ssh, smtp, domain, \e 3021 auth } 3022 3023# Do not allow Windows 9x SMTP connections since they are typically 3024# a viral worm. Alternately we could limit these OSes to 1 connection each. 3025block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e 3026 to any port smtp 3027 3028# IPv6 3029# pass in/out all IPv6 traffic: note that we have to enable this in two 3030# different ways, on both our physical interface and our tunnel 3031pass quick on gif0 inet6 3032pass quick on $ext_if proto ipv6 3033 3034# Packet Tagging 3035 3036# three interfaces: $int_if, $ext_if, and $wifi_if (wireless). NAT is 3037# being done on $ext_if for all outgoing packets. tag packets in on 3038# $int_if and pass those tagged packets out on $ext_if. all other 3039# outgoing packets (i.e., packets from the wireless network) are only 3040# permitted to access port 80. 3041 3042pass in on $int_if from any to any tag INTNET 3043pass in on $wifi_if from any to any 3044 3045block out on $ext_if from any to any 3046pass out quick on $ext_if tagged INTNET 3047pass out on $ext_if proto tcp from any to any port 80 3048 3049# tag incoming packets as they are redirected to spamd(8). use the tag 3050# to pass those packets through the packet filter. 3051 3052rdr on $ext_if inet proto tcp from \*(Ltspammers\*(Gt to port smtp \e 3053 tag SPAMD -\*(Gt 127.0.0.1 port spamd 3054 3055block in on $ext_if 3056pass in on $ext_if inet proto tcp tagged SPAMD 3057.Ed 3058.Sh GRAMMAR 3059Syntax for 3060.Nm 3061in BNF: 3062.Bd -literal 3063line = ( option | ether-rule | pf-rule | nat-rule | binat-rule | 3064 rdr-rule | antispoof-rule | altq-rule | queue-rule | 3065 trans-anchors | anchor-rule | anchor-close | load-anchor | 3066 table-rule | include ) 3067 3068option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] | 3069 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] | 3070 [ "optimization" [ "default" | "normal" | 3071 "high-latency" | "satellite" | 3072 "aggressive" | "conservative" ] ] 3073 [ "limit" ( limit-item | "{" limit-list "}" ) ] | 3074 [ "loginterface" ( interface-name | "none" ) ] | 3075 [ "block-policy" ( "drop" | "return" ) ] | 3076 [ "state-policy" ( "if-bound" | "floating" ) ] 3077 [ "state-defaults" state-opts ] 3078 [ "require-order" ( "yes" | "no" ) ] 3079 [ "fingerprints" filename ] | 3080 [ "skip on" ifspec ] | 3081 [ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] 3082 [ "keepcounters" ] ) 3083 3084ether-rule = "ether" etheraction [ ( "in" | "out" ) ] 3085 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ] 3086 [ etherprotospec ] etherhosts [ "l3" hosts ] 3087 [ etherfilteropt-list ] 3088 3089pf-rule = action [ ( "in" | "out" ) ] 3090 [ "log" [ "(" logopts ")"] ] [ "quick" ] 3091 [ "on" ifspec ] [ route ] [ af ] [ protospec ] 3092 hosts [ filteropt-list ] 3093 3094logopts = logopt [ "," logopts ] 3095logopt = "all" | "user" | "to" interface-name 3096 3097etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt 3098etherfilteropt = "tag" string | "tagged" string | "queue" ( string ) 3099 3100filteropt-list = filteropt-list filteropt | filteropt 3101filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos | 3102 ( "no" | "keep" | "modulate" | "synproxy" ) "state" 3103 [ "(" state-opts ")" ] | 3104 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos | 3105 "max-mss" number | "random-id" | "reassemble tcp" | 3106 fragmentation | "allow-opts" | 3107 "label" string | "tag" string | [ ! ] "tagged" string | 3108 "set prio" ( number | "(" number [ [ "," ] number ] ")" ) | 3109 "queue" ( string | "(" string [ [ "," ] string ] ")" ) | 3110 "rtable" number | "probability" number"%" | "prio" number | 3111 "dnpipe" ( number | "(" number "," number ")" ) | 3112 "dnqueue" ( number | "(" number "," number ")" ) | 3113 "ridentifier" number 3114 3115nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ] 3116 [ "on" ifspec ] [ af ] 3117 [ protospec ] hosts [ "tag" string ] [ "tagged" string ] 3118 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" ) 3119 [ portspec ] [ pooltype ] [ "static-port" ] 3120 [ "map-e-portset" number "/" number "/" number ] ] 3121 3122binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ] 3123 [ "on" interface-name ] [ af ] 3124 [ "proto" ( proto-name | proto-number ) ] 3125 "from" address [ "/" mask-bits ] "to" ipspec 3126 [ "tag" string ] [ "tagged" string ] 3127 [ "-\*(Gt" address [ "/" mask-bits ] ] 3128 3129rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ] 3130 [ "on" ifspec ] [ af ] 3131 [ protospec ] hosts [ "tag" string ] [ "tagged" string ] 3132 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" ) 3133 [ portspec ] [ pooltype ] ] 3134 3135antispoof-rule = "antispoof" [ "log" ] [ "quick" ] 3136 "for" ifspec [ af ] [ "label" string ] 3137 [ "ridentifier" number ] 3138 3139table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ] 3140tableopts-list = tableopts-list tableopts | tableopts 3141tableopts = "persist" | "const" | "counters" | "file" string | 3142 "{" [ tableaddr-list ] "}" 3143tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec 3144tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ] 3145tableaddr = hostname | ifspec | "self" | 3146 ipv4-dotted-quad | ipv6-coloned-hex 3147 3148altq-rule = "altq on" interface-name queueopts-list 3149 "queue" subqueue 3150queue-rule = "queue" string [ "on" interface-name ] queueopts-list 3151 subqueue 3152 3153anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ] 3154 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ] 3155 3156anchor-close = "}" 3157 3158trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string 3159 [ "on" ifspec ] [ af ] [ "proto" ] [ protospec ] [ hosts ] 3160 3161load-anchor = "load anchor" string "from" filename 3162 3163queueopts-list = queueopts-list queueopts | queueopts 3164queueopts = [ "bandwidth" bandwidth-spec ] | 3165 [ "qlimit" number ] | [ "tbrsize" number ] | 3166 [ "priority" number ] | [ schedulers ] 3167schedulers = ( cbq-def | priq-def | hfsc-def ) 3168bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" ) 3169 3170etheraction = "pass" | "block" 3171action = "pass" | "block" [ return ] | [ "no" ] "scrub" 3172return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] | 3173 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] | 3174 "return-icmp6" [ "(" icmp6code ")" ] 3175icmpcode = ( icmp-code-name | icmp-code-number ) 3176icmp6code = ( icmp6-code-name | icmp6-code-number ) 3177 3178ifspec = ( [ "!" ] ( interface-name | interface-group ) ) | 3179 "{" interface-list "}" 3180interface-list = [ "!" ] ( interface-name | interface-group ) 3181 [ [ "," ] interface-list ] 3182route = ( "route-to" | "reply-to" | "dup-to" ) 3183 ( routehost | "{" routehost-list "}" ) 3184 [ pooltype ] 3185af = "inet" | "inet6" 3186 3187etherprotospec = "proto" ( proto-number | "{" proto-list "}" ) 3188protospec = "proto" ( proto-name | proto-number | 3189 "{" proto-list "}" ) 3190proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ] 3191 3192etherhosts = "from" macaddress "to" macaddress 3193macaddress = mac | mac "/" masklen | mac "&" mask 3194 3195hosts = "all" | 3196 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host | 3197 "{" host-list "}" ) [ port ] [ os ] 3198 "to" ( "any" | "no-route" | "self" | host | 3199 "{" host-list "}" ) [ port ] 3200 3201ipspec = "any" | host | "{" host-list "}" 3202host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" ) 3203redirhost = address [ "/" mask-bits ] 3204routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")" 3205address = ( interface-name | interface-group | 3206 "(" ( interface-name | interface-group ) ")" | 3207 hostname | ipv4-dotted-quad | ipv6-coloned-hex ) 3208host-list = host [ [ "," ] host-list ] 3209redirhost-list = redirhost [ [ "," ] redirhost-list ] 3210routehost-list = routehost [ [ "," ] routehost-list ] 3211 3212port = "port" ( unary-op | binary-op | "{" op-list "}" ) 3213portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] 3214os = "os" ( os-name | "{" os-list "}" ) 3215user = "user" ( unary-op | binary-op | "{" op-list "}" ) 3216group = "group" ( unary-op | binary-op | "{" op-list "}" ) 3217 3218unary-op = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ] 3219 ( name | number ) 3220binary-op = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number 3221op-list = ( unary-op | binary-op ) [ [ "," ] op-list ] 3222 3223os-name = operating-system-name 3224os-list = os-name [ [ "," ] os-list ] 3225 3226flags = "flags" ( [ flag-set ] "/" flag-set | "any" ) 3227flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ] 3228 [ "W" ] 3229 3230icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" ) 3231icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" ) 3232icmp-type-code = ( icmp-type-name | icmp-type-number ) 3233 [ "code" ( icmp-code-name | icmp-code-number ) ] 3234icmp-list = icmp-type-code [ [ "," ] icmp-list ] 3235 3236tos = ( "lowdelay" | "throughput" | "reliability" | 3237 [ "0x" ] number ) 3238 3239state-opts = state-opt [ [ "," ] state-opts ] 3240state-opt = ( "max" number | "no-sync" | timeout | "sloppy" | 3241 "source-track" [ ( "rule" | "global" ) ] | 3242 "max-src-nodes" number | "max-src-states" number | 3243 "max-src-conn" number | 3244 "max-src-conn-rate" number "/" number | 3245 "overload" "\*(Lt" string "\*(Gt" [ "flush" ] | 3246 "if-bound" | "floating" ) 3247 3248fragmentation = [ "fragment reassemble" ] 3249 3250timeout-list = timeout [ [ "," ] timeout-list ] 3251timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | 3252 "tcp.closing" | "tcp.finwait" | "tcp.closed" | 3253 "udp.first" | "udp.single" | "udp.multiple" | 3254 "icmp.first" | "icmp.error" | 3255 "other.first" | "other.single" | "other.multiple" | 3256 "frag" | "interval" | "src.track" | 3257 "adaptive.start" | "adaptive.end" ) number 3258 3259limit-list = limit-item [ [ "," ] limit-list ] 3260limit-item = ( "states" | "frags" | "src-nodes" ) number 3261 3262pooltype = ( "bitmask" | "random" | 3263 "source-hash" [ ( hex-key | string-key ) ] | 3264 "round-robin" ) [ sticky-address ] 3265 3266subqueue = string | "{" queue-list "}" 3267queue-list = string [ [ "," ] string ] 3268cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ] 3269priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ] 3270hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ] 3271cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" ) 3272priq-opt = ( "default" | "red" | "ecn" | "rio" ) 3273hfsc-opt = ( "default" | "red" | "ecn" | "rio" | 3274 linkshare-sc | realtime-sc | upperlimit-sc ) 3275linkshare-sc = "linkshare" sc-spec 3276realtime-sc = "realtime" sc-spec 3277upperlimit-sc = "upperlimit" sc-spec 3278sc-spec = ( bandwidth-spec | 3279 "(" bandwidth-spec number bandwidth-spec ")" ) 3280include = "include" filename 3281.Ed 3282.Sh FILES 3283.Bl -tag -width "/etc/protocols" -compact 3284.It Pa /etc/hosts 3285Host name database. 3286.It Pa /etc/pf.conf 3287Default location of the ruleset file. 3288The file has to be created manually as it is not installed with a 3289standard installation. 3290.It Pa /etc/pf.os 3291Default location of OS fingerprints. 3292.It Pa /etc/protocols 3293Protocol name database. 3294.It Pa /etc/services 3295Service name database. 3296.El 3297.Sh SEE ALSO 3298.Xr altq 4 , 3299.Xr carp 4 , 3300.Xr icmp 4 , 3301.Xr icmp6 4 , 3302.Xr ip 4 , 3303.Xr ip6 4 , 3304.Xr pf 4 , 3305.Xr pfsync 4 , 3306.Xr tcp 4 , 3307.Xr udp 4 , 3308.Xr hosts 5 , 3309.Xr pf.os 5 , 3310.Xr protocols 5 , 3311.Xr services 5 , 3312.Xr ftp-proxy 8 , 3313.Xr pfctl 8 , 3314.Xr pflogd 8 3315.Sh HISTORY 3316The 3317.Nm 3318file format first appeared in 3319.Ox 3.0 . 3320