1.\" $FreeBSD$ 2.\" $OpenBSD: pf.conf.5,v 1.406 2009/01/31 19:37:12 sobrado Exp $ 3.\" 4.\" Copyright (c) 2002, Daniel Hartmeier 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 11.\" - Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" - Redistributions in binary form must reproduce the above 14.\" copyright notice, this list of conditions and the following 15.\" disclaimer in the documentation and/or other materials provided 16.\" with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29.\" POSSIBILITY OF SUCH DAMAGE. 30.\" 31.Dd October 6, 2016 32.Dt PF.CONF 5 33.Os 34.Sh NAME 35.Nm pf.conf 36.Nd packet filter configuration file 37.Sh DESCRIPTION 38The 39.Xr pf 4 40packet filter modifies, drops or passes packets according to rules or 41definitions specified in 42.Nm pf.conf . 
.Sh STATEMENT ORDER
There are seven types of statements in
.Nm pf.conf :
.Bl -tag -width xxxx
.It Cm Macros
User-defined variables may be defined and used later, simplifying
the configuration file.
Macros must be defined before they are referenced in
.Nm pf.conf .
.It Cm Tables
Tables provide a mechanism for increasing the performance and flexibility of
rules with large numbers of source or destination addresses.
.It Cm Options
Options tune the behaviour of the packet filtering engine.
.It Cm Traffic Normalization Li (e.g. Em scrub )
Traffic normalization protects internal machines against inconsistencies
in Internet protocols and implementations.
.It Cm Queueing
Queueing provides rule-based bandwidth control.
.It Cm Translation Li (Various forms of NAT)
Translation rules specify how addresses are to be mapped or redirected to
other addresses.
.It Cm Packet Filtering
Packet filtering provides rule-based blocking or passing of packets.
.El
.Pp
With the exception of
.Cm macros
and
.Cm tables ,
the types of statements should be grouped and appear in
.Nm pf.conf
in the order shown above, as this matches the operation of the underlying
packet filtering engine.
By default
.Xr pfctl 8
enforces this order (see
.Ar set require-order
below).
.Pp
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
.Pp
Additional configuration files can be included with the
.Ic include
keyword, for example:
.Bd -literal -offset indent
include "/etc/pf/sub.filter.conf"
.Ed
.Sh MACROS
Macros can be defined that will later be expanded in context.
Macro names must start with a letter, and may contain letters, digits
and underscores.
Macro names may not be reserved words (for example
.Ar pass ,
.Ar in ,
.Ar out ) .
Macros are not expanded inside quotes.
.Pp
For example,
.Bd -literal -offset indent
ext_if = \&"kue0\&"
all_ifs = \&"{\&" $ext_if lo0 \&"}\&"
pass out on $ext_if from any to any
pass in on $ext_if proto tcp from any to any port 25
.Ed
.Sh TABLES
Tables are named structures which can hold a collection of addresses and
networks.
Lookups against tables in
.Xr pf 4
are relatively fast, making a single rule with tables much more efficient,
in terms of
processor usage and memory consumption, than a large number of rules which
differ only in IP address (either created explicitly or automatically by rule
expansion).
.Pp
Tables can be used as the source or destination of filter rules,
.Ar scrub
rules
or
translation rules such as
.Ar nat
or
.Ar rdr
(see below for details on the various rule types).
Tables can also be used for the redirect address of
.Ar nat
and
.Ar rdr
rules and in the routing options of filter rules, but only for
.Ar round-robin
pools.
.Pp
Tables can be defined with any of the following
.Xr pfctl 8
mechanisms.
As with macros, reserved words may not be used as table names.
.Bl -tag -width "manually"
.It Ar manually
Persistent tables can be manually created with the
.Ar add
or
.Ar replace
option of
.Xr pfctl 8 ,
before or after the ruleset has been loaded.
.It Pa pf.conf
Table definitions can be placed directly in this file, and loaded at the
same time as other rules are loaded, atomically.
Table definitions inside
.Nm pf.conf
use the
.Ar table
statement, and are especially useful to define non-persistent tables.
The contents of a pre-existing table defined without a list of addresses
to initialize it is not altered when
.Nm pf.conf
is loaded.
A table initialized with the empty list,
.Li { } ,
will be cleared on load.
.El
.Pp
Tables may be defined with the following attributes:
.Bl -tag -width persist
.It Ar persist
The
.Ar persist
flag forces the kernel to keep the table even when no rules refer to it.
If the flag is not set, the kernel will automatically remove the table
when the last rule referring to it is flushed.
.It Ar const
The
.Ar const
flag prevents the user from altering the contents of the table once it
has been created.
Without that flag,
.Xr pfctl 8
can be used to add or remove addresses from the table at any time, even
when running with
.Xr securelevel 7
= 2.
.It Ar counters
The
.Ar counters
flag enables per-address packet and byte counters which can be displayed with
.Xr pfctl 8 .
.El
.Pp
For example,
.Bd -literal -offset indent
table \*(Ltprivate\*(Gt const { 10/8, 172.16/12, 192.168/16 }
table \*(Ltbadhosts\*(Gt persist
block on fxp0 from { \*(Ltprivate\*(Gt, \*(Ltbadhosts\*(Gt } to any
.Ed
.Pp
creates a table called private, to hold RFC 1918 private network
blocks, and a table called badhosts, which is initially empty.
A filter rule is set up to block all traffic coming from addresses listed in
either table.
The private table cannot have its contents changed and the badhosts table
will exist even when no active filter rules reference it.
Addresses may later be added to the badhosts table, so that traffic from
these hosts can be blocked by using
.Bd -literal -offset indent
# pfctl -t badhosts -Tadd 204.92.77.111
.Ed
.Pp
A table can also be initialized with an address list specified in one or more
external files, using the following syntax:
.Bd -literal -offset indent
table \*(Ltspam\*(Gt persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
block on fxp0 from \*(Ltspam\*(Gt to any
.Ed
.Pp
The files
.Pa /etc/spammers
and
.Pa /etc/openrelays
list IP addresses, one per line.
Any lines beginning with a # are treated as comments and ignored.
In addition to being specified by IP address, hosts may also be
specified by their hostname.
When the resolver is called to add a hostname to a table,
.Em all
resulting IPv4 and IPv6 addresses are placed into the table.
IP addresses can also be entered in a table by specifying a valid interface
name, a valid interface group or the
.Em self
keyword, in which case all addresses assigned to the interface(s) will be
added to the table.
.Sh OPTIONS
.Xr pf 4
may be tuned for various situations using the
.Ar set
command.
.Bl -tag -width xxxx
.It Ar set timeout
.Pp
.Bl -tag -width "src.track" -compact
.It Ar interval
Interval between purging expired states and fragments.
.It Ar frag
Seconds before an unassembled fragment is expired.
.It Ar src.track
Length of time to retain a source tracking entry after the last state
expires.
.El
.Pp
When a packet matches a stateful connection, the seconds to live for the
connection will be updated to that of the
.Ar proto.modifier
which corresponds to the connection state.
Each packet which matches this state will reset the TTL.
Tuning these values may improve the performance of the
firewall at the risk of dropping valid idle connections.
.Pp
.Bl -tag -width xxxx -compact
.It Ar tcp.first
The state after the first packet.
.It Ar tcp.opening
The state before the destination host ever sends a packet.
.It Ar tcp.established
The fully established state.
.It Ar tcp.closing
The state after the first FIN has been sent.
.It Ar tcp.finwait
The state after both FINs have been exchanged and the connection is closed.
Some hosts (notably web servers on Solaris) send TCP packets even after closing
the connection.
Increasing
.Ar tcp.finwait
(and possibly
.Ar tcp.closing )
can prevent blocking of such packets.
.It Ar tcp.closed
The state after one endpoint sends an RST.
.El
.Pp
ICMP and UDP are handled in a fashion similar to TCP, but with a much more
limited set of states:
.Pp
.Bl -tag -width xxxx -compact
.It Ar udp.first
The state after the first packet.
.It Ar udp.single
The state if the source host sends more than one packet but the destination
host has never sent one back.
.It Ar udp.multiple
The state if both hosts have sent packets.
.It Ar icmp.first
The state after the first packet.
.It Ar icmp.error
The state after an ICMP error came back in response to an ICMP packet.
.El
.Pp
Other protocols are handled similarly to UDP:
.Pp
.Bl -tag -width xxxx -compact
.It Ar other.first
.It Ar other.single
.It Ar other.multiple
.El
.Pp
Timeout values can be reduced adaptively as the number of state table
entries grows.
.Pp
.Bl -tag -width xxxx -compact
.It Ar adaptive.start
When the number of state entries exceeds this value, adaptive scaling
begins.
All timeout values are scaled linearly with factor
(adaptive.end - number of states) / (adaptive.end - adaptive.start).
.It Ar adaptive.end
When reaching this number of state entries, all timeout values become
zero, effectively purging all state entries immediately.
This value is used to define the scale factor; it should not actually
be reached (set a lower state limit, see below).
.El
.Pp
Adaptive timeouts are enabled by default, with an adaptive.start value
equal to 60% of the state limit, and an adaptive.end value equal to
120% of the state limit.
They can be disabled by setting both adaptive.start and adaptive.end to 0.
.Pp
The adaptive timeout values can be defined both globally and for each rule.
When used on a per-rule basis, the values relate to the number of
states created by the rule, otherwise to the total number of
states.
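The scale factor just described, worked through with the numbers of the
manual's own example that follows, as an added Python model that is not
part of pf or of this manual page (function names are this example's own):

```python
# Added example, not code from pf.conf(5) or the pf kernel: a model of the
# adaptive timeout scaling the manual describes.  adaptive_factor() implements
# the documented formula; the constants below are the values used in the
# manual's "set timeout" example.  Function names are this example's own.


def adaptive_factor(states, start, end):
    """Factor applied to every timeout for a given state-table population.

    Up to adaptive.start nothing is scaled (factor 1.0); at or beyond
    adaptive.end every timeout becomes zero.  start == end == 0 disables
    the mechanism, as the manual describes.
    """
    if start == 0 and end == 0:
        return 1.0
    if end <= start:
        raise ValueError("adaptive.end must be larger than adaptive.start")
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0
    return (end - states) / (end - start)


def scaled_timeouts(timeouts, states, start, end):
    """Apply the factor to each configured timeout (seconds, truncated)."""
    factor = adaptive_factor(states, start, end)
    return {name: int(secs * factor) for name, secs in timeouts.items()}


def default_adaptive(state_limit):
    """Defaults when adaptive.* is not set: 60% and 120% of the state limit."""
    return state_limit * 60 // 100, state_limit * 120 // 100


# The manual's example ruleset, transcribed as data.
TIMEOUTS = {"tcp.first": 120, "tcp.established": 86400}
ADAPTIVE_START, ADAPTIVE_END = 6000, 12000
STATE_LIMIT = 10000

if __name__ == "__main__":
    # The state limit (10000) is below adaptive.end (12000), so the limit is
    # hit before timeouts reach zero, which is what the manual asks for.
    for states in (3000, 6000, 9000, 10000):
        print(states, scaled_timeouts(TIMEOUTS, states, ADAPTIVE_START, ADAPTIVE_END))
    print("defaults for 'set limit states %d':" % STATE_LIMIT,
          default_adaptive(STATE_LIMIT))
```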
.Pp
For example:
.Bd -literal -offset indent
set timeout tcp.first 120
set timeout tcp.established 86400
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit states 10000
.Ed
.Pp
With 9000 state table entries, the timeout values are scaled to 50%
(tcp.first 60, tcp.established 43200).
.It Ar set loginterface
Enable collection of packet and byte count statistics for the given
interface or interface group.
These statistics can be viewed using
.Bd -literal -offset indent
# pfctl -s info
.Ed
.Pp
In this example
.Xr pf 4
collects statistics on the interface named dc0:
.Bd -literal -offset indent
set loginterface dc0
.Ed
.Pp
One can disable the loginterface using:
.Bd -literal -offset indent
set loginterface none
.Ed
.It Ar set limit
Sets hard limits on the memory pools used by the packet filter.
See
.Xr zone 9
for an explanation of memory pools.
.Pp
For example,
.Bd -literal -offset indent
set limit states 20000
.Ed
.Pp
sets the maximum number of entries in the memory pool used by state table
entries (generated by
.Ar pass
rules which do not specify
.Ar no state )
to 20000.
Using
.Bd -literal -offset indent
set limit frags 20000
.Ed
.Pp
sets the maximum number of entries in the memory pool used for fragment
reassembly (generated by
.Ar scrub
rules) to 20000.
Using
.Bd -literal -offset indent
set limit src-nodes 2000
.Ed
.Pp
sets the maximum number of entries in the memory pool used for tracking
source IP addresses (generated by the
.Ar sticky-address
and
.Ar src.track
options) to 2000.
Using
.Bd -literal -offset indent
set limit tables 1000
set limit table-entries 100000
.Ed
.Pp
sets limits on the memory pools used by tables.
The first limits the number of tables that can exist to 1000.
The second limits the overall number of addresses that can be stored
in tables to 100000.
.Pp
Various limits can be combined on a single line:
.Bd -literal -offset indent
set limit { states 20000, frags 20000, src-nodes 2000 }
.Ed
.It Ar set ruleset-optimization
.Bl -tag -width xxxxxxxx -compact
.It Ar none
Disable the ruleset optimizer.
.It Ar basic
Enable basic ruleset optimization.
This is the default behaviour.
Basic ruleset optimization does four things to improve the
performance of ruleset evaluations:
.Pp
.Bl -enum -compact
.It
remove duplicate rules
.It
remove rules that are a subset of another rule
.It
combine multiple rules into a table when advantageous
.It
re-order the rules to improve evaluation performance
.El
.Pp
.It Ar profile
Uses the currently loaded ruleset as a feedback profile to tailor the
ordering of quick rules to actual network traffic.
.El
.Pp
It is important to note that the ruleset optimizer will modify the ruleset
to improve performance.
A side effect of the ruleset modification is that per-rule accounting
statistics will have different meanings than before.
If per-rule accounting is important for billing or similar purposes,
either the ruleset optimizer should not be used or a label field should
be added to all of the accounting rules to act as optimization barriers.
.Pp
Optimization can also be set as a command-line argument to
.Xr pfctl 8 ,
overriding the settings in
.Nm .
.It Ar set optimization
Optimize state timeouts for one of the following network environments:
.Pp
.Bl -tag -width xxxx -compact
.It Ar normal
A normal network environment.
Suitable for almost all networks.
.It Ar high-latency
A high-latency environment (such as a satellite connection).
.It Ar satellite
Alias for
.Ar high-latency .
.It Ar aggressive
Aggressively expire connections.
This can greatly reduce the memory usage of the firewall at the cost of
dropping idle connections early.
.It Ar conservative
Extremely conservative settings.
Avoid dropping legitimate connections at the
expense of greater memory utilization (possibly much greater on a busy
network) and slightly increased processor utilization.
.El
.Pp
For example:
.Bd -literal -offset indent
set optimization aggressive
.Ed
.It Ar set block-policy
The
.Ar block-policy
option sets the default behaviour for the packet
.Ar block
action:
.Pp
.Bl -tag -width xxxxxxxx -compact
.It Ar drop
Packet is silently dropped.
.It Ar return
A TCP RST is returned for blocked TCP packets,
an ICMP UNREACHABLE is returned for blocked UDP packets,
and all other packets are silently dropped.
.El
.Pp
For example:
.Bd -literal -offset indent
set block-policy return
.Ed
.It Ar set state-policy
The
.Ar state-policy
option sets the default behaviour for states:
.Pp
.Bl -tag -width group-bound -compact
.It Ar if-bound
States are bound to an interface.
.It Ar floating
States can match packets on any interfaces (the default).
.El
.Pp
For example:
.Bd -literal -offset indent
set state-policy if-bound
.Ed
.It Ar set state-defaults
The
.Ar state-defaults
option sets the state options for states created from rules
without an explicit
.Ar keep state .
For example:
.Bd -literal -offset indent
set state-defaults pflow, no-sync
.Ed
.It Ar set hostid
The 32-bit
.Ar hostid
identifies this firewall's state table entries to other firewalls
in a
.Xr pfsync 4
failover cluster.
By default the hostid is set to a pseudo-random value; however, it may be
desirable to manually configure it, for example to more easily identify the
source of state table entries.
.Bd -literal -offset indent
set hostid 1
.Ed
.Pp
The hostid may be specified in either decimal or hexadecimal.
.It Ar set require-order
By default
.Xr pfctl 8
enforces an ordering of the statement types in the ruleset to:
.Em options ,
.Em normalization ,
.Em queueing ,
.Em translation ,
.Em filtering .
Setting this option to
.Ar no
disables this enforcement.
There may be non-trivial and non-obvious implications to an out-of-order
ruleset.
Consider carefully before disabling the order enforcement.
.It Ar set fingerprints
Load fingerprints of known operating systems from the given filename.
By default fingerprints of known operating systems are automatically
loaded from
.Xr pf.os 5
in
.Pa /etc
but can be overridden via this option.
Setting this option may leave a small period of time where the fingerprints
referenced by the currently active ruleset are inconsistent until the new
ruleset finishes loading.
.Pp
For example:
.Pp
.Dl set fingerprints \&"/etc/pf.os.devel\&"
.It Ar set skip on Aq Ar ifspec
List interfaces for which packets should not be filtered.
Packets passing in or out on such interfaces are passed as if pf was
disabled, i.e. pf does not process them in any way.
This can be useful on loopback and other virtual interfaces, when
packet filtering is not desired and can have unexpected effects.
For example:
.Pp
.Dl set skip on lo0
.It Ar set debug
Set the debug
.Ar level
to one of the following:
.Pp
.Bl -tag -width xxxxxxxxxxxx -compact
.It Ar none
Don't generate debug messages.
.It Ar urgent
Generate debug messages only for serious errors.
.It Ar misc
Generate debug messages for various errors.
.It Ar loud
Generate debug messages for common conditions.
.El
.El
.Sh TRAFFIC NORMALIZATION
Traffic normalization is used to sanitize packet content in such
a way that there are no ambiguities in packet interpretation on
the receiving side.
The normalizer does IP fragment reassembly to prevent attacks
that confuse intrusion detection systems by sending overlapping
IP fragments.
Packet normalization is invoked with the
.Ar scrub
directive.
.Pp
.Ar scrub
has the following options:
.Bl -tag -width xxxx
.It Ar no-df
Clears the
.Ar dont-fragment
bit from a matching IP packet.
Some operating systems are known to generate fragmented packets with the
.Ar dont-fragment
bit set.
This is particularly true with NFS.
.Ar Scrub
will drop such fragmented
.Ar dont-fragment
packets unless
.Ar no-df
is specified.
.Pp
Unfortunately some operating systems also generate their
.Ar dont-fragment
packets with a zero IP identification field.
Clearing the
.Ar dont-fragment
bit on packets with a zero IP ID may cause deleterious results if an
upstream router later fragments the packet.
Using the
.Ar random-id
modifier (see below) is recommended in combination with the
.Ar no-df
modifier to ensure unique IP identifiers.
.It Ar min-ttl Aq Ar number
Enforces a minimum TTL for matching IP packets.
.It Ar max-mss Aq Ar number
Enforces a maximum MSS for matching TCP packets.
.It Xo Ar set-tos Aq Ar string
.No \*(Ba Aq Ar number
.Xc
Enforces a
.Em TOS
for matching IP packets.
.Em TOS
may be
given as one of
.Ar critical ,
.Ar inetcontrol ,
.Ar lowdelay ,
.Ar netcontrol ,
.Ar throughput ,
.Ar reliability ,
or one of the DiffServ Code Points:
.Ar ef ,
.Ar af11 No ... Ar af43 ,
.Ar cs0 No ... Ar cs7 ;
or as either hex or decimal.
.It Ar random-id
Replaces the IP identification field with random values to compensate
for predictable values generated by many hosts.
This option only applies to packets that are not fragmented
after the optional fragment reassembly.
.It Ar fragment reassemble
Using
.Ar scrub
rules, fragments can be reassembled by normalization.
In this case, fragments are buffered until they form a complete
packet, and only the completed packet is passed on to the filter.
The advantage is that filter rules have to deal only with complete
packets, and can ignore fragments.
The drawback of caching fragments is the additional memory cost.
.It Ar reassemble tcp
Statefully normalizes TCP connections.
.Ar scrub reassemble tcp
rules may not have the direction (in/out) specified.
.Ar reassemble tcp
performs the following normalizations:
.Pp
.Bl -tag -width timeout -compact
.It ttl
Neither side of the connection is allowed to reduce their IP TTL.
An attacker may send a packet such that it reaches the firewall, affects
the firewall state, and expires before reaching the destination host.
.Ar reassemble tcp
will raise the TTL of all packets back up to the highest value seen on
the connection.
.It timestamp modulation
Modern TCP stacks will send a timestamp on every TCP packet and echo
the other endpoint's timestamp back to them.
Many operating systems will merely start the timestamp at zero when
first booted, and increment it several times a second.
The uptime of the host can be deduced by reading the timestamp and multiplying
by a constant.
Observing several different timestamps can also be used to count hosts
behind a NAT device.
Spoofing TCP packets into a connection also requires knowing or guessing
valid timestamps.
Timestamps merely need to be monotonically increasing and not derived from a
guessable base time.
.Ar reassemble tcp
will cause
.Ar scrub
to modulate the TCP timestamps with a random number.
.It extended PAWS checks
There is a problem with TCP on long fat pipes, in that a packet might get
delayed for longer than it takes the connection to wrap its 32-bit sequence
space.
In such an occurrence, the old packet would be indistinguishable from a
new packet and would be accepted as such.
The solution to this is called PAWS: Protection Against Wrapped Sequence
numbers.
PAWS protects against this by making sure the timestamp on each packet does
not go backwards.
.Ar reassemble tcp
also makes sure the timestamp on the packet does not go forward more
than the RFC allows.
By doing this,
.Xr pf 4
artificially extends the security of TCP sequence numbers by 10 to 18
bits when the host uses appropriately randomized timestamps, since a
blind attacker would have to guess the timestamp as well.
.El
.El
.Pp
For example,
.Bd -literal -offset indent
scrub in on $ext_if all fragment reassemble
.Ed
.Pp
The
.Ar no
option prefixed to a scrub rule causes matching packets to remain unscrubbed,
much in the same way as
.Ar drop quick
works in the packet filter (see below).
This mechanism should be used when it is necessary to exclude specific packets
from broader scrub rules.
.Sh QUEUEING
The ALTQ system is currently not available in the GENERIC kernel nor as
loadable modules.
In order to use the queueing options described below, a custom-built
kernel is required.
Please refer to
.Xr altq 4
to learn about the related kernel options.
.Pp
Packets can be assigned to queues for the purpose of bandwidth
control.
At least two declarations are required to configure queues, and later
any packet filtering rule can reference the defined queues by name.
During the filtering component of
.Nm pf.conf ,
the last referenced
.Ar queue
name is where any packets from
.Ar pass
rules will be queued, while for
.Ar block
rules it specifies where any resulting ICMP or TCP RST
packets should be queued.
The
.Ar scheduler
defines the algorithm used to decide which packets get delayed, dropped, or
sent out immediately.
There are three
.Ar schedulers
currently supported.
.Bl -tag -width xxxx
.It Ar cbq
Class Based Queueing.
.Ar Queues
attached to an interface build a tree, thus each
.Ar queue
can have further child
.Ar queues .
Each queue can have a
.Ar priority
and a
.Ar bandwidth
assigned.
.Ar Priority
mainly controls the time packets take to get sent out, while
.Ar bandwidth
primarily affects throughput.
.Ar cbq
achieves both partitioning and sharing of link bandwidth
by hierarchically structured classes.
Each class has its own
.Ar queue
and is assigned its share of
.Ar bandwidth .
A child class can borrow bandwidth from its parent class
as long as excess bandwidth is available
(see the option
.Ar borrow ,
below).
.It Ar priq
Priority Queueing.
.Ar Queues
are attached flat to the interface; thus,
.Ar queues
cannot have further child
.Ar queues .
Each
.Ar queue
has a unique
.Ar priority
assigned, ranging from 0 to 15.
Packets in the
.Ar queue
with the highest
.Ar priority
are processed first.
.It Ar hfsc
Hierarchical Fair Service Curve.
.Ar Queues
attached to an interface build a tree, thus each
.Ar queue
can have further child
.Ar queues .
Each queue can have a
.Ar priority
and a
.Ar bandwidth
assigned.
.Ar Priority
mainly controls the time packets take to get sent out, while
.Ar bandwidth
primarily affects throughput.
.Ar hfsc
supports both link-sharing and guaranteed real-time services.
It employs a service-curve-based QoS model,
and its unique feature is an ability to decouple
.Ar delay
and
.Ar bandwidth
allocation.
.El
.Pp
The interfaces on which queueing should be activated are declared using
the
.Ar altq on
declaration.
.Ar altq on
has the following keywords:
.Bl -tag -width xxxx
.It Aq Ar interface
Queueing is enabled on the named interface.
.It Aq Ar scheduler
Specifies which queueing scheduler to use.
Currently supported values
are
.Ar cbq
for Class Based Queueing,
.Ar priq
for Priority Queueing and
.Ar hfsc
for the Hierarchical Fair Service Curve scheduler.
.It Ar bandwidth Aq Ar bw
The maximum bitrate for all queues on an
interface may be specified using the
.Ar bandwidth
keyword.
The value can be specified as an absolute value or as a
percentage of the interface bandwidth.
When using an absolute value, the suffixes
.Ar b ,
.Ar Kb ,
.Ar Mb ,
and
.Ar Gb
are used to represent bits, kilobits, megabits, and
gigabits per second, respectively.
The value must not exceed the interface bandwidth.
If
.Ar bandwidth
is not specified, the interface bandwidth is used
(but take note that some interfaces do not know their bandwidth,
or can adapt their bandwidth rates).
.It Ar qlimit Aq Ar limit
The maximum number of packets held in the queue.
The default is 50.
.It Ar tbrsize Aq Ar size
Adjusts the size, in bytes, of the token bucket regulator.
If not specified, heuristics based on the
interface bandwidth are used to determine the size.
.It Ar queue Aq Ar list
Defines a list of subqueues to create on an interface.
.El
.Pp
In the following example, the interface dc0
should queue up to 5Mbps in four second-level queues using
Class Based Queueing.
Those four queues will be shown in a later example.
.Bd -literal -offset indent
altq on dc0 cbq bandwidth 5Mb queue { std, http, mail, ssh }
.Ed
.Pp
Once interfaces are activated for queueing using the
.Ar altq
directive, a sequence of
.Ar queue
directives may be defined.
The name associated with a
.Ar queue
must match a queue defined in the
.Ar altq
directive (e.g. mail), or, except for the
.Ar priq
.Ar scheduler ,
in a parent
.Ar queue
declaration.
The following keywords can be used:
.Bl -tag -width xxxx
.It Ar on Aq Ar interface
Specifies the interface the queue operates on.
If not given, it operates on all matching interfaces.
.It Ar bandwidth Aq Ar bw
Specifies the maximum bitrate to be processed by the queue.
This value must not exceed the value of the parent
.Ar queue
and can be specified as an absolute value or a percentage of the parent
queue's bandwidth.
If not specified, defaults to 100% of the parent queue's bandwidth.
The
.Ar priq
scheduler does not support bandwidth specification.
.It Ar priority Aq Ar level
Between queues a priority level can be set.
For
.Ar cbq
and
.Ar hfsc ,
the range is 0 to 7 and for
.Ar priq ,
the range is 0 to 15.
The default for all is 1.
.Ar Priq
queues with a higher priority are always served first.
.Ar Cbq
and
.Ar Hfsc
queues with a higher priority are preferred in the case of overload.
.It Ar qlimit Aq Ar limit
The maximum number of packets held in the queue.
The default is 50.
.El
.Pp
The
.Ar scheduler
can get additional parameters with
.Xo Aq Ar scheduler
.Pf ( Aq Ar parameters ) .
.Xc
Parameters are as follows:
.Bl -tag -width Fl
.It Ar default
Packets not matched by another queue are assigned to this one.
Exactly one default queue is required.
.It Ar red
Enable RED (Random Early Detection) on this queue.
RED drops packets with a probability proportional to the average
queue length.
.It Ar rio
Enables RIO on this queue.
RIO is RED with IN/OUT, thus running
RED two times more than RIO would achieve the same effect.
RIO is currently not supported in the GENERIC kernel.
.It Ar ecn
Enables ECN (Explicit Congestion Notification) on this queue.
ECN implies RED.
.El
.Pp
The
.Ar cbq
.Ar scheduler
supports an additional option:
.Bl -tag -width Fl
.It Ar borrow
The queue can borrow bandwidth from the parent.
.El
.Pp
The
.Ar hfsc
.Ar scheduler
supports some additional options:
.Bl -tag -width Fl
.It Ar realtime Aq Ar sc
The minimum required bandwidth for the queue.
.It Ar upperlimit Aq Ar sc
The maximum allowed bandwidth for the queue.
.It Ar linkshare Aq Ar sc
The bandwidth share of a backlogged queue.
.El
.Pp
.Aq Ar sc
is an acronym for
.Ar service curve .
.Pp
The format for service curve specifications is
.Ar ( m1 , d , m2 ) .
.Ar m2
controls the bandwidth assigned to the queue.
.Ar m1
and
.Ar d
are optional and can be used to control the initial bandwidth assignment.
For the first
.Ar d
milliseconds the queue gets the bandwidth given as
.Ar m1 ,
afterwards the value given in
.Ar m2 .
.Pp
Furthermore, with
.Ar cbq
and
.Ar hfsc ,
child queues can be specified as in an
.Ar altq
declaration, thus building a tree of queues using a part of
their parent's bandwidth.
.Pp
Packets can be assigned to queues based on filter rules by using the
.Ar queue
keyword.
Normally only one
.Ar queue
is specified; when a second one is specified it will instead be used for
packets which have a
.Em TOS
of
.Em lowdelay
and for TCP ACKs with no data payload.
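To see how the percentages of a queue tree resolve against the interface
rate and which of the constraints stated in this section a ruleset violates,
here is an added Python checker that is not part of pf or pfctl; it parses
only the syntax used in the dc0 example above and the queue definitions that
follow it, and all of its names and structure are this example's own:

```python
# Added example, not code from pf.conf(5) or pfctl(8): resolves the percentage
# bandwidths of a queue tree to absolute bit rates and checks the constraints
# stated in this section.  Only the syntax of the dc0 example is understood.
UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}
PRIORITY_MAX = {"cbq": 7, "hfsc": 7, "priq": 15}   # priority ranges from the text
# The manual's dc0 example, transcribed (the line continuation joined).
EXAMPLE = """
altq on dc0 cbq bandwidth 5Mb queue { std, http, mail, ssh }
queue std bandwidth 10% cbq(default)
queue http bandwidth 60% priority 2 cbq(borrow red) { employees, developers }
queue developers bandwidth 75% cbq(borrow)
queue employees bandwidth 15%
queue mail bandwidth 10% priority 0 cbq(borrow ecn)
queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
queue ssh_interactive bandwidth 50% priority 7 cbq(borrow)
queue ssh_bulk bandwidth 50% priority 0 cbq(borrow)
"""

def parse_bw(text, parent_bps):
    """'5Mb' -> 5_000_000 bit/s; '60%' -> 60% of the parent's rate."""
    if text.endswith("%"):
        return parent_bps * int(text[:-1]) // 100
    for suffix in ("Gb", "Mb", "Kb", "b"):      # longest suffix first
        if text.endswith(suffix):
            return int(text[: -len(suffix)]) * UNITS[suffix]
    raise ValueError("bad bandwidth: " + text)

def children_of(tokens):
    """Names inside a trailing '{ a, b }' list, or [] if there is none."""
    if "{" not in tokens:
        return []
    inner = tokens[tokens.index("{") + 1 : tokens.index("}")]
    return [t.strip(",") for t in inner if t.strip(",")]

def parse_ruleset(text):
    """Turn 'altq on' and 'queue' lines into a root plus a dict of queues."""
    queues, root = {}, None
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()        # '#' starts a comment
        if not line:
            continue
        tokens = line.replace("{", " { ").replace("}", " } ").split()
        if tokens[0] == "altq":
            # altq on <interface> <scheduler> bandwidth <bw> queue { ... }
            root = {"name": tokens[2], "scheduler": tokens[3],
                    "bandwidth": tokens[tokens.index("bandwidth") + 1],
                    "children": children_of(tokens)}
            continue
        q = {"name": tokens[1], "bandwidth": None, "priority": 1,
             "children": children_of(tokens), "opts": []}
        for i, tok in enumerate(tokens):
            if tok == "bandwidth":
                q["bandwidth"] = tokens[i + 1]
            elif tok == "priority":
                q["priority"] = int(tokens[i + 1])
            elif "(" in tok:                    # e.g. cbq(borrow red)
                q["opts"] = line[line.index("(") + 1 : line.index(")")].split()
        queues[q["name"]] = q
    if root is None:
        raise ValueError("no 'altq on' declaration found")
    return {"root": root, "queues": queues}

def resolve(ruleset):
    """Absolute bit rate per queue, plus a list of constraint violations."""
    root, queues = ruleset["root"], ruleset["queues"]
    sched, rates, problems = root["scheduler"], {}, []
    defaults = [n for n, q in queues.items() if "default" in q["opts"]]
    if len(defaults) != 1:
        problems.append("need exactly one default queue, found %d" % len(defaults))

    def walk(name, parent_bps, parent):
        q = queues.get(name)
        if q is None:
            problems.append("%s references undefined queue %s" % (parent, name))
            return
        if q["bandwidth"] is None:              # default: 100% of the parent
            bps = parent_bps
        else:
            bps = parse_bw(q["bandwidth"], parent_bps)
            if sched == "priq":
                problems.append("priq queue %s may not set bandwidth" % name)
        if bps > parent_bps:
            problems.append("%s exceeds the bandwidth of %s" % (name, parent))
        if not 0 <= q["priority"] <= PRIORITY_MAX[sched]:
            problems.append("%s: priority out of range for %s" % (name, sched))
        rates[name] = bps
        for child in q["children"]:
            walk(child, bps, name)
        # pfctl also refuses children whose rates add up to more than the parent
        if sum(rates.get(c, 0) for c in q["children"]) > bps:
            problems.append("children of %s oversubscribe it" % name)
    for child in root["children"]:
        walk(child, parse_bw(root["bandwidth"], 0), root["name"])
    for name in queues:
        if name not in rates:
            problems.append("queue %s is never attached to %s" % (name, root["name"]))
    return rates, problems
```

Running resolve(parse_ruleset(EXAMPLE)) yields http at 3 Mbit/s with developers at 2.25 Mbit/s under it, and no problems; raising developers to 90% makes the http children oversubscribe their parent.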
.Pp
To continue the previous example, the examples below would specify the
four referenced
queues, plus a few child queues.
Interactive
.Xr ssh 1
sessions get priority over bulk transfers like
.Xr scp 1
and
.Xr sftp 1 .
The queues may then be referenced by filtering rules (see
.Sx PACKET FILTERING
below).
.Bd -literal
queue std bandwidth 10% cbq(default)
queue http bandwidth 60% priority 2 cbq(borrow red) \e
    { employees, developers }
queue developers bandwidth 75% cbq(borrow)
queue employees bandwidth 15%
queue mail bandwidth 10% priority 0 cbq(borrow ecn)
queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
queue ssh_interactive bandwidth 50% priority 7 cbq(borrow)
queue ssh_bulk bandwidth 50% priority 0 cbq(borrow)

block return out on dc0 inet all queue std
pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e
    queue developers
pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e
    queue employees
pass out on dc0 inet proto tcp from any to any port 22 \e
    queue(ssh_bulk, ssh_interactive)
pass out on dc0 inet proto tcp from any to any port 25 \e
    queue mail
.Ed
.Sh TRANSLATION
Translation rules modify either the source or destination address of the
packets associated with a stateful connection.
A stateful connection is automatically created to track packets matching
such a rule as long as they are not blocked by the filtering section of
.Nm pf.conf .
The translation engine modifies the specified address and/or port in the
packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to
the packet filter for evaluation.
.Pp
Since translation occurs before filtering, the filter
engine will see packets as they look after any
addresses and ports have been translated.
Filter rules will therefore have to filter based on the translated
address and port number.
Packets that match a translation rule are only automatically passed if
the
.Ar pass
modifier is given, otherwise they are
still subject to
.Ar block
and
.Ar pass
rules.
.Pp
The state entry created permits
.Xr pf 4
to keep track of the original address for traffic associated with that state
and correctly direct return traffic for that connection.
.Pp
Various types of translation are possible with pf:
.Bl -tag -width xxxx
.It Ar binat
A
.Ar binat
rule specifies a bidirectional mapping between an external IP netblock
and an internal IP netblock.
.It Ar nat
A
.Ar nat
rule specifies that IP addresses are to be changed as the packet
traverses the given interface.
This technique allows one or more IP addresses
on the translating host to support network traffic for a larger range of
machines on an "inside" network.
Although in theory any IP address can be used on the inside, it is strongly
recommended that one of the address ranges defined by RFC 1918 be used.
These netblocks are:
.Bd -literal
10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8)
172.16.0.0 - 172.31.255.255 (i.e., 172.16/12)
192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
.Ed
.It Ar rdr
The packet is redirected to another destination and possibly a
different port.
.Ar rdr
rules can optionally specify port ranges instead of single ports.
rdr ... port 2000:2999 -\*(Gt ... port 4000
redirects ports 2000 to 2999 (inclusive) to port 4000.
rdr ... port 2000:2999 -\*(Gt ... port 4000:*
redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999.
.El
.Pp
In addition to modifying the address, some translation rules may modify
source or destination ports for
.Xr tcp 4
or
.Xr udp 4
connections; implicitly in the case of
.Ar nat
rules and explicitly in the case of
.Ar rdr
rules.
Port numbers are never translated with a
.Ar binat
rule.
.Pp
Evaluation order of the translation rules is dependent on the type
of the translation rules and of the direction of a packet.
.Ar binat
rules are always evaluated first.
Then either the
.Ar rdr
rules are evaluated on an inbound packet or the
.Ar nat
rules on an outbound packet.
Rules of the same type are evaluated in the same order in which they
appear in the ruleset.
The first matching rule decides what action is taken.
.Pp
The
.Ar no
option prefixed to a translation rule causes packets to remain untranslated,
much in the same way as
.Ar drop quick
works in the packet filter (see below).
If no rule matches the packet it is passed to the filter engine unmodified.
.Pp
Translation rules apply only to packets that pass through
the specified interface, and if no interface is specified,
translation is applied to packets on all interfaces.
For instance, redirecting port 80 on an external interface to an internal
web server will only work for connections originating from the outside.
Connections to the address of the external interface from local hosts will
not be redirected, since such packets do not actually pass through the
external interface.
Redirections cannot reflect packets back through the interface they arrive
on; they can only be redirected to hosts connected to different interfaces
or to the firewall itself.
.Pp
Note that redirecting external incoming connections to the loopback
address, as in
.Bd -literal -offset indent
rdr on ne3 inet proto tcp to port smtp -\*(Gt 127.0.0.1 port spamd
.Ed
.Pp
will effectively allow an external host to connect to daemons
bound solely to the loopback address, circumventing the traditional
blocking of such connections on a real interface.
Unless this effect is desired, any of the local non-loopback addresses
should be used as redirection target instead, which allows external
connections only to daemons bound to this address or not bound to
any address.
.Pp
See
.Sx TRANSLATION EXAMPLES
below.
.Sh PACKET FILTERING
.Xr pf 4
has the ability to
.Ar block
and
.Ar pass
packets based on attributes of their layer 3 (see
.Xr ip 4
and
.Xr ip6 4 )
and layer 4 (see
.Xr icmp 4 ,
.Xr icmp6 4 ,
.Xr tcp 4 ,
.Xr udp 4 )
headers.
In addition, packets may also be
assigned to queues for the purpose of bandwidth control.
.Pp
For each packet processed by the packet filter, the filter rules are
evaluated in sequential order, from first to last.
The last matching rule decides what action is taken.
If no rule matches the packet, the default action is to pass
the packet.
.Pp
The following actions can be used in the filter:
.Bl -tag -width xxxx
.It Ar block
The packet is blocked.
There are a number of ways in which a
.Ar block
rule can behave when blocking a packet.
The default behaviour is to
.Ar drop
packets silently, however this can be overridden or made
explicit either globally, by setting the
.Ar block-policy
option, or on a per-rule basis with one of the following options:
.Pp
.Bl -tag -width xxxx -compact
.It Ar drop
The packet is silently dropped.
.It Ar return-rst
This applies only to
.Xr tcp 4
packets, and issues a TCP RST which closes the
connection.
.It Ar return-icmp
.It Ar return-icmp6
This causes ICMP messages to be returned for packets which match the rule.
By default this is an ICMP UNREACHABLE message, however this
can be overridden by specifying a message as a code or number.
.It Ar return
This causes a TCP RST to be returned for
.Xr tcp 4
packets and an ICMP UNREACHABLE for UDP and other packets.
.El
.Pp
Options returning ICMP packets currently have no effect if
.Xr pf 4
operates on a
.Xr if_bridge 4 ,
as the code to support this feature has not yet been implemented.
.Pp
The simplest mechanism to block everything by default and only pass
packets that match explicit rules is to specify a first filter rule of:
.Bd -literal -offset indent
block all
.Ed
.It Ar pass
The packet is passed;
state is created unless the
.Ar no state
option is specified.
.El
.Pp
By default
.Xr pf 4
filters packets statefully; the first time a packet matches a
.Ar pass
rule, a state entry is created; for subsequent packets the filter checks
whether the packet matches any state.
If it does, the packet is passed without evaluation of any rules.
After the connection is closed or times out, the state entry is automatically
removed.
.Pp
This has several advantages.
For TCP connections, comparing a packet to a state involves checking
its sequence numbers, as well as TCP timestamps if a
.Ar scrub reassemble tcp
rule applies to the connection.
If these values are outside the narrow windows of expected
values, the packet is dropped.
This prevents spoofing attacks, such as when an attacker sends packets with
a fake source address/port but does not know the connection's sequence
numbers.
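The rule evaluation order described under PACKET FILTERING above (rules walked first to last, the last matching rule decides, a matching rule with the quick option ends evaluation, and a packet matching no rule is passed), as an added model that is not pf's own code. The Packet and Rule classes, the rule syntax subset and the TEST-NET addresses in the ruleset are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet summary: only the fields this model matches on."""
    direction: str            # "in" or "out"
    proto: str                # "tcp", "udp", "icmp", ...
    src: str                  # source IP address
    dst: str                  # destination IP address
    dport: Optional[int] = None


@dataclass
class Rule:
    """Subset of a pf filter rule: action, direction, proto, from/to, port, quick."""
    action: str                       # "block" or "pass"
    direction: Optional[str] = None   # None matches both "in" and "out"
    proto: Optional[str] = None       # None matches any protocol
    src: Optional[str] = None         # CIDR netblock; None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None       # None matches any destination port
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int], int]:
    """Walk the ruleset first to last the way pf does.

    Returns (action, index of the deciding rule or None, rules evaluated).
    The last matching rule wins unless a matching rule carries "quick",
    which ends evaluation immediately; no match at all means "pass".
    """
    action, winner, evaluated = "pass", None, 0
    for i, rule in enumerate(rules):
        evaluated += 1
        if rule.matches(pkt):
            action, winner = rule.action, i
            if rule.quick:
                break
    return action, winner, evaluated


# Constructed ruleset; in pf.conf terms:
#   block all
#   pass in proto tcp to 192.0.2.10 port 22
#   pass in proto tcp to any port 80
#   block in quick proto tcp from 198.51.100.0/24 to any port 80
#   pass in proto tcp from 198.51.100.0/24
RULES = [
    Rule("block"),
    Rule("pass", "in", "tcp", dst="192.0.2.10/32", dport=22),
    Rule("pass", "in", "tcp", dport=80),
    Rule("block", "in", "tcp", src="198.51.100.0/24", dport=80, quick=True),
    Rule("pass", "in", "tcp", src="198.51.100.0/24"),
]


def demo() -> dict:
    """Run constructed packets through RULES and collect each decision."""
    web_from_outside = Packet("in", "tcp", "203.0.113.7", "192.0.2.10", 80)
    web_from_blocked_net = Packet("in", "tcp", "198.51.100.5", "192.0.2.10", 80)
    ssh_from_blocked_net = Packet("in", "tcp", "198.51.100.5", "192.0.2.10", 22)
    outbound_udp = Packet("out", "udp", "192.0.2.10", "203.0.113.7", 53)
    return {
        # last match wins: "block all" is overridden by the later port 80 pass
        "web_from_outside": evaluate(RULES, web_from_outside),
        # quick: the block ends evaluation, so the final pass rule is never seen
        "web_from_blocked_net": evaluate(RULES, web_from_blocked_net),
        # no quick rule matches, so the last matching rule (index 4) decides
        "ssh_from_blocked_net": evaluate(RULES, ssh_from_blocked_net),
        # only "block all" matches: default deny in effect
        "outbound_udp": evaluate(RULES, outbound_udp),
        # empty ruleset: pf's default action is to pass
        "empty_ruleset": evaluate([], web_from_outside),
    }


if __name__ == "__main__":
    for name, (action, idx, n) in demo().items():
        print(f"{name:22s} -> {action:5s} by rule {idx} after {n} rule(s)")
```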
Similarly,
.Xr pf 4
knows how to match ICMP replies to states.
For example,
.Bd -literal -offset indent
pass out inet proto icmp all icmp-type echoreq
.Ed
.Pp
allows echo requests (such as those created by
.Xr ping 8 )
out statefully, and matches incoming echo replies correctly to states.
.Pp
Also, looking up states is usually faster than evaluating rules.
If there are 50 rules, all of them are evaluated sequentially in O(n).
Even with 50000 states, only 16 comparisons are needed to match a
state, since states are stored in a binary search tree that allows
searches in O(log2 n).
.Pp
Furthermore, correct handling of ICMP error messages is critical to
many protocols, particularly TCP.
.Xr pf 4
matches ICMP error messages to the correct connection, checks them against
connection parameters, and passes them if appropriate.
For example, if an ICMP source quench message referring to a stateful TCP
connection arrives, it will be matched to the state and get passed.
.Pp
Finally, state tracking is required for
.Ar nat , binat No and Ar rdr
rules, in order to track address and port translations and reverse the
translation on returning packets.
.Pp
.Xr pf 4
will also create state for other protocols which are effectively stateless by
nature.
UDP packets are matched to states using only host addresses and ports,
and other protocols are matched to states using only the host addresses.
.Pp
If stateless filtering of individual packets is desired,
the
.Ar no state
keyword can be used to specify that state will not be created
if this is the last matching rule.
A number of parameters can also be set to affect how
.Xr pf 4
handles state tracking.
See
.Sx STATEFUL TRACKING OPTIONS
below for further details.
.Sh PARAMETERS
The rule parameters specify the packets to which a rule applies.
A packet always comes in on, or goes out through, one interface.
Most parameters are optional.
If a parameter is specified, the rule only applies to packets with
matching attributes.
Certain parameters can be expressed as lists, in which case
.Xr pfctl 8
generates all needed rule combinations.
.Bl -tag -width xxxx
.It Ar in No or Ar out
This rule applies to incoming or outgoing packets.
If neither
.Ar in
nor
.Ar out
is specified, the rule will match packets in both directions.
.It Ar log
In addition to the action specified, a log message is generated.
Only the packet that establishes the state is logged,
unless the
.Ar no state
option is specified.
The logged packets are sent to a
.Xr pflog 4
interface, by default
.Ar pflog0 .
This interface is monitored by the
.Xr pflogd 8
logging daemon, which dumps the logged packets to the file
.Pa /var/log/pflog
in
.Xr pcap 3
binary format.
.It Ar log (all)
Used to force logging of all packets for a connection.
This is not necessary when
.Ar no state
is explicitly specified.
As with
.Ar log ,
packets are logged to
.Xr pflog 4 .
.It Ar log (user)
Logs the
.Ux
user ID of the user that owns the socket and the PID of the process that
has the socket open where the packet is sourced from or destined to
(depending on which socket is local).
This is in addition to the normal information logged.
.Pp
Only the first packet
logged via
.Ar log (all, user)
will have the user credentials logged when using stateful matching.
.It Ar log (to Aq Ar interface )
Send logs to the specified
.Xr pflog 4
interface instead of
.Ar pflog0 .
.It Ar quick
If a packet matches a rule which has the
.Ar quick
option set, this rule
is considered the last matching rule, and evaluation of subsequent rules
is skipped.
.It Ar on Aq Ar interface
This rule applies only to packets coming in on, or going out through, this
particular interface or interface group.
For more information on interface groups,
see the
.Ic group
keyword in
.Xr ifconfig 8 .
.It Aq Ar af
This rule applies only to packets of this address family.
Supported values are
.Ar inet
and
.Ar inet6 .
.It Ar proto Aq Ar protocol
This rule applies only to packets of this protocol.
Common protocols are
.Xr icmp 4 ,
.Xr icmp6 4 ,
.Xr tcp 4 ,
and
.Xr udp 4 .
For a list of all the protocol name to number mappings used by
.Xr pfctl 8 ,
see the file
.Pa /etc/protocols .
.It Xo
.Ar from Aq Ar source
.Ar port Aq Ar source
.Ar os Aq Ar source
.Ar to Aq Ar dest
.Ar port Aq Ar dest
.Xc
This rule applies only to packets with the specified source and destination
addresses and ports.
.Pp
Addresses can be specified in CIDR notation (matching netblocks), as
symbolic host names, interface names or interface group names, or as any
of the following keywords:
.Pp
.Bl -tag -width xxxxxxxxxxxxxx -compact
.It Ar any
Any address.
.It Ar no-route
Any address which is not currently routable.
.It Ar urpf-failed
Any source address that fails a unicast reverse path forwarding (URPF)
check, i.e. packets coming in on an interface other than that which holds
the route back to the packet's source address.
.It Aq Ar table
Any address that matches the given table.
.El
.Pp
Ranges of addresses are specified by using the
.Sq -
operator.
For instance:
.Dq 10.1.1.10 - 10.1.1.12
means all addresses from 10.1.1.10 to 10.1.1.12,
hence addresses 10.1.1.10, 10.1.1.11, and 10.1.1.12.
.Pp
Interface names and interface group names can have modifiers appended:
.Pp
.Bl -tag -width xxxxxxxxxxxx -compact
.It Ar :network
Translates to the network(s) attached to the interface.
.It Ar :broadcast
Translates to the interface's broadcast address(es).
.It Ar :peer
Translates to the point-to-point interface's peer address(es).
.It Ar :0
Do not include interface aliases.
.El
.Pp
Host names may also have the
.Ar :0
option appended to restrict the name resolution to the first of each
v4 and v6 address found.
.Pp
Host name resolution and interface to address translation are done at
ruleset load-time.
When the address of an interface (or host name) changes (under DHCP or PPP,
for instance), the ruleset must be reloaded for the change to be reflected
in the kernel.
Surrounding the interface name (and optional modifiers) in parentheses
changes this behaviour.
When the interface name is surrounded by parentheses, the rule is
automatically updated whenever the interface changes its address.
The ruleset does not need to be reloaded.
This is especially useful with
.Ar nat .
.Pp
Ports can be specified either by number or by name.
For example, port 80 can be specified as
.Em www .
For a list of all port name to number mappings used by
.Xr pfctl 8 ,
see the file
.Pa /etc/services .
.Pp
Ports and ranges of ports are specified by using these operators:
.Bd -literal -offset indent
=	(equal)
!=	(unequal)
\*(Lt	(less than)
\*(Le	(less than or equal)
\*(Gt	(greater than)
\*(Ge	(greater than or equal)
:	(range including boundaries)
\*(Gt\*(Lt	(range excluding boundaries)
\*(Lt\*(Gt	(except range)
.Ed
.Pp
.Sq \*(Gt\*(Lt ,
.Sq \*(Lt\*(Gt
and
.Sq \&:
are binary operators (they take two arguments).
For instance:
.Bl -tag -width Fl
.It Ar port 2000:2004
means
.Sq all ports \*(Ge 2000 and \*(Le 2004 ,
hence ports 2000, 2001, 2002, 2003 and 2004.
.It Ar port 2000 \*(Gt\*(Lt 2004
means
.Sq all ports \*(Gt 2000 and \*(Lt 2004 ,
hence ports 2001, 2002 and 2003.
.It Ar port 2000 \*(Lt\*(Gt 2004
means
.Sq all ports \*(Lt 2000 or \*(Gt 2004 ,
hence ports 1-1999 and 2005-65535.
.El
.Pp
The operating system of the source host can be specified in the case of TCP
rules with the
.Ar OS
modifier.
See the
.Sx OPERATING SYSTEM FINGERPRINTING
section for more information.
.Pp
The host, port and OS specifications are optional, as in the following examples:
.Bd -literal -offset indent
pass in all
pass in from any to any
pass in proto tcp from any port \*(Le 1024 to any
pass in proto tcp from any to any port 25
pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e
    to ! 10.1.2.3 port != ssh
pass in proto tcp from any os "OpenBSD"
.Ed
.It Ar all
This is equivalent to "from any to any".
.It Ar group Aq Ar group
Similar to
.Ar user ,
this rule only applies to packets of sockets owned by the specified group.
.It Ar user Aq Ar user
This rule only applies to packets of sockets owned by the specified user.
For outgoing connections initiated from the firewall, this is the user
that opened the connection.
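The port operators listed above, as an added example that is not pfctl's own parser: each expression is compiled into a predicate over a port number, and the three binary operators are checked against the port sets the text gives for 2000:2004, 2000 >< 2004 and 2000 <> 2004. The small SERVICES table stands in for the /etc/services lookup and the 1 to 65535 port range is an assumption.

```python
import re
from typing import Callable, List

# Constructed stand-in for the /etc/services lookup that pfctl performs.
SERVICES = {"ssh": 22, "smtp": 25, "www": 80, "https": 443}

# Binary forms "a:b", "a >< b", "a <> b"; unary form "[op] port". Whitespace optional.
_BINARY = re.compile(r"^\s*(\S+?)\s*(:|><|<>)\s*(\S+)\s*$")
_UNARY = re.compile(r"^\s*(=|!=|<=|>=|<|>)?\s*(\S+)\s*$")


def resolve_port(token: str) -> int:
    """Turn a numeric or symbolic port into an integer in 1..65535 (range assumed)."""
    if token in SERVICES:
        return SERVICES[token]
    if not token.isdigit():
        raise ValueError(f"unknown port name: {token!r}")
    port = int(token)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def parse_port_spec(spec: str) -> Callable[[int], bool]:
    """Compile a pf port expression into a predicate over a port number."""
    m = _BINARY.match(spec)
    if m:
        lo, op, hi = resolve_port(m.group(1)), m.group(2), resolve_port(m.group(3))
        if lo > hi:
            raise ValueError(f"range bounds out of order: {spec!r}")  # assumption
        if op == ":":
            return lambda p: lo <= p <= hi      # range including boundaries
        if op == "><":
            return lambda p: lo < p < hi        # range excluding boundaries
        return lambda p: p < lo or p > hi       # except range
    m = _UNARY.match(spec)
    if not m:
        raise ValueError(f"cannot parse port expression: {spec!r}")
    op, n = m.group(1) or "=", resolve_port(m.group(2))   # bare port means "="
    ops = {
        "=": lambda p: p == n,
        "!=": lambda p: p != n,
        "<": lambda p: p < n,
        "<=": lambda p: p <= n,
        ">": lambda p: p > n,
        ">=": lambda p: p >= n,
    }
    return ops[op]


def matching_ports(spec: str) -> List[int]:
    """Every port in 1..65535 that the expression matches."""
    pred = parse_port_spec(spec)
    return [p for p in range(1, 65536) if pred(p)]


if __name__ == "__main__":
    for spec in ("2000:2004", "2000 >< 2004", "2000 <> 2004", "!= ssh", "<= 1024"):
        ports = matching_ports(spec)
        print(f"port {spec:14s} matches {len(ports):5d} ports, first {ports[:5]}")
```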
For incoming connections to the firewall itself, this is the user that
listens on the destination port.
For forwarded connections, where the firewall is not a connection endpoint,
the user and group are
.Em unknown .
.Pp
All packets, both outgoing and incoming, of one connection are associated
with the same user and group.
Only TCP and UDP packets can be associated with users; for other protocols
these parameters are ignored.
.Pp
User and group refer to the effective (as opposed to the real) IDs, in
case the socket is created by a setuid/setgid process.
User and group IDs are stored when a socket is created;
when a process creates a listening socket as root (for instance, by
binding to a privileged port) and subsequently changes to another
user ID (to drop privileges), the credentials will remain root.
.Pp
User and group IDs can be specified as either numbers or names.
The syntax is similar to the one for ports.
The value
.Em unknown
matches packets of forwarded connections.
.Em unknown
can only be used with the operators
.Cm =
and
.Cm != .
Other constructs like
.Cm user \*(Ge unknown
are invalid.
Forwarded packets with unknown user and group ID match only rules
that explicitly compare against
.Em unknown
with the operators
.Cm =
or
.Cm != .
For instance
.Cm user \*(Ge 0
does not match forwarded packets.
The following example allows only selected users to open outgoing
connections:
.Bd -literal -offset indent
block out proto { tcp, udp } all
pass out proto { tcp, udp } all user { \*(Lt 1000, dhartmei }
.Ed
.It Xo Ar flags Aq Ar a
.Pf / Ns Aq Ar b
.No \*(Ba / Ns Aq Ar b
.No \*(Ba any
.Xc
This rule only applies to TCP packets that have the flags
.Aq Ar a
set out of set
.Aq Ar b .
Flags not specified in
.Aq Ar b
are ignored.
For stateful connections, the default is
.Ar flags S/SA .
To indicate that flags should not be checked at all, specify
.Ar flags any .
The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
.Bl -tag -width Fl
.It Ar flags S/S
Flag SYN is set.
The other flags are ignored.
.It Ar flags S/SA
This is the default setting for stateful connections.
Out of SYN and ACK, exactly SYN may be set.
SYN, SYN+PSH and SYN+RST match, but SYN+ACK, ACK and ACK+RST do not.
This is more restrictive than the previous example.
.It Ar flags /SFRA
If the first set is not specified, it defaults to none.
All of SYN, FIN, RST and ACK must be unset.
.El
.Pp
Because
.Ar flags S/SA
is applied by default (unless
.Ar no state
is specified), only the initial SYN packet of a TCP handshake will create
a state for a TCP connection.
It is possible to be less restrictive, and allow state creation from
intermediate
.Pq non-SYN
packets, by specifying
.Ar flags any .
This will cause
.Xr pf 4
to synchronize to existing connections, for instance
if one flushes the state table.
However, states created from such intermediate packets may be missing
connection details such as the TCP window scaling factor.
States which modify the packet flow, such as those affected by
.Ar nat , binat No or Ar rdr
rules,
.Ar modulate No or Ar synproxy state
options, or scrubbed with
.Ar reassemble tcp
will also not be recoverable from intermediate packets.
Such connections will stall and time out.
.It Xo Ar icmp-type Aq Ar type
.Ar code Aq Ar code
.Xc
.It Xo Ar icmp6-type Aq Ar type
.Ar code Aq Ar code
.Xc
This rule only applies to ICMP or ICMPv6 packets with the specified type
and code.
Text names for ICMP types and codes are listed in
.Xr icmp 4
and
.Xr icmp6 4 .
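The flags <a>/<b> matching rule described above (out of the flags in <b>, exactly those in <a> must be set; flags outside <b> are ignored), as an added example that is not pf's own code. It checks the page's S/SA, S/S and /SFRA cases and shows which segments of a constructed handshake-plus-data flag sequence would be allowed to create state under each specification; the letter-to-bit table follows the standard TCP header layout.

```python
from typing import List, Optional, Tuple

# Bit value of each TCP header flag, keyed by the letter pf uses for it.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def flag_mask(letters: str) -> int:
    """OR together the bits for a flag string such as "SA"; "" gives 0."""
    mask = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        mask |= FLAG_BITS[ch]
    return mask


def parse_flags(spec: str) -> Optional[Tuple[int, int]]:
    """Parse "<a>/<b>", "/<b>" or "any" into (required, checked) bit masks.

    Returns None for "any", meaning flags are not checked at all.
    A missing <a> defaults to none, as for "flags /SFRA".
    """
    spec = spec.strip()
    if spec == "any":
        return None
    if "/" not in spec:
        raise ValueError(f"expected <a>/<b>, /<b> or any, got {spec!r}")
    a, b = spec.split("/", 1)
    # Note: a flag named in <a> but not in <b> is masked away by <b> and so
    # could never be satisfied; such a spec matches nothing.
    return flag_mask(a), flag_mask(b)


def flags_match(spec: str, segment_flags: str) -> bool:
    """True if a TCP segment carrying segment_flags satisfies spec."""
    parsed = parse_flags(spec)
    if parsed is None:
        return True
    required, checked = parsed
    return (flag_mask(segment_flags) & checked) == required


def state_creating_segments(spec: str, segments: List[str]) -> List[str]:
    """The segments in the sequence that would match (and so could create state)."""
    return [s for s in segments if flags_match(spec, s)]


# Constructed flag sequence of one TCP connection as the filter sees it:
# SYN, SYN+ACK, ACK, data with PSH+ACK, FIN+ACK.
CONNECTION = ["S", "SA", "A", "PA", "FA"]

if __name__ == "__main__":
    for spec in ("S/SA", "S/S", "/SFRA", "any"):
        print(f"flags {spec:6s} would create state from: "
              f"{state_creating_segments(spec, CONNECTION)}")
```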
This parameter is only valid for rules that cover protocols ICMP or
ICMP6.
The protocol and the ICMP type indicator
.Po
.Ar icmp-type
or
.Ar icmp6-type
.Pc
must match.
.It Xo Ar tos Aq Ar string
.No \*(Ba Aq Ar number
.Xc
This rule applies to packets with the specified
.Em TOS
bits set.
.Em TOS
may be
given as one of
.Ar critical ,
.Ar inetcontrol ,
.Ar lowdelay ,
.Ar netcontrol ,
.Ar throughput ,
.Ar reliability ,
or one of the DiffServ Code Points:
.Ar ef ,
.Ar af11 No ... Ar af43 ,
.Ar cs0 No ... Ar cs7 ;
or as either hex or decimal.
.Pp
For example, the following rules are identical:
.Bd -literal -offset indent
pass all tos lowdelay
pass all tos 0x10
pass all tos 16
.Ed
.It Ar allow-opts
By default, IPv4 packets with IP options or IPv6 packets with routing
extension headers are blocked.
When
.Ar allow-opts
is specified for a
.Ar pass
rule, packets that pass the filter based on that rule (last matching)
do so even if they contain IP options or routing extension headers.
For packets that match state, the rule that initially created the
state is used.
The implicit
.Ar pass
rule that is used when a packet does not match any rules does not
allow IP options.
.It Ar label Aq Ar string
Adds a label (name) to the rule, which can be used to identify the rule.
For instance,
pfctl -s labels
shows per-rule statistics for rules that have labels.
.Pp
The following macros can be used in labels:
.Pp
.Bl -tag -width $srcaddr -compact -offset indent
.It Ar $if
The interface.
.It Ar $srcaddr
The source IP address.
.It Ar $dstaddr
The destination IP address.
.It Ar $srcport
The source port specification.
.It Ar $dstport
The destination port specification.
.It Ar $proto
The protocol name.
.It Ar $nr
The rule number.
.El
.Pp
For example:
.Bd -literal -offset indent
ips = \&"{ 1.2.3.4, 1.2.3.5 }\&"
pass in proto tcp from any to $ips \e
    port \*(Gt 1023 label \&"$dstaddr:$dstport\&"
.Ed
.Pp
expands to
.Bd -literal -offset indent
pass in inet proto tcp from any to 1.2.3.4 \e
    port \*(Gt 1023 label \&"1.2.3.4:\*(Gt1023\&"
pass in inet proto tcp from any to 1.2.3.5 \e
    port \*(Gt 1023 label \&"1.2.3.5:\*(Gt1023\&"
.Ed
.Pp
The macro expansion for the
.Ar label
directive occurs only at configuration file parse time, not during runtime.
.It Xo Ar queue Aq Ar queue
.No \*(Ba ( Aq Ar queue ,
.Aq Ar queue )
.Xc
Packets matching this rule will be assigned to the specified queue.
If two queues are given, packets which have a
.Em TOS
of
.Em lowdelay
and TCP ACKs with no data payload will be assigned to the second one.
See
.Sx QUEUEING
for setup details.
.Pp
For example:
.Bd -literal -offset indent
pass in proto tcp to port 25 queue mail
pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio)
.Ed
.Pp
.It Cm set prio Ar priority | Pq Ar priority , priority
Packets matching this rule will be assigned a specific queueing priority.
Priorities are assigned as integers 0 through 7.
If the packet is transmitted on a
.Xr vlan 4
interface, the queueing priority will be written as the priority
code point in the 802.1Q VLAN header.
If two priorities are given, packets which have a TOS of
.Cm lowdelay
and TCP ACKs with no data payload will be assigned to the second one.
.Pp
For example:
.Bd -literal -offset indent
pass in proto tcp to port 25 set prio 2
pass in proto tcp to port 22 set prio (2, 5)
.Ed
.Pp
.It Ar tag Aq Ar string
Packets matching this rule will be tagged with the
specified string.
The tag acts as an internal marker that can be used to
identify these packets later on.
This can be used, for example, to provide trust between
interfaces and to determine if packets have been
processed by translation rules.
Tags are
.Qq sticky ,
meaning that the packet will be tagged even if the rule
is not the last matching rule.
Further matching rules can replace the tag with a
new one but will not remove a previously applied tag.
A packet is only ever assigned one tag at a time.
Packet tagging can be done during
.Ar nat ,
.Ar rdr ,
or
.Ar binat
rules in addition to filter rules.
Tags take the same macros as labels (see above).
.It Ar tagged Aq Ar string
Used with filter, translation or scrub rules
to specify that packets must already
be tagged with the given tag in order to match the rule.
Inverse tag matching can also be done
by specifying the
.Cm !\&
operator before the
.Ar tagged
keyword.
.It Ar rtable Aq Ar number
Used to select an alternate routing table for the routing lookup.
Only effective before the route lookup happened, i.e. when filtering inbound.
.It Xo Ar divert-to Aq Ar host
.Ar port Aq Ar port
.Xc
Used to redirect packets to a local socket bound to
.Ar host
and
.Ar port .
The packets will not be modified, so
.Xr getsockname 2
on the socket will return the original destination address of the packet.
.It Ar divert-reply
Used to receive replies for sockets that are bound to addresses
which are not local to the machine.
See
.Xr setsockopt 2
for information on how to bind these sockets.
.It Ar probability Aq Ar number
A probability attribute can be attached to a rule, with a value set between
0 and 1, bounds not included.
In that case, the rule will be honoured using the given probability value
only.
For example, the following rule will drop 20% of incoming ICMP packets:
.Bd -literal -offset indent
block in proto icmp probability 20%
.Ed
.It Ar prio Aq Ar number
Only match packets which have the given queueing priority assigned.
.Pp
.El
.Sh ROUTING
If a packet matches a rule with a route option set, the packet filter will
route the packet according to the type of route option.
When such a rule creates state, the route option is also applied to all
packets matching the same connection.
.Bl -tag -width xxxx
.It Ar route-to
The
.Ar route-to
option routes the packet to the specified interface with an optional address
for the next hop.
When a
.Ar route-to
rule creates state, only packets that pass in the same direction as the
filter rule specifies will be routed in this way.
Packets passing in the opposite direction (replies) are not affected
and are routed normally.
.It Ar reply-to
The
.Ar reply-to
option is similar to
.Ar route-to ,
but routes packets that pass in the opposite direction (replies) to the
specified interface.
Opposite direction is only defined in the context of a state entry, and
.Ar reply-to
is useful only in rules that create state.
It can be used on systems with multiple external connections to
route all outgoing packets of a connection through the interface
the incoming connection arrived through (symmetric routing enforcement).
.It Ar dup-to
The
.Ar dup-to
option creates a duplicate of the packet and routes it like
.Ar route-to .
The original packet gets routed as it normally would.
.El
.Sh POOL OPTIONS
For
.Ar nat
and
.Ar rdr
rules, (as well as for the
.Ar route-to ,
.Ar reply-to
and
.Ar dup-to
rule options) for which there is a single redirection address which has a
subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP
address), a variety of different methods for assigning this address can be
used:
.Bl -tag -width xxxx
.It Ar bitmask
The
.Ar bitmask
option applies the network portion of the redirection address to the address
to be modified (source with
.Ar nat ,
destination with
.Ar rdr ) .
.It Ar random
The
.Ar random
option selects an address at random within the defined block of addresses.
.It Ar source-hash
The
.Ar source-hash
option uses a hash of the source address to determine the redirection address,
ensuring that the redirection address is always the same for a given source.
An optional key can be specified after this keyword either in hex or as a
string; by default
.Xr pfctl 8
randomly generates a key for source-hash every time the
ruleset is reloaded.
.It Ar round-robin
The
.Ar round-robin
option loops through the redirection address(es).
.Pp
When more than one redirection address is specified,
.Ar round-robin
is the only permitted pool type.
.It Ar static-port
With
.Ar nat
rules, the
.Ar static-port
option prevents
.Xr pf 4
from modifying the source port on TCP and UDP packets.
.El
.Pp
Additionally, the
.Ar sticky-address
option can be specified to help ensure that multiple connections from the
same source are mapped to the same redirection address.
This option can be used with the
.Ar random
and
.Ar round-robin
pool options.
Note that by default these associations are destroyed as soon as there are
no longer states which refer to them; in order to make the mappings last
beyond the lifetime of the states, increase the global options with
.Ar set timeout src.track .
See
.Sx STATEFUL TRACKING OPTIONS
for more ways to control the source tracking.
.Sh STATE MODULATION
Much of the security derived from TCP is attributable to how well the
initial sequence numbers (ISNs) are chosen.
Some popular stack implementations choose
.Em very
poor ISNs and thus are normally susceptible to ISN prediction exploits.
By applying a
.Ar modulate state
rule to a TCP connection,
.Xr pf 4
will create a high quality random sequence number for each connection
endpoint.
.Pp
The
.Ar modulate state
directive implicitly keeps state on the rule and is
only applicable to TCP connections.
.Pp
For instance:
.Bd -literal -offset indent
block all
pass out proto tcp from any to any modulate state
pass in proto tcp from any to any port 25 flags S/SFRA modulate state
.Ed
.Pp
Note that modulated connections will not recover when the state table
is lost (firewall reboot, flushing the state table, etc.).
.Xr pf 4
will not be able to infer a connection again after the state table flushes
the connection's modulator.
When the state is lost, the connection may be left dangling until the
respective endpoints time out the connection.
It is possible on a fast local network for the endpoints to start an ACK
storm while trying to resynchronize after the loss of the modulator.
The default
.Ar flags
settings (or a more strict equivalent) should be used on
.Ar modulate state
rules to prevent ACK storms.
.Pp
Note that alternative methods are available
to prevent loss of the state table
and allow for firewall failover.
See
.Xr carp 4
and
.Xr pfsync 4
for further information.
.Sh SYN PROXY
By default,
.Xr pf 4
passes packets that are part of a
.Xr tcp 4
handshake between the endpoints.
The
.Ar synproxy state
option can be used to cause
.Xr pf 4
itself to complete the handshake with the active endpoint, perform a handshake
with the passive endpoint, and then forward packets between the endpoints.
.Pp
No packets are sent to the passive endpoint before the active endpoint has
completed the handshake, hence so-called SYN floods with spoofed source
addresses will not reach the passive endpoint, as the sender can't complete the
handshake.
.Pp
The proxy is transparent to both endpoints; each sees a single
connection from/to the other endpoint.
.Xr pf 4
chooses random initial sequence numbers for both handshakes.
Once the handshakes are completed, the sequence number modulators
(see previous section) are used to translate further packets of the
connection.
.Ar synproxy state
includes
.Ar modulate state .
.Pp
Rules with
.Ar synproxy
will not work if
.Xr pf 4
operates on a
.Xr bridge 4 .
.Pp
Example:
.Bd -literal -offset indent
pass in proto tcp from any to any port www synproxy state
.Ed
.Sh STATEFUL TRACKING OPTIONS
A number of options related to stateful tracking can be applied on a
per-rule basis.
.Ar keep state ,
.Ar modulate state
and
.Ar synproxy state
support these options, and
.Ar keep state
must be specified explicitly to apply options to a rule.
.Pp
.Bl -tag -width xxxx -compact
.It Ar max Aq Ar number
Limits the number of concurrent states the rule may create.
When this limit is reached, further packets that would create
state will not match this rule until existing states time out.
.It Ar no-sync
Prevent state changes for states created by this rule from appearing on the
.Xr pfsync 4
interface.
.It Xo Aq Ar timeout
.Aq Ar seconds
.Xc
Changes the timeout values used for states created by this rule.
For a list of all valid timeout names, see
.Sx OPTIONS
above.
.It Ar sloppy
Uses a sloppy TCP connection tracker that does not check sequence
numbers at all, which makes insertion and ICMP teardown attacks way
easier.
This is intended to be used in situations where one does not see all
packets of a connection, e.g. in asymmetric routing situations.
Cannot be used with modulate or synproxy state.
.It Ar pflow
States created by this rule are exported on the
.Xr pflow 4
interface.
.El
.Pp
Multiple options can be specified, separated by commas:
.Bd -literal -offset indent
pass in proto tcp from any to any \e
      port www keep state \e
      (max 100, source-track rule, max-src-nodes 75, \e
      max-src-states 3, tcp.established 60, tcp.closing 5)
.Ed
.Pp
When the
.Ar source-track
keyword is specified, the number of states per source IP is tracked.
.Pp
.Bl -tag -width xxxx -compact
.It Ar source-track rule
The maximum number of states created by this rule is limited by the rule's
.Ar max-src-nodes
and
.Ar max-src-states
options.
Only state entries created by this particular rule count toward the rule's
limits.
.It Ar source-track global
The number of states created by all rules that use this option is limited.
Each rule can specify different
.Ar max-src-nodes
and
.Ar max-src-states
options, however state entries created by any participating rule count towards
each individual rule's limits.
.El
.Pp
The following limits can be set:
.Pp
.Bl -tag -width xxxx -compact
.It Ar max-src-nodes Aq Ar number
Limits the maximum number of source addresses which can simultaneously
have state table entries.
.It Ar max-src-states Aq Ar number
Limits the maximum number of simultaneous state entries that a single
source address can create with this rule.
.El
.Pp
For stateful TCP connections, limits on established connections (connections
which have completed the TCP 3-way handshake) can also be enforced
per source IP.
.Pp
.Bl -tag -width xxxx -compact
.It Ar max-src-conn Aq Ar number
Limits the maximum number of simultaneous TCP connections which have
completed the 3-way handshake that a single host can make.
.It Xo Ar max-src-conn-rate Aq Ar number
.No / Aq Ar seconds
.Xc
Limit the rate of new connections over a time interval.
The connection rate is an approximation calculated as a moving average.
.El
.Pp
Because the 3-way handshake ensures that the source address is not being
spoofed, more aggressive action can be taken based on these limits.
With the
.Ar overload Aq Ar table
state option, source IP addresses which hit either of the limits on
established connections will be added to the named table.
This table can be used in the ruleset to block further activity from
the offending host, redirect it to a tarpit process, or restrict its
bandwidth.
.Pp
The optional
.Ar flush
keyword kills all states created by the matching rule which originate
from the host which exceeds these limits.
The
.Ar global
modifier to the flush command kills all states originating from the
offending host, regardless of which rule created the state.
.Pp
For example, the following rules will protect the webserver against
hosts making more than 100 connections in 10 seconds.
Any host which connects faster than this rate will have its address added
to the
.Aq bad_hosts
table and have all states originating from it flushed.
Any new packets arriving from this host will be dropped unconditionally
by the block rule.
.Bd -literal -offset indent
block quick from \*(Ltbad_hosts\*(Gt
pass in on $ext_if proto tcp to $webserver port www keep state \e
      (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global)
.Ed
.Sh OPERATING SYSTEM FINGERPRINTING
Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP
connection's initial SYN packet and guess at the host's operating system.
Unfortunately these nuances are easily spoofed by an attacker so the
fingerprint is not useful in making security decisions.
But the fingerprint is typically accurate enough to make policy decisions
upon.
.Pp
The fingerprints may be specified by operating system class, by
version, or by subtype/patchlevel.
The class of an operating system is typically the vendor or genre
and would be
.Ox
for the
.Xr pf 4
firewall itself.
The version of the oldest available
.Ox
release on the main FTP site
would be 2.6 and the fingerprint would be written
.Pp
.Dl \&"OpenBSD 2.6\&"
.Pp
The subtype of an operating system is typically used to describe the
patchlevel if that patch led to changes in the TCP stack behavior.
In the case of
.Ox ,
the only subtype is for a fingerprint that was
normalized by the
.Ar no-df
scrub option and would be specified as
.Pp
.Dl \&"OpenBSD 3.3 no-df\&"
.Pp
Fingerprints for most popular operating systems are provided by
.Xr pf.os 5 .
Once
.Xr pf 4
is running, a complete list of known operating system fingerprints may
be listed by running:
.Pp
.Dl # pfctl -so
.Pp
Filter rules can enforce policy at any level of operating system specification
assuming a fingerprint is present.
Policy could limit traffic to approved operating systems or even ban traffic
from hosts that aren't at the latest service pack.
.Pp
The
.Ar unknown
class can also be used as the fingerprint which will match packets for
which no operating system fingerprint is known.
.Pp
Examples:
.Bd -literal -offset indent
pass  out proto tcp from any os OpenBSD
block out proto tcp from any os Doors
block out proto tcp from any os "Doors PT"
block out proto tcp from any os "Doors PT SP3"
block out from any os "unknown"
pass  on lo0 proto tcp from any os "OpenBSD 3.3 lo0"
.Ed
.Pp
Operating system fingerprinting is limited only to the TCP SYN packet.
This means that it will not work on other protocols and will not match
a currently established connection.
.Pp
Caveat: operating system fingerprints are occasionally wrong.
There are three problems: an attacker can trivially craft his packets to
appear as any operating system he chooses;
an operating system patch could change the stack behavior and no fingerprints
will match it until the database is updated;
and multiple operating systems may have the same fingerprint.
.Sh BLOCKING SPOOFED TRAFFIC
"Spoofing" is the faking of IP addresses, typically for malicious
purposes.
The
.Ar antispoof
directive expands to a set of filter rules which will block all
traffic with a source IP from the network(s) directly connected
to the specified interface(s) from entering the system through
any other interface.
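.Pp
The expansion described above, as a Python example added here (not pfctl's own code; detecting loopback by interface name and writing the network in masked form are assumptions of the example):

```python
import ipaddress


def antispoof_rules(ifname, addrs, af=None, log=False, quick=False):
    """Expand 'antispoof [log] [quick] for <ifname> [af]' into block rules.

    `addrs` holds the interface's addresses as (address, prefixlen) pairs,
    e.g. ("10.0.0.1", 24); `af` restricts the expansion to "inet" or "inet6".
    Constructed illustration of the expansion described in BLOCKING SPOOFED
    TRAFFIC, not pfctl's parser.
    """
    opts = ("log " if log else "") + ("quick " if quick else "")
    # pfctl consults the interface's loopback flag; the name prefix stands in here
    loopback = ifname.startswith("lo")
    rules = []
    for addr, plen in addrs:
        iface = ipaddress.ip_interface(f"{addr}/{plen}")
        fam = "inet6" if iface.version == 6 else "inet"
        if af is not None and af != fam:
            continue
        net = iface.network
        # a /32 or /128 is a single host and is written without a prefix length
        src = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        # packets claiming a source on the directly connected network may not
        # enter through any other interface
        rules.append(f"block drop in {opts}on ! {ifname} {fam} from {src} to any")
        # non-loopback interfaces: also refuse the interface's own address as source
        if not loopback:
            rules.append(f"block drop in {opts}{fam} from {iface.ip} to any")
    return rules


if __name__ == "__main__":
    # antispoof for wi0 inet, with wi0 = 10.0.0.1 netmask 255.255.255.0
    for rule in antispoof_rules("wi0", [("10.0.0.1", 24)], af="inet"):
        print(rule)
```

The second rule for a non-loopback interface has no "on" clause, so a packet from 10.0.0.1 arriving on lo0 matches it too, which is the caveat that loopback traffic to local addresses must be passed explicitly.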
.Pp
For example, the line
.Bd -literal -offset indent
antispoof for lo0
.Ed
.Pp
expands to
.Bd -literal -offset indent
block drop in on ! lo0 inet from 127.0.0.1/8 to any
block drop in on ! lo0 inet6 from ::1 to any
.Ed
.Pp
For non-loopback interfaces, there are additional rules to block incoming
packets with a source IP address identical to the interface's IP(s).
For example, assuming the interface wi0 had an IP address of 10.0.0.1 and a
netmask of 255.255.255.0,
the line
.Bd -literal -offset indent
antispoof for wi0 inet
.Ed
.Pp
expands to
.Bd -literal -offset indent
block drop in on ! wi0 inet from 10.0.0.0/24 to any
block drop in inet from 10.0.0.1 to any
.Ed
.Pp
Caveat: Rules created by the
.Ar antispoof
directive interfere with packets sent over loopback interfaces
to local addresses.
One should pass these explicitly.
.Sh FRAGMENT HANDLING
The size of IP datagrams (packets) can be significantly larger than the
maximum transmission unit (MTU) of the network.
In cases when it is necessary or more efficient to send such large packets,
the large packet will be fragmented into many smaller packets that will each
fit onto the wire.
Unfortunately for a firewalling device, only the first logical fragment will
contain the necessary header information for the subprotocol that allows
.Xr pf 4
to filter on things such as TCP ports or to perform NAT.
.Pp
Besides the use of
.Ar scrub
rules as described in
.Sx TRAFFIC NORMALIZATION
above, there are three options for handling fragments in the packet filter.
.Pp
One alternative is to filter individual fragments with filter rules.
If no
.Ar scrub
rule applies to a fragment, it is passed to the filter.
Filter rules with matching IP header parameters decide whether the
fragment is passed or blocked, in the same way as complete packets
are filtered.
Without reassembly, fragments can only be filtered based on IP header
fields (source/destination address, protocol), since subprotocol header
fields are not available (TCP/UDP port numbers, ICMP code/type).
The
.Ar fragment
option can be used to restrict filter rules to apply only to
fragments, but not complete packets.
Filter rules without the
.Ar fragment
option still apply to fragments, if they only specify IP header fields.
For instance, the rule
.Bd -literal -offset indent
pass in proto tcp from any to any port 80
.Ed
.Pp
never applies to a fragment, even if the fragment is part of a TCP
packet with destination port 80, because without reassembly this information
is not available for each fragment.
This also means that fragments cannot create new or match existing
state table entries, which makes stateful filtering and address
translation (NAT, redirection) for fragments impossible.
.Pp
It's also possible to reassemble only certain fragments by specifying
source or destination addresses or protocols as parameters in
.Ar scrub
rules.
.Pp
In most cases, the benefits of reassembly outweigh the additional
memory cost, and it's recommended to use
.Ar scrub
rules to reassemble
all fragments via the
.Ar fragment reassemble
modifier.
.Pp
The memory allocated for fragment caching can be limited using
.Xr pfctl 8 .
Once this limit is reached, fragments that would have to be cached
are dropped until other entries time out.
The timeout value can also be adjusted.
.Pp
When forwarding reassembled IPv6 packets, pf refragments them with
the original maximum fragment size.
This allows the sender to determine the optimal fragment size by
path MTU discovery.
.Sh ANCHORS
Besides the main ruleset,
.Xr pfctl 8
can load rulesets into
.Ar anchor
attachment points.
An
.Ar anchor
is a container that can hold rules, address tables, and other anchors.
.Pp
An
.Ar anchor
has a name which specifies the path where
.Xr pfctl 8
can be used to access the anchor to perform operations on it, such as
attaching child anchors to it or loading rules into it.
Anchors may be nested, with components separated by
.Sq /
characters, similar to how file system hierarchies are laid out.
The main ruleset is actually the default anchor, so filter and
translation rules, for example, may also be contained in any anchor.
.Pp
An anchor can reference another
.Ar anchor
attachment point
using the following kinds
of rules:
.Bl -tag -width xxxx
.It Ar nat-anchor Aq Ar name
Evaluates the
.Ar nat
rules in the specified
.Ar anchor .
.It Ar rdr-anchor Aq Ar name
Evaluates the
.Ar rdr
rules in the specified
.Ar anchor .
.It Ar binat-anchor Aq Ar name
Evaluates the
.Ar binat
rules in the specified
.Ar anchor .
.It Ar anchor Aq Ar name
Evaluates the filter rules in the specified
.Ar anchor .
.It Xo Ar load anchor
.Aq Ar name
.Ar from Aq Ar file
.Xc
Loads the rules from the specified file into the
anchor
.Ar name .
.El
.Pp
When evaluation of the main ruleset reaches an
.Ar anchor
rule,
.Xr pf 4
will proceed to evaluate all rules specified in that anchor.
.Pp
Matching filter and translation rules marked with the
.Ar quick
option are final and abort the evaluation of the rules in other
anchors and the main ruleset.
If the
.Ar anchor
itself is marked with the
.Ar quick
option,
ruleset evaluation will terminate when the anchor is exited if the packet is
matched by any rule within the anchor.
.Pp
.Ar anchor
rules are evaluated relative to the anchor in which they are contained.
For example, all
.Ar anchor
rules specified in the main ruleset will reference anchor
attachment points underneath the main ruleset, and
.Ar anchor
rules specified in a file loaded from a
.Ar load anchor
rule will be attached under that anchor point.
.Pp
Rules may be contained in
.Ar anchor
attachment points which do not contain any rules when the main ruleset
is loaded, and later such anchors can be manipulated through
.Xr pfctl 8
without reloading the main ruleset or other anchors.
For example,
.Bd -literal -offset indent
ext_if = \&"kue0\&"
block on $ext_if all
anchor spam
pass out on $ext_if all
pass in on $ext_if proto tcp from any \e
      to $ext_if port smtp
.Ed
.Pp
blocks all packets on the external interface by default, then evaluates
all rules in the
.Ar anchor
named "spam", and finally passes all outgoing connections and
incoming connections to port 25.
.Bd -literal -offset indent
# echo \&"block in quick from 1.2.3.4 to any\&" \&| \e
      pfctl -a spam -f -
.Ed
.Pp
This loads a single rule into the
.Ar anchor ,
which blocks all packets from a specific address.
.Pp
The anchor can also be populated by adding a
.Ar load anchor
rule after the
.Ar anchor
rule:
.Bd -literal -offset indent
anchor spam
load anchor spam from "/etc/pf-spam.conf"
.Ed
.Pp
When
.Xr pfctl 8
loads
.Nm pf.conf ,
it will also load all the rules from the file
.Pa /etc/pf-spam.conf
into the anchor.
.Pp
Optionally,
.Ar anchor
rules can specify packet filtering parameters using the same syntax as
filter rules.
When parameters are used, the
.Ar anchor
rule is only evaluated for matching packets.
This allows conditional evaluation of anchors, like:
.Bd -literal -offset indent
block on $ext_if all
anchor spam proto tcp from any to any port smtp
pass out on $ext_if all
pass in on $ext_if proto tcp from any to $ext_if port smtp
.Ed
.Pp
The rules inside
.Ar anchor
spam are only evaluated for
.Ar tcp
packets with destination port 25.
Hence,
.Bd -literal -offset indent
# echo \&"block in quick from 1.2.3.4 to any\&" \&| \e
      pfctl -a spam -f -
.Ed
.Pp
will only block connections from 1.2.3.4 to port 25.
.Pp
Anchors may end with the asterisk
.Pq Sq *
character, which signifies that all anchors attached at that point
should be evaluated in the alphabetical ordering of their anchor name.
For example,
.Bd -literal -offset indent
anchor "spam/*"
.Ed
.Pp
will evaluate each rule in each anchor attached to the
.Li spam
anchor.
Note that it will only evaluate anchors that are directly attached to the
.Li spam
anchor, and will not descend to evaluate anchors recursively.
.Pp
Since anchors are evaluated relative to the anchor in which they are
contained, there is a mechanism for accessing the parent and ancestor
anchors of a given anchor.
Similar to file system path name resolution, if the sequence
.Dq ..
appears as an anchor path component, the parent anchor of the current
anchor in the path evaluation at that point will become the new current
anchor.
As an example, consider the following:
.Bd -literal -offset indent
# echo ' anchor "spam/allowed" ' | pfctl -f -
# echo -e ' anchor "../banned" \en pass' | \e
      pfctl -a spam/allowed -f -
.Ed
.Pp
Evaluation of the main ruleset will lead into the
.Li spam/allowed
anchor, which will evaluate the rules in the
.Li spam/banned
anchor, if any, before finally evaluating the
.Ar pass
rule.
.Pp
Filter rule
.Ar anchors
can also be loaded inline in the ruleset within a brace ('{' '}') delimited
block.
Brace-delimited blocks may contain rules or other brace-delimited blocks.
When anchors are loaded this way the anchor name becomes optional.
.Bd -literal -offset indent
anchor "external" on egress {
	block
	anchor out {
		pass proto tcp from any to port { 25, 80, 443 }
	}
	pass in proto tcp to any port 22
}
.Ed
.Pp
Since the parser specification for anchor names is a string, any
reference to an anchor name containing
.Sq /
characters will require double quote
.Pq Sq \&"
characters around the anchor name.
.Sh TRANSLATION EXAMPLES
This example maps incoming requests on port 80 to port 8080, on
which a daemon is running (because, for example, it is not run as root,
and therefore lacks permission to bind to port 80).
.Bd -literal
# use a macro for the interface name, so it can be changed easily
ext_if = \&"ne3\&"

# map daemon on 8080 to appear to be on 80
rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080
.Ed
.Pp
If the
.Ar pass
modifier is given, packets matching the translation rule are passed without
inspecting the filter rules:
.Bd -literal
rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e
      port 8080
.Ed
.Pp
In the example below, vlan12 is configured as 192.168.168.1;
the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111
when they are going out any interface except vlan12.
This has the net effect of making traffic from the 192.168.168.0/24
network appear as though it is the Internet routable address
204.92.77.111 to nodes behind any interface on the router except
for the nodes on vlan12.
(Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.)
.Bd -literal
nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111
.Ed
.Pp
In the example below, the machine sits between a fake internal 144.19.74.*
network, and a routable external IP of 204.92.77.100.
The
.Ar no nat
rule excludes protocol AH from being translated.
.Bd -literal
# NO NAT
no nat on $ext_if proto ah from 144.19.74.0/24 to any
nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100
.Ed
.Pp
In the example below, packets bound for one specific server, as well as those
generated by the sysadmins are not proxied; all other connections are.
.Bd -literal
# NO RDR
no rdr on $int_if proto { tcp, udp } from any to $server port 80
no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e
      port 80
.Ed
.Pp
This longer example uses both a NAT and a redirection.
The external interface has the address 157.161.48.183.
On localhost, we are running
.Xr ftp-proxy 8 ,
waiting for FTP sessions to be redirected to it.
The three mandatory anchors for
.Xr ftp-proxy 8
are omitted from this example; see the
.Xr ftp-proxy 8
manpage.
.Bd -literal
# NAT
# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if)

# NAT PROXYING
# Map outgoing packets' source port to an assigned proxy port instead of
# an arbitrary port.
# In this case, proxy outgoing isakmp with port 500 on the gateway.
nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e
      port 500

# BINAT
# Translate outgoing packets' source address (any protocol).
# Translate incoming packets' destination address to an internal machine
# (bidirectional).
binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if

# RDR
# Translate incoming packets' destination addresses.
# As an example, redirect a TCP and UDP port to an internal machine.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e
      -\*(Gt 10.1.2.151 port 22
rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e
      -\*(Gt 10.1.2.151 port 53

# RDR
# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021
.Ed
.Pp
In this example, a NAT gateway is set up to translate internal addresses
using a pool of public addresses (192.0.2.16/28) and to redirect
incoming web server connections to a group of web servers on the internal
network.
.Bd -literal
# NAT LOAD BALANCE
# Translate outgoing packets' source addresses using an address pool.
# A given source address is always translated to the same pool address by
# using the source-hash keyword.
nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash

# RDR ROUND ROBIN
# Translate incoming web server connections to a group of web servers on
# the internal network.
rdr on $ext_if proto tcp from any to any port 80 \e
      -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
.Ed
.Sh FILTER EXAMPLES
.Bd -literal
# The external interface is kue0
# (157.161.48.183, the only routable address)
# and the private network is 10.0.0.0/8, for which we are doing NAT.

# use a macro for the interface name, so it can be changed easily
ext_if = \&"kue0\&"

# normalize all incoming traffic
scrub in on $ext_if all fragment reassemble

# block and log everything by default
block return log on $ext_if all

# block anything coming from source we have no back routes for
block in from no-route to any

# block packets whose ingress interface does not match the one in
# the route back to their source address
block in from urpf-failed to any

# block and log outgoing packets that do not have our address as source,
# they are either spoofed or something is misconfigured (NAT disabled,
# for instance), we want to be nice and do not send out garbage.
block out log quick on $ext_if from ! 157.161.48.183 to any

# silently drop broadcasts (cable modem noise)
block in quick on $ext_if from any to 255.255.255.255

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we cannot reply to
# them anyway (hence, no return-rst).
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \e
      192.168.0.0/16, 255.255.255.255/32 } to any

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass on $ext_if inet proto icmp all icmp-type 8 code 0

# UDP

# pass out all UDP connections and keep state
pass out on $ext_if proto udp all

# pass in certain UDP connections and keep state (DNS)
pass in on $ext_if proto udp from any to any port domain

# TCP

# pass out all TCP connections and modulate state
pass out on $ext_if proto tcp all modulate state

# pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT)
pass in on $ext_if proto tcp from any to any port { ssh, smtp, domain, \e
      auth }

# Do not allow Windows 9x SMTP connections since they are typically
# a viral worm. Alternately we could limit these OSes to 1 connection each.
block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e
      to any port smtp

# IPv6
# pass in/out all IPv6 traffic: note that we have to enable this in two
# different ways, on both our physical interface and our tunnel
pass quick on gif0 inet6
pass quick on $ext_if proto ipv6

# Packet Tagging

# three interfaces: $int_if, $ext_if, and $wifi_if (wireless). NAT is
# being done on $ext_if for all outgoing packets. tag packets in on
# $int_if and pass those tagged packets out on $ext_if. all other
# outgoing packets (i.e., packets from the wireless network) are only
# permitted to access port 80.

pass in on $int_if from any to any tag INTNET
pass in on $wifi_if from any to any

block out on $ext_if from any to any
pass out quick on $ext_if tagged INTNET
pass out on $ext_if proto tcp from any to any port 80

# tag incoming packets as they are redirected to spamd(8). use the tag
# to pass those packets through the packet filter.

rdr on $ext_if inet proto tcp from \*(Ltspammers\*(Gt to port smtp \e
      tag SPAMD -\*(Gt 127.0.0.1 port spamd

block in on $ext_if
pass in on $ext_if inet proto tcp tagged SPAMD
.Ed
.Sh GRAMMAR
Syntax for
.Nm
in BNF:
.Bd -literal
line           = ( option | pf-rule | nat-rule | binat-rule | rdr-rule |
                 antispoof-rule | altq-rule | queue-rule | trans-anchors |
                 anchor-rule | anchor-close | load-anchor | table-rule |
                 include )

option         = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
                 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
                 [ "optimization" [ "default" | "normal" |
                 "high-latency" | "satellite" |
                 "aggressive" | "conservative" ] ]
                 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
                 [ "loginterface" ( interface-name | "none" ) ] |
                 [ "block-policy" ( "drop" | "return" ) ] |
                 [ "state-policy" ( "if-bound" | "floating" ) ]
                 [ "state-defaults" state-opts ]
                 [ "require-order" ( "yes" | "no" ) ]
                 [ "fingerprints" filename ] |
                 [ "skip on" ifspec ] |
                 [ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] )

pf-rule        = action [ ( "in" | "out" ) ]
                 [ "log" [ "(" logopts ")"] ] [ "quick" ]
                 [ "on" ifspec ] [ route ] [ af ] [ protospec ]
                 hosts [ filteropt-list ]

logopts        = logopt [ "," logopts ]
logopt         = "all" | "user" | "to" interface-name

filteropt-list = filteropt-list filteropt | filteropt
filteropt      = user | group | flags | icmp-type | icmp6-type | "tos" tos |
                 ( "no" | "keep" | "modulate" | "synproxy" ) "state"
                 [ "(" state-opts ")" ] |
                 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
                 "max-mss" number | "random-id" | "reassemble tcp" |
                 fragmentation | "allow-opts" |
                 "label" string | "tag" string | [ ! ] "tagged" string |
                 "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
                 "queue" ( string | "(" string [ [ "," ] string ] ")" ) |
                 "rtable" number | "probability" number"%" | "prio" number

nat-rule       = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                 [ "on" ifspec ] [ af ]
                 [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
                 [ portspec ] [ pooltype ] [ "static-port" ] ]

binat-rule     = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                 [ "on" interface-name ] [ af ]
                 [ "proto" ( proto-name | proto-number ) ]
                 "from" address [ "/" mask-bits ] "to" ipspec
                 [ "tag" string ] [ "tagged" string ]
                 [ "-\*(Gt" address [ "/" mask-bits ] ]

rdr-rule       = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                 [ "on" ifspec ] [ af ]
                 [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
                 [ portspec ] [ pooltype ] ]

antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
                 "for" ifspec [ af ] [ "label" string ]

table-rule     = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
tableopts-list = tableopts-list tableopts | tableopts
tableopts      = "persist" | "const" | "counters" | "file" string |
                 "{" [ tableaddr-list ] "}"
tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
tableaddr      = hostname | ifspec | "self" |
                 ipv4-dotted-quad | ipv6-coloned-hex

altq-rule      = "altq on" interface-name queueopts-list
                 "queue" subqueue
queue-rule     = "queue" string [ "on" interface-name ] queueopts-list
                 subqueue

anchor-rule    = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
                 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]

anchor-close   = "}"

trans-anchors  = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
                 [ "on" ifspec ] [ af ] [ "proto" ] [ protospec ] [ hosts ]

load-anchor    = "load anchor" string "from" filename

queueopts-list = queueopts-list queueopts | queueopts
queueopts      = [ "bandwidth" bandwidth-spec ] |
                 [ "qlimit" number ] | [ "tbrsize" number ] |
                 [ "priority" number ] | [ schedulers ]
schedulers     = ( cbq-def | priq-def | hfsc-def )
bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )

action         = "pass" | "block" [ return ] | [ "no" ] "scrub"
return         = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
                 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
                 "return-icmp6" [ "(" icmp6code ")" ]
icmpcode       = ( icmp-code-name | icmp-code-number )
icmp6code      = ( icmp6-code-name | icmp6-code-number )

ifspec         = ( [ "!" ] ( interface-name | interface-group ) ) |
                 "{" interface-list "}"
interface-list = [ "!" ] ( interface-name | interface-group )
                 [ [ "," ] interface-list ]
route          = ( "route-to" | "reply-to" | "dup-to" )
                 ( routehost | "{" routehost-list "}" )
                 [ pooltype ]
af             = "inet" | "inet6"

protospec      = "proto" ( proto-name | proto-number |
                 "{" proto-list "}" )
proto-list     = ( proto-name | proto-number ) [ [ "," ] proto-list ]

hosts          = "all" |
                 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
                 "{" host-list "}" ) [ port ] [ os ]
                 "to"   ( "any" | "no-route" | "self" | host |
                 "{" host-list "}" ) [ port ]

ipspec         = "any" | host | "{" host-list "}"
host           = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
redirhost      = address [ "/" mask-bits ]
routehost      = "(" interface-name [ address [ "/" mask-bits ] ] ")"
address        = ( interface-name | interface-group |
                 "(" ( interface-name | interface-group ) ")" |
                 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
host-list      = host [ [ "," ] host-list ]
redirhost-list = redirhost [ [ "," ] redirhost-list ]
routehost-list = routehost [ [ "," ] routehost-list ]

port           = "port" ( unary-op | binary-op | "{" op-list "}" )
portspec       = "port" ( number | name ) [ ":" ( "*" | number | name ) ]
os             = "os" ( os-name | "{" os-list "}" )
user           = "user" ( unary-op | binary-op | "{" op-list "}" )
group          = "group" ( unary-op | binary-op | "{" op-list "}" )

unary-op       = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ]
                 ( name | number )
binary-op      = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number
op-list        = ( unary-op | binary-op ) [ [ "," ] op-list ]

os-name        = operating-system-name
os-list        = os-name [ [ "," ] os-list ]

flags          = "flags" ( [ flag-set ] "/" flag-set | "any" )
flag-set       = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
                 [ "W" ]

icmp-type      = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
icmp6-type     = "icmp6-type" (
icmp-type-code | "{" icmp-list "}" ) 2979icmp-type-code = ( icmp-type-name | icmp-type-number ) 2980 [ "code" ( icmp-code-name | icmp-code-number ) ] 2981icmp-list = icmp-type-code [ [ "," ] icmp-list ] 2982 2983tos = ( "lowdelay" | "throughput" | "reliability" | 2984 [ "0x" ] number ) 2985 2986state-opts = state-opt [ [ "," ] state-opts ] 2987state-opt = ( "max" number | "no-sync" | timeout | "sloppy" | "pflow" | 2988 "source-track" [ ( "rule" | "global" ) ] | 2989 "max-src-nodes" number | "max-src-states" number | 2990 "max-src-conn" number | 2991 "max-src-conn-rate" number "/" number | 2992 "overload" "\*(Lt" string "\*(Gt" [ "flush" ] | 2993 "if-bound" | "floating" ) 2994 2995fragmentation = [ "fragment reassemble" ] 2996 2997timeout-list = timeout [ [ "," ] timeout-list ] 2998timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | 2999 "tcp.closing" | "tcp.finwait" | "tcp.closed" | 3000 "udp.first" | "udp.single" | "udp.multiple" | 3001 "icmp.first" | "icmp.error" | 3002 "other.first" | "other.single" | "other.multiple" | 3003 "frag" | "interval" | "src.track" | 3004 "adaptive.start" | "adaptive.end" ) number 3005 3006limit-list = limit-item [ [ "," ] limit-list ] 3007limit-item = ( "states" | "frags" | "src-nodes" ) number 3008 3009pooltype = ( "bitmask" | "random" | 3010 "source-hash" [ ( hex-key | string-key ) ] | 3011 "round-robin" ) [ sticky-address ] 3012 3013subqueue = string | "{" queue-list "}" 3014queue-list = string [ [ "," ] string ] 3015cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ] 3016priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ] 3017hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ] 3018cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" ) 3019priq-opt = ( "default" | "red" | "ecn" | "rio" ) 3020hfsc-opt = ( "default" | "red" | "ecn" | "rio" | 3021 linkshare-sc | realtime-sc | upperlimit-sc ) 3022linkshare-sc = "linkshare" sc-spec 3023realtime-sc = "realtime" sc-spec 3024upperlimit-sc = "upperlimit" 
sc-spec 3025sc-spec = ( bandwidth-spec | 3026 "(" bandwidth-spec number bandwidth-spec ")" ) 3027include = "include" filename 3028.Ed 3029.Sh FILES 3030.Bl -tag -width "/etc/protocols" -compact 3031.It Pa /etc/hosts 3032Host name database. 3033.It Pa /etc/pf.conf 3034Default location of the ruleset file. 3035.It Pa /etc/pf.os 3036Default location of OS fingerprints. 3037.It Pa /etc/protocols 3038Protocol name database. 3039.It Pa /etc/services 3040Service name database. 3041.El 3042.Sh SEE ALSO 3043.Xr altq 4 , 3044.Xr carp 4 , 3045.Xr icmp 4 , 3046.Xr icmp6 4 , 3047.Xr ip 4 , 3048.Xr ip6 4 , 3049.Xr pf 4 , 3050.Xr pflow 4 , 3051.Xr pfsync 4 , 3052.Xr tcp 4 , 3053.Xr udp 4 , 3054.Xr hosts 5 , 3055.Xr pf.os 5 , 3056.Xr protocols 5 , 3057.Xr services 5 , 3058.Xr ftp-proxy 8 , 3059.Xr pfctl 8 , 3060.Xr pflogd 8 3061.Sh HISTORY 3062The 3063.Nm 3064file format first appeared in 3065.Ox 3.0 . 3066
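.Pp
The following Python script is an added worked example and is not part of this manual page or of pf itself. It parses the subset of the pf-rule grammar used by the tag/tagged ruleset in the EXAMPLES section above (action, direction, quick, on, proto, from/to/port, tag, tagged and the negated ! tagged form) and then replays pf's evaluation order on a few constructed packets: rules are tried top to bottom, the last matching rule decides unless a matching rule carries quick, and a tag applied by any matching rule sticks to the packet for a later tagged check. The interface names em0, em1 and ath0 standing in for $ext_if, $int_if and $wifi_if, and the sample addresses, are assumptions for the example. It shows why a host behind $int_if reaches any port while a wireless host is confined to port 80, and why the block out rule alone is not enough without the quick on the tagged rule.

```python
"""Replays pf rule evaluation for the tag/tagged example: rules are tried
top to bottom, the last match decides unless a match carries "quick", and a
"tag" set by any matching rule sticks to the packet for later "tagged"
checks. Only the subset of the pf-rule grammar the example uses is parsed."""

# Assumed interface names for the example's macros (not from the manual).
MACROS = {"ext_if": "em0", "int_if": "em1", "wifi_if": "ath0"}

# The filter rules of the tag/tagged example, as written in the manual.
RULESET = """
pass in on $int_if from any to any tag INTNET
pass in on $wifi_if from any to any
block out on $ext_if from any to any
pass out quick on $ext_if tagged INTNET
pass out on $ext_if proto tcp from any to any port 80
"""


def expand_macros(text, macros):
    """Substitute $name references with their values, as pfctl does."""
    for name, value in macros.items():
        text = text.replace("$" + name, value)
    return text


def parse_rule(line):
    """Parse one pass/block rule into a dict; unknown keywords are rejected."""
    toks = line.split()
    rule = {"action": toks[0], "dir": None, "quick": False, "on": None,
            "proto": None, "src": "any", "dst": "any", "sport": None,
            "dport": None, "tag": None, "tagged": None, "negate_tagged": False}
    if rule["action"] not in ("pass", "block"):
        raise ValueError("unsupported action: " + rule["action"])
    side, i = None, 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t in ("on", "proto", "tag", "tagged"):      # keyword + one argument
            i += 1
            rule[t] = toks[i]
        elif t in ("from", "to"):
            side = "s" if t == "from" else "d"
            i += 1
            rule["src" if t == "from" else "dst"] = toks[i]
        elif t == "port":                                # binds to the last from/to
            i += 1
            rule[side + "port"] = int(toks[i])
        elif t == "!" and toks[i + 1] == "tagged":       # [ "!" ] "tagged" string
            rule["negate_tagged"], rule["tagged"] = True, toks[i + 2]
            i += 2
        elif t != "all":
            raise ValueError("unsupported token: " + t)
        i += 1
    return rule


def parse_ruleset(text, macros):
    """Expand macros, drop '#' comments and blank lines, parse the rest."""
    rules = []
    for line in expand_macros(text, macros).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def matches(rule, pkt):
    for rkey, pkey in (("dir", "dir"), ("on", "iface"), ("proto", "proto"),
                       ("sport", "sport"), ("dport", "dport")):
        if rule[rkey] is not None and rule[rkey] != pkt.get(pkey):
            return False
    for key in ("src", "dst"):
        if rule[key] != "any" and rule[key] != pkt[key]:
            return False
    if rule["tagged"] is not None:
        has_tag = pkt.get("tag") == rule["tagged"]
        if has_tag == rule["negate_tagged"]:   # "tagged X" requires it, "! tagged X" forbids it
            return False
    return True


def evaluate(rules, pkt):
    """Verdict for one direction: last match wins, "quick" stops, tag sticks."""
    verdict = "pass"                           # pf passes what no rule matches
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["tag"] is not None:
            pkt["tag"] = rule["tag"]           # sticky, even if a later rule wins
        verdict = rule["action"]
        if rule["quick"]:
            break
    return verdict


def forward(rules, in_iface, out_iface, proto, dport):
    """Inbound pass, then outbound pass, for one forwarded packet -> (verdict, tag)."""
    pkt = {"dir": "in", "iface": in_iface, "proto": proto, "dport": dport,
           "src": "192.0.2.10", "dst": "198.51.100.20"}   # constructed sample addresses
    if evaluate(rules, pkt) == "block":
        return "block", pkt.get("tag")
    pkt["dir"], pkt["iface"] = "out", out_iface
    return evaluate(rules, pkt), pkt.get("tag")


RULES = parse_ruleset(RULESET, MACROS)

if __name__ == "__main__":
    for in_if, port in (("em1", 443), ("ath0", 443), ("ath0", 80)):
        print(in_if, port, forward(RULES, in_if, "em0", "tcp", port))
```

Running it shows the internal host (em1, port 443) passing with tag INTNET because the quick tagged rule ends evaluation before the port 80 rule is consulted, the wireless host (ath0, port 443) ending on the block out rule, and the wireless host on port 80 passing via the last matching rule. Remove quick from the tagged rule and the outcome for the internal host does not change here, but the port 80 rule would then be evaluated as well; in a larger ruleset that is exactly where a later, broader rule silently overrides the intended verdict.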