1.\" $FreeBSD$ 2.\" $OpenBSD: pf.conf.5,v 1.406 2009/01/31 19:37:12 sobrado Exp $ 3.\" 4.\" Copyright (c) 2002, Daniel Hartmeier 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 11.\" - Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" - Redistributions in binary form must reproduce the above 14.\" copyright notice, this list of conditions and the following 15.\" disclaimer in the documentation and/or other materials provided 16.\" with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29.\" POSSIBILITY OF SUCH DAMAGE. 30.\" 31.Dd June 29, 2012 32.Dt PF.CONF 5 33.Os 34.Sh NAME 35.Nm pf.conf 36.Nd packet filter configuration file 37.Sh DESCRIPTION 38The 39.Xr pf 4 40packet filter modifies, drops or passes packets according to rules or 41definitions specified in 42.Nm pf.conf . 43.Sh STATEMENT ORDER 44There are seven types of statements in 45.Nm pf.conf : 46.Bl -tag -width xxxx 47.It Cm Macros 48User-defined variables may be defined and used later, simplifying 49the configuration file. 50Macros must be defined before they are referenced in 51.Nm pf.conf . 52.It Cm Tables 53Tables provide a mechanism for increasing the performance and flexibility of 54rules with large numbers of source or destination addresses. 55.It Cm Options 56Options tune the behaviour of the packet filtering engine. 57.It Cm Traffic Normalization Li (e.g. Em scrub ) 58Traffic normalization protects internal machines against inconsistencies 59in Internet protocols and implementations. 60.It Cm Queueing 61Queueing provides rule-based bandwidth control. 62.It Cm Translation Li (Various forms of NAT) 63Translation rules specify how addresses are to be mapped or redirected to 64other addresses. 65.It Cm Packet Filtering 66Packet filtering provides rule-based blocking or passing of packets. 67.El 68.Pp 69With the exception of 70.Cm macros 71and 72.Cm tables , 73the types of statements should be grouped and appear in 74.Nm pf.conf 75in the order shown above, as this matches the operation of the underlying 76packet filtering engine. 77By default 78.Xr pfctl 8 79enforces this order (see 80.Ar set require-order 81below). 82.Pp 83Comments can be put anywhere in the file using a hash mark 84.Pq Sq # , 85and extend to the end of the current line. 86.Pp 87Additional configuration files can be included with the 88.Ic include 89keyword, for example: 90.Bd -literal -offset indent 91include "/etc/pf/sub.filter.conf" 92.Ed 93.Sh MACROS 94Macros can be defined that will later be expanded in context. 95Macro names must start with a letter, and may contain letters, digits 96and underscores. 97Macro names may not be reserved words (for example 98.Ar pass , 99.Ar in , 100.Ar out ) . 101Macros are not expanded inside quotes. 102.Pp 103For example, 104.Bd -literal -offset indent 105ext_if = \&"kue0\&" 106all_ifs = \&"{\&" $ext_if lo0 \&"}\&" 107pass out on $ext_if from any to any 108pass in on $ext_if proto tcp from any to any port 25 109.Ed 110.Sh TABLES 111Tables are named structures which can hold a collection of addresses and 112networks. 113Lookups against tables in 114.Xr pf 4 115are relatively fast, making a single rule with tables much more efficient, 116in terms of 117processor usage and memory consumption, than a large number of rules which 118differ only in IP address (either created explicitly or automatically by rule 119expansion). 120.Pp 121Tables can be used as the source or destination of filter rules, 122.Ar scrub 123rules 124or 125translation rules such as 126.Ar nat 127or 128.Ar rdr 129(see below for details on the various rule types). 130Tables can also be used for the redirect address of 131.Ar nat 132and 133.Ar rdr 134rules and in the routing options of filter rules, but only for 135.Ar round-robin 136pools. 137.Pp 138Tables can be defined with any of the following 139.Xr pfctl 8 140mechanisms. 141As with macros, reserved words may not be used as table names. 142.Bl -tag -width "manually" 143.It Ar manually 144Persistent tables can be manually created with the 145.Ar add 146or 147.Ar replace 148option of 149.Xr pfctl 8 , 150before or after the ruleset has been loaded. 151.It Pa pf.conf 152Table definitions can be placed directly in this file, and loaded at the 153same time as other rules are loaded, atomically. 154Table definitions inside 155.Nm pf.conf 156use the 157.Ar table 158statement, and are especially useful to define non-persistent tables. 159The contents of a pre-existing table defined without a list of addresses 160to initialize it is not altered when 161.Nm pf.conf 162is loaded. 163A table initialized with the empty list, 164.Li { } , 165will be cleared on load. 166.El 167.Pp 168Tables may be defined with the following attributes: 169.Bl -tag -width persist 170.It Ar persist 171The 172.Ar persist 173flag forces the kernel to keep the table even when no rules refer to it. 174If the flag is not set, the kernel will automatically remove the table 175when the last rule referring to it is flushed. 176.It Ar const 177The 178.Ar const 179flag prevents the user from altering the contents of the table once it 180has been created. 181Without that flag, 182.Xr pfctl 8 183can be used to add or remove addresses from the table at any time, even 184when running with 185.Xr securelevel 7 186= 2. 187.It Ar counters 188The 189.Ar counters 190flag enables per-address packet and byte counters which can be displayed with 191.Xr pfctl 8 . 192.El 193.Pp 194For example, 195.Bd -literal -offset indent 196table \*(Ltprivate\*(Gt const { 10/8, 172.16/12, 192.168/16 } 197table \*(Ltbadhosts\*(Gt persist 198block on fxp0 from { \*(Ltprivate\*(Gt, \*(Ltbadhosts\*(Gt } to any 199.Ed 200.Pp 201creates a table called private, to hold RFC 1918 private network 202blocks, and a table called badhosts, which is initially empty. 203A filter rule is set up to block all traffic coming from addresses listed in 204either table. 205The private table cannot have its contents changed and the badhosts table 206will exist even when no active filter rules reference it. 207Addresses may later be added to the badhosts table, so that traffic from 208these hosts can be blocked by using 209.Bd -literal -offset indent 210# pfctl -t badhosts -Tadd 204.92.77.111 211.Ed 212.Pp 213A table can also be initialized with an address list specified in one or more 214external files, using the following syntax: 215.Bd -literal -offset indent 216table \*(Ltspam\*(Gt persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&" 217block on fxp0 from \*(Ltspam\*(Gt to any 218.Ed 219.Pp 220The files 221.Pa /etc/spammers 222and 223.Pa /etc/openrelays 224list IP addresses, one per line. 225Any lines beginning with a # are treated as comments and ignored. 226In addition to being specified by IP address, hosts may also be 227specified by their hostname. 228When the resolver is called to add a hostname to a table, 229.Em all 230resulting IPv4 and IPv6 addresses are placed into the table. 231IP addresses can also be entered in a table by specifying a valid interface 232name, a valid interface group or the 233.Em self 234keyword, in which case all addresses assigned to the interface(s) will be 235added to the table. 236.Sh OPTIONS 237.Xr pf 4 238may be tuned for various situations using the 239.Ar set 240command. 241.Bl -tag -width xxxx 242.It Ar set timeout 243.Pp 244.Bl -tag -width "src.track" -compact 245.It Ar interval 246Interval between purging expired states and fragments. 247.It Ar frag 248Seconds before an unassembled fragment is expired. 249.It Ar src.track 250Length of time to retain a source tracking entry after the last state 251expires. 252.El 253.Pp 254When a packet matches a stateful connection, the seconds to live for the 255connection will be updated to that of the 256.Ar proto.modifier 257which corresponds to the connection state. 258Each packet which matches this state will reset the TTL. 259Tuning these values may improve the performance of the 260firewall at the risk of dropping valid idle connections. 261.Pp 262.Bl -tag -width xxxx -compact 263.It Ar tcp.first 264The state after the first packet. 265.It Ar tcp.opening 266The state before the destination host ever sends a packet. 267.It Ar tcp.established 268The fully established state. 269.It Ar tcp.closing 270The state after the first FIN has been sent. 271.It Ar tcp.finwait 272The state after both FINs have been exchanged and the connection is closed. 273Some hosts (notably web servers on Solaris) send TCP packets even after closing 274the connection. 275Increasing 276.Ar tcp.finwait 277(and possibly 278.Ar tcp.closing ) 279can prevent blocking of such packets. 280.It Ar tcp.closed 281The state after one endpoint sends an RST. 282.El 283.Pp 284ICMP and UDP are handled in a fashion similar to TCP, but with a much more 285limited set of states: 286.Pp 287.Bl -tag -width xxxx -compact 288.It Ar udp.first 289The state after the first packet. 290.It Ar udp.single 291The state if the source host sends more than one packet but the destination 292host has never sent one back. 293.It Ar udp.multiple 294The state if both hosts have sent packets. 295.It Ar icmp.first 296The state after the first packet. 297.It Ar icmp.error 298The state after an ICMP error came back in response to an ICMP packet. 299.El 300.Pp 301Other protocols are handled similarly to UDP: 302.Pp 303.Bl -tag -width xxxx -compact 304.It Ar other.first 305.It Ar other.single 306.It Ar other.multiple 307.El 308.Pp 309Timeout values can be reduced adaptively as the number of state table 310entries grows. 311.Pp 312.Bl -tag -width xxxx -compact 313.It Ar adaptive.start 314When the number of state entries exceeds this value, adaptive scaling 315begins. 316All timeout values are scaled linearly with factor 317(adaptive.end - number of states) / (adaptive.end - adaptive.start). 318.It Ar adaptive.end 319When reaching this number of state entries, all timeout values become 320zero, effectively purging all state entries immediately. 321This value is used to define the scale factor, it should not actually 322be reached (set a lower state limit, see below). 323.El 324.Pp 325Adaptive timeouts are enabled by default, with an adaptive.start value 326equal to 60% of the state limit, and an adaptive.end value equal to 327120% of the state limit. 328They can be disabled by setting both adaptive.start and adaptive.end to 0. 329.Pp 330The adaptive timeout values can be defined both globally and for each rule. 331When used on a per-rule basis, the values relate to the number of 332states created by the rule, otherwise to the total number of 333states. 334.Pp 335For example: 336.Bd -literal -offset indent 337set timeout tcp.first 120 338set timeout tcp.established 86400 339set timeout { adaptive.start 6000, adaptive.end 12000 } 340set limit states 10000 341.Ed 342.Pp 343With 9000 state table entries, the timeout values are scaled to 50% 344(tcp.first 60, tcp.established 43200). 345.It Ar set loginterface 346Enable collection of packet and byte count statistics for the given 347interface or interface group. 348These statistics can be viewed using 349.Bd -literal -offset indent 350# pfctl -s info 351.Ed 352.Pp 353In this example 354.Xr pf 4 355collects statistics on the interface named dc0: 356.Bd -literal -offset indent 357set loginterface dc0 358.Ed 359.Pp 360One can disable the loginterface using: 361.Bd -literal -offset indent 362set loginterface none 363.Ed 364.It Ar set limit 365Sets hard limits on the memory pools used by the packet filter. 366See 367.Xr zone 9 368for an explanation of memory pools. 369.Pp 370For example, 371.Bd -literal -offset indent 372set limit states 20000 373.Ed 374.Pp 375sets the maximum number of entries in the memory pool used by state table 376entries (generated by 377.Ar pass 378rules which do not specify 379.Ar no state ) 380to 20000. 381Using 382.Bd -literal -offset indent 383set limit frags 20000 384.Ed 385.Pp 386sets the maximum number of entries in the memory pool used for fragment 387reassembly (generated by 388.Ar scrub 389rules) to 20000. 390Using 391.Bd -literal -offset indent 392set limit src-nodes 2000 393.Ed 394.Pp 395sets the maximum number of entries in the memory pool used for tracking 396source IP addresses (generated by the 397.Ar sticky-address 398and 399.Ar src.track 400options) to 2000. 401Using 402.Bd -literal -offset indent 403set limit tables 1000 404set limit table-entries 100000 405.Ed 406.Pp 407sets limits on the memory pools used by tables. 408The first limits the number of tables that can exist to 1000. 409The second limits the overall number of addresses that can be stored 410in tables to 100000. 411.Pp 412Various limits can be combined on a single line: 413.Bd -literal -offset indent 414set limit { states 20000, frags 20000, src-nodes 2000 } 415.Ed 416.It Ar set ruleset-optimization 417.Bl -tag -width xxxxxxxx -compact 418.It Ar none 419Disable the ruleset optimizer. 420.It Ar basic 421Enable basic ruleset optimization. 422This is the default behaviour. 423Basic ruleset optimization does four things to improve the 424performance of ruleset evaluations: 425.Pp 426.Bl -enum -compact 427.It 428remove duplicate rules 429.It 430remove rules that are a subset of another rule 431.It 432combine multiple rules into a table when advantageous 433.It 434re-order the rules to improve evaluation performance 435.El 436.Pp 437.It Ar profile 438Uses the currently loaded ruleset as a feedback profile to tailor the 439ordering of quick rules to actual network traffic. 440.El 441.Pp 442It is important to note that the ruleset optimizer will modify the ruleset 443to improve performance. 444A side effect of the ruleset modification is that per-rule accounting 445statistics will have different meanings than before. 446If per-rule accounting is important for billing purposes or whatnot, 447either the ruleset optimizer should not be used or a label field should 448be added to all of the accounting rules to act as optimization barriers. 449.Pp 450Optimization can also be set as a command-line argument to 451.Xr pfctl 8 , 452overriding the settings in 453.Nm . 454.It Ar set optimization 455Optimize state timeouts for one of the following network environments: 456.Pp 457.Bl -tag -width xxxx -compact 458.It Ar normal 459A normal network environment. 460Suitable for almost all networks. 461.It Ar high-latency 462A high-latency environment (such as a satellite connection). 463.It Ar satellite 464Alias for 465.Ar high-latency . 466.It Ar aggressive 467Aggressively expire connections. 468This can greatly reduce the memory usage of the firewall at the cost of 469dropping idle connections early. 470.It Ar conservative 471Extremely conservative settings. 472Avoid dropping legitimate connections at the 473expense of greater memory utilization (possibly much greater on a busy 474network) and slightly increased processor utilization. 475.El 476.Pp 477For example: 478.Bd -literal -offset indent 479set optimization aggressive 480.Ed 481.It Ar set block-policy 482The 483.Ar block-policy 484option sets the default behaviour for the packet 485.Ar block 486action: 487.Pp 488.Bl -tag -width xxxxxxxx -compact 489.It Ar drop 490Packet is silently dropped. 491.It Ar return 492A TCP RST is returned for blocked TCP packets, 493an ICMP UNREACHABLE is returned for blocked UDP packets, 494and all other packets are silently dropped. 495.El 496.Pp 497For example: 498.Bd -literal -offset indent 499set block-policy return 500.Ed 501.It Ar set state-policy 502The 503.Ar state-policy 504option sets the default behaviour for states: 505.Pp 506.Bl -tag -width group-bound -compact 507.It Ar if-bound 508States are bound to interface. 509.It Ar floating 510States can match packets on any interfaces (the default). 511.El 512.Pp 513For example: 514.Bd -literal -offset indent 515set state-policy if-bound 516.Ed 517.It Ar set state-defaults 518The 519.Ar state-defaults 520option sets the state options for states created from rules 521without an explicit 522.Ar keep state . 523For example: 524.Bd -literal -offset indent 525set state-defaults pflow, no-sync 526.Ed 527.It Ar set hostid 528The 32-bit 529.Ar hostid 530identifies this firewall's state table entries to other firewalls 531in a 532.Xr pfsync 4 533failover cluster. 534By default the hostid is set to a pseudo-random value, however it may be 535desirable to manually configure it, for example to more easily identify the 536source of state table entries. 537.Bd -literal -offset indent 538set hostid 1 539.Ed 540.Pp 541The hostid may be specified in either decimal or hexadecimal. 542.It Ar set require-order 543By default 544.Xr pfctl 8 545enforces an ordering of the statement types in the ruleset to: 546.Em options , 547.Em normalization , 548.Em queueing , 549.Em translation , 550.Em filtering . 551Setting this option to 552.Ar no 553disables this enforcement. 554There may be non-trivial and non-obvious implications to an out of 555order ruleset. 556Consider carefully before disabling the order enforcement. 557.It Ar set fingerprints 558Load fingerprints of known operating systems from the given filename. 559By default fingerprints of known operating systems are automatically 560loaded from 561.Xr pf.os 5 562in 563.Pa /etc 564but can be overridden via this option. 565Setting this option may leave a small period of time where the fingerprints 566referenced by the currently active ruleset are inconsistent until the new 567ruleset finishes loading. 568.Pp 569For example: 570.Pp 571.Dl set fingerprints \&"/etc/pf.os.devel\&" 572.It Ar set skip on Aq Ar ifspec 573List interfaces for which packets should not be filtered. 574Packets passing in or out on such interfaces are passed as if pf was 575disabled, i.e. pf does not process them in any way. 576This can be useful on loopback and other virtual interfaces, when 577packet filtering is not desired and can have unexpected effects. 578For example: 579.Pp 580.Dl set skip on lo0 581.It Ar set debug 582Set the debug 583.Ar level 584to one of the following: 585.Pp 586.Bl -tag -width xxxxxxxxxxxx -compact 587.It Ar none 588Don't generate debug messages. 589.It Ar urgent 590Generate debug messages only for serious errors. 591.It Ar misc 592Generate debug messages for various errors. 593.It Ar loud 594Generate debug messages for common conditions. 595.El 596.El 597.Sh TRAFFIC NORMALIZATION 598Traffic normalization is used to sanitize packet content in such 599a way that there are no ambiguities in packet interpretation on 600the receiving side. 601The normalizer does IP fragment reassembly to prevent attacks 602that confuse intrusion detection systems by sending overlapping 603IP fragments. 604Packet normalization is invoked with the 605.Ar scrub 606directive. 607.Pp 608.Ar scrub 609has the following options: 610.Bl -tag -width xxxx 611.It Ar no-df 612Clears the 613.Ar dont-fragment 614bit from a matching IP packet. 615Some operating systems are known to generate fragmented packets with the 616.Ar dont-fragment 617bit set. 618This is particularly true with NFS. 619.Ar Scrub 620will drop such fragmented 621.Ar dont-fragment 622packets unless 623.Ar no-df 624is specified. 625.Pp 626Unfortunately some operating systems also generate their 627.Ar dont-fragment 628packets with a zero IP identification field. 629Clearing the 630.Ar dont-fragment 631bit on packets with a zero IP ID may cause deleterious results if an 632upstream router later fragments the packet. 633Using the 634.Ar random-id 635modifier (see below) is recommended in combination with the 636.Ar no-df 637modifier to ensure unique IP identifiers. 638.It Ar min-ttl Aq Ar number 639Enforces a minimum TTL for matching IP packets. 640.It Ar max-mss Aq Ar number 641Enforces a maximum MSS for matching TCP packets. 642.It Xo Ar set-tos Aq Ar string 643.No \*(Ba Aq Ar number 644.Xc 645Enforces a 646.Em TOS 647for matching IP packets. 648.Em TOS 649may be 650given as one of 651.Ar lowdelay , 652.Ar throughput , 653.Ar reliability , 654or as either hex or decimal. 655.It Ar random-id 656Replaces the IP identification field with random values to compensate 657for predictable values generated by many hosts. 658This option only applies to packets that are not fragmented 659after the optional fragment reassembly. 660.It Ar fragment reassemble 661Using 662.Ar scrub 663rules, fragments can be reassembled by normalization. 664In this case, fragments are buffered until they form a complete 665packet, and only the completed packet is passed on to the filter. 666The advantage is that filter rules have to deal only with complete 667packets, and can ignore fragments. 668The drawback of caching fragments is the additional memory cost. 669But the full reassembly method is the only method that currently works 670with NAT. 671This is the default behavior of a 672.Ar scrub 673rule if no fragmentation modifier is supplied. 674.It Ar fragment crop 675The default fragment reassembly method is expensive, hence the option 676to crop is provided. 677In this case, 678.Xr pf 4 679will track the fragments and cache a small range descriptor. 680Duplicate fragments are dropped and overlaps are cropped. 681Thus data will only occur once on the wire with ambiguities resolving to 682the first occurrence. 683Unlike the 684.Ar fragment reassemble 685modifier, fragments are not buffered, they are passed as soon as they 686are received. 687The 688.Ar fragment crop 689reassembly mechanism does not yet work with NAT. 690.It Ar fragment drop-ovl 691This option is similar to the 692.Ar fragment crop 693modifier except that all overlapping or duplicate fragments will be 694dropped, and all further corresponding fragments will be 695dropped as well. 696.It Ar reassemble tcp 697Statefully normalizes TCP connections. 698.Ar scrub reassemble tcp 699rules may not have the direction (in/out) specified. 700.Ar reassemble tcp 701performs the following normalizations: 702.Pp 703.Bl -tag -width timeout -compact 704.It ttl 705Neither side of the connection is allowed to reduce their IP TTL. 706An attacker may send a packet such that it reaches the firewall, affects 707the firewall state, and expires before reaching the destination host. 708.Ar reassemble tcp 709will raise the TTL of all packets back up to the highest value seen on 710the connection. 711.It timestamp modulation 712Modern TCP stacks will send a timestamp on every TCP packet and echo 713the other endpoint's timestamp back to them. 714Many operating systems will merely start the timestamp at zero when 715first booted, and increment it several times a second. 716The uptime of the host can be deduced by reading the timestamp and multiplying 717by a constant. 718Also observing several different timestamps can be used to count hosts 719behind a NAT device. 720And spoofing TCP packets into a connection requires knowing or guessing 721valid timestamps. 722Timestamps merely need to be monotonically increasing and not derived off a 723guessable base time. 724.Ar reassemble tcp 725will cause 726.Ar scrub 727to modulate the TCP timestamps with a random number. 728.It extended PAWS checks 729There is a problem with TCP on long fat pipes, in that a packet might get 730delayed for longer than it takes the connection to wrap its 32-bit sequence 731space. 732In such an occurrence, the old packet would be indistinguishable from a 733new packet and would be accepted as such. 734The solution to this is called PAWS: Protection Against Wrapped Sequence 735numbers. 736It protects against it by making sure the timestamp on each packet does 737not go backwards. 738.Ar reassemble tcp 739also makes sure the timestamp on the packet does not go forward more 740than the RFC allows. 741By doing this, 742.Xr pf 4 743artificially extends the security of TCP sequence numbers by 10 to 18 744bits when the host uses appropriately randomized timestamps, since a 745blind attacker would have to guess the timestamp as well. 746.El 747.El 748.Pp 749For example, 750.Bd -literal -offset indent 751scrub in on $ext_if all fragment reassemble 752.Ed 753.Pp 754The 755.Ar no 756option prefixed to a scrub rule causes matching packets to remain unscrubbed, 757much in the same way as 758.Ar drop quick 759works in the packet filter (see below). 760This mechanism should be used when it is necessary to exclude specific packets 761from broader scrub rules. 762.Sh QUEUEING 763The ALTQ system is currently not available in the GENERIC kernel nor as 764loadable modules. 765In order to use the herein after called queueing options one has to use a 766custom built kernel. 767Please refer to 768.Xr altq 4 769to learn about the related kernel options. 770.Pp 771Packets can be assigned to queues for the purpose of bandwidth 772control. 773At least two declarations are required to configure queues, and later 774any packet filtering rule can reference the defined queues by name. 775During the filtering component of 776.Nm pf.conf , 777the last referenced 778.Ar queue 779name is where any packets from 780.Ar pass 781rules will be queued, while for 782.Ar block 783rules it specifies where any resulting ICMP or TCP RST 784packets should be queued. 785The 786.Ar scheduler 787defines the algorithm used to decide which packets get delayed, dropped, or 788sent out immediately. 789There are three 790.Ar schedulers 791currently supported. 792.Bl -tag -width xxxx 793.It Ar cbq 794Class Based Queueing. 795.Ar Queues 796attached to an interface build a tree, thus each 797.Ar queue 798can have further child 799.Ar queues . 800Each queue can have a 801.Ar priority 802and a 803.Ar bandwidth 804assigned. 805.Ar Priority 806mainly controls the time packets take to get sent out, while 807.Ar bandwidth 808has primarily effects on throughput. 809.Ar cbq 810achieves both partitioning and sharing of link bandwidth 811by hierarchically structured classes. 812Each class has its own 813.Ar queue 814and is assigned its share of 815.Ar bandwidth . 816A child class can borrow bandwidth from its parent class 817as long as excess bandwidth is available 818(see the option 819.Ar borrow , 820below). 821.It Ar priq 822Priority Queueing. 823.Ar Queues 824are flat attached to the interface, thus, 825.Ar queues 826cannot have further child 827.Ar queues . 828Each 829.Ar queue 830has a unique 831.Ar priority 832assigned, ranging from 0 to 15. 833Packets in the 834.Ar queue 835with the highest 836.Ar priority 837are processed first. 838.It Ar hfsc 839Hierarchical Fair Service Curve. 840.Ar Queues 841attached to an interface build a tree, thus each 842.Ar queue 843can have further child 844.Ar queues . 845Each queue can have a 846.Ar priority 847and a 848.Ar bandwidth 849assigned. 850.Ar Priority 851mainly controls the time packets take to get sent out, while 852.Ar bandwidth 853primarily affects throughput. 854.Ar hfsc 855supports both link-sharing and guaranteed real-time services. 856It employs a service curve based QoS model, 857and its unique feature is an ability to decouple 858.Ar delay 859and 860.Ar bandwidth 861allocation. 862.El 863.Pp 864The interfaces on which queueing should be activated are declared using 865the 866.Ar altq on 867declaration. 868.Ar altq on 869has the following keywords: 870.Bl -tag -width xxxx 871.It Aq Ar interface 872Queueing is enabled on the named interface. 873.It Aq Ar scheduler 874Specifies which queueing scheduler to use. 875Currently supported values 876are 877.Ar cbq 878for Class Based Queueing, 879.Ar priq 880for Priority Queueing and 881.Ar hfsc 882for the Hierarchical Fair Service Curve scheduler. 883.It Ar bandwidth Aq Ar bw 884The maximum bitrate for all queues on an 885interface may be specified using the 886.Ar bandwidth 887keyword. 888The value can be specified as an absolute value or as a 889percentage of the interface bandwidth. 890When using an absolute value, the suffixes 891.Ar b , 892.Ar Kb , 893.Ar Mb , 894and 895.Ar Gb 896are used to represent bits, kilobits, megabits, and 897gigabits per second, respectively. 898The value must not exceed the interface bandwidth. 899If 900.Ar bandwidth 901is not specified, the interface bandwidth is used 902(but take note that some interfaces do not know their bandwidth, 903or can adapt their bandwidth rates). 904.It Ar qlimit Aq Ar limit 905The maximum number of packets held in the queue. 906The default is 50. 907.It Ar tbrsize Aq Ar size 908Adjusts the size, in bytes, of the token bucket regulator. 909If not specified, heuristics based on the 910interface bandwidth are used to determine the size. 911.It Ar queue Aq Ar list 912Defines a list of subqueues to create on an interface. 913.El 914.Pp 915In the following example, the interface dc0 916should queue up to 5Mbps in four second-level queues using 917Class Based Queueing. 918Those four queues will be shown in a later example. 919.Bd -literal -offset indent 920altq on dc0 cbq bandwidth 5Mb queue { std, http, mail, ssh } 921.Ed 922.Pp 923Once interfaces are activated for queueing using the 924.Ar altq 925directive, a sequence of 926.Ar queue 927directives may be defined. 928The name associated with a 929.Ar queue 930must match a queue defined in the 931.Ar altq 932directive (e.g. mail), or, except for the 933.Ar priq 934.Ar scheduler , 935in a parent 936.Ar queue 937declaration. 938The following keywords can be used: 939.Bl -tag -width xxxx 940.It Ar on Aq Ar interface 941Specifies the interface the queue operates on. 942If not given, it operates on all matching interfaces. 943.It Ar bandwidth Aq Ar bw 944Specifies the maximum bitrate to be processed by the queue. 945This value must not exceed the value of the parent 946.Ar queue 947and can be specified as an absolute value or a percentage of the parent 948queue's bandwidth. 949If not specified, defaults to 100% of the parent queue's bandwidth. 950The 951.Ar priq 952scheduler does not support bandwidth specification. 953.It Ar priority Aq Ar level 954Between queues a priority level can be set. 955For 956.Ar cbq 957and 958.Ar hfsc , 959the range is 0 to 7 and for 960.Ar priq , 961the range is 0 to 15. 962The default for all is 1. 963.Ar Priq 964queues with a higher priority are always served first. 965.Ar Cbq 966and 967.Ar Hfsc 968queues with a higher priority are preferred in the case of overload. 969.It Ar qlimit Aq Ar limit 970The maximum number of packets held in the queue. 971The default is 50. 972.El 973.Pp 974The 975.Ar scheduler 976can get additional parameters with 977.Xo Aq Ar scheduler 978.Pf ( Aq Ar parameters ) . 979.Xc 980Parameters are as follows: 981.Bl -tag -width Fl 982.It Ar default 983Packets not matched by another queue are assigned to this one. 984Exactly one default queue is required. 985.It Ar red 986Enable RED (Random Early Detection) on this queue. 987RED drops packets with a probability proportional to the average 988queue length. 989.It Ar rio 990Enables RIO on this queue. 991RIO is RED with IN/OUT, thus running 992RED two times more than RIO would achieve the same effect. 993RIO is currently not supported in the GENERIC kernel. 994.It Ar ecn 995Enables ECN (Explicit Congestion Notification) on this queue. 996ECN implies RED. 997.El 998.Pp 999The 1000.Ar cbq 1001.Ar scheduler 1002supports an additional option: 1003.Bl -tag -width Fl 1004.It Ar borrow 1005The queue can borrow bandwidth from the parent. 1006.El 1007.Pp 1008The 1009.Ar hfsc 1010.Ar scheduler 1011supports some additional options: 1012.Bl -tag -width Fl 1013.It Ar realtime Aq Ar sc 1014The minimum required bandwidth for the queue. 1015.It Ar upperlimit Aq Ar sc 1016The maximum allowed bandwidth for the queue. 1017.It Ar linkshare Aq Ar sc 1018The bandwidth share of a backlogged queue. 1019.El 1020.Pp 1021.Aq Ar sc 1022is an acronym for 1023.Ar service curve . 1024.Pp 1025The format for service curve specifications is 1026.Ar ( m1 , d , m2 ) . 1027.Ar m2 1028controls the bandwidth assigned to the queue. 1029.Ar m1 1030and 1031.Ar d 1032are optional and can be used to control the initial bandwidth assignment. 1033For the first 1034.Ar d 1035milliseconds the queue gets the bandwidth given as 1036.Ar m1 , 1037afterwards the value given in 1038.Ar m2 . 1039.Pp 1040Furthermore, with 1041.Ar cbq 1042and 1043.Ar hfsc , 1044child queues can be specified as in an 1045.Ar altq 1046declaration, thus building a tree of queues using a part of 1047their parent's bandwidth. 1048.Pp 1049Packets can be assigned to queues based on filter rules by using the 1050.Ar queue 1051keyword. 1052Normally only one 1053.Ar queue 1054is specified; when a second one is specified it will instead be used for 1055packets which have a 1056.Em TOS 1057of 1058.Em lowdelay 1059and for TCP ACKs with no data payload. 1060.Pp 1061To continue the previous example, the examples below would specify the 1062four referenced 1063queues, plus a few child queues. 1064Interactive 1065.Xr ssh 1 1066sessions get priority over bulk transfers like 1067.Xr scp 1 1068and 1069.Xr sftp 1 . 1070The queues may then be referenced by filtering rules (see 1071.Sx PACKET FILTERING 1072below). 1073.Bd -literal 1074queue std bandwidth 10% cbq(default) 1075queue http bandwidth 60% priority 2 cbq(borrow red) \e 1076 { employees, developers } 1077queue developers bandwidth 75% cbq(borrow) 1078queue employees bandwidth 15% 1079queue mail bandwidth 10% priority 0 cbq(borrow ecn) 1080queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk } 1081queue ssh_interactive bandwidth 50% priority 7 cbq(borrow) 1082queue ssh_bulk bandwidth 50% priority 0 cbq(borrow) 1083 1084block return out on dc0 inet all queue std 1085pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e 1086 queue developers 1087pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e 1088 queue employees 1089pass out on dc0 inet proto tcp from any to any port 22 \e 1090 queue(ssh_bulk, ssh_interactive) 1091pass out on dc0 inet proto tcp from any to any port 25 \e 1092 queue mail 1093.Ed 1094.Sh TRANSLATION 1095Translation rules modify either the source or destination address of the 1096packets associated with a stateful connection. 1097A stateful connection is automatically created to track packets matching 1098such a rule as long as they are not blocked by the filtering section of 1099.Nm pf.conf . 1100The translation engine modifies the specified address and/or port in the 1101packet, recalculates IP, TCP and UDP checksums as necessary, and passes it to 1102the packet filter for evaluation. 1103.Pp 1104Since translation occurs before filtering the filter 1105engine will see packets as they look after any 1106addresses and ports have been translated. 1107Filter rules will therefore have to filter based on the translated 1108address and port number. 1109Packets that match a translation rule are only automatically passed if 1110the 1111.Ar pass 1112modifier is given, otherwise they are 1113still subject to 1114.Ar block 1115and 1116.Ar pass 1117rules. 1118.Pp 1119The state entry created permits 1120.Xr pf 4 1121to keep track of the original address for traffic associated with that state 1122and correctly direct return traffic for that connection. 1123.Pp 1124Various types of translation are possible with pf: 1125.Bl -tag -width xxxx 1126.It Ar binat 1127A 1128.Ar binat 1129rule specifies a bidirectional mapping between an external IP netblock 1130and an internal IP netblock. 1131.It Ar nat 1132A 1133.Ar nat 1134rule specifies that IP addresses are to be changed as the packet 1135traverses the given interface. 1136This technique allows one or more IP addresses 1137on the translating host to support network traffic for a larger range of 1138machines on an "inside" network. 1139Although in theory any IP address can be used on the inside, it is strongly 1140recommended that one of the address ranges defined by RFC 1918 be used. 1141These netblocks are: 1142.Bd -literal 114310.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8) 1144172.16.0.0 - 172.31.255.255 (i.e., 172.16/12) 1145192.168.0.0 - 192.168.255.255 (i.e., 192.168/16) 1146.Ed 1147.It Pa rdr 1148The packet is redirected to another destination and possibly a 1149different port. 1150.Ar rdr 1151rules can optionally specify port ranges instead of single ports. 1152rdr ... port 2000:2999 -\*(Gt ... port 4000 1153redirects ports 2000 to 2999 (inclusive) to port 4000. 1154rdr ... port 2000:2999 -\*(Gt ... port 4000:* 1155redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999. 1156.El 1157.Pp 1158In addition to modifying the address, some translation rules may modify 1159source or destination ports for 1160.Xr tcp 4 1161or 1162.Xr udp 4 1163connections; implicitly in the case of 1164.Ar nat 1165rules and explicitly in the case of 1166.Ar rdr 1167rules. 1168Port numbers are never translated with a 1169.Ar binat 1170rule. 1171.Pp 1172Evaluation order of the translation rules is dependent on the type 1173of the translation rules and of the direction of a packet. 1174.Ar binat 1175rules are always evaluated first. 1176Then either the 1177.Ar rdr 1178rules are evaluated on an inbound packet or the 1179.Ar nat 1180rules on an outbound packet. 1181Rules of the same type are evaluated in the same order in which they 1182appear in the ruleset. 1183The first matching rule decides what action is taken. 1184.Pp 1185The 1186.Ar no 1187option prefixed to a translation rule causes packets to remain untranslated, 1188much in the same way as 1189.Ar drop quick 1190works in the packet filter (see below). 1191If no rule matches the packet it is passed to the filter engine unmodified. 1192.Pp 1193Translation rules apply only to packets that pass through 1194the specified interface, and if no interface is specified, 1195translation is applied to packets on all interfaces. 1196For instance, redirecting port 80 on an external interface to an internal 1197web server will only work for connections originating from the outside. 1198Connections to the address of the external interface from local hosts will 1199not be redirected, since such packets do not actually pass through the 1200external interface. 1201Redirections cannot reflect packets back through the interface they arrive 1202on, they can only be redirected to hosts connected to different interfaces 1203or to the firewall itself. 1204.Pp 1205Note that redirecting external incoming connections to the loopback 1206address, as in 1207.Bd -literal -offset indent 1208rdr on ne3 inet proto tcp to port smtp -\*(Gt 127.0.0.1 port spamd 1209.Ed 1210.Pp 1211will effectively allow an external host to connect to daemons 1212bound solely to the loopback address, circumventing the traditional 1213blocking of such connections on a real interface. 1214Unless this effect is desired, any of the local non-loopback addresses 1215should be used as redirection target instead, which allows external 1216connections only to daemons bound to this address or not bound to 1217any address. 1218.Pp 1219See 1220.Sx TRANSLATION EXAMPLES 1221below. 1222.Sh PACKET FILTERING 1223.Xr pf 4 1224has the ability to 1225.Ar block 1226and 1227.Ar pass 1228packets based on attributes of their layer 3 (see 1229.Xr ip 4 1230and 1231.Xr ip6 4 ) 1232and layer 4 (see 1233.Xr icmp 4 , 1234.Xr icmp6 4 , 1235.Xr tcp 4 , 1236.Xr udp 4 ) 1237headers. 1238In addition, packets may also be 1239assigned to queues for the purpose of bandwidth control. 1240.Pp 1241For each packet processed by the packet filter, the filter rules are 1242evaluated in sequential order, from first to last. 1243The last matching rule decides what action is taken. 1244If no rule matches the packet, the default action is to pass 1245the packet. 1246.Pp 1247The following actions can be used in the filter: 1248.Bl -tag -width xxxx 1249.It Ar block 1250The packet is blocked. 1251There are a number of ways in which a 1252.Ar block 1253rule can behave when blocking a packet. 1254The default behaviour is to 1255.Ar drop 1256packets silently, however this can be overridden or made 1257explicit either globally, by setting the 1258.Ar block-policy 1259option, or on a per-rule basis with one of the following options: 1260.Pp 1261.Bl -tag -width xxxx -compact 1262.It Ar drop 1263The packet is silently dropped. 1264.It Ar return-rst 1265This applies only to 1266.Xr tcp 4 1267packets, and issues a TCP RST which closes the 1268connection. 1269.It Ar return-icmp 1270.It Ar return-icmp6 1271This causes ICMP messages to be returned for packets which match the rule. 1272By default this is an ICMP UNREACHABLE message, however this 1273can be overridden by specifying a message as a code or number. 1274.It Ar return 1275This causes a TCP RST to be returned for 1276.Xr tcp 4 1277packets and an ICMP UNREACHABLE for UDP and other packets. 1278.El 1279.Pp 1280Options returning ICMP packets currently have no effect if 1281.Xr pf 4 1282operates on a 1283.Xr if_bridge 4 , 1284as the code to support this feature has not yet been implemented. 1285.Pp 1286The simplest mechanism to block everything by default and only pass 1287packets that match explicit rules is specify a first filter rule of: 1288.Bd -literal -offset indent 1289block all 1290.Ed 1291.It Ar pass 1292The packet is passed; 1293state is created unless the 1294.Ar no state 1295option is specified. 1296.El 1297.Pp 1298By default 1299.Xr pf 4 1300filters packets statefully; the first time a packet matches a 1301.Ar pass 1302rule, a state entry is created; for subsequent packets the filter checks 1303whether the packet matches any state. 1304If it does, the packet is passed without evaluation of any rules. 1305After the connection is closed or times out, the state entry is automatically 1306removed. 1307.Pp 1308This has several advantages. 1309For TCP connections, comparing a packet to a state involves checking 1310its sequence numbers, as well as TCP timestamps if a 1311.Ar scrub reassemble tcp 1312rule applies to the connection. 1313If these values are outside the narrow windows of expected 1314values, the packet is dropped. 1315This prevents spoofing attacks, such as when an attacker sends packets with 1316a fake source address/port but does not know the connection's sequence 1317numbers. 1318Similarly, 1319.Xr pf 4 1320knows how to match ICMP replies to states. 1321For example, 1322.Bd -literal -offset indent 1323pass out inet proto icmp all icmp-type echoreq 1324.Ed 1325.Pp 1326allows echo requests (such as those created by 1327.Xr ping 8 ) 1328out statefully, and matches incoming echo replies correctly to states. 1329.Pp 1330Also, looking up states is usually faster than evaluating rules. 1331If there are 50 rules, all of them are evaluated sequentially in O(n). 1332Even with 50000 states, only 16 comparisons are needed to match a 1333state, since states are stored in a binary search tree that allows 1334searches in O(log2 n). 1335.Pp 1336Furthermore, correct handling of ICMP error messages is critical to 1337many protocols, particularly TCP. 1338.Xr pf 4 1339matches ICMP error messages to the correct connection, checks them against 1340connection parameters, and passes them if appropriate. 1341For example if an ICMP source quench message referring to a stateful TCP 1342connection arrives, it will be matched to the state and get passed. 1343.Pp 1344Finally, state tracking is required for 1345.Ar nat , binat No and Ar rdr 1346rules, in order to track address and port translations and reverse the 1347translation on returning packets. 1348.Pp 1349.Xr pf 4 1350will also create state for other protocols which are effectively stateless by 1351nature. 1352UDP packets are matched to states using only host addresses and ports, 1353and other protocols are matched to states using only the host addresses. 1354.Pp 1355If stateless filtering of individual packets is desired, 1356the 1357.Ar no state 1358keyword can be used to specify that state will not be created 1359if this is the last matching rule. 1360A number of parameters can also be set to affect how 1361.Xr pf 4 1362handles state tracking. 1363See 1364.Sx STATEFUL TRACKING OPTIONS 1365below for further details. 1366.Sh PARAMETERS 1367The rule parameters specify the packets to which a rule applies. 1368A packet always comes in on, or goes out through, one interface. 1369Most parameters are optional. 1370If a parameter is specified, the rule only applies to packets with 1371matching attributes. 1372Certain parameters can be expressed as lists, in which case 1373.Xr pfctl 8 1374generates all needed rule combinations. 1375.Bl -tag -width xxxx 1376.It Ar in No or Ar out 1377This rule applies to incoming or outgoing packets. 1378If neither 1379.Ar in 1380nor 1381.Ar out 1382are specified, the rule will match packets in both directions. 1383.It Ar log 1384In addition to the action specified, a log message is generated. 1385Only the packet that establishes the state is logged, 1386unless the 1387.Ar no state 1388option is specified. 1389The logged packets are sent to a 1390.Xr pflog 4 1391interface, by default 1392.Ar pflog0 . 1393This interface is monitored by the 1394.Xr pflogd 8 1395logging daemon, which dumps the logged packets to the file 1396.Pa /var/log/pflog 1397in 1398.Xr pcap 3 1399binary format. 1400.It Ar log (all) 1401Used to force logging of all packets for a connection. 1402This is not necessary when 1403.Ar no state 1404is explicitly specified. 1405As with 1406.Ar log , 1407packets are logged to 1408.Xr pflog 4 . 1409.It Ar log (user) 1410Logs the 1411.Ux 1412user ID of the user that owns the socket and the PID of the process that 1413has the socket open where the packet is sourced from or destined to 1414(depending on which socket is local). 1415This is in addition to the normal information logged. 1416.Pp 1417Only the first packet 1418logged via 1419.Ar log (all, user) 1420will have the user credentials logged when using stateful matching. 1421.It Ar log (to Aq Ar interface ) 1422Send logs to the specified 1423.Xr pflog 4 1424interface instead of 1425.Ar pflog0 . 1426.It Ar quick 1427If a packet matches a rule which has the 1428.Ar quick 1429option set, this rule 1430is considered the last matching rule, and evaluation of subsequent rules 1431is skipped. 1432.It Ar on Aq Ar interface 1433This rule applies only to packets coming in on, or going out through, this 1434particular interface or interface group. 1435For more information on interface groups, 1436see the 1437.Ic group 1438keyword in 1439.Xr ifconfig 8 . 1440.It Aq Ar af 1441This rule applies only to packets of this address family. 1442Supported values are 1443.Ar inet 1444and 1445.Ar inet6 . 1446.It Ar proto Aq Ar protocol 1447This rule applies only to packets of this protocol. 1448Common protocols are 1449.Xr icmp 4 , 1450.Xr icmp6 4 , 1451.Xr tcp 4 , 1452and 1453.Xr udp 4 . 1454For a list of all the protocol name to number mappings used by 1455.Xr pfctl 8 , 1456see the file 1457.Pa /etc/protocols . 1458.It Xo 1459.Ar from Aq Ar source 1460.Ar port Aq Ar source 1461.Ar os Aq Ar source 1462.Ar to Aq Ar dest 1463.Ar port Aq Ar dest 1464.Xc 1465This rule applies only to packets with the specified source and destination 1466addresses and ports. 1467.Pp 1468Addresses can be specified in CIDR notation (matching netblocks), as 1469symbolic host names, interface names or interface group names, or as any 1470of the following keywords: 1471.Pp 1472.Bl -tag -width xxxxxxxxxxxxxx -compact 1473.It Ar any 1474Any address. 1475.It Ar no-route 1476Any address which is not currently routable. 1477.It Ar urpf-failed 1478Any source address that fails a unicast reverse path forwarding (URPF) 1479check, i.e. packets coming in on an interface other than that which holds 1480the route back to the packet's source address. 1481.It Aq Ar table 1482Any address that matches the given table. 1483.El 1484.Pp 1485Ranges of addresses are specified by using the 1486.Sq - 1487operator. 1488For instance: 1489.Dq 10.1.1.10 - 10.1.1.12 1490means all addresses from 10.1.1.10 to 10.1.1.12, 1491hence addresses 10.1.1.10, 10.1.1.11, and 10.1.1.12. 1492.Pp 1493Interface names and interface group names can have modifiers appended: 1494.Pp 1495.Bl -tag -width xxxxxxxxxxxx -compact 1496.It Ar :network 1497Translates to the network(s) attached to the interface. 1498.It Ar :broadcast 1499Translates to the interface's broadcast address(es). 1500.It Ar :peer 1501Translates to the point-to-point interface's peer address(es). 1502.It Ar :0 1503Do not include interface aliases. 1504.El 1505.Pp 1506Host names may also have the 1507.Ar :0 1508option appended to restrict the name resolution to the first of each 1509v4 and v6 address found. 1510.Pp 1511Host name resolution and interface to address translation are done at 1512ruleset load-time. 1513When the address of an interface (or host name) changes (under DHCP or PPP, 1514for instance), the ruleset must be reloaded for the change to be reflected 1515in the kernel. 1516Surrounding the interface name (and optional modifiers) in parentheses 1517changes this behaviour. 1518When the interface name is surrounded by parentheses, the rule is 1519automatically updated whenever the interface changes its address. 1520The ruleset does not need to be reloaded. 1521This is especially useful with 1522.Ar nat . 1523.Pp 1524Ports can be specified either by number or by name. 1525For example, port 80 can be specified as 1526.Em www . 1527For a list of all port name to number mappings used by 1528.Xr pfctl 8 , 1529see the file 1530.Pa /etc/services . 1531.Pp 1532Ports and ranges of ports are specified by using these operators: 1533.Bd -literal -offset indent 1534= (equal) 1535!= (unequal) 1536\*(Lt (less than) 1537\*(Le (less than or equal) 1538\*(Gt (greater than) 1539\*(Ge (greater than or equal) 1540: (range including boundaries) 1541\*(Gt\*(Lt (range excluding boundaries) 1542\*(Lt\*(Gt (except range) 1543.Ed 1544.Pp 1545.Sq \*(Gt\*(Lt , 1546.Sq \*(Lt\*(Gt 1547and 1548.Sq \&: 1549are binary operators (they take two arguments). 1550For instance: 1551.Bl -tag -width Fl 1552.It Ar port 2000:2004 1553means 1554.Sq all ports \*(Ge 2000 and \*(Le 2004 , 1555hence ports 2000, 2001, 2002, 2003 and 2004. 1556.It Ar port 2000 \*(Gt\*(Lt 2004 1557means 1558.Sq all ports \*(Gt 2000 and \*(Lt 2004 , 1559hence ports 2001, 2002 and 2003. 1560.It Ar port 2000 \*(Lt\*(Gt 2004 1561means 1562.Sq all ports \*(Lt 2000 or \*(Gt 2004 , 1563hence ports 1-1999 and 2005-65535. 1564.El 1565.Pp 1566The operating system of the source host can be specified in the case of TCP 1567rules with the 1568.Ar OS 1569modifier. 1570See the 1571.Sx OPERATING SYSTEM FINGERPRINTING 1572section for more information. 1573.Pp 1574The host, port and OS specifications are optional, as in the following examples: 1575.Bd -literal -offset indent 1576pass in all 1577pass in from any to any 1578pass in proto tcp from any port \*(Le 1024 to any 1579pass in proto tcp from any to any port 25 1580pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e 1581 to ! 10.1.2.3 port != ssh 1582pass in proto tcp from any os "OpenBSD" 1583.Ed 1584.It Ar all 1585This is equivalent to "from any to any". 1586.It Ar group Aq Ar group 1587Similar to 1588.Ar user , 1589this rule only applies to packets of sockets owned by the specified group. 1590.It Ar user Aq Ar user 1591This rule only applies to packets of sockets owned by the specified user. 1592For outgoing connections initiated from the firewall, this is the user 1593that opened the connection. 1594For incoming connections to the firewall itself, this is the user that 1595listens on the destination port. 1596For forwarded connections, where the firewall is not a connection endpoint, 1597the user and group are 1598.Em unknown . 1599.Pp 1600All packets, both outgoing and incoming, of one connection are associated 1601with the same user and group. 1602Only TCP and UDP packets can be associated with users; for other protocols 1603these parameters are ignored. 1604.Pp 1605User and group refer to the effective (as opposed to the real) IDs, in 1606case the socket is created by a setuid/setgid process. 1607User and group IDs are stored when a socket is created; 1608when a process creates a listening socket as root (for instance, by 1609binding to a privileged port) and subsequently changes to another 1610user ID (to drop privileges), the credentials will remain root. 1611.Pp 1612User and group IDs can be specified as either numbers or names. 1613The syntax is similar to the one for ports. 1614The value 1615.Em unknown 1616matches packets of forwarded connections. 1617.Em unknown 1618can only be used with the operators 1619.Cm = 1620and 1621.Cm != . 1622Other constructs like 1623.Cm user \*(Ge unknown 1624are invalid. 1625Forwarded packets with unknown user and group ID match only rules 1626that explicitly compare against 1627.Em unknown 1628with the operators 1629.Cm = 1630or 1631.Cm != . 1632For instance 1633.Cm user \*(Ge 0 1634does not match forwarded packets. 1635The following example allows only selected users to open outgoing 1636connections: 1637.Bd -literal -offset indent 1638block out proto { tcp, udp } all 1639pass out proto { tcp, udp } all user { \*(Lt 1000, dhartmei } 1640.Ed 1641.It Xo Ar flags Aq Ar a 1642.Pf / Ns Aq Ar b 1643.No \*(Ba / Ns Aq Ar b 1644.No \*(Ba any 1645.Xc 1646This rule only applies to TCP packets that have the flags 1647.Aq Ar a 1648set out of set 1649.Aq Ar b . 1650Flags not specified in 1651.Aq Ar b 1652are ignored. 1653For stateful connections, the default is 1654.Ar flags S/SA . 1655To indicate that flags should not be checked at all, specify 1656.Ar flags any . 1657The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R. 1658.Bl -tag -width Fl 1659.It Ar flags S/S 1660Flag SYN is set. 1661The other flags are ignored. 1662.It Ar flags S/SA 1663This is the default setting for stateful connections. 1664Out of SYN and ACK, exactly SYN may be set. 1665SYN, SYN+PSH and SYN+RST match, but SYN+ACK, ACK and ACK+RST do not. 1666This is more restrictive than the previous example. 1667.It Ar flags /SFRA 1668If the first set is not specified, it defaults to none. 1669All of SYN, FIN, RST and ACK must be unset. 1670.El 1671.Pp 1672Because 1673.Ar flags S/SA 1674is applied by default (unless 1675.Ar no state 1676is specified), only the initial SYN packet of a TCP handshake will create 1677a state for a TCP connection. 1678It is possible to be less restrictive, and allow state creation from 1679intermediate 1680.Pq non-SYN 1681packets, by specifying 1682.Ar flags any . 1683This will cause 1684.Xr pf 4 1685to synchronize to existing connections, for instance 1686if one flushes the state table. 1687However, states created from such intermediate packets may be missing 1688connection details such as the TCP window scaling factor. 1689States which modify the packet flow, such as those affected by 1690.Ar nat , binat No or Ar rdr 1691rules, 1692.Ar modulate No or Ar synproxy state 1693options, or scrubbed with 1694.Ar reassemble tcp 1695will also not be recoverable from intermediate packets. 1696Such connections will stall and time out. 1697.It Xo Ar icmp-type Aq Ar type 1698.Ar code Aq Ar code 1699.Xc 1700.It Xo Ar icmp6-type Aq Ar type 1701.Ar code Aq Ar code 1702.Xc 1703This rule only applies to ICMP or ICMPv6 packets with the specified type 1704and code. 1705Text names for ICMP types and codes are listed in 1706.Xr icmp 4 1707and 1708.Xr icmp6 4 . 1709This parameter is only valid for rules that cover protocols ICMP or 1710ICMP6. 1711The protocol and the ICMP type indicator 1712.Po 1713.Ar icmp-type 1714or 1715.Ar icmp6-type 1716.Pc 1717must match. 1718.It Xo Ar tos Aq Ar string 1719.No \*(Ba Aq Ar number 1720.Xc 1721This rule applies to packets with the specified 1722.Em TOS 1723bits set. 1724.Em TOS 1725may be 1726given as one of 1727.Ar lowdelay , 1728.Ar throughput , 1729.Ar reliability , 1730or as either hex or decimal. 1731.Pp 1732For example, the following rules are identical: 1733.Bd -literal -offset indent 1734pass all tos lowdelay 1735pass all tos 0x10 1736pass all tos 16 1737.Ed 1738.It Ar allow-opts 1739By default, IPv4 packets with IP options or IPv6 packets with routing 1740extension headers are blocked. 1741When 1742.Ar allow-opts 1743is specified for a 1744.Ar pass 1745rule, packets that pass the filter based on that rule (last matching) 1746do so even if they contain IP options or routing extension headers. 1747For packets that match state, the rule that initially created the 1748state is used. 1749The implicit 1750.Ar pass 1751rule that is used when a packet does not match any rules does not 1752allow IP options. 1753.It Ar label Aq Ar string 1754Adds a label (name) to the rule, which can be used to identify the rule. 1755For instance, 1756pfctl -s labels 1757shows per-rule statistics for rules that have labels. 1758.Pp 1759The following macros can be used in labels: 1760.Pp 1761.Bl -tag -width $srcaddr -compact -offset indent 1762.It Ar $if 1763The interface. 1764.It Ar $srcaddr 1765The source IP address. 1766.It Ar $dstaddr 1767The destination IP address. 1768.It Ar $srcport 1769The source port specification. 1770.It Ar $dstport 1771The destination port specification. 1772.It Ar $proto 1773The protocol name. 1774.It Ar $nr 1775The rule number. 1776.El 1777.Pp 1778For example: 1779.Bd -literal -offset indent 1780ips = \&"{ 1.2.3.4, 1.2.3.5 }\&" 1781pass in proto tcp from any to $ips \e 1782 port \*(Gt 1023 label \&"$dstaddr:$dstport\&" 1783.Ed 1784.Pp 1785expands to 1786.Bd -literal -offset indent 1787pass in inet proto tcp from any to 1.2.3.4 \e 1788 port \*(Gt 1023 label \&"1.2.3.4:\*(Gt1023\&" 1789pass in inet proto tcp from any to 1.2.3.5 \e 1790 port \*(Gt 1023 label \&"1.2.3.5:\*(Gt1023\&" 1791.Ed 1792.Pp 1793The macro expansion for the 1794.Ar label 1795directive occurs only at configuration file parse time, not during runtime. 1796.It Xo Ar queue Aq Ar queue 1797.No \*(Ba ( Aq Ar queue , 1798.Aq Ar queue ) 1799.Xc 1800Packets matching this rule will be assigned to the specified queue. 1801If two queues are given, packets which have a 1802.Em TOS 1803of 1804.Em lowdelay 1805and TCP ACKs with no data payload will be assigned to the second one. 1806See 1807.Sx QUEUEING 1808for setup details. 1809.Pp 1810For example: 1811.Bd -literal -offset indent 1812pass in proto tcp to port 25 queue mail 1813pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio) 1814.Ed 1815.It Ar tag Aq Ar string 1816Packets matching this rule will be tagged with the 1817specified string. 1818The tag acts as an internal marker that can be used to 1819identify these packets later on. 1820This can be used, for example, to provide trust between 1821interfaces and to determine if packets have been 1822processed by translation rules. 1823Tags are 1824.Qq sticky , 1825meaning that the packet will be tagged even if the rule 1826is not the last matching rule. 1827Further matching rules can replace the tag with a 1828new one but will not remove a previously applied tag. 1829A packet is only ever assigned one tag at a time. 1830Packet tagging can be done during 1831.Ar nat , 1832.Ar rdr , 1833or 1834.Ar binat 1835rules in addition to filter rules. 1836Tags take the same macros as labels (see above). 1837.It Ar tagged Aq Ar string 1838Used with filter, translation or scrub rules 1839to specify that packets must already 1840be tagged with the given tag in order to match the rule. 1841Inverse tag matching can also be done 1842by specifying the 1843.Cm !\& 1844operator before the 1845.Ar tagged 1846keyword. 1847.It Ar rtable Aq Ar number 1848Used to select an alternate routing table for the routing lookup. 1849Only effective before the route lookup happened, i.e. when filtering inbound. 1850.It Xo Ar divert-to Aq Ar host 1851.Ar port Aq Ar port 1852.Xc 1853Used to redirect packets to a local socket bound to 1854.Ar host 1855and 1856.Ar port . 1857The packets will not be modified, so 1858.Xr getsockname 2 1859on the socket will return the original destination address of the packet. 1860.It Ar divert-reply 1861Used to receive replies for sockets that are bound to addresses 1862which are not local to the machine. 1863See 1864.Xr setsockopt 2 1865for information on how to bind these sockets. 1866.It Ar probability Aq Ar number 1867A probability attribute can be attached to a rule, with a value set between 18680 and 1, bounds not included. 1869In that case, the rule will be honoured using the given probability value 1870only. 1871For example, the following rule will drop 20% of incoming ICMP packets: 1872.Bd -literal -offset indent 1873block in proto icmp probability 20% 1874.Ed 1875.El 1876.Sh ROUTING 1877If a packet matches a rule with a route option set, the packet filter will 1878route the packet according to the type of route option. 1879When such a rule creates state, the route option is also applied to all 1880packets matching the same connection. 1881.Bl -tag -width xxxx 1882.It Ar fastroute 1883The 1884.Ar fastroute 1885option does a normal route lookup to find the next hop for the packet. 1886.It Ar route-to 1887The 1888.Ar route-to 1889option routes the packet to the specified interface with an optional address 1890for the next hop. 1891When a 1892.Ar route-to 1893rule creates state, only packets that pass in the same direction as the 1894filter rule specifies will be routed in this way. 1895Packets passing in the opposite direction (replies) are not affected 1896and are routed normally. 1897.It Ar reply-to 1898The 1899.Ar reply-to 1900option is similar to 1901.Ar route-to , 1902but routes packets that pass in the opposite direction (replies) to the 1903specified interface. 1904Opposite direction is only defined in the context of a state entry, and 1905.Ar reply-to 1906is useful only in rules that create state. 1907It can be used on systems with multiple external connections to 1908route all outgoing packets of a connection through the interface 1909the incoming connection arrived through (symmetric routing enforcement). 1910.It Ar dup-to 1911The 1912.Ar dup-to 1913option creates a duplicate of the packet and routes it like 1914.Ar route-to . 1915The original packet gets routed as it normally would. 1916.El 1917.Sh POOL OPTIONS 1918For 1919.Ar nat 1920and 1921.Ar rdr 1922rules, (as well as for the 1923.Ar route-to , 1924.Ar reply-to 1925and 1926.Ar dup-to 1927rule options) for which there is a single redirection address which has a 1928subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP 1929address), a variety of different methods for assigning this address can be 1930used: 1931.Bl -tag -width xxxx 1932.It Ar bitmask 1933The 1934.Ar bitmask 1935option applies the network portion of the redirection address to the address 1936to be modified (source with 1937.Ar nat , 1938destination with 1939.Ar rdr ) . 1940.It Ar random 1941The 1942.Ar random 1943option selects an address at random within the defined block of addresses. 1944.It Ar source-hash 1945The 1946.Ar source-hash 1947option uses a hash of the source address to determine the redirection address, 1948ensuring that the redirection address is always the same for a given source. 1949An optional key can be specified after this keyword either in hex or as a 1950string; by default 1951.Xr pfctl 8 1952randomly generates a key for source-hash every time the 1953ruleset is reloaded. 1954.It Ar round-robin 1955The 1956.Ar round-robin 1957option loops through the redirection address(es). 1958.Pp 1959When more than one redirection address is specified, 1960.Ar round-robin 1961is the only permitted pool type. 1962.It Ar static-port 1963With 1964.Ar nat 1965rules, the 1966.Ar static-port 1967option prevents 1968.Xr pf 4 1969from modifying the source port on TCP and UDP packets. 1970.El 1971.Pp 1972Additionally, the 1973.Ar sticky-address 1974option can be specified to help ensure that multiple connections from the 1975same source are mapped to the same redirection address. 1976This option can be used with the 1977.Ar random 1978and 1979.Ar round-robin 1980pool options. 1981Note that by default these associations are destroyed as soon as there are 1982no longer states which refer to them; in order to make the mappings last 1983beyond the lifetime of the states, increase the global options with 1984.Ar set timeout src.track . 1985See 1986.Sx STATEFUL TRACKING OPTIONS 1987for more ways to control the source tracking. 1988.Sh STATE MODULATION 1989Much of the security derived from TCP is attributable to how well the 1990initial sequence numbers (ISNs) are chosen. 1991Some popular stack implementations choose 1992.Em very 1993poor ISNs and thus are normally susceptible to ISN prediction exploits. 1994By applying a 1995.Ar modulate state 1996rule to a TCP connection, 1997.Xr pf 4 1998will create a high quality random sequence number for each connection 1999endpoint. 2000.Pp 2001The 2002.Ar modulate state 2003directive implicitly keeps state on the rule and is 2004only applicable to TCP connections. 2005.Pp 2006For instance: 2007.Bd -literal -offset indent 2008block all 2009pass out proto tcp from any to any modulate state 2010pass in proto tcp from any to any port 25 flags S/SFRA modulate state 2011.Ed 2012.Pp 2013Note that modulated connections will not recover when the state table 2014is lost (firewall reboot, flushing the state table, etc...). 2015.Xr pf 4 2016will not be able to infer a connection again after the state table flushes 2017the connection's modulator. 2018When the state is lost, the connection may be left dangling until the 2019respective endpoints time out the connection. 2020It is possible on a fast local network for the endpoints to start an ACK 2021storm while trying to resynchronize after the loss of the modulator. 2022The default 2023.Ar flags 2024settings (or a more strict equivalent) should be used on 2025.Ar modulate state 2026rules to prevent ACK storms. 2027.Pp 2028Note that alternative methods are available 2029to prevent loss of the state table 2030and allow for firewall failover. 2031See 2032.Xr carp 4 2033and 2034.Xr pfsync 4 2035for further information. 2036.Sh SYN PROXY 2037By default, 2038.Xr pf 4 2039passes packets that are part of a 2040.Xr tcp 4 2041handshake between the endpoints. 2042The 2043.Ar synproxy state 2044option can be used to cause 2045.Xr pf 4 2046itself to complete the handshake with the active endpoint, perform a handshake 2047with the passive endpoint, and then forward packets between the endpoints. 2048.Pp 2049No packets are sent to the passive endpoint before the active endpoint has 2050completed the handshake, hence so-called SYN floods with spoofed source 2051addresses will not reach the passive endpoint, as the sender can't complete the 2052handshake. 2053.Pp 2054The proxy is transparent to both endpoints, they each see a single 2055connection from/to the other endpoint. 2056.Xr pf 4 2057chooses random initial sequence numbers for both handshakes. 2058Once the handshakes are completed, the sequence number modulators 2059(see previous section) are used to translate further packets of the 2060connection. 2061.Ar synproxy state 2062includes 2063.Ar modulate state . 2064.Pp 2065Rules with 2066.Ar synproxy 2067will not work if 2068.Xr pf 4 2069operates on a 2070.Xr bridge 4 . 2071.Pp 2072Example: 2073.Bd -literal -offset indent 2074pass in proto tcp from any to any port www synproxy state 2075.Ed 2076.Sh STATEFUL TRACKING OPTIONS 2077A number of options related to stateful tracking can be applied on a 2078per-rule basis. 2079.Ar keep state , 2080.Ar modulate state 2081and 2082.Ar synproxy state 2083support these options, and 2084.Ar keep state 2085must be specified explicitly to apply options to a rule. 2086.Pp 2087.Bl -tag -width xxxx -compact 2088.It Ar max Aq Ar number 2089Limits the number of concurrent states the rule may create. 2090When this limit is reached, further packets that would create 2091state will not match this rule until existing states time out. 2092.It Ar no-sync 2093Prevent state changes for states created by this rule from appearing on the 2094.Xr pfsync 4 2095interface. 2096.It Xo Aq Ar timeout 2097.Aq Ar seconds 2098.Xc 2099Changes the timeout values used for states created by this rule. 2100For a list of all valid timeout names, see 2101.Sx OPTIONS 2102above. 2103.It Ar sloppy 2104Uses a sloppy TCP connection tracker that does not check sequence 2105numbers at all, which makes insertion and ICMP teardown attacks way 2106easier. 2107This is intended to be used in situations where one does not see all 2108packets of a connection, e.g. in asymmetric routing situations. 2109Cannot be used with modulate or synproxy state. 2110.It Ar pflow 2111States created by this rule are exported on the 2112.Xr pflow 4 2113interface. 2114.El 2115.Pp 2116Multiple options can be specified, separated by commas: 2117.Bd -literal -offset indent 2118pass in proto tcp from any to any \e 2119 port www keep state \e 2120 (max 100, source-track rule, max-src-nodes 75, \e 2121 max-src-states 3, tcp.established 60, tcp.closing 5) 2122.Ed 2123.Pp 2124When the 2125.Ar source-track 2126keyword is specified, the number of states per source IP is tracked. 2127.Pp 2128.Bl -tag -width xxxx -compact 2129.It Ar source-track rule 2130The maximum number of states created by this rule is limited by the rule's 2131.Ar max-src-nodes 2132and 2133.Ar max-src-states 2134options. 2135Only state entries created by this particular rule count toward the rule's 2136limits. 2137.It Ar source-track global 2138The number of states created by all rules that use this option is limited. 2139Each rule can specify different 2140.Ar max-src-nodes 2141and 2142.Ar max-src-states 2143options, however state entries created by any participating rule count towards 2144each individual rule's limits. 2145.El 2146.Pp 2147The following limits can be set: 2148.Pp 2149.Bl -tag -width xxxx -compact 2150.It Ar max-src-nodes Aq Ar number 2151Limits the maximum number of source addresses which can simultaneously 2152have state table entries. 2153.It Ar max-src-states Aq Ar number 2154Limits the maximum number of simultaneous state entries that a single 2155source address can create with this rule. 2156.El 2157.Pp 2158For stateful TCP connections, limits on established connections (connections 2159which have completed the TCP 3-way handshake) can also be enforced 2160per source IP. 2161.Pp 2162.Bl -tag -width xxxx -compact 2163.It Ar max-src-conn Aq Ar number 2164Limits the maximum number of simultaneous TCP connections which have 2165completed the 3-way handshake that a single host can make. 2166.It Xo Ar max-src-conn-rate Aq Ar number 2167.No / Aq Ar seconds 2168.Xc 2169Limit the rate of new connections over a time interval. 2170The connection rate is an approximation calculated as a moving average. 2171.El 2172.Pp 2173Because the 3-way handshake ensures that the source address is not being 2174spoofed, more aggressive action can be taken based on these limits. 2175With the 2176.Ar overload Aq Ar table 2177state option, source IP addresses which hit either of the limits on 2178established connections will be added to the named table. 2179This table can be used in the ruleset to block further activity from 2180the offending host, redirect it to a tarpit process, or restrict its 2181bandwidth. 2182.Pp 2183The optional 2184.Ar flush 2185keyword kills all states created by the matching rule which originate 2186from the host which exceeds these limits. 2187The 2188.Ar global 2189modifier to the flush command kills all states originating from the 2190offending host, regardless of which rule created the state. 2191.Pp 2192For example, the following rules will protect the webserver against 2193hosts making more than 100 connections in 10 seconds. 2194Any host which connects faster than this rate will have its address added 2195to the 2196.Aq bad_hosts 2197table and have all states originating from it flushed. 2198Any new packets arriving from this host will be dropped unconditionally 2199by the block rule. 2200.Bd -literal -offset indent 2201block quick from \*(Ltbad_hosts\*(Gt 2202pass in on $ext_if proto tcp to $webserver port www keep state \e 2203 (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global) 2204.Ed 2205.Sh OPERATING SYSTEM FINGERPRINTING 2206Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP 2207connection's initial SYN packet and guess at the host's operating system. 2208Unfortunately these nuances are easily spoofed by an attacker so the 2209fingerprint is not useful in making security decisions. 2210But the fingerprint is typically accurate enough to make policy decisions 2211upon. 2212.Pp 2213The fingerprints may be specified by operating system class, by 2214version, or by subtype/patchlevel. 2215The class of an operating system is typically the vendor or genre 2216and would be 2217.Ox 2218for the 2219.Xr pf 4 2220firewall itself. 2221The version of the oldest available 2222.Ox 2223release on the main FTP site 2224would be 2.6 and the fingerprint would be written 2225.Pp 2226.Dl \&"OpenBSD 2.6\&" 2227.Pp 2228The subtype of an operating system is typically used to describe the 2229patchlevel if that patch led to changes in the TCP stack behavior. 2230In the case of 2231.Ox , 2232the only subtype is for a fingerprint that was 2233normalized by the 2234.Ar no-df 2235scrub option and would be specified as 2236.Pp 2237.Dl \&"OpenBSD 3.3 no-df\&" 2238.Pp 2239Fingerprints for most popular operating systems are provided by 2240.Xr pf.os 5 . 2241Once 2242.Xr pf 4 2243is running, a complete list of known operating system fingerprints may 2244be listed by running: 2245.Pp 2246.Dl # pfctl -so 2247.Pp 2248Filter rules can enforce policy at any level of operating system specification 2249assuming a fingerprint is present. 2250Policy could limit traffic to approved operating systems or even ban traffic 2251from hosts that aren't at the latest service pack. 2252.Pp 2253The 2254.Ar unknown 2255class can also be used as the fingerprint which will match packets for 2256which no operating system fingerprint is known. 2257.Pp 2258Examples: 2259.Bd -literal -offset indent 2260pass out proto tcp from any os OpenBSD 2261block out proto tcp from any os Doors 2262block out proto tcp from any os "Doors PT" 2263block out proto tcp from any os "Doors PT SP3" 2264block out from any os "unknown" 2265pass on lo0 proto tcp from any os "OpenBSD 3.3 lo0" 2266.Ed 2267.Pp 2268Operating system fingerprinting is limited only to the TCP SYN packet. 2269This means that it will not work on other protocols and will not match 2270a currently established connection. 2271.Pp 2272Caveat: operating system fingerprints are occasionally wrong. 2273There are three problems: an attacker can trivially craft his packets to 2274appear as any operating system he chooses; 2275an operating system patch could change the stack behavior and no fingerprints 2276will match it until the database is updated; 2277and multiple operating systems may have the same fingerprint. 2278.Sh BLOCKING SPOOFED TRAFFIC 2279"Spoofing" is the faking of IP addresses, typically for malicious 2280purposes. 2281The 2282.Ar antispoof 2283directive expands to a set of filter rules which will block all 2284traffic with a source IP from the network(s) directly connected 2285to the specified interface(s) from entering the system through 2286any other interface. 2287.Pp 2288For example, the line 2289.Bd -literal -offset indent 2290antispoof for lo0 2291.Ed 2292.Pp 2293expands to 2294.Bd -literal -offset indent 2295block drop in on ! lo0 inet from 127.0.0.1/8 to any 2296block drop in on ! lo0 inet6 from ::1 to any 2297.Ed 2298.Pp 2299For non-loopback interfaces, there are additional rules to block incoming 2300packets with a source IP address identical to the interface's IP(s). 2301For example, assuming the interface wi0 had an IP address of 10.0.0.1 and a 2302netmask of 255.255.255.0, 2303the line 2304.Bd -literal -offset indent 2305antispoof for wi0 inet 2306.Ed 2307.Pp 2308expands to 2309.Bd -literal -offset indent 2310block drop in on ! wi0 inet from 10.0.0.0/24 to any 2311block drop in inet from 10.0.0.1 to any 2312.Ed 2313.Pp 2314Caveat: Rules created by the 2315.Ar antispoof 2316directive interfere with packets sent over loopback interfaces 2317to local addresses. 2318One should pass these explicitly. 2319.Sh FRAGMENT HANDLING 2320The size of IP datagrams (packets) can be significantly larger than the 2321maximum transmission unit (MTU) of the network. 2322In cases when it is necessary or more efficient to send such large packets, 2323the large packet will be fragmented into many smaller packets that will each 2324fit onto the wire. 2325Unfortunately for a firewalling device, only the first logical fragment will 2326contain the necessary header information for the subprotocol that allows 2327.Xr pf 4 2328to filter on things such as TCP ports or to perform NAT. 2329.Pp 2330Besides the use of 2331.Ar scrub 2332rules as described in 2333.Sx TRAFFIC NORMALIZATION 2334above, there are three options for handling fragments in the packet filter. 2335.Pp 2336One alternative is to filter individual fragments with filter rules. 2337If no 2338.Ar scrub 2339rule applies to a fragment, it is passed to the filter. 2340Filter rules with matching IP header parameters decide whether the 2341fragment is passed or blocked, in the same way as complete packets 2342are filtered. 2343Without reassembly, fragments can only be filtered based on IP header 2344fields (source/destination address, protocol), since subprotocol header 2345fields are not available (TCP/UDP port numbers, ICMP code/type). 2346The 2347.Ar fragment 2348option can be used to restrict filter rules to apply only to 2349fragments, but not complete packets. 2350Filter rules without the 2351.Ar fragment 2352option still apply to fragments, if they only specify IP header fields. 2353For instance, the rule 2354.Bd -literal -offset indent 2355pass in proto tcp from any to any port 80 2356.Ed 2357.Pp 2358never applies to a fragment, even if the fragment is part of a TCP 2359packet with destination port 80, because without reassembly this information 2360is not available for each fragment. 2361This also means that fragments cannot create new or match existing 2362state table entries, which makes stateful filtering and address 2363translation (NAT, redirection) for fragments impossible. 2364.Pp 2365It's also possible to reassemble only certain fragments by specifying 2366source or destination addresses or protocols as parameters in 2367.Ar scrub 2368rules. 2369.Pp 2370In most cases, the benefits of reassembly outweigh the additional 2371memory cost, and it's recommended to use 2372.Ar scrub 2373rules to reassemble 2374all fragments via the 2375.Ar fragment reassemble 2376modifier. 2377.Pp 2378The memory allocated for fragment caching can be limited using 2379.Xr pfctl 8 . 2380Once this limit is reached, fragments that would have to be cached 2381are dropped until other entries time out. 2382The timeout value can also be adjusted. 2383.Pp 2384Currently, only IPv4 fragments are supported and IPv6 fragments 2385are blocked unconditionally. 2386.Sh ANCHORS 2387Besides the main ruleset, 2388.Xr pfctl 8 2389can load rulesets into 2390.Ar anchor 2391attachment points. 2392An 2393.Ar anchor 2394is a container that can hold rules, address tables, and other anchors. 2395.Pp 2396An 2397.Ar anchor 2398has a name which specifies the path where 2399.Xr pfctl 8 2400can be used to access the anchor to perform operations on it, such as 2401attaching child anchors to it or loading rules into it. 2402Anchors may be nested, with components separated by 2403.Sq / 2404characters, similar to how file system hierarchies are laid out. 2405The main ruleset is actually the default anchor, so filter and 2406translation rules, for example, may also be contained in any anchor. 2407.Pp 2408An anchor can reference another 2409.Ar anchor 2410attachment point 2411using the following kinds 2412of rules: 2413.Bl -tag -width xxxx 2414.It Ar nat-anchor Aq Ar name 2415Evaluates the 2416.Ar nat 2417rules in the specified 2418.Ar anchor . 2419.It Ar rdr-anchor Aq Ar name 2420Evaluates the 2421.Ar rdr 2422rules in the specified 2423.Ar anchor . 2424.It Ar binat-anchor Aq Ar name 2425Evaluates the 2426.Ar binat 2427rules in the specified 2428.Ar anchor . 2429.It Ar anchor Aq Ar name 2430Evaluates the filter rules in the specified 2431.Ar anchor . 2432.It Xo Ar load anchor 2433.Aq Ar name 2434.Ar from Aq Ar file 2435.Xc 2436Loads the rules from the specified file into the 2437anchor 2438.Ar name . 2439.El 2440.Pp 2441When evaluation of the main ruleset reaches an 2442.Ar anchor 2443rule, 2444.Xr pf 4 2445will proceed to evaluate all rules specified in that anchor. 2446.Pp 2447Matching filter and translation rules marked with the 2448.Ar quick 2449option are final and abort the evaluation of the rules in other 2450anchors and the main ruleset. 2451If the 2452.Ar anchor 2453itself is marked with the 2454.Ar quick 2455option, 2456ruleset evaluation will terminate when the anchor is exited if the packet is 2457matched by any rule within the anchor. 2458.Pp 2459.Ar anchor 2460rules are evaluated relative to the anchor in which they are contained. 2461For example, all 2462.Ar anchor 2463rules specified in the main ruleset will reference anchor 2464attachment points underneath the main ruleset, and 2465.Ar anchor 2466rules specified in a file loaded from a 2467.Ar load anchor 2468rule will be attached under that anchor point. 2469.Pp 2470Rules may be contained in 2471.Ar anchor 2472attachment points which do not contain any rules when the main ruleset 2473is loaded, and later such anchors can be manipulated through 2474.Xr pfctl 8 2475without reloading the main ruleset or other anchors. 2476For example, 2477.Bd -literal -offset indent 2478ext_if = \&"kue0\&" 2479block on $ext_if all 2480anchor spam 2481pass out on $ext_if all 2482pass in on $ext_if proto tcp from any \e 2483 to $ext_if port smtp 2484.Ed 2485.Pp 2486blocks all packets on the external interface by default, then evaluates 2487all rules in the 2488.Ar anchor 2489named "spam", and finally passes all outgoing connections and 2490incoming connections to port 25. 2491.Bd -literal -offset indent 2492# echo \&"block in quick from 1.2.3.4 to any\&" \&| \e 2493 pfctl -a spam -f - 2494.Ed 2495.Pp 2496This loads a single rule into the 2497.Ar anchor , 2498which blocks all packets from a specific address. 2499.Pp 2500The anchor can also be populated by adding a 2501.Ar load anchor 2502rule after the 2503.Ar anchor 2504rule: 2505.Bd -literal -offset indent 2506anchor spam 2507load anchor spam from "/etc/pf-spam.conf" 2508.Ed 2509.Pp 2510When 2511.Xr pfctl 8 2512loads 2513.Nm pf.conf , 2514it will also load all the rules from the file 2515.Pa /etc/pf-spam.conf 2516into the anchor. 2517.Pp 2518Optionally, 2519.Ar anchor 2520rules can specify packet filtering parameters using the same syntax as 2521filter rules. 2522When parameters are used, the 2523.Ar anchor 2524rule is only evaluated for matching packets. 2525This allows conditional evaluation of anchors, like: 2526.Bd -literal -offset indent 2527block on $ext_if all 2528anchor spam proto tcp from any to any port smtp 2529pass out on $ext_if all 2530pass in on $ext_if proto tcp from any to $ext_if port smtp 2531.Ed 2532.Pp 2533The rules inside 2534.Ar anchor 2535spam are only evaluated for 2536.Ar tcp 2537packets with destination port 25. 2538Hence, 2539.Bd -literal -offset indent 2540# echo \&"block in quick from 1.2.3.4 to any" \&| \e 2541 pfctl -a spam -f - 2542.Ed 2543.Pp 2544will only block connections from 1.2.3.4 to port 25. 2545.Pp 2546Anchors may end with the asterisk 2547.Pq Sq * 2548character, which signifies that all anchors attached at that point 2549should be evaluated in the alphabetical ordering of their anchor name. 2550For example, 2551.Bd -literal -offset indent 2552anchor "spam/*" 2553.Ed 2554.Pp 2555will evaluate each rule in each anchor attached to the 2556.Li spam 2557anchor. 2558Note that it will only evaluate anchors that are directly attached to the 2559.Li spam 2560anchor, and will not descend to evaluate anchors recursively. 2561.Pp 2562Since anchors are evaluated relative to the anchor in which they are 2563contained, there is a mechanism for accessing the parent and ancestor 2564anchors of a given anchor. 2565Similar to file system path name resolution, if the sequence 2566.Dq .. 2567appears as an anchor path component, the parent anchor of the current 2568anchor in the path evaluation at that point will become the new current 2569anchor. 2570As an example, consider the following: 2571.Bd -literal -offset indent 2572# echo ' anchor "spam/allowed" ' | pfctl -f - 2573# echo -e ' anchor "../banned" \en pass' | \e 2574 pfctl -a spam/allowed -f - 2575.Ed 2576.Pp 2577Evaluation of the main ruleset will lead into the 2578.Li spam/allowed 2579anchor, which will evaluate the rules in the 2580.Li spam/banned 2581anchor, if any, before finally evaluating the 2582.Ar pass 2583rule. 2584.Pp 2585Filter rule 2586.Ar anchors 2587can also be loaded inline in the ruleset within a brace ('{' '}') delimited 2588block. 2589Brace delimited blocks may contain rules or other brace-delimited blocks. 2590When anchors are loaded this way the anchor name becomes optional. 2591.Bd -literal -offset indent 2592anchor "external" on egress { 2593 block 2594 anchor out { 2595 pass proto tcp from any to port { 25, 80, 443 } 2596 } 2597 pass in proto tcp to any port 22 2598} 2599.Ed 2600.Pp 2601Since the parser specification for anchor names is a string, any 2602reference to an anchor name containing 2603.Sq / 2604characters will require double quote 2605.Pq Sq \&" 2606characters around the anchor name. 2607.Sh TRANSLATION EXAMPLES 2608This example maps incoming requests on port 80 to port 8080, on 2609which a daemon is running (because, for example, it is not run as root, 2610and therefore lacks permission to bind to port 80). 2611.Bd -literal 2612# use a macro for the interface name, so it can be changed easily 2613ext_if = \&"ne3\&" 2614 2615# map daemon on 8080 to appear to be on 80 2616rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080 2617.Ed 2618.Pp 2619If the 2620.Ar pass 2621modifier is given, packets matching the translation rule are passed without 2622inspecting the filter rules: 2623.Bd -literal 2624rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e 2625 port 8080 2626.Ed 2627.Pp 2628In the example below, vlan12 is configured as 192.168.168.1; 2629the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111 2630when they are going out any interface except vlan12. 2631This has the net effect of making traffic from the 192.168.168.0/24 2632network appear as though it is the Internet routable address 2633204.92.77.111 to nodes behind any interface on the router except 2634for the nodes on vlan12. 2635(Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.) 2636.Bd -literal 2637nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111 2638.Ed 2639.Pp 2640In the example below, the machine sits between a fake internal 144.19.74.* 2641network, and a routable external IP of 204.92.77.100. 2642The 2643.Ar no nat 2644rule excludes protocol AH from being translated. 2645.Bd -literal 2646# NO NAT 2647no nat on $ext_if proto ah from 144.19.74.0/24 to any 2648nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100 2649.Ed 2650.Pp 2651In the example below, packets bound for one specific server, as well as those 2652generated by the sysadmins are not proxied; all other connections are. 2653.Bd -literal 2654# NO RDR 2655no rdr on $int_if proto { tcp, udp } from any to $server port 80 2656no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80 2657rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e 2658 port 80 2659.Ed 2660.Pp 2661This longer example uses both a NAT and a redirection. 2662The external interface has the address 157.161.48.183. 2663On localhost, we are running 2664.Xr ftp-proxy 8 , 2665waiting for FTP sessions to be redirected to it. 2666The three mandatory anchors for 2667.Xr ftp-proxy 8 2668are omitted from this example; see the 2669.Xr ftp-proxy 8 2670manpage. 2671.Bd -literal 2672# NAT 2673# Translate outgoing packets' source addresses (any protocol). 2674# In this case, any address but the gateway's external address is mapped. 2675nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if) 2676 2677# NAT PROXYING 2678# Map outgoing packets' source port to an assigned proxy port instead of 2679# an arbitrary port. 2680# In this case, proxy outgoing isakmp with port 500 on the gateway. 2681nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e 2682 port 500 2683 2684# BINAT 2685# Translate outgoing packets' source address (any protocol). 2686# Translate incoming packets' destination address to an internal machine 2687# (bidirectional). 2688binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if 2689 2690# RDR 2691# Translate incoming packets' destination addresses. 2692# As an example, redirect a TCP and UDP port to an internal machine. 2693rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e 2694 -\*(Gt 10.1.2.151 port 22 2695rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e 2696 -\*(Gt 10.1.2.151 port 53 2697 2698# RDR 2699# Translate outgoing ftp control connections to send them to localhost 2700# for proxying with ftp-proxy(8) running on port 8021. 2701rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021 2702.Ed 2703.Pp 2704In this example, a NAT gateway is set up to translate internal addresses 2705using a pool of public addresses (192.0.2.16/28) and to redirect 2706incoming web server connections to a group of web servers on the internal 2707network. 2708.Bd -literal 2709# NAT LOAD BALANCE 2710# Translate outgoing packets' source addresses using an address pool. 2711# A given source address is always translated to the same pool address by 2712# using the source-hash keyword. 2713nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash 2714 2715# RDR ROUND ROBIN 2716# Translate incoming web server connections to a group of web servers on 2717# the internal network. 2718rdr on $ext_if proto tcp from any to any port 80 \e 2719 -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin 2720.Ed 2721.Sh FILTER EXAMPLES 2722.Bd -literal 2723# The external interface is kue0 2724# (157.161.48.183, the only routable address) 2725# and the private network is 10.0.0.0/8, for which we are doing NAT. 2726 2727# use a macro for the interface name, so it can be changed easily 2728ext_if = \&"kue0\&" 2729 2730# normalize all incoming traffic 2731scrub in on $ext_if all fragment reassemble 2732 2733# block and log everything by default 2734block return log on $ext_if all 2735 2736# block anything coming from source we have no back routes for 2737block in from no-route to any 2738 2739# block packets whose ingress interface does not match the one in 2740# the route back to their source address 2741block in from urpf-failed to any 2742 2743# block and log outgoing packets that do not have our address as source, 2744# they are either spoofed or something is misconfigured (NAT disabled, 2745# for instance), we want to be nice and do not send out garbage. 2746block out log quick on $ext_if from ! 157.161.48.183 to any 2747 2748# silently drop broadcasts (cable modem noise) 2749block in quick on $ext_if from any to 255.255.255.255 2750 2751# block and log incoming packets from reserved address space and invalid 2752# addresses, they are either spoofed or misconfigured, we cannot reply to 2753# them anyway (hence, no return-rst). 2754block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \e 2755 192.168.0.0/16, 255.255.255.255/32 } to any 2756 2757# ICMP 2758 2759# pass out/in certain ICMP queries and keep state (ping) 2760# state matching is done on host addresses and ICMP id (not type/code), 2761# so replies (like 0/0 for 8/0) will match queries 2762# ICMP error messages (which always refer to a TCP/UDP packet) are 2763# handled by the TCP/UDP states 2764pass on $ext_if inet proto icmp all icmp-type 8 code 0 2765 2766# UDP 2767 2768# pass out all UDP connections and keep state 2769pass out on $ext_if proto udp all 2770 2771# pass in certain UDP connections and keep state (DNS) 2772pass in on $ext_if proto udp from any to any port domain 2773 2774# TCP 2775 2776# pass out all TCP connections and modulate state 2777pass out on $ext_if proto tcp all modulate state 2778 2779# pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT) 2780pass in on $ext_if proto tcp from any to any port { ssh, smtp, domain, \e 2781 auth } 2782 2783# Do not allow Windows 9x SMTP connections since they are typically 2784# a viral worm. Alternately we could limit these OSes to 1 connection each. 2785block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e 2786 to any port smtp 2787 2788# IPv6 2789# pass in/out all IPv6 traffic: note that we have to enable this in two 2790# different ways, on both our physical interface and our tunnel 2791pass quick on gif0 inet6 2792pass quick on $ext_if proto ipv6 2793 2794# Packet Tagging 2795 2796# three interfaces: $int_if, $ext_if, and $wifi_if (wireless). NAT is 2797# being done on $ext_if for all outgoing packets. tag packets in on 2798# $int_if and pass those tagged packets out on $ext_if. all other 2799# outgoing packets (i.e., packets from the wireless network) are only 2800# permitted to access port 80. 2801 2802pass in on $int_if from any to any tag INTNET 2803pass in on $wifi_if from any to any 2804 2805block out on $ext_if from any to any 2806pass out quick on $ext_if tagged INTNET 2807pass out on $ext_if proto tcp from any to any port 80 2808 2809# tag incoming packets as they are redirected to spamd(8). use the tag 2810# to pass those packets through the packet filter. 2811 2812rdr on $ext_if inet proto tcp from \*(Ltspammers\*(Gt to port smtp \e 2813 tag SPAMD -\*(Gt 127.0.0.1 port spamd 2814 2815block in on $ext_if 2816pass in on $ext_if inet proto tcp tagged SPAMD 2817.Ed 2818.Sh GRAMMAR 2819Syntax for 2820.Nm 2821in BNF: 2822.Bd -literal 2823line = ( option | pf-rule | nat-rule | binat-rule | rdr-rule | 2824 antispoof-rule | altq-rule | queue-rule | trans-anchors | 2825 anchor-rule | anchor-close | load-anchor | table-rule | 2826 include ) 2827 2828option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] | 2829 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] | 2830 [ "optimization" [ "default" | "normal" | 2831 "high-latency" | "satellite" | 2832 "aggressive" | "conservative" ] ] 2833 [ "limit" ( limit-item | "{" limit-list "}" ) ] | 2834 [ "loginterface" ( interface-name | "none" ) ] | 2835 [ "block-policy" ( "drop" | "return" ) ] | 2836 [ "state-policy" ( "if-bound" | "floating" ) ] 2837 [ "state-defaults" state-opts ] 2838 [ "require-order" ( "yes" | "no" ) ] 2839 [ "fingerprints" filename ] | 2840 [ "skip on" ifspec ] | 2841 [ "debug" ( "none" | "urgent" | "misc" | "loud" ) ] ) 2842 2843pf-rule = action [ ( "in" | "out" ) ] 2844 [ "log" [ "(" logopts ")"] ] [ "quick" ] 2845 [ "on" ifspec ] [ "fastroute" | route ] [ af ] [ protospec ] 2846 hosts [ filteropt-list ] 2847 2848logopts = logopt [ "," logopts ] 2849logopt = "all" | "user" | "to" interface-name 2850 2851filteropt-list = filteropt-list filteropt | filteropt 2852filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos | 2853 ( "no" | "keep" | "modulate" | "synproxy" ) "state" 2854 [ "(" state-opts ")" ] | 2855 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos | 2856 "max-mss" number | "random-id" | "reassemble tcp" | 2857 fragmentation | "allow-opts" | 2858 "label" string | "tag" string | [ ! ] "tagged" string | 2859 "queue" ( string | "(" string [ [ "," ] string ] ")" ) | 2860 "rtable" number | "probability" number"%" 2861 2862nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ] 2863 [ "on" ifspec ] [ af ] 2864 [ protospec ] hosts [ "tag" string ] [ "tagged" string ] 2865 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" ) 2866 [ portspec ] [ pooltype ] [ "static-port" ] ] 2867 2868binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ] 2869 [ "on" interface-name ] [ af ] 2870 [ "proto" ( proto-name | proto-number ) ] 2871 "from" address [ "/" mask-bits ] "to" ipspec 2872 [ "tag" string ] [ "tagged" string ] 2873 [ "-\*(Gt" address [ "/" mask-bits ] ] 2874 2875rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ] 2876 [ "on" ifspec ] [ af ] 2877 [ protospec ] hosts [ "tag" string ] [ "tagged" string ] 2878 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" ) 2879 [ portspec ] [ pooltype ] ] 2880 2881antispoof-rule = "antispoof" [ "log" ] [ "quick" ] 2882 "for" ifspec [ af ] [ "label" string ] 2883 2884table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ] 2885tableopts-list = tableopts-list tableopts | tableopts 2886tableopts = "persist" | "const" | "counters" | "file" string | 2887 "{" [ tableaddr-list ] "}" 2888tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec 2889tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ] 2890tableaddr = hostname | ifspec | "self" | 2891 ipv4-dotted-quad | ipv6-coloned-hex 2892 2893altq-rule = "altq on" interface-name queueopts-list 2894 "queue" subqueue 2895queue-rule = "queue" string [ "on" interface-name ] queueopts-list 2896 subqueue 2897 2898anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ] 2899 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ] 2900 2901anchor-close = "}" 2902 2903trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string 2904 [ "on" ifspec ] [ af ] [ "proto" ] [ protospec ] [ hosts ] 2905 2906load-anchor = "load anchor" string "from" filename 2907 2908queueopts-list = queueopts-list queueopts | queueopts 2909queueopts = [ "bandwidth" bandwidth-spec ] | 2910 [ "qlimit" number ] | [ "tbrsize" number ] | 2911 [ "priority" number ] | [ schedulers ] 2912schedulers = ( cbq-def | priq-def | hfsc-def ) 2913bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" ) 2914 2915action = "pass" | "block" [ return ] | [ "no" ] "scrub" 2916return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] | 2917 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] | 2918 "return-icmp6" [ "(" icmp6code ")" ] 2919icmpcode = ( icmp-code-name | icmp-code-number ) 2920icmp6code = ( icmp6-code-name | icmp6-code-number ) 2921 2922ifspec = ( [ "!" ] ( interface-name | interface-group ) ) | 2923 "{" interface-list "}" 2924interface-list = [ "!" ] ( interface-name | interface-group ) 2925 [ [ "," ] interface-list ] 2926route = ( "route-to" | "reply-to" | "dup-to" ) 2927 ( routehost | "{" routehost-list "}" ) 2928 [ pooltype ] 2929af = "inet" | "inet6" 2930 2931protospec = "proto" ( proto-name | proto-number | 2932 "{" proto-list "}" ) 2933proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ] 2934 2935hosts = "all" | 2936 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host | 2937 "{" host-list "}" ) [ port ] [ os ] 2938 "to" ( "any" | "no-route" | "self" | host | 2939 "{" host-list "}" ) [ port ] 2940 2941ipspec = "any" | host | "{" host-list "}" 2942host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" ) 2943redirhost = address [ "/" mask-bits ] 2944routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")" 2945address = ( interface-name | interface-group | 2946 "(" ( interface-name | interface-group ) ")" | 2947 hostname | ipv4-dotted-quad | ipv6-coloned-hex ) 2948host-list = host [ [ "," ] host-list ] 2949redirhost-list = redirhost [ [ "," ] redirhost-list ] 2950routehost-list = routehost [ [ "," ] routehost-list ] 2951 2952port = "port" ( unary-op | binary-op | "{" op-list "}" ) 2953portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] 2954os = "os" ( os-name | "{" os-list "}" ) 2955user = "user" ( unary-op | binary-op | "{" op-list "}" ) 2956group = "group" ( unary-op | binary-op | "{" op-list "}" ) 2957 2958unary-op = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ] 2959 ( name | number ) 2960binary-op = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number 2961op-list = ( unary-op | binary-op ) [ [ "," ] op-list ] 2962 2963os-name = operating-system-name 2964os-list = os-name [ [ "," ] os-list ] 2965 2966flags = "flags" ( [ flag-set ] "/" flag-set | "any" ) 2967flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ] 2968 [ "W" ] 2969 2970icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" ) 2971icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" ) 2972icmp-type-code = ( icmp-type-name | icmp-type-number ) 2973 [ "code" ( icmp-code-name | icmp-code-number ) ] 2974icmp-list = icmp-type-code [ [ "," ] icmp-list ] 2975 2976tos = ( "lowdelay" | "throughput" | "reliability" | 2977 [ "0x" ] number ) 2978 2979state-opts = state-opt [ [ "," ] state-opts ] 2980state-opt = ( "max" number | "no-sync" | timeout | "sloppy" | "pflow" | 2981 "source-track" [ ( "rule" | "global" ) ] | 2982 "max-src-nodes" number | "max-src-states" number | 2983 "max-src-conn" number | 2984 "max-src-conn-rate" number "/" number | 2985 "overload" "\*(Lt" string "\*(Gt" [ "flush" ] | 2986 "if-bound" | "floating" ) 2987 2988fragmentation = [ "fragment reassemble" | "fragment crop" | 2989 "fragment drop-ovl" ] 2990 2991timeout-list = timeout [ [ "," ] timeout-list ] 2992timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | 2993 "tcp.closing" | "tcp.finwait" | "tcp.closed" | 2994 "udp.first" | "udp.single" | "udp.multiple" | 2995 "icmp.first" | "icmp.error" | 2996 "other.first" | "other.single" | "other.multiple" | 2997 "frag" | "interval" | "src.track" | 2998 "adaptive.start" | "adaptive.end" ) number 2999 3000limit-list = limit-item [ [ "," ] limit-list ] 3001limit-item = ( "states" | "frags" | "src-nodes" ) number 3002 3003pooltype = ( "bitmask" | "random" | 3004 "source-hash" [ ( hex-key | string-key ) ] | 3005 "round-robin" ) [ sticky-address ] 3006 3007subqueue = string | "{" queue-list "}" 3008queue-list = string [ [ "," ] string ] 3009cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ] 3010priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ] 3011hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ] 3012cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" ) 3013priq-opt = ( "default" | "red" | "ecn" | "rio" ) 3014hfsc-opt = ( "default" | "red" | "ecn" | "rio" | 3015 linkshare-sc | realtime-sc | upperlimit-sc ) 3016linkshare-sc = "linkshare" sc-spec 3017realtime-sc = "realtime" sc-spec 3018upperlimit-sc = "upperlimit" sc-spec 3019sc-spec = ( bandwidth-spec | 3020 "(" bandwidth-spec number bandwidth-spec ")" ) 3021include = "include" filename 3022.Ed 3023.Sh FILES 3024.Bl -tag -width "/etc/protocols" -compact 3025.It Pa /etc/hosts 3026Host name database. 3027.It Pa /etc/pf.conf 3028Default location of the ruleset file. 3029.It Pa /etc/pf.os 3030Default location of OS fingerprints. 3031.It Pa /etc/protocols 3032Protocol name database. 3033.It Pa /etc/services 3034Service name database. 3035.El 3036.Sh SEE ALSO 3037.Xr altq 4 , 3038.Xr carp 4 , 3039.Xr icmp 4 , 3040.Xr icmp6 4 , 3041.Xr ip 4 , 3042.Xr ip6 4 , 3043.Xr pf 4 , 3044.Xr pflow 4 , 3045.Xr pfsync 4 , 3046.Xr tcp 4 , 3047.Xr udp 4 , 3048.Xr hosts 5 , 3049.Xr pf.os 5 , 3050.Xr protocols 5 , 3051.Xr services 5 , 3052.Xr ftp-proxy 8 , 3053.Xr pfctl 8 , 3054.Xr pflogd 8 3055.Sh HISTORY 3056The 3057.Nm 3058file format first appeared in 3059.Ox 3.0 . 3060