summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJason McIntyre <jmc@cvs.openbsd.org>2009-09-03 17:53:26 +0000
committerJason McIntyre <jmc@cvs.openbsd.org>2009-09-03 17:53:26 +0000
commit56f7add333ac6f22a9079e6197ff8a02bc5a7bec (patch)
tree2325941b7f8244c87931a8367c73a77b8c13fa8c
parente8c88b71b0caf05b7a16f7fef03ce862d102f84c (diff)
the recent changes to translation make the ordering of this document
slightly redundant: move the packet filtering section to the top, and make translation a subsection; ok henning
-rw-r--r--share/man/man5/pf.conf.51711
1 files changed, 854 insertions, 857 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 751afd3acd2..0f7365a1418 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.451 2009/09/02 14:50:01 henning Exp $
+.\" $OpenBSD: pf.conf.5,v 1.452 2009/09/03 17:53:25 jmc Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: September 2 2009 $
+.Dd $Mdocdate: September 3 2009 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -42,14 +42,12 @@ definitions specified in
.Pp
This is an overview of the sections in this manual page:
.Bl -ohang
+.It Sy Packet Filtering
+Packet filtering, including network address translation (NAT).
.It Sy Options
Global options tune the behaviour of the packet filtering engine.
.It Sy Queueing
Queueing provides rule-based bandwidth control.
-.It Sy Translation
-Translation specifies how addresses are mapped to other addresses.
-.It Sy Packet Filtering
-Packet filtering provides rule-based blocking or passing of packets.
.It Sy Tables
Tables provide a method for dealing with large numbers of addresses.
.It Sy Anchors
@@ -61,7 +59,7 @@ Including scrub, fragment handling, and blocking spoofed traffic.
.It Sy Operating System Fingerprinting
A method for detecting a host's operating system.
.It Sy Examples
-Translation and filter examples.
+Some example rulesets.
.El
.Pp
Comments can be put anywhere in the file using a hash mark
@@ -90,774 +88,6 @@ all_ifs = "{" $ext_if lo0 "}"
pass out on $ext_if from any to any
pass in on $ext_if proto tcp from any to any port 25
.Ed
-.Sh OPTIONS
-.Xr pf 4
-may be tuned for various situations using the
-.Ar set
-command.
-.Bl -tag -width Ds
-.It Ar set block-policy
-The
-.Ar block-policy
-option sets the default behaviour for the packet
-.Ar block
-action:
-.Pp
-.Bl -tag -width xxxxxxxx -compact
-.It Ar drop
-Packet is silently dropped.
-.It Ar return
-A TCP RST is returned for blocked TCP packets,
-an ICMP UNREACHABLE is returned for blocked UDP packets,
-and all other packets are silently dropped.
-.El
-.It Ar set debug
-Set the debug
-.Ar level
-to one of the following:
-.Pp
-.Bl -tag -width xxxxxxxx -compact
-.It Ar loud
-Generate debug messages for common conditions.
-.It Ar misc
-Generate debug messages for various errors.
-.It Ar none
-Don't generate debug messages.
-.It Ar urgent
-Generate debug messages only for serious errors.
-.El
-.It Ar set fingerprints
-Load fingerprints of known operating systems from the given filename.
-By default fingerprints of known operating systems are automatically
-loaded from
-.Xr pf.os 5 ,
-but can be overridden via this option.
-Setting this option may leave a small period of time where the fingerprints
-referenced by the currently active ruleset are inconsistent until the new
-ruleset finishes loading.
-.It Ar set hostid
-The 32-bit
-.Ar hostid
-identifies this firewall's state table entries to other firewalls
-in a
-.Xr pfsync 4
-failover cluster.
-By default the hostid is set to a pseudo-random value, however it may be
-desirable to manually configure it, for example to more easily identify the
-source of state table entries.
-The hostid may be specified in either decimal or hexadecimal.
-.It Ar set limit
-Sets hard limits on the memory pools used by the packet filter.
-See
-.Xr pool 9
-for an explanation of memory pools.
-.Pp
-For example,
-to set the maximum number of entries in the memory pool used by state table
-entries (generated by
-.Ar pass
-rules which do not specify
-.Ar no state )
-to 20000:
-.Pp
-.Dl set limit states 20000
-.Pp
-To set the maximum number of entries in the memory pool used for fragment
-reassembly to 20000:
-.Pp
-.Dl set limit frags 20000
-.Pp
-To set the maximum number of entries in the memory pool used for tracking
-source IP addresses (generated by the
-.Ar sticky-address
-and
-.Ar src.track
-options) to 2000:
-.Pp
-.Dl set limit src-nodes 2000
-.Pp
-To set limits on the memory pools used by tables:
-.Bd -literal -offset indent
-set limit tables 1000
-set limit table-entries 100000
-.Ed
-.Pp
-The first limits the number of tables that can exist to 1000.
-The second limits the overall number of addresses that can be stored
-in tables to 100000.
-.Pp
-Various limits can be combined on a single line:
-.Bd -literal -offset indent
-set limit { states 20000, frags 20000, src-nodes 2000 }
-.Ed
-.It Ar set loginterface
-Enable collection of packet and byte count statistics for the given
-interface or interface group.
-These statistics can be viewed using:
-.Pp
-.Dl # pfctl -s info
-.Pp
-In this example
-.Xr pf 4
-collects statistics on the interface named dc0:
-.Pp
-.Dl set loginterface dc0
-.Pp
-One can disable the loginterface using:
-.Pp
-.Dl set loginterface none
-.It Ar set optimization
-Optimize state timeouts for one of the following network environments:
-.Pp
-.Bl -tag -width Ds -compact
-.It Ar aggressive
-Aggressively expire connections.
-This can greatly reduce the memory usage of the firewall at the cost of
-dropping idle connections early.
-.It Ar conservative
-Extremely conservative settings.
-Avoid dropping legitimate connections at the
-expense of greater memory utilization (possibly much greater on a busy
-network) and slightly increased processor utilization.
-.It Ar high-latency
-A high-latency environment (such as a satellite connection).
-.It Ar normal
-A normal network environment.
-Suitable for almost all networks.
-.It Ar satellite
-Alias for
-.Ar high-latency .
-.El
-.It Ar set reassemble
-The
-.Ar reassemble
-option turns reassembly of fragmented packets on or off.
-If
-.Ar no-df
-is given, fragments with the
-.Ar dont-fragment
-bit set have it cleared before entering the fragment cache,
-and thus the reassembled packet doesn't have
-.Ar dont-fragment
-set either.
-Setting this option does not affect non-fragmented packets.
-Fragment reassembly is turned on by default.
-.It Ar set require-order
-If set to
-.Ar yes ,
-.Xr pfctl 8
-will enforce that statement types in the ruleset are listed in the
-following order, to match the operation of the underlying packet
-filtering engine:
-.Em options ,
-.Em queueing ,
-.Em translation ,
-.Em filtering .
-This option is disabled by default.
-.It Ar set ruleset-optimization
-.Bl -tag -width xxxxxxxx -compact
-.It Ar basic
-Enable basic ruleset optimization.
-This is the default behaviour.
-Basic ruleset optimization does four things to improve the
-performance of ruleset evaluations:
-.Pp
-.Bl -enum -compact
-.It
-remove duplicate rules
-.It
-remove rules that are a subset of another rule
-.It
-combine multiple rules into a table when advantageous
-.It
-re-order the rules to improve evaluation performance
-.El
-.It Ar none
-Disable the ruleset optimizer.
-.It Ar profile
-Uses the currently loaded ruleset as a feedback profile to tailor the
-ordering of quick rules to actual network traffic.
-.El
-.Pp
-It is important to note that the ruleset optimizer will modify the ruleset
-to improve performance.
-A side effect of the ruleset modification is that per-rule accounting
-statistics will have different meanings than before.
-If per-rule accounting is important for billing purposes or whatnot,
-either the ruleset optimizer should not be used or a label field should
-be added to all of the accounting rules to act as optimization barriers.
-.Pp
-Optimization can also be set as a command-line argument to
-.Xr pfctl 8 ,
-overriding the settings in
-.Nm .
-.It Ar set skip on Aq Ar ifspec
-List interfaces for which packets should not be filtered.
-Packets passing in or out on such interfaces are passed as if pf was
-disabled, i.e. pf does not process them in any way.
-This can be useful on loopback and other virtual interfaces, when
-packet filtering is not desired and can have unexpected effects.
-.It Ar set state-defaults
-The
-.Ar state-defaults
-option sets the state options for states created from rules
-without an explicit
-.Ar keep state .
-For example:
-.Pp
-.Dl set state-defaults pflow, no-sync
-.It Ar set state-policy
-The
-.Ar state-policy
-option sets the default behaviour for states:
-.Pp
-.Bl -tag -width if-bound -compact
-.It Ar if-bound
-States are bound to interface.
-.It Ar floating
-States can match packets on any interfaces (the default).
-.El
-.It Ar set timeout
-.Pp
-.Bl -tag -width "src.track" -compact
-.It Ar frag
-Seconds before an unassembled fragment is expired.
-.It Ar interval
-Interval between purging expired states and fragments.
-.It Ar src.track
-Length of time to retain a source tracking entry after the last state
-expires.
-.El
-.Pp
-When a packet matches a stateful connection, the seconds to live for the
-connection will be updated to that of the
-protocol and modifier
-which corresponds to the connection state.
-Each packet which matches this state will reset the TTL.
-Tuning these values may improve the performance of the
-firewall at the risk of dropping valid idle connections.
-.Pp
-.Bl -tag -width Ds -compact
-.It Ar tcp.closed
-The state after one endpoint sends an RST.
-.It Ar tcp.closing
-The state after the first FIN has been sent.
-.It Ar tcp.established
-The fully established state.
-.It Ar tcp.finwait
-The state after both FINs have been exchanged and the connection is closed.
-Some hosts (notably web servers on Solaris) send TCP packets even after closing
-the connection.
-Increasing
-.Ar tcp.finwait
-(and possibly
-.Ar tcp.closing )
-can prevent blocking of such packets.
-.It Ar tcp.first
-The state after the first packet.
-.It Ar tcp.opening
-The state before the destination host ever sends a packet.
-.El
-.Pp
-ICMP and UDP are handled in a fashion similar to TCP, but with a much more
-limited set of states:
-.Pp
-.Bl -tag -width Ds -compact
-.It Ar icmp.error
-The state after an ICMP error came back in response to an ICMP packet.
-.It Ar icmp.first
-The state after the first packet.
-.It Ar udp.first
-The state after the first packet.
-.It Ar udp.multiple
-The state if both hosts have sent packets.
-.It Ar udp.single
-The state if the source host sends more than one packet but the destination
-host has never sent one back.
-.El
-.Pp
-Other protocols are handled similarly to UDP:
-.Pp
-.Bl -tag -width xxxx -compact
-.It Ar other.first
-.It Ar other.multiple
-.It Ar other.single
-.El
-.Pp
-Timeout values can be reduced adaptively as the number of state table
-entries grows.
-.Pp
-.Bl -tag -width Ds -compact
-.It Ar adaptive.end
-When reaching this number of state entries, all timeout values become
-zero, effectively purging all state entries immediately.
-This value is used to define the scale factor; it should not actually
-be reached (set a lower state limit, see below).
-.It Ar adaptive.start
-When the number of state entries exceeds this value, adaptive scaling
-begins.
-All timeout values are scaled linearly with factor
-(adaptive.end \- number of states) / (adaptive.end \- adaptive.start).
-.El
-.Pp
-Adaptive timeouts are enabled by default, with an adaptive.start value
-equal to 60% of the state limit, and an adaptive.end value equal to
-120% of the state limit.
-They can be disabled by setting both adaptive.start and adaptive.end to 0.
-.Pp
-The adaptive timeout values can be defined both globally and for each rule.
-When used on a per-rule basis, the values relate to the number of
-states created by the rule, otherwise to the total number of
-states.
-.Pp
-For example:
-.Bd -literal -offset indent
-set timeout tcp.first 120
-set timeout tcp.established 86400
-set timeout { adaptive.start 6000, adaptive.end 12000 }
-set limit states 10000
-.Ed
-.Pp
-With 9000 state table entries, the timeout values are scaled to 50%
-(tcp.first 60, tcp.established 43200).
-.El
-.Sh QUEUEING
-Packets can be assigned to queues for the purpose of bandwidth
-control.
-At least two declarations are required to configure queues, and later
-any packet filtering rule can reference the defined queues by name.
-During the filtering component of
-.Nm ,
-the last referenced
-.Ar queue
-name is where any packets from
-.Ar pass
-rules will be queued, while for
-.Ar block
-rules it specifies where any resulting ICMP or TCP RST
-packets should be queued.
-The
-.Em scheduler
-defines the algorithm used to decide which packets get delayed, dropped, or
-sent out immediately.
-There are three schedulers currently supported:
-.Bl -tag -width xxxx
-.It Ar cbq
-Class Based Queueing.
-Queues attached to an interface build a tree,
-thus each queue can have further child queues.
-Each queue can have a
-.Ar priority
-and a
-.Ar bandwidth
-assigned.
-Priority mainly controls the time packets take to get sent out,
-while bandwidth has primarily effects on throughput.
-.Ar cbq
-achieves both partitioning and sharing of link bandwidth
-by hierarchically structured classes.
-Each class has its own queue
-and is assigned its share of bandwidth.
-A child class can borrow bandwidth from its parent class
-as long as excess bandwidth is available
-(see the option
-.Ar borrow ,
-below).
-.It Ar hfsc
-Hierarchical Fair Service Curve.
-Queues attached to an interface build a tree,
-thus each queue can have further child queues.
-Each queue can have a
-.Ar priority
-and a
-.Ar bandwidth
-assigned.
-Priority mainly controls the time packets take to get sent out,
-while bandwidth primarily affects throughput.
-.Ar hfsc
-supports both link-sharing and guaranteed real-time services.
-It employs a service curve based QoS model,
-and its unique feature is an ability to decouple
-delay and bandwidth allocation.
-.It Ar priq
-Priority Queueing.
-Queues are flat attached to the interface,
-thus queues cannot have further child queues.
-Each queue has a unique
-.Ar priority
-assigned, ranging from 0 to 15.
-Packets in the queue with the highest priority are processed first.
-.El
-.Pp
-The interfaces on which queueing should be activated are declared using
-the
-.Ar altq on
-declaration.
-.Ar altq on
-has the following keywords:
-.Bl -tag -width xxxx
-.It Aq Ar interface
-Queueing is enabled on the named interface.
-.It Aq Ar scheduler
-Specifies which queueing scheduler to use.
-.It Ar bandwidth Aq Ar bw
-The maximum bitrate for all queues on an
-interface may be specified using the
-.Ar bandwidth
-keyword.
-The value can be specified as an absolute value or as a
-percentage of the interface bandwidth.
-When using an absolute value, the suffixes
-.Ar b ,
-.Ar Kb ,
-.Ar Mb ,
-and
-.Ar Gb
-are used to represent bits, kilobits, megabits, and
-gigabits per second, respectively.
-The value must not exceed the interface bandwidth.
-If
-.Ar bandwidth
-is not specified, the interface bandwidth is used
-(but take note that some interfaces do not know their bandwidth,
-or can adapt their bandwidth rates).
-.It Ar qlimit Aq Ar limit
-The maximum number of packets held in the queue.
-The default is 50.
-.It Ar tbrsize Aq Ar size
-Adjusts the size, in bytes, of the token bucket regulator.
-If not specified, heuristics based on the
-interface bandwidth are used to determine the size.
-.It Ar queue Aq Ar list
-Defines a list of subqueues to create on an interface.
-.El
-.Pp
-In the following example, the interface dc0
-should queue up to 5Mbps in four second-level queues using
-Class Based Queueing.
-Those four queues will be shown in a later example.
-.Bd -literal -offset indent
-altq on dc0 cbq bandwidth 5Mb queue { std, http, mail, ssh }
-.Ed
-.Pp
-Once interfaces are activated for queueing using the
-.Ar altq
-directive, a sequence of
-.Ar queue
-directives may be defined.
-The name associated with a queue
-must match a queue defined in the altq
-directive or, except for the
-.Ar priq
-scheduler, in a parent queue declaration.
-The following keywords can be used:
-.Bl -tag -width xxxx
-.It Ar on Aq Ar interface
-Specifies the interface the queue operates on.
-If not given, it operates on all matching interfaces.
-.It Ar bandwidth Aq Ar bw
-Specifies the maximum bitrate to be processed by the queue.
-This value must not exceed the value of the parent
-.Ar queue
-and can be specified as an absolute value or a percentage of the parent
-queue's bandwidth.
-If not specified, defaults to 100% of the parent queue's bandwidth.
-The
-.Ar priq
-scheduler does not support bandwidth specification.
-.It Ar priority Aq Ar level
-Between queues a priority level can be set.
-For
-.Ar cbq
-and
-.Ar hfsc ,
-the range is 0 to 7 and for
-.Ar priq ,
-the range is 0 to 15.
-The default for all is 1.
-.Ar priq
-queues with a higher priority are always served first.
-.Ar cbq
-and
-.Ar hfsc
-queues with a higher priority are preferred in the case of overload.
-.It Ar qlimit Aq Ar limit
-The maximum number of packets held in the queue.
-The default is 50.
-.El
-.Pp
-The scheduler can specify additional parameters using the format
-.Ar scheduler Ns Pq Ar parameters .
-The parameters are:
-.Bl -tag -width Fl
-.It Ar default
-Packets not matched by another queue are assigned to this one.
-Exactly one default queue is required.
-.It Ar ecn
-Enables Explicit Congestion Notification (ECN) on this queue.
-ECN implies RED.
-.It Ar red
-Enables Random Early Detection (RED) on this queue.
-RED drops packets with a probability proportional to the average
-queue length.
-.\" .It Ar rio
-.\" Enables RIO on this queue.
-.\" RIO is RED with IN/OUT, thus running
-.\" RED two times more than RIO would achieve the same effect.
-.El
-.Pp
-The
-.Ar cbq
-scheduler supports an additional option:
-.Pp
-.Bl -tag -width "upperlimit XXXXXXX" -compact -offset 3n
-.It Ar borrow
-The queue can borrow bandwidth from the parent.
-.El
-.Pp
-The
-.Ar hfsc
-scheduler supports some additional options:
-.Pp
-.Bl -tag -width "upperlimit XXXXXXX" -compact -offset 3n
-.It Ar linkshare Aq Ar sc
-The bandwidth share of a backlogged queue.
-.It Ar realtime Aq Ar sc
-The minimum required bandwidth for the queue.
-.It Ar upperlimit Aq Ar sc
-The maximum allowed bandwidth for the queue.
-.El
-.Pp
-.Aq Ar sc
-is an abbreviation for
-.Ar service curve .
-.Pp
-The format for service curve specifications is
-.Ar ( m1 , d , m2 ) .
-.Ar m2
-controls the bandwidth assigned to the queue.
-.Ar m1
-and
-.Ar d
-are optional and can be used to control the initial bandwidth assignment.
-For the first
-.Ar d
-milliseconds the queue gets the bandwidth given as
-.Ar m1 ,
-afterwards the value given in
-.Ar m2 .
-.Pp
-Furthermore, with
-.Ar cbq
-and
-.Ar hfsc ,
-child queues can be specified as in an
-.Ar altq
-declaration, thus building a tree of queues using a part of
-their parent's bandwidth.
-.Pp
-Packets can be assigned to queues based on filter rules by using the
-.Ar queue
-keyword.
-Normally only one
-.Ar queue
-is specified; when a second one is specified it will instead be used for
-packets which have a TOS of
-.Ar lowdelay
-and for TCP ACKs with no data payload.
-.Pp
-To continue the previous example, the examples below would specify the
-four referenced
-queues, plus a few child queues.
-Interactive
-.Xr ssh 1
-sessions get priority over bulk transfers like
-.Xr scp 1
-and
-.Xr sftp 1 .
-The queues may then be referenced by filtering rules (see
-.Sx PACKET FILTERING
-below).
-.Bd -literal -offset 4n
-queue std bandwidth 10% cbq(default)
-queue http bandwidth 60% priority 2 cbq(borrow red) \e
- { employees, developers }
-queue developers bandwidth 75% cbq(borrow)
-queue employees bandwidth 15%
-queue mail bandwidth 10% priority 0 cbq(borrow ecn)
-queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
-queue ssh_interactive bandwidth 50% priority 7 cbq(borrow)
-queue ssh_bulk bandwidth 50% priority 0 cbq(borrow)
-
-block return out on dc0 inet all queue std
-pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e
- queue developers
-pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e
- queue employees
-pass out on dc0 inet proto tcp from any to any port 22 \e
- queue(ssh_bulk, ssh_interactive)
-pass out on dc0 inet proto tcp from any to any port 25 \e
- queue mail
-.Ed
-.Sh TRANSLATION
-Translation options modify either the source or destination address of the
-packets associated with a stateful connection.
-A stateful connection is automatically created to track packets matching
-such a rule as long as they are not blocked by the filtering section of
-.Nm .
-The translation engine modifies the specified address and/or port in the
-packet, recalculates IP, TCP, and UDP checksums as necessary, and passes it to
-the packet filter for evaluation.
-.Pp
-Since translation occurs before filtering,
-the filter engine will see packets as they look
-after any addresses and ports have been translated.
-Filter rules will therefore have to filter based on the translated
-address and port number.
-Packets that match a translation rule are only automatically passed if the
-.Ar pass
-modifier is given,
-otherwise they are still subject to
-.Ar block
-and
-.Ar pass
-rules.
-.Pp
-The state entry created permits
-.Xr pf 4
-to keep track of the original address for traffic associated with that state
-and correctly direct return traffic for that connection.
-.Pp
-Two types of translation are possible with pf:
-.Bl -tag -width xxxxxxxx
-.It Ar nat-to
-A
-.Ar nat-to
-option specifies that IP addresses are to be changed as the packet
-traverses the given interface.
-This technique allows one or more IP addresses
-on the translating host to support network traffic for a larger range of
-machines on an "inside" network.
-Although in theory any IP address can be used on the inside, it is strongly
-recommended that one of the address ranges defined by RFC 1918 be used.
-Those netblocks are:
-.Bd -literal -offset indent
-10.0.0.0 \(en 10.255.255.255 (all of net 10, i.e. 10/8)
-172.16.0.0 \(en 172.31.255.255 (i.e. 172.16/12)
-192.168.0.0 \(en 192.168.255.255 (i.e. 192.168/16)
-.Ed
-.It Pa rdr-to
-The packet is redirected to another destination and possibly a
-different port.
-.Ar rdr-to
-can optionally specify port ranges instead of single ports.
-For instance:
-.Bl -tag -width Ds
-.It match in ... port 2000:2999 rdr-to ... port 4000
-redirects ports 2000 to 2999 (inclusive) to port 4000.
-.Pp
-.It match in ... port 2000:2999 rdr-to ... port 4000:*
-redirects port 2000 to 4000, port 2001 to 4001, ..., port 2999 to 4999.
-.El
-.El
-.Pp
-In addition to modifying the address, some translation rules may modify
-source or destination ports for TCP or UDP connections;
-implicitly in the case of
-.Ar nat-to
-options and explicitly in the case of
-.Ar rdr-to
-ones.
-.Pp
-Translation options apply only to packets that pass through the specified
-interface, and if no interface is specified, translation is applied
-to packets on all interfaces.
-For instance, redirecting port 80 on an external interface to an internal
-web server will only work for connections originating from the outside.
-Connections to the address of the external interface from local hosts will
-not be redirected, since such packets do not actually pass through the
-external interface.
-Redirections cannot reflect packets back through the interface they arrive
-on, they can only be redirected to hosts connected to different interfaces
-or to the firewall itself.
-.Pp
-Note that redirecting external incoming connections to the loopback address
-will effectively allow an external host to connect to daemons
-bound solely to the loopback address, circumventing the traditional
-blocking of such connections on a real interface.
-For example:
-.Bd -literal -offset indent
-match in on ne3 inet proto tcp to port smtp rdr-to 127.0.0.1 \e
- port spamd
-.Ed
-.Pp
-Unless this effect is desired, any of the local non-loopback addresses
-should be used instead as the redirection target, which allows external
-connections only to daemons bound to this address or not bound to
-any address.
-.Pp
-For
-.Ar nat-to
-and
-.Ar rdr-to
-options for which there is a single redirection address which has a
-subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP
-address), a variety of different methods for assigning this address can be
-used:
-.Bl -tag -width xxxx
-.It Ar bitmask
-The
-.Ar bitmask
-option applies the network portion of the redirection address to the address
-to be modified (source with
-.Ar nat-to ,
-destination with
-.Ar rdr-to ) .
-.It Ar random Op Ar sticky-address
-The
-.Ar random
-option selects an address at random within the defined block of addresses.
-.Pp
-.Ar sticky-address
-can be specified to ensure that multiple connections from the
-same source are mapped to the same redirection address.
-Associations are destroyed as soon as there are
-no longer states which refer to them;
-in order to make the mappings last
-beyond the lifetime of the states,
-increase the global options with
-.Ar set timeout src.track .
-.It Ar round-robin Op Ar sticky-address
-The
-.Ar round-robin
-option loops through the redirection address(es).
-.Ar sticky-address
-is as described above.
-.Pp
-When more than one redirection address is specified,
-.Ar round-robin
-is the only permitted pool type.
-.It Ar source-hash Op Ar key
-The
-.Ar source-hash
-option uses a hash of the source address to determine the redirection address,
-ensuring that the redirection address is always the same for a given source.
-An optional
-.Ar key
-can be specified after this keyword either in hex or as a string;
-by default
-.Xr pfctl 8
-randomly generates a key for source-hash every time the
-ruleset is reloaded.
-.It Ar static-port
-With
-.Ar nat
-rules, the
-.Ar static-port
-option prevents
-.Xr pf 4
-from modifying the source port on TCP and UDP packets.
-.El
.Sh PACKET FILTERING
.Xr pf 4
has the ability to
@@ -1493,6 +723,165 @@ block out proto { tcp, udp } all
pass out proto { tcp, udp } all user { \*(Lt 1000, dhartmei }
.Ed
.El
+.Ss Translation
+Translation options modify either the source or destination address of the
+packets associated with a stateful connection.
+A stateful connection is automatically created to track packets matching
+such a rule as long as they are not blocked by the filtering section of
+.Nm .
+The translation engine modifies the specified address and/or port in the
+packet, recalculates IP, TCP, and UDP checksums as necessary, and passes it to
+the packet filter for evaluation.
+.Pp
+Since translation occurs before filtering,
+the filter engine will see packets as they look
+after any addresses and ports have been translated.
+Filter rules will therefore have to filter based on the translated
+address and port number.
+Packets that match a translation rule are only automatically passed if the
+.Ar pass
+modifier is given,
+otherwise they are still subject to
+.Ar block
+and
+.Ar pass
+rules.
+.Pp
+The state entry created permits
+.Xr pf 4
+to keep track of the original address for traffic associated with that state
+and correctly direct return traffic for that connection.
+.Pp
+Different types of translation are possible with pf:
+.Bl -tag -width xxxxxxxx
+.It Ar nat-to
+A
+.Ar nat-to
+option specifies that IP addresses are to be changed as the packet
+traverses the given interface.
+This technique allows one or more IP addresses
+on the translating host to support network traffic for a larger range of
+machines on an "inside" network.
+Although in theory any IP address can be used on the inside, it is strongly
+recommended that one of the address ranges defined by RFC 1918 be used.
+Those netblocks are:
+.Bd -literal -offset indent
+10.0.0.0 \(en 10.255.255.255 (all of net 10, i.e. 10/8)
+172.16.0.0 \(en 172.31.255.255 (i.e. 172.16/12)
+192.168.0.0 \(en 192.168.255.255 (i.e. 192.168/16)
+.Ed
+.It Pa rdr-to
+The packet is redirected to another destination and possibly a
+different port.
+.Ar rdr-to
+can optionally specify port ranges instead of single ports.
+For instance:
+.Bl -tag -width Ds
+.It match in ... port 2000:2999 rdr-to ... port 4000
+redirects ports 2000 to 2999 (inclusive) to port 4000.
+.Pp
+.It match in ... port 2000:2999 rdr-to ... port 4000:*
+redirects port 2000 to 4000, port 2001 to 4001, ..., port 2999 to 4999.
+.El
+.El
+.Pp
+In addition to modifying the address, some translation rules may modify
+source or destination ports for TCP or UDP connections;
+implicitly in the case of
+.Ar nat-to
+options and explicitly in the case of
+.Ar rdr-to
+ones.
+.Pp
+Translation options apply only to packets that pass through the specified
+interface, and if no interface is specified, translation is applied
+to packets on all interfaces.
+For instance, redirecting port 80 on an external interface to an internal
+web server will only work for connections originating from the outside.
+Connections to the address of the external interface from local hosts will
+not be redirected, since such packets do not actually pass through the
+external interface.
+Redirections cannot reflect packets back through the interface they arrive
+on, they can only be redirected to hosts connected to different interfaces
+or to the firewall itself.
+.Pp
+Note that redirecting external incoming connections to the loopback address
+will effectively allow an external host to connect to daemons
+bound solely to the loopback address, circumventing the traditional
+blocking of such connections on a real interface.
+For example:
+.Bd -literal -offset indent
+pass on egress proto tcp from any to any port smtp \e
+ rdr-to 127.0.0.1 port spamd
+.Ed
+.Pp
+Unless this effect is desired, any of the local non-loopback addresses
+should be used instead as the redirection target, which allows external
+connections only to daemons bound to this address or not bound to
+any address.
+.Pp
+For
+.Ar nat-to
+and
+.Ar rdr-to
+options for which there is a single redirection address which has a
+subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP
+address), a variety of different methods for assigning this address can be
+used:
+.Bl -tag -width xxxx
+.It Ar bitmask
+The
+.Ar bitmask
+option applies the network portion of the redirection address to the address
+to be modified (source with
+.Ar nat-to ,
+destination with
+.Ar rdr-to ) .
+.It Ar random Op Ar sticky-address
+The
+.Ar random
+option selects an address at random within the defined block of addresses.
+.Pp
+.Ar sticky-address
+can be specified to ensure that multiple connections from the
+same source are mapped to the same redirection address.
+Associations are destroyed as soon as there are
+no longer states which refer to them;
+in order to make the mappings last
+beyond the lifetime of the states,
+increase the global options with
+.Ar set timeout src.track .
+.It Ar round-robin Op Ar sticky-address
+The
+.Ar round-robin
+option loops through the redirection address(es).
+.Ar sticky-address
+is as described above.
+.Pp
+When more than one redirection address is specified,
+.Ar round-robin
+is the only permitted pool type.
+.It Ar source-hash Op Ar key
+The
+.Ar source-hash
+option uses a hash of the source address to determine the redirection address,
+ensuring that the redirection address is always the same for a given source.
+An optional
+.Ar key
+can be specified after this keyword either in hex or as a string;
+by default
+.Xr pfctl 8
+randomly generates a key for source-hash every time the
+ruleset is reloaded.
+.It Ar static-port
+With
+.Ar nat
+rules, the
+.Ar static-port
+option prevents
+.Xr pf 4
+from modifying the source port on TCP and UDP packets.
+.El
.Ss Routing
If a packet matches a rule with one of the following route options set,
the packet filter will route the packet according to the type of route option.
@@ -1549,9 +938,617 @@ the methods
.Ar round-robin ,
and
.Ar source-hash ,
-as described above in
-.Sx TRANSLATION ,
+as described above,
can be used.
+.Sh OPTIONS
+.Xr pf 4
+may be tuned for various situations using the
+.Ar set
+command.
+.Bl -tag -width Ds
+.It Ar set block-policy
+The
+.Ar block-policy
+option sets the default behaviour for the packet
+.Ar block
+action:
+.Pp
+.Bl -tag -width xxxxxxxx -compact
+.It Ar drop
+Packet is silently dropped.
+.It Ar return
+A TCP RST is returned for blocked TCP packets,
+an ICMP UNREACHABLE is returned for blocked UDP packets,
+and all other packets are silently dropped.
+.El
+.It Ar set debug
+Set the debug
+.Ar level
+to one of the following:
+.Pp
+.Bl -tag -width xxxxxxxx -compact
+.It Ar loud
+Generate debug messages for common conditions.
+.It Ar misc
+Generate debug messages for various errors.
+.It Ar none
+Don't generate debug messages.
+.It Ar urgent
+Generate debug messages only for serious errors.
+.El
+.It Ar set fingerprints
+Load fingerprints of known operating systems from the given filename.
+By default fingerprints of known operating systems are automatically
+loaded from
+.Xr pf.os 5 ,
+but can be overridden via this option.
+Setting this option may leave a small period of time where the fingerprints
+referenced by the currently active ruleset are inconsistent until the new
+ruleset finishes loading.
+.It Ar set hostid
+The 32-bit
+.Ar hostid
+identifies this firewall's state table entries to other firewalls
+in a
+.Xr pfsync 4
+failover cluster.
+By default the hostid is set to a pseudo-random value, however it may be
+desirable to manually configure it, for example to more easily identify the
+source of state table entries.
+The hostid may be specified in either decimal or hexadecimal.
+.It Ar set limit
+Sets hard limits on the memory pools used by the packet filter.
+See
+.Xr pool 9
+for an explanation of memory pools.
+.Pp
+For example,
+to set the maximum number of entries in the memory pool used by state table
+entries (generated by
+.Ar pass
+rules which do not specify
+.Ar no state )
+to 20000:
+.Pp
+.Dl set limit states 20000
+.Pp
+To set the maximum number of entries in the memory pool used for fragment
+reassembly to 20000:
+.Pp
+.Dl set limit frags 20000
+.Pp
+To set the maximum number of entries in the memory pool used for tracking
+source IP addresses (generated by the
+.Ar sticky-address
+and
+.Ar src.track
+options) to 2000:
+.Pp
+.Dl set limit src-nodes 2000
+.Pp
+To set limits on the memory pools used by tables:
+.Bd -literal -offset indent
+set limit tables 1000
+set limit table-entries 100000
+.Ed
+.Pp
+The first limits the number of tables that can exist to 1000.
+The second limits the overall number of addresses that can be stored
+in tables to 100000.
+.Pp
+Various limits can be combined on a single line:
+.Bd -literal -offset indent
+set limit { states 20000, frags 20000, src-nodes 2000 }
+.Ed
+.It Ar set loginterface
+Enable collection of packet and byte count statistics for the given
+interface or interface group.
+These statistics can be viewed using:
+.Pp
+.Dl # pfctl -s info
+.Pp
+In this example
+.Xr pf 4
+collects statistics on the interface named dc0:
+.Pp
+.Dl set loginterface dc0
+.Pp
+One can disable the loginterface using:
+.Pp
+.Dl set loginterface none
+.It Ar set optimization
+Optimize state timeouts for one of the following network environments:
+.Pp
+.Bl -tag -width Ds -compact
+.It Ar aggressive
+Aggressively expire connections.
+This can greatly reduce the memory usage of the firewall at the cost of
+dropping idle connections early.
+.It Ar conservative
+Extremely conservative settings.
+Avoid dropping legitimate connections at the
+expense of greater memory utilization (possibly much greater on a busy
+network) and slightly increased processor utilization.
+.It Ar high-latency
+A high-latency environment (such as a satellite connection).
+.It Ar normal
+A normal network environment.
+Suitable for almost all networks.
+.It Ar satellite
+Alias for
+.Ar high-latency .
+.El
+.It Ar set reassemble
+The
+.Ar reassemble
+option turns reassembly of fragmented packets on or off.
+If
+.Ar no-df
+is given, fragments with the
+.Ar dont-fragment
+bit set have it cleared before entering the fragment cache,
+and thus the reassembled packet doesn't have
+.Ar dont-fragment
+set either.
+Setting this option does not affect non-fragmented packets.
+Fragment reassembly is turned on by default.
+.It Ar set require-order
+If set to
+.Ar yes ,
+.Xr pfctl 8
+will enforce that statement types in the ruleset are listed in the
+following order, to match the operation of the underlying packet
+filtering engine:
+.Em options ,
+.Em queueing ,
+.Em translation ,
+.Em filtering .
+This option is disabled by default.
+.It Ar set ruleset-optimization
+.Bl -tag -width xxxxxxxx -compact
+.It Ar basic
+Enable basic ruleset optimization.
+This is the default behaviour.
+Basic ruleset optimization does four things to improve the
+performance of ruleset evaluations:
+.Pp
+.Bl -enum -compact
+.It
+remove duplicate rules
+.It
+remove rules that are a subset of another rule
+.It
+combine multiple rules into a table when advantageous
+.It
+re-order the rules to improve evaluation performance
+.El
+.It Ar none
+Disable the ruleset optimizer.
+.It Ar profile
+Uses the currently loaded ruleset as a feedback profile to tailor the
+ordering of quick rules to actual network traffic.
+.El
+.Pp
+It is important to note that the ruleset optimizer will modify the ruleset
+to improve performance.
+A side effect of the ruleset modification is that per-rule accounting
+statistics will have different meanings than before.
+If per-rule accounting is important for billing purposes or whatnot,
+either the ruleset optimizer should not be used or a label field should
+be added to all of the accounting rules to act as optimization barriers.
+.Pp
+Optimization can also be set as a command-line argument to
+.Xr pfctl 8 ,
+overriding the settings in
+.Nm .
+.It Ar set skip on Aq Ar ifspec
+List interfaces for which packets should not be filtered.
+Packets passing in or out on such interfaces are passed as if pf was
+disabled, i.e. pf does not process them in any way.
+This can be useful on loopback and other virtual interfaces, when
+packet filtering is not desired and can have unexpected effects.
+.It Ar set state-defaults
+The
+.Ar state-defaults
+option sets the state options for states created from rules
+without an explicit
+.Ar keep state .
+For example:
+.Pp
+.Dl set state-defaults pflow, no-sync
+.It Ar set state-policy
+The
+.Ar state-policy
+option sets the default behaviour for states:
+.Pp
+.Bl -tag -width if-bound -compact
+.It Ar if-bound
+States are bound to interface.
+.It Ar floating
+States can match packets on any interfaces (the default).
+.El
+.It Ar set timeout
+.Pp
+.Bl -tag -width "src.track" -compact
+.It Ar frag
+Seconds before an unassembled fragment is expired.
+.It Ar interval
+Interval between purging expired states and fragments.
+.It Ar src.track
+Length of time to retain a source tracking entry after the last state
+expires.
+.El
+.Pp
+When a packet matches a stateful connection, the seconds to live for the
+connection will be updated to that of the
+protocol and modifier
+which corresponds to the connection state.
+Each packet which matches this state will reset the TTL.
+Tuning these values may improve the performance of the
+firewall at the risk of dropping valid idle connections.
+.Pp
+.Bl -tag -width Ds -compact
+.It Ar tcp.closed
+The state after one endpoint sends an RST.
+.It Ar tcp.closing
+The state after the first FIN has been sent.
+.It Ar tcp.established
+The fully established state.
+.It Ar tcp.finwait
+The state after both FINs have been exchanged and the connection is closed.
+Some hosts (notably web servers on Solaris) send TCP packets even after closing
+the connection.
+Increasing
+.Ar tcp.finwait
+(and possibly
+.Ar tcp.closing )
+can prevent blocking of such packets.
+.It Ar tcp.first
+The state after the first packet.
+.It Ar tcp.opening
+The state before the destination host ever sends a packet.
+.El
+.Pp
+ICMP and UDP are handled in a fashion similar to TCP, but with a much more
+limited set of states:
+.Pp
+.Bl -tag -width Ds -compact
+.It Ar icmp.error
+The state after an ICMP error came back in response to an ICMP packet.
+.It Ar icmp.first
+The state after the first packet.
+.It Ar udp.first
+The state after the first packet.
+.It Ar udp.multiple
+The state if both hosts have sent packets.
+.It Ar udp.single
+The state if the source host sends more than one packet but the destination
+host has never sent one back.
+.El
+.Pp
+Other protocols are handled similarly to UDP:
+.Pp
+.Bl -tag -width xxxx -compact
+.It Ar other.first
+.It Ar other.multiple
+.It Ar other.single
+.El
+.Pp
+Timeout values can be reduced adaptively as the number of state table
+entries grows.
+.Pp
+.Bl -tag -width Ds -compact
+.It Ar adaptive.end
+When reaching this number of state entries, all timeout values become
+zero, effectively purging all state entries immediately.
+This value is used to define the scale factor; it should not actually
+be reached (set a lower state limit, see below).
+.It Ar adaptive.start
+When the number of state entries exceeds this value, adaptive scaling
+begins.
+All timeout values are scaled linearly with factor
+(adaptive.end \- number of states) / (adaptive.end \- adaptive.start).
+.El
+.Pp
+Adaptive timeouts are enabled by default, with an adaptive.start value
+equal to 60% of the state limit, and an adaptive.end value equal to
+120% of the state limit.
+They can be disabled by setting both adaptive.start and adaptive.end to 0.
+.Pp
+The adaptive timeout values can be defined both globally and for each rule.
+When used on a per-rule basis, the values relate to the number of
+states created by the rule, otherwise to the total number of
+states.
+.Pp
+For example:
+.Bd -literal -offset indent
+set timeout tcp.first 120
+set timeout tcp.established 86400
+set timeout { adaptive.start 6000, adaptive.end 12000 }
+set limit states 10000
+.Ed
+.Pp
+With 9000 state table entries, the timeout values are scaled to 50%
+(tcp.first 60, tcp.established 43200).
+.El
+.Sh QUEUEING
+Packets can be assigned to queues for the purpose of bandwidth
+control.
+At least two declarations are required to configure queues, and later
+any packet filtering rule can reference the defined queues by name.
+During the filtering component of
+.Nm ,
+the last referenced
+.Ar queue
+name is where any packets from
+.Ar pass
+rules will be queued, while for
+.Ar block
+rules it specifies where any resulting ICMP or TCP RST
+packets should be queued.
+The
+.Em scheduler
+defines the algorithm used to decide which packets get delayed, dropped, or
+sent out immediately.
+There are three schedulers currently supported:
+.Bl -tag -width xxxx
+.It Ar cbq
+Class Based Queueing.
+Queues attached to an interface build a tree,
+thus each queue can have further child queues.
+Each queue can have a
+.Ar priority
+and a
+.Ar bandwidth
+assigned.
+Priority mainly controls the time packets take to get sent out,
+while bandwidth has primarily effects on throughput.
+.Ar cbq
+achieves both partitioning and sharing of link bandwidth
+by hierarchically structured classes.
+Each class has its own queue
+and is assigned its share of bandwidth.
+A child class can borrow bandwidth from its parent class
+as long as excess bandwidth is available
+(see the option
+.Ar borrow ,
+below).
+.It Ar hfsc
+Hierarchical Fair Service Curve.
+Queues attached to an interface build a tree,
+thus each queue can have further child queues.
+Each queue can have a
+.Ar priority
+and a
+.Ar bandwidth
+assigned.
+Priority mainly controls the time packets take to get sent out,
+while bandwidth primarily affects throughput.
+.Ar hfsc
+supports both link-sharing and guaranteed real-time services.
+It employs a service curve based QoS model,
+and its unique feature is an ability to decouple
+delay and bandwidth allocation.
+.It Ar priq
+Priority Queueing.
+Queues are flat attached to the interface,
+thus queues cannot have further child queues.
+Each queue has a unique
+.Ar priority
+assigned, ranging from 0 to 15.
+Packets in the queue with the highest priority are processed first.
+.El
+.Pp
+The interfaces on which queueing should be activated are declared using
+the
+.Ar altq on
+declaration.
+.Ar altq on
+has the following keywords:
+.Bl -tag -width xxxx
+.It Aq Ar interface
+Queueing is enabled on the named interface.
+.It Aq Ar scheduler
+Specifies which queueing scheduler to use.
+.It Ar bandwidth Aq Ar bw
+The maximum bitrate for all queues on an
+interface may be specified using the
+.Ar bandwidth
+keyword.
+The value can be specified as an absolute value or as a
+percentage of the interface bandwidth.
+When using an absolute value, the suffixes
+.Ar b ,
+.Ar Kb ,
+.Ar Mb ,
+and
+.Ar Gb
+are used to represent bits, kilobits, megabits, and
+gigabits per second, respectively.
+The value must not exceed the interface bandwidth.
+If
+.Ar bandwidth
+is not specified, the interface bandwidth is used
+(but take note that some interfaces do not know their bandwidth,
+or can adapt their bandwidth rates).
+.It Ar qlimit Aq Ar limit
+The maximum number of packets held in the queue.
+The default is 50.
+.It Ar tbrsize Aq Ar size
+Adjusts the size, in bytes, of the token bucket regulator.
+If not specified, heuristics based on the
+interface bandwidth are used to determine the size.
+.It Ar queue Aq Ar list
+Defines a list of subqueues to create on an interface.
+.El
+.Pp
+In the following example, the interface dc0
+should queue up to 5Mbps in four second-level queues using
+Class Based Queueing.
+Those four queues will be shown in a later example.
+.Bd -literal -offset indent
+altq on dc0 cbq bandwidth 5Mb queue { std, http, mail, ssh }
+.Ed
+.Pp
+Once interfaces are activated for queueing using the
+.Ar altq
+directive, a sequence of
+.Ar queue
+directives may be defined.
+The name associated with a queue
+must match a queue defined in the altq
+directive or, except for the
+.Ar priq
+scheduler, in a parent queue declaration.
+The following keywords can be used:
+.Bl -tag -width xxxx
+.It Ar on Aq Ar interface
+Specifies the interface the queue operates on.
+If not given, it operates on all matching interfaces.
+.It Ar bandwidth Aq Ar bw
+Specifies the maximum bitrate to be processed by the queue.
+This value must not exceed the value of the parent
+.Ar queue
+and can be specified as an absolute value or a percentage of the parent
+queue's bandwidth.
+If not specified, defaults to 100% of the parent queue's bandwidth.
+The
+.Ar priq
+scheduler does not support bandwidth specification.
+.It Ar priority Aq Ar level
+Between queues a priority level can be set.
+For
+.Ar cbq
+and
+.Ar hfsc ,
+the range is 0 to 7 and for
+.Ar priq ,
+the range is 0 to 15.
+The default for all is 1.
+.Ar priq
+queues with a higher priority are always served first.
+.Ar cbq
+and
+.Ar hfsc
+queues with a higher priority are preferred in the case of overload.
+.It Ar qlimit Aq Ar limit
+The maximum number of packets held in the queue.
+The default is 50.
+.El
+.Pp
+The scheduler can specify additional parameters using the format
+.Ar scheduler Ns Pq Ar parameters .
+The parameters are:
+.Bl -tag -width Fl
+.It Ar default
+Packets not matched by another queue are assigned to this one.
+Exactly one default queue is required.
+.It Ar ecn
+Enables Explicit Congestion Notification (ECN) on this queue.
+ECN implies RED.
+.It Ar red
+Enables Random Early Detection (RED) on this queue.
+RED drops packets with a probability proportional to the average
+queue length.
+.\" .It Ar rio
+.\" Enables RIO on this queue.
+.\" RIO is RED with IN/OUT, thus running
+.\" RED two times more than RIO would achieve the same effect.
+.El
+.Pp
+The
+.Ar cbq
+scheduler supports an additional option:
+.Pp
+.Bl -tag -width "upperlimit XXXXXXX" -compact -offset 3n
+.It Ar borrow
+The queue can borrow bandwidth from the parent.
+.El
+.Pp
+The
+.Ar hfsc
+scheduler supports some additional options:
+.Pp
+.Bl -tag -width "upperlimit XXXXXXX" -compact -offset 3n
+.It Ar linkshare Aq Ar sc
+The bandwidth share of a backlogged queue.
+.It Ar realtime Aq Ar sc
+The minimum required bandwidth for the queue.
+.It Ar upperlimit Aq Ar sc
+The maximum allowed bandwidth for the queue.
+.El
+.Pp
+.Aq Ar sc
+is an abbreviation for
+.Ar service curve .
+.Pp
+The format for service curve specifications is
+.Ar ( m1 , d , m2 ) .
+.Ar m2
+controls the bandwidth assigned to the queue.
+.Ar m1
+and
+.Ar d
+are optional and can be used to control the initial bandwidth assignment.
+For the first
+.Ar d
+milliseconds the queue gets the bandwidth given as
+.Ar m1 ,
+afterwards the value given in
+.Ar m2 .
+.Pp
+Furthermore, with
+.Ar cbq
+and
+.Ar hfsc ,
+child queues can be specified as in an
+.Ar altq
+declaration, thus building a tree of queues using a part of
+their parent's bandwidth.
+.Pp
+Packets can be assigned to queues based on filter rules by using the
+.Ar queue
+keyword.
+Normally only one
+.Ar queue
+is specified; when a second one is specified it will instead be used for
+packets which have a TOS of
+.Ar lowdelay
+and for TCP ACKs with no data payload.
+.Pp
+To continue the previous example, the examples below would specify the
+four referenced
+queues, plus a few child queues.
+Interactive
+.Xr ssh 1
+sessions get priority over bulk transfers like
+.Xr scp 1
+and
+.Xr sftp 1 .
+The queues may then be referenced by filtering rules (see
+.Sx PACKET FILTERING ,
+above).
+.Bd -literal -offset 4n
+queue std bandwidth 10% cbq(default)
+queue http bandwidth 60% priority 2 cbq(borrow red) \e
+ { employees, developers }
+queue developers bandwidth 75% cbq(borrow)
+queue employees bandwidth 15%
+queue mail bandwidth 10% priority 0 cbq(borrow ecn)
+queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
+queue ssh_interactive bandwidth 50% priority 7 cbq(borrow)
+queue ssh_bulk bandwidth 50% priority 0 cbq(borrow)
+
+block return out on dc0 inet all queue std
+pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e
+ queue developers
+pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e
+ queue employees
+pass out on dc0 inet proto tcp from any to any port 22 \e
+ queue(ssh_bulk, ssh_interactive)
+pass out on dc0 inet proto tcp from any to any port 25 \e
+ queue mail
+.Ed
.Sh TABLES
Tables are named structures which can hold a collection of addresses and
networks.
@@ -2386,84 +2383,7 @@ appear as any operating system he chooses;
an operating system patch could change the stack behavior and no fingerprints
will match it until the database is updated;
and multiple operating systems may have the same fingerprint.
-.Sh TRANSLATION EXAMPLES
-This example maps incoming requests on port 80 to port 8080, on
-which a daemon is running (because, for example, it is not run as root,
-and therefore lacks permission to bind to port 80).
-.Bd -literal -offset 4n
-match in on $ext_if proto tcp from any to any port 80 \e
- rdr-to 127.0.0.1 port 8080
-.Ed
-.Pp
-If the
-.Ar pass
-modifier is given, packets matching the translation rule are passed without
-inspecting the filter rules.
-.Bd -literal -offset 4n
-match in on $ext_if proto tcp from any to any port 80 \e
- rdr-to 127.0.0.1 port 8080
-.Ed
-.Pp
-In the example below, vlan12 is configured as 192.168.168.1;
-the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111
-when they are going out any interface except vlan12.
-This has the net effect of making traffic from the 192.168.168.0/24
-network appear as though it is the Internet routable address
-204.92.77.111 to nodes behind any interface on the router except
-for the nodes on vlan12.
-Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.
-.Bd -literal -offset 4n
-match out on ! vlan12 from 192.168.168.0/24 to any nat-to 204.92.77.111
-.Ed
-.Pp
-In the example below, the machine sits between a fake internal
-144.19.74.* network, and a routable external IP of 204.92.77.100.
-The last rule excludes protocol AH from being translated.
-.Bd -literal -offset 4n
-pass out on $ext_if from 144.19.74.0/24 nat-to 204.92.77.100
-pass out on $ext_if proto ah from 144.19.74.0/24
-.Ed
-.Pp
-In the example below, packets bound for one specific server, as well as those
-generated by the sysadmins are not proxied; all other connections are.
-.Bd -literal -offset 4n
-match in on $int_if proto { tcp, udp } from any to any port 80 \e
- rdr-to 127.0.0.1 port 80
-pass in on $int_if proto { tcp, udp } from any to $server port 80
-pass in on $int_if proto { tcp, udp } from $sysadmins to any port 80
-.Ed
-.Pp
-This example maps outgoing packets' source port
-to an assigned proxy port instead of an arbitrary port.
-In this case, proxy outgoing isakmp with port 500 on the gateway.
-.Bd -literal -offset 4n
-match out on $ext_if inet proto udp from any port isakmp to any \e
- nat-to ($ext_if) port 500
-.Ed
-.Pp
-One more example uses
-.Ar rdr-to
-to redirect a TCP and UDP port to an internal machine.
-.Bd -literal -offset 4n
-match in on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e
- rdr-to 10.1.2.151 port 22
-match in on $ext_if inet proto udp from any to ($ext_if) port 8080 \e
- rdr-to 10.1.2.151 port 53
-.Ed
-.Pp
-In this example, a NAT gateway is set up to translate internal addresses
-using a pool of public addresses (192.0.2.16/28).
-A given source address is always translated to the same pool address by
-using the source-hash keyword.
-The gateway also translates incoming web server connections
-to a group of web servers on the internal network.
-.Bd -literal -offset 4n
-match out on $ext_if inet from any to any nat-to 192.0.2.16/28 \e
- source-hash
-match in on $ext_if proto tcp from any to any port 80 \e
- rdr-to { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
-.Ed
-.Sh FILTER EXAMPLES
+.Sh EXAMPLES
In this example,
the external interface is kue0.
We use a macro for the interface name, so it can be changed easily.
@@ -2556,6 +2476,83 @@ match in on $ext_if inet proto tcp from \*(Ltspammers\*(Gt to port smtp \e
block in on $ext_if
pass in on $ext_if inet proto tcp tagged SPAMD
.Ed
+.Pp
+This example maps incoming requests on port 80 to port 8080, on
+which a daemon is running (because, for example, it is not run as root,
+and therefore lacks permission to bind to port 80).
+.Bd -literal -offset 4n
+match in on $ext_if proto tcp from any to any port 80 \e
+ rdr-to 127.0.0.1 port 8080
+.Ed
+.Pp
+If the
+.Ar pass
+modifier is given, packets matching the translation rule are passed without
+inspecting the filter rules.
+.Bd -literal -offset 4n
+match in on $ext_if proto tcp from any to any port 80 \e
+ rdr-to 127.0.0.1 port 8080
+.Ed
+.Pp
+In the example below, vlan12 is configured as 192.168.168.1;
+the machine translates all packets coming from 192.168.168.0/24 to 204.92.77.111
+when they are going out any interface except vlan12.
+This has the net effect of making traffic from the 192.168.168.0/24
+network appear as though it is the Internet routable address
+204.92.77.111 to nodes behind any interface on the router except
+for the nodes on vlan12.
+Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.
+.Bd -literal -offset 4n
+match out on ! vlan12 from 192.168.168.0/24 to any nat-to 204.92.77.111
+.Ed
+.Pp
+In the example below, the machine sits between a fake internal
+144.19.74.* network, and a routable external IP of 204.92.77.100.
+The last rule excludes protocol AH from being translated.
+.Bd -literal -offset 4n
+pass out on $ext_if from 144.19.74.0/24 nat-to 204.92.77.100
+pass out on $ext_if proto ah from 144.19.74.0/24
+.Ed
+.Pp
+In the example below, packets bound for one specific server, as well as those
+generated by the sysadmins are not proxied; all other connections are.
+.Bd -literal -offset 4n
+match in on $int_if proto { tcp, udp } from any to any port 80 \e
+ rdr-to 127.0.0.1 port 80
+pass in on $int_if proto { tcp, udp } from any to $server port 80
+pass in on $int_if proto { tcp, udp } from $sysadmins to any port 80
+.Ed
+.Pp
+This example maps outgoing packets' source port
+to an assigned proxy port instead of an arbitrary port.
+In this case, proxy outgoing isakmp with port 500 on the gateway.
+.Bd -literal -offset 4n
+match out on $ext_if inet proto udp from any port isakmp to any \e
+ nat-to ($ext_if) port 500
+.Ed
+.Pp
+One more example uses
+.Ar rdr-to
+to redirect a TCP and UDP port to an internal machine.
+.Bd -literal -offset 4n
+match in on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e
+ rdr-to 10.1.2.151 port 22
+match in on $ext_if inet proto udp from any to ($ext_if) port 8080 \e
+ rdr-to 10.1.2.151 port 53
+.Ed
+.Pp
+In this example, a NAT gateway is set up to translate internal addresses
+using a pool of public addresses (192.0.2.16/28).
+A given source address is always translated to the same pool address by
+using the source-hash keyword.
+The gateway also translates incoming web server connections
+to a group of web servers on the internal network.
+.Bd -literal -offset 4n
+match out on $ext_if inet from any to any nat-to 192.0.2.16/28 \e
+ source-hash
+match in on $ext_if proto tcp from any to any port 80 \e
+ rdr-to { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
+.Ed
.Sh GRAMMAR
Syntax for
.Nm
@@ -2601,8 +2598,8 @@ filteropt = user | group | flags | icmp-type | icmp6-type |
"rdr-to" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] |
"nat-to" ( redirhost | "{" redirhost-list "}" )
- [ portspec ] [ pooltype ] [ "static-port" ]
- [ "fastroute" | route ]
+ [ portspec ] [ pooltype ] [ "static-port" ]
+ [ "fastroute" | route ]
scrubopts = scrubopt [ [ "," ] scrubopts ]
scrubopt = "no-df" | "min-ttl" number | "max-mss" number |