summaryrefslogtreecommitdiff
path: root/share/man/man5/pf.conf.5
diff options
context:
space:
mode:
authorJason McIntyre <jmc@cvs.openbsd.org>2003-03-10 09:27:48 +0000
committerJason McIntyre <jmc@cvs.openbsd.org>2003-03-10 09:27:48 +0000
commite26366db5fca1e363f9cf9050a6dc031fd8ef0f1 (patch)
treebfa9993a436b2cdbd8f14a48a5633d31ceea48ee /share/man/man5/pf.conf.5
parent6dec9611d637212b8c98c39ef041a615592998fd (diff)
removal of .Ic for examples.
this was messing the postscript output.
Diffstat (limited to 'share/man/man5/pf.conf.5')
-rw-r--r--share/man/man5/pf.conf.5539
1 files changed, 144 insertions, 395 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 907f9c716b2..c0eb1fec020 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.210 2003/03/09 22:02:45 frantzen Exp $
+.\" $OpenBSD: pf.conf.5,v 1.211 2003/03/10 09:27:47 jmc Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -98,14 +98,10 @@ Macros are not expanded inside quotes.
For example,
.Pp
.Bd -literal -offset indent
-.Ic ext_if = \&"kue0\&"
-.Ic all_ifs = \&"{\&" $ext_if lo0 \&"}\&"
-.Xo Ic pass out on $ext_if from any\
-.Ic to any keep state
-.Xc
-.Xo Ic pass in \ on $ext_if proto tcp\
-.Ic from any to any port 25 keep state
-.Xc
+ext_if = \&"kue0\&"
+all_ifs = \&"{\&" $ext_if lo0 \&"}\&"
+pass out on $ext_if from any to any keep state
+pass in \ on $ext_if proto tcp from any to any port 25 keep state
.Ed
.Pp
.Sh TABLES
@@ -185,11 +181,9 @@ when running with
.Pp
For example,
.Bd -literal -offset indent
-.Ic table <private> const { 10/8, 172.16/12, 192.168/16 }
-.Ic table <badhosts> persist
-.Xo Ic block on fxp0 from { <private>, <badhosts> }\
-.Ic to any
-.Xc
+table <private> const { 10/8, 172.16/12, 192.168/16 }
+table <badhosts> persist
+block on fxp0 from { <private>, <badhosts> } to any
.Ed
.Pp
creates a table called private, and then blocks all traffic coming from
@@ -197,9 +191,7 @@ RFC 1918 style private network blocks.
Later, addresses may be added to the rule with the following commands, so that
traffic from these hosts can be dropped:
.Bd -literal -offset indent
-.Xo Ic # pfctl -t badhosts -Tadd\
-.Ic 204.92.77.111
-.Xc
+# pfctl -t badhosts -Tadd 204.92.77.111
.Ed
.Pp
When no active rules which refer to the badhosts table exist (such as when the
@@ -210,10 +202,8 @@ keyword ensures that the table will not be lost.
A table can also be initialized with an address list specified in one or more
external files, using the following syntax:
.Bd -literal -offset indent
-.Ic table <spam> persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
-.Xo Ic block on fxp0 from <spam>\
-.Ic to any
-.Xc
+table <spam> persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
+block on fxp0 from <spam> to any
.Ed
.Pp
In addition to being specified by IP address, hosts may also be specified
@@ -300,29 +290,27 @@ Other protocols are handled similarly to UDP:
For example:
.br
.Bd -literal -offset indent
-.Ic set timeout tcp.established 3600
-.Xo Ic set timeout { tcp.opening 30,\
-.Ic tcp.closing 900 }
-.Xc
+set timeout tcp.established 3600
+set timeout { tcp.opening 30, tcp.closing 900 }
.Ed
.Pp
.It Ar set loginterface
Enable collection of packet and byte count statistics for the given interface.
These statistics can be viewed using
.Bd -literal -offset indent
-.Ic # pfctl -s info
+# pfctl -s info
.Ed
.Pp
In this example
.Xr pf 4
collects statistics on the interface named dc0:
.Bd -literal -offset indent
-.Ic set loginterface dc0
+set loginterface dc0
.Ed
.Pp
One can disable the loginterface using:
.Bd -literal -offset indent
-.Ic set loginterface none
+set loginterface none
.Ed
.Pp
.It Ar set limit
@@ -333,7 +321,7 @@ for an explanation of memory pools.
.Pp
For example,
.Bd -literal -offset indent
-.Ic set limit states 20000
+set limit states 20000
.Ed
.Pp
sets the maximum number of entries in the memory pool used by state table
@@ -341,7 +329,7 @@ entries (generated by
.Ar keep state
rules) to 20000.
.Bd -literal -offset indent
-.Ic set limit frags 20000
+set limit frags 20000
.Ed
.Pp
sets the maximum number of entries in the memory pool used for fragment
@@ -351,9 +339,7 @@ rules) to 20000.
.Pp
These can be combined:
.Bd -literal -offset indent
-.Xo Ic set limit { states 20000,\
-.Ic frags 20000 }
-.Xc
+set limit { states 20000, frags 20000 }
.Ed
.Pp
.It Ar set optimization
@@ -382,9 +368,7 @@ network) and slightly increased processor utilization.
For example:
.Pp
.Bd -literal -offset indent
-.Xo Ic set optimization\
-.Ic aggressive
-.Xc
+set optimization aggressive
.Ed
.Pp
.It Ar set block-policy
@@ -406,11 +390,8 @@ and all other packets are silently dropped.
For example:
.Pp
.Bd -literal -offset indent
-.Xo Ic set block-policy\
-.Ic return
-.Xc
+set block-policy return
.Ed
-.Pp
.It Ar set require-order
By default
.Xr pfctl 8
@@ -448,7 +429,7 @@ Clears the
bit from a matching ip packet.
Some operating systems are known to generate fragmented packets with the
.Ar dont-fragment
-bit set. This is particularly true with NFS.
+bit set. This is particularly true with NFS.
.Ar Scrub
will drop such fragmented
.Ar dont-fragment
@@ -518,11 +499,8 @@ dropped as well.
.Pp
For example,
.Bd -literal -offset indent
-.Xo Ic scrub in on $ext_if all\
-.Ic fragment reassemble
-.Xc
+scrub in on $ext_if all fragment reassemble
.Ed
-.Pp
.Sh QUEUEING
Packets can be assigned to queues for the purpose of bandwidth
control.
@@ -610,11 +588,7 @@ should queue up to 5 Mbit/s in four second-level queues using
.Ar cbq .
Those four queues will be shown in a later example.
.Bd -literal -offset indent
-.Xo Ic altq on dc0 cbq bandwidth 5Mb\
-.Xo Ic queue { std, http, mail,\
-.Ic ssh }
-.Xc
-.Xc
+altq on dc0 cbq bandwidth 5Mb queue { std, http, mail, ssh }
.Ed
.Pp
Once interfaces are activated for queueing using the
@@ -715,56 +689,25 @@ The queues may then be referenced by filtering rules (see
below).
.Pp
.Bd -literal
-.Xo Ic queue std bandwidth\
-.Ic 10% cbq(default)
-.Xc
-.Xo Ic queue http bandwidth 60%\
-.Ic priority 2 cbq(borrow red) \e
-.Xc
-.Xo Ic \ \ { employees,\
-.Ic developers }
-.Xc
-.Xo Ic queue \ developers bandwidth\
-.Ic 75% cbq(borrow)
-.Xc
-.Xo Ic queue \ employees\
-.Ic bandwidth 15%
-.Xc
-.Xo Ic queue mail bandwidth 10%\
-.Ic priority 0 cbq(borrow ecn)
-.Xc
-.Xo Ic queue ssh bandwidth 20%\
-.Ic cbq(borrow) { ssh_interactive,\
-.Ic ssh_bulk }
-.Xc
-.Xo Ic queue \ ssh_interactive\
-.Ic priority 7
-.Xc
-.Xo Ic queue \ ssh_bulk\
-.Ic priority 0
-.Xc
-.Pp
-.Xo Ic block return out on\
-.Ic dc0 inet all queue std
-.Xc
-.Xo Ic pass out on dc0 inet proto tcp from\
-.Ic $developerhosts to any port 80 \e
-.Xc
-.Ic \ \ keep state queue developers
-.Xo Ic pass out on dc0 inet proto tcp from\
-.Ic $employeehosts to any port 80 \e
-.Xc
-.Ic \ \ keep state queue employees
-.Xo Ic pass out on dc0 inet proto tcp from\
-.Ic any to any port 22 \e
-.Xc
-.Ic \ \ keep state queue(ssh_bulk, ssh_interactive)
-.Xo Ic pass out on dc0 inet proto tcp from\
-.Ic any to any port 25 \e
-.Xc
-.Xo Ic \ \ keep state\
-.Ic queue mail
-.Xc
+queue std bandwidth 10% cbq(default)
+queue http bandwidth 60% priority 2 cbq(borrow red) \e
+ { employees, developers }
+queue \ developers bandwidth 75% cbq(borrow)
+queue \ employees bandwidth 15%
+queue mail bandwidth 10% priority 0 cbq(borrow ecn)
+queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
+queue \ ssh_interactive priority 7
+queue \ ssh_bulk priority 0
+.Pp
+block return out on dc0 inet all queue std
+pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e
+ keep state queue developers
+pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e
+ keep state queue employees
+pass out on dc0 inet proto tcp from any to any port 22 \e
+ keep state queue(ssh_bulk, ssh_interactive)
+pass out on dc0 inet proto tcp from any to any port 25 \e
+ keep state queue mail
.Ed
.Pp
.Sh TRANSLATION
@@ -801,25 +744,18 @@ Although in theory any IP address can be used on the inside, it is strongly
recommended that one of the address ranges defined by RFC 1918 be used.
These netblocks are:
.Bd -literal
-.Xo Ic 10.0.0.0 - 10.255.255.255\
-.Ic (all of net 10, i.e.,\
-.Ic 10/8)
-.Xc
-.Xo Ic 172.16.0.0 - 172.31.255.255\
-.Ic (i.e., 172.16/12)
-.Xc
-.Xo Ic 192.168.0.0 - 192.168.255.255\
-.Ic (i.e., 192.168/16)
-.Xc
+10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8)
+172.16.0.0 - 172.31.255.255 (i.e., 172.16/12)
+192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
.Ed
.It Pa rdr
The packet is redirected to another destination and possibly a
different port.
.Ar rdr
rules can optionally specify port ranges instead of single ports.
-.Ic rdr ... port 2000:2999 -> ... port 4000
+rdr ... port 2000:2999 -> ... port 4000
redirects ports 2000 to 2999 (inclusive) to port 4000.
-.Ic rdr ... port 2000:2999 -> ... port 4000:*
+rdr ... port 2000:2999 -> ... port 4000:*
redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999.
.El
.Pp
@@ -868,9 +804,7 @@ or to the firewall itself.
Note that redirecting external incoming connections to the loopback
address, as in
.Bd -literal -offset indent
-.Xo Ic rdr on ne3 inet proto tcp\
-.Ic to port 8025 -> 127.0.0.1 port 25
-.Xc
+rdr on ne3 inet proto tcp to port 8025 -> 127.0.0.1 port 25
.Ed
.Pp
will effectively allow an external host to connect to daemons
@@ -920,7 +854,7 @@ explicit either globally, by setting the
option, or on a per-rule basis with one of the following options:
.Pp
.Bl -tag -width xxxx -compact
-.It Ar drop
+.It Ar drop
The packet is silently dropped.
.It Ar return-rst
This applies only to
@@ -948,9 +882,7 @@ If no rule matches the packet, the default action is
To block everything by default and only pass packets
that match explicit rules, one uses
.Bd -literal -offset indent
-.Xo Ic block\
-.Ic all
-.Xc
+block all
.Ed
.Pp
as the first filter rule.
@@ -998,7 +930,7 @@ binary format.
Used with
.Ar keep state
or
-.Ar modulate state
+.Ar modulate state
rules to force logging of all packets for a connection.
As with
.Ar log ,
@@ -1078,35 +1010,17 @@ see the file
.Pp
Ports and ranges of ports are specified by using these operators:
.Bd -literal -offset indent
-.Xo Cm = Li\
-.Cm \ (equal)
-.Xc
-.Xo Cm != Li\
-.Cm \ (unequal)
-.Xc
-.Xo Cm < Li\
-.Cm \ (less than)
-.Xc
-.Xo Cm <= Li\
-.Cm \ (less than or equal)
-.Xc
-.Xo Cm > Li\
-.Cm \ (greater than)
-.Xc
-.Xo Cm >= Li\
-.Cm \ (greater than or equal)
-.Xc
-.Xo Cm >< Li\
-.Cm \ (range)
-.Xc
-.Xo Cm <> Li\
-.Cm \ (except range)
-.Xc
+= (equal)
+!= (unequal)
+< (less than)
+<= (less than or equal)
+> (greater than)
+>= (greater than or equal)
+>< (range)
+<> (except range)
.Ed
.Pp
-.Cm ><
-and
-.Cm <>
+>< and <>
are binary operators (they take two arguments), and the range
does not include the limits.
For instance:
@@ -1123,24 +1037,12 @@ hence ports 1-1999 and 2005-65535.
.Pp
The host and port specifications are optional, as in the following examples:
.Bd -literal -offset indent
-.Xo Ic pass in\
-.Ic all
-.Xc
-.Xo Ic pass in from any\
-.Ic to any
-.Xc
-.Xo Ic pass in proto tcp from\
-.Ic any port <= 1024 to any
-.Xc
-.Xo Ic pass in proto tcp from\
-.Ic any to any port 25
-.Xc
-.Xo Ic pass in proto tcp from\
-.Ic 10.0.0.0/8 port >1024 \e
-.Xc
-.Xo Ic \ \ to ! \
-.Ic 10.1.2.3 port != ssh
-.Xc
+pass in all
+pass in from any to any
+pass in proto tcp from any port <= 1024 to any
+pass in proto tcp from any to any port 25
+pass in proto tcp from 10.0.0.0/8 port >1024 \e
+ to ! 10.1.2.3 port != ssh
.Ed
.It Ar all
This is equivalent to "from any to any".
@@ -1196,15 +1098,9 @@ does not match forwarded packets.
The following example allows only selected users to open outgoing
connections:
.Bd -literal -offset indent
-.Xo Ic block out proto\
-.Ic { tcp, udp } all
-.Xc
-.Xo Ic pass \ out proto\
-.Ic { tcp, udp } all \e
-.Xc
-.Xo Ic \ user { < 1000,\
-.Ic dhartmei } keep state
-.Xc
+block out proto { tcp, udp } all
+pass \ out proto { tcp, udp } all \e
+ user { < 1000, dhartmei } keep state
.Ed
.It Ar flags <a>/<b> | /<b>
This rule only applies to TCP packets that have the flags
@@ -1252,7 +1148,7 @@ allow IP options.
.It Ar label <string>
Adds a label (name) to the rule, which can be used to identify the rule.
For instance,
-.Ic pfctl -s labels
+pfctl -s labels
shows per-rule statistics for rules that have labels.
.Pp
The following macros can be used in labels:
@@ -1277,31 +1173,18 @@ The rule number.
For example:
.Pp
.Bd -literal -offset indent
-.Xo Ic ips = \&"{ 1.2.3.4,\
-.Ic 1.2.3.5 }\&"
-.Xc
-.Xo Ic pass in proto tcp from\
-.Ic any to $ips \e
-.Xc
-.Xo Ic \ \ port >1023\
-.Ic label \&"$dstaddr:$dstport\&"
-.Xc
+ips = \&"{ 1.2.3.4, 1.2.3.5 }\&"
+pass in proto tcp from any to $ips \e
+ port >1023
+label \&"$dstaddr:$dstport\&"
.Ed
.Pp
expands to
.Bd -literal -offset indent
-.Xo Ic pass in proto tcp from\
-.Ic any to 1.2.3.4 \e
-.Xc
-.Xo Ic \ \ port >1023\
-.Ic label \&"1.2.3.4:>1023\&"
-.Xc
-.Xo Ic pass in proto tcp\
-.Ic from any to 1.2.3.5 \e
-.Xc
-.Xo Ic \ \ port >1023\
-.Ic label \&"1.2.3.5:>1023\&"
-.Xc
+pass in proto tcp from any to 1.2.3.4 \e
+ port >1023 label \&"1.2.3.4:>1023\&"
+pass in proto tcp from any to 1.2.3.5 \e
+ port >1023 label \&"1.2.3.5:>1023\&"
.Ed
.Pp
The macro expansion for the
@@ -1321,12 +1204,8 @@ for setup details.
For example:
.Pp
.Bd -literal -offset indent
-.Xo Ic pass in proto tcp\
-.Ic to port 25 queue mail
-.Xc
-.Xo Ic pass in proto tcp to\
-.Ic port 22 queue(ssh_bulk, ssh_prio)
-.Xc
+pass in proto tcp to port 25 queue mail
+pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio)
.Ed
.Pp
.Sh ROUTING
@@ -1461,18 +1340,9 @@ searches in O(log2 n).
.Pp
For instance:
.Bd -literal -offset indent
-.Xo Ic block\
-.Ic all
-.Xc
-.Xo Ic pass out proto tcp\
-.Ic from any to any\
-.Ic flags S/SA keep state
-.Xc
-.Xo Ic pass in proto tcp \
-.Ic from any to any\
-.Ic port 25 flags\
-.Ic S/SA keep state
-.Xc
+block all
+pass out proto tcp from any to any flags S/SA keep state
+pass in proto tcp from any to any port 25 flags S/SA keep state
.Ed
.Pp
This ruleset blocks everything by default.
@@ -1512,10 +1382,7 @@ creates an ICMP state, and
knows how to match ICMP replies to states.
For example,
.Bd -literal -offset indent
-.Xo Ic pass out inet proto\
-.Ic icmp all icmp-type echoreq\
-.Ic keep state
-.Xc
+pass out inet proto icmp all icmp-type echoreq keep state
.Ed
.Pp
allows echo requests (such as those created by
@@ -1529,7 +1396,7 @@ rules implicitly create state for connections.
Much of the security derived from TCP is attributable to how well the
initial sequence numbers (ISNs) are chosen.
Some popular stack implementations choose
-.Ic very
+.Em very
poor ISNs and thus are normally susceptible to ISN prediction exploits.
By applying a
.Ar modulate state
@@ -1545,13 +1412,8 @@ only applicable to TCP connections.
.Pp
For instance:
.Bd -literal -offset indent
-.Ic block all
-.Xo Ic pass out proto tcp from any to any\
-.Ic modulate state
-.Xc
-.Xo Ic pass in proto tcp from any to any\
-.Ic port 25 flags S/SA modulate state
-.Xc
+block all pass out proto tcp from any to any modulate state
+pass in proto tcp from any to any port 25 flags S/SA modulate state
.Ed
.Pp
There are two caveats associated with state modulation:
@@ -1603,15 +1465,9 @@ above.
.Pp
Multiple options can be specified, separated by commas:
.Bd -literal
-.Xo Ic pass in proto tcp\
-.Ic from any to any \e
-.Xc
-.Xo Ic \ \ port www flags\
-.Ic S/SA keep state \e
-.Xc
-.Xo Ic \ \ (max 100,\
-.Ic tcp.established 60, tcp.closing 5)
-.Xc
+pass in proto tcp from any to any \e
+ port www flags S/SA keep state \e
+ (max 100, tcp.established 60, tcp.closing 5)
.Ed
.Sh BLOCKING SPOOFED TRAFFIC
"Spoofing" is the faking of IP addresses, typically for malicious
@@ -1625,21 +1481,13 @@ any other interface.
.Pp
For example, the line
.Bd -literal -offset indent
-.Xo Ic antispoof\
-.Ic for lo0
-.Xc
+antispoof for lo0
.Ed
.Pp
expands to
.Bd -literal -offset indent
-.Xo Ic block in on ! lo0\
-.Ic inet from 127.0.0.1/8\
-.Ic to any
-.Xc
-.Xo Ic block in on ! lo0\
-.Ic inet6 from ::1\
-.Ic to any
-.Xc
+block in on ! lo0 inet from 127.0.0.1/8 to any
+block in on ! lo0 inet6 from ::1 to any
.Ed
.Pp
For non-loopback interfaces, there are additional rules to block incoming
@@ -1648,20 +1496,13 @@ For example, assuming the interface wi0 had an IP address of 10.0.0.1 and a
netmask of 255.255.255.0,
the line
.Bd -literal -offset indent
-.Xo Ic antispoof for\
-.Ic wi0 inet
-.Xc
+antispoof for wi0 inet
.Ed
.Pp
expands to
.Bd -literal -offset indent
-.Xo Ic block in on ! wi0\
-.Ic inet from 10.0.0.1/24\
-.Ic to any
-.Xc
-.Xo Ic block in inet\
-.Ic from 10.0.0.1 to any
-.Xc
+block in on ! wi0 inet from 10.0.0.1/24 to any
+block in inet from 10.0.0.1 to any
.Ed
.Pp
Caveat: Rules created by the
@@ -1707,9 +1548,7 @@ option still apply to fragments, if they only specify IP header fields.
For instance, the rule
.Pp
.Bd -literal -offset indent
-.Xo Ic pass in proto tcp from any to any\
-.Ic port 80
-.Xc
+pass in proto tcp from any to any port 80
.Ed
.Pp
never applies to a fragment, even if the fragment is part of a TCP
@@ -1815,24 +1654,12 @@ without reloading the main ruleset.
For example,
.Pp
.Bd -literal -offset indent
-.Xo Ic ext_if =\
-.Ic \&"kue0\&"
-.Xc
-.Xo Ic block on\
-.Ic $ext_if all
-.Xc
-.Xo Ic anchor\
-.Ic spam
-.Xc
-.Xo Ic pass out on\
-.Ic $ext_if all keep state
-.Xc
-.Xo Ic pass in on $ext_if\
-.Ic proto tcp from any \e
-.Xc
-.Xo Ic \ \ to $ext_if\
-.Ic port smtp keep state
-.Xc
+ext_if = \&"kue0\&"
+block on $ext_if all
+anchor spam
+pass out on $ext_if all keep state
+pass in on $ext_if proto tcp from any \e
+ to $ext_if port smtp keep state
.Ed
.Pp
blocks all packets on the external interface by default, then evaluates
@@ -1842,12 +1669,8 @@ named "spam", and finally passes all outgoing connections and
incoming connections to port 25.
.Pp
.Bd -literal -offset indent
-.Xo Cm # echo \&"block in quick from\
-.Ic 1.2.3.4 to any\&" \&|
-.Xc
-.Xo Ic \ \ pfctl -a\
-.Ic spam:manual -f -
-.Xc
+# echo \&"block in quick from 1.2.3.4 to any\&" \&|
+ pfctl -a spam:manual -f -
.Ed
.Pp
loads a single ruleset containing a single rule into the
@@ -1865,16 +1688,10 @@ When parameters are used, the
rule is only evaluated for matching packets.
This allows conditional evaluation of named rulesets, like:
.Bd -literal -offset indent
-.Xo Ic block on\
-.Ic $ext_if all
-.Xc
-.Xo Ic anchor spam proto tcp from any to\
-.Ic any port smtp
-.Xc
-.Ic pass out on $ext_if all keep state
-.Xo Ic pass in on $ext_if proto tcp from any\
-.Ic to $ext_if port smtp keep state
-.Xc
+block on $ext_if all
+anchor spam proto tcp from any to any port smtp
+pass out on $ext_if all keep state
+pass in on $ext_if proto tcp from any to $ext_if port smtp keep state
.Ed
.Pp
The rules inside
@@ -1884,12 +1701,8 @@ spam are only evaluated for
packets with destination port 25.
Hence,
.Bd -literal -offset indent
-.Xo Ic # echo \&"block in quick from 1.2.3.4\
-.Ic to any" \&|
-.Xc
-.Xo Ic \ \ pfctl -a\
-.Ic spam:manual -f -
-.Xc
+# echo \&"block in quick from 1.2.3.4 to any" \&|
+ pfctl -a spam:manual -f -
.Ed
.Pp
will only block connections from 1.2.3.4 to port 25.
@@ -1899,9 +1712,7 @@ which a daemon is running (because, for example, it is not run as root,
and therefore lacks permission to bind to port 80).
.Bd -literal
# map daemon on 8080 to appear to be on 80
-.Xo Ic rdr on ne3 proto tcp from any\
-.Ic to any port 80 -> 127.0.0.1 port 8080
-.Xc
+rdr on ne3 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
.Ed
.Pp
In the example below, vlan12 is configured as 192.168.168.1;
@@ -1913,9 +1724,7 @@ network appear as though it is the Internet routable address
for the nodes on vlan12.
(Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.)
.Bd -literal
-.Xo Ic nat on ! vlan12 from 192.168.168.0/24\
-.Ic to any -> 204.92.77.111
-.Xc
+nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
.Ed
.Pp
In the example below, fxp1 is the outside interface; the machine sits between a
@@ -1925,12 +1734,8 @@ The
rule excludes protocol AH from being translated.
.Bd -literal
# NO NAT
-.Xo Ic no nat on fxp1 proto ah\
-.Ic from 144.19.74.0/24 to any
-.Xc
-.Xo Ic nat on fxp1 from 144.19.74.0/24\
-.Ic to any -> 204.92.77.100
-.Xc
+no nat on fxp1 proto ah from 144.19.74.0/24 to any
+nat on fxp1 from 144.19.74.0/24 to any -> 204.92.77.100
.Ed
.Pp
In the example below, fxp0 is the internal interface.
@@ -1939,15 +1744,9 @@ for one specific server, as well as those generated by the sysadmins
are not proxied; all other connections are.
.Bd -literal
# NO RDR
-.Xo Ic no rdr on fxp0 from any\
-.Ic to $server port 80
-.Xc
-.Xo Ic no rdr on fxp0 from $sysadmins\
-.Ic to any port 80
-.Xc
-.Xo Ic rdr on fxp0 from any\
-.Ic to any port 80 -> 127.0.0.1 port 80
-.Xc
+no rdr on fxp0 from any to $server port 80
+no rdr on fxp0 from $sysadmins to any port 80
+rdr on fxp0 from any to any port 80 -> 127.0.0.1 port 80
.Ed
.Pp
This longer example uses both a NAT and a redirection.
@@ -1960,51 +1759,33 @@ listening for outbound ftp sessions captured to port 8081.
# NAT
# translate outgoing packets' source addresses (any protocol)
# in this case, any address but the gateway's external address is mapped
-.Xo Ic nat on kue0 inet from !\
-.Ic (kue0) to any -> (kue0)
-.Xc
+nat on kue0 inet from ! (kue0) to any -> (kue0)
.Pp
# NAT PROXYING
# map outgoing packets' source port to an assigned proxy port instead of
# an arbitrary port
# in this case, proxy outgoing isakmp with port 500 on the gateway
-.Xo Ic nat on kue0 inet proto udp from\
-.Ic any port = isakmp to any -> (kue0) \e
-.Xc
-.Xo Ic \ \ port\
-.Ic 500
-.Xc
+nat on kue0 inet proto udp from any port = isakmp to any -> (kue0) \e
+ port 500
.Pp
# BINAT
# translate outgoing packets' source address (any protocol)
# translate incoming packets' destination address to an internal machine
# (bidirectional)
-.Xo Ic binat on kue0 from\
-.Ic 10.1.2.150 to any -> (kue0)
-.Xc
+binat on kue0 from 10.1.2.150 to any -> (kue0)
.Pp
# RDR
# translate incoming packets' destination addresses
# as an example, redirect a TCP and UDP port to an internal machine
-.Xo Ic rdr on kue0 inet proto tcp from any\
-.Ic to (kue0) port 8080 -> 10.1.2.151 \e
-.Xc
-.Xo Ic \ \ port\
-.Ic 22
-.Xc
-.Xo Ic rdr on kue0 inet proto udp from any\
-.Ic to (kue0) port 8080 -> 10.1.2.151 \e
-.Xc
-.Xo Ic \ \ port\
-.Ic 53
-.Xc
+rdr on kue0 inet proto tcp from any to (kue0) port 8080 -> 10.1.2.151 \e
+ port 22
+rdr on kue0 inet proto udp from any to (kue0) port 8080 -> 10.1.2.151 \e
+ port 53
.Pp
# RDR
# translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8081
-.Xo Ic rdr on fxp0 proto tcp from any to\
-.Ic any port 21 -> 127.0.0.1 port 8081
-.Xc
+rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
.Ed
.Sh FILTER EXAMPLES
.Pp
@@ -2014,46 +1795,30 @@ listening for outbound ftp sessions captured to port 8081.
# and the private network is 10.0.0.0/8, for which we are doing NAT.
.Pp
# use a macro for the interface name, so it can be changed easily
-.Xo Ic ext_if =\
-.Ic \&"kue0\&"
-.Xc
+ext_if = \&"kue0\&"
.Pp
# normalize all incoming traffic
-.Xo Ic scrub in on $ext_if\
-.Ic all fragment reassemble
-.Xc
+scrub in on $ext_if all fragment reassemble
.Pp
# block and log everything by default
-.Xo Ic block return log\
-.Ic on $ext_if all
-.Xc
+block return log on $ext_if all
.Pp
# block anything coming from source we have no back routes for
-.Xo Ic block in from\
-.Ic no-route to any
-.Xc
+block in from no-route to any
.Pp
# block and log outgoing packets that do not have our address as source,
# they are either spoofed or something is misconfigured (NAT disabled,
# for instance), we want to be nice and do not send out garbage.
-.Xo Ic block out log quick on $ext_if\
-.Ic from ! 157.161.48.183 to any
-.Xc
+block out log quick on $ext_if from ! 157.161.48.183 to any
.Pp
# silently drop broadcasts (cable modem noise)
-.Xo Ic block in quick on $ext_if\
-.Ic from any to 255.255.255.255
-.Xc
+block in quick on $ext_if from any to 255.255.255.255
.Pp
# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we cannot reply to
# them anyway (hence, no return-rst).
-.Xo Ic block in log quick on $ext_if from\
-.Ic { 10.0.0.0/8, 172.16.0.0/12, \e
-.Xc
-.Xo Ic \ \ 192.168.0.0/16,\
-.Ic 255.255.255.255/32 } to any
-.Xc
+block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \e
+ 192.168.0.0/16, 255.255.255.255/32 } to any
.Pp
# ICMP
.Pp
@@ -2062,45 +1827,29 @@ listening for outbound ftp sessions captured to port 8081.
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
-.Xo Ic pass on $ext_if inet proto icmp all\
-.Ic icmp-type 8 code 0 keep state
-.Xc
+pass on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
.Pp
# UDP
.Pp
# pass out all UDP connections and keep state
-.Xo Ic pass out on $ext_if proto\
-.Ic udp all keep state
-.Xc
+pass out on $ext_if proto udp all keep state
.Pp
# pass in certain UDP connections and keep state (DNS)
-.Xo Ic pass in on $ext_if proto udp from any\
-.Ic to any port domain keep state
-.Xc
+pass in on $ext_if proto udp from any to any port domain keep state
.Pp
# TCP
.Pp
# pass out all TCP connections and modulate state
-.Xo Ic pass out on $ext_if proto\
-.Ic tcp all modulate state
-.Xc
+pass out on $ext_if proto tcp all modulate state
.Pp
# pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT)
-.Xo Ic pass in on $ext_if proto tcp from any\
-.Ic to any port { ssh, smtp, domain, \e
-.Xc
-.Xo Ic \ \ auth } flags S/SA\
-.Ic keep state
-.Xc
+pass in on $ext_if proto tcp from any to any port { ssh, smtp, domain, \e
+ auth } flags S/SA keep state
.Pp
# pass in data mode connections for ftp-proxy running on this host.
# (see ftp-proxy(8) for details)
-.Xo Ic pass in on $ext_if proto tcp from any\
-.Ic to 157.161.48.183 port >= 49152 \e
-.Xc
-.Xo Ic \ \ flags S/SA\
-.Ic keep state
-.Xc
+pass in on $ext_if proto tcp from any to 157.161.48.183 port >= 49152 \e
+ flags S/SA keep state
.Ed
.Sh GRAMMAR
Syntax for