diff options
-rw-r--r-- | share/man/man5/pf.conf.5 | 693 |
1 files changed, 369 insertions, 324 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 00f37007fd1..d75859928eb 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.117 2002/11/24 23:06:04 henning Exp $ +.\" $OpenBSD: pf.conf.5,v 1.118 2002/11/25 03:25:56 deraadt Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -37,67 +37,56 @@ packet filter .Sh DESCRIPTION The .Xr pf 4 -packet filter drops, passes and modifies packets according to the -rules defined in this file. -Filter rules are used to selectively pass traffic while translation -rules specify which addresses are to be mapped and which are to be -redirected. -For each packet inspected by the filter, the set of rules is evaluated -from top to bottom, and the last matching rule decides what action is -performed. -For each packet inspected by the translator, the set of rules is evaluated -from top to bottom, and the first matching rule decides what action is -performed. -In short: filters are last match, translation is first match. -Rules must be in order: options, scrub, translation, queue, filter. -.Sh FILTER RULES -While filter rules are typically manipulated using -.Xr pfctl 8 -other utilities may be written using the -.Xr ioctl 2 -interface described in -.Xr pf 4 . +packet filter modifies, drops or passes packets according to rules or +definitions specified in +.Nm pf.conf . +A variety of definitions activate features: +.Pp +.Bl -tag -width xxxx +.It Macros +User-defined variables can be set and used later on, resulting in a +file which is more easily comprehended. +.It Options +Various options can be changed to tune the default behaviour of the engine. +.It Traffic Normalization (e.g. Pa scrub No ) +Traffic normalization protects internal machines against inconsistancies +in Internet protocols. +.It Translation (Various forms of NAT) +Translation rules specify which addresses are to be mapped or redirected. +.It Queueing +A queuing engine allows for filtering rule based bandwidth control. +.It Packet filtering +Lastly, a stateful and stateless packet filtering can constrain packet flow. +.El .Pp -For each packet processed by the packet filter, the filter rules are -evaluated in sequential order, from first to last. -Each rule either matches the packet or doesn't. -The last matching rule decides what action is taken. +In general, the above lines must occur in the order shown because this +matches the semantics of the underlying engine; in most cases rules +are evaluated in the order in which they are specified. .Pp -If no rule matches the packet, the default action is -.Em pass . +.Sh MACROS +Where is the fucking introductory paragraph for this section? .Pp -To block everything by default and only pass packets -that match explicit rules, one uses +.Xr pfctl 8 +supports macro definition and expansion like: .Bd -literal - block in all - block out all + ext_if = "kue0" + pass out on $ext_if from any to any keep state + pass in on $ext_if proto tcp from any to any port 25 keep state .Ed .Pp -as the first two rules. -.Pp -For each packet processed by the translator, the translation rules are -evaluated in sequential order, from first to last. -Each rule either matches the packet or doesn't. -The first matching rule decides what action is taken. -.Pp -If no rule matches the packet, the default action is to pass the packet -up to the filter unmodified. -It should be noted that all translations of packets occur before -the filters are applied. -Hence, rules for redirected packets should specify the address and port -after translation. -Note that all translation rules apply only to packets that pass through -the specified interface. -For instance, redirecting port 80 on an external interface to an internal -web server will only work for connections originating from the outside. -Connections to the address of the external interface from local hosts will -not be redirected, since such packets do not actually pass through the -external interface. -Redirections can't reflect packets back through the interface they arrive -on, they can only be redirected to hosts connected to different interfaces -or to the firewall itself. +Macro names must start with a letter and may contain letters, digits +and underscores. +Macro names may not be pf reserved words (e.g. pass, in, out). +Macros are not expanded recursively. .Sh OPTIONS -.Ss timeout +A variety of global options can be adjusted to tune +.Xr pf 4 +so that it performs better in various situations, using the +.Pa set +command. +.Pp +.Bl -tag -width xxxx +.It Pa set timeout .Bl -tag -width interval -compact .It Em interval Interval between purging expired states and fragments. @@ -161,7 +150,7 @@ Example: set timeout tcp.established 3600 set timeout { tcp.opening 30, tcp.closing 900 } .Ed -.Ss loginterface +.It Pa set loginterface Enable collection of packet and byte count statistics for the given interface. These statistics can be viewed using .Bd -literal @@ -177,7 +166,7 @@ One can unset the loginterface using .Bd -literal set loginterface none .Ed -.Ss limit +.It Pa set limit Sets hard limits on the memory pools used by the packet filter. See .Xr pool 9 @@ -195,13 +184,15 @@ entries (generated by 'keep state' rules) to 20000. .Ed .Pp sets the maximum number of entries in the memory pool used for fragment -reassembly (generated by 'scrub' rules) to 20000. +reassembly (generated by +.Pa scrub +rules) to 20000. .Pp These can be combined: .Bd -literal set limit { states 20000, frags 20000 } .Ed -.Ss optimization +.It Pa set optimization Optimize the engine to one of the following network topographies or environments: .Bl -tag -width "O high-latency " -compact @@ -230,7 +221,7 @@ Example: .Bd -literal set optimization aggressive .Ed -.Ss block-policy +.It Pa set block-policy The .Em block-policy option sets the default behaviour for the @@ -247,16 +238,227 @@ Example: .Bd -literal set block-policy return .Ed -.Ss require-order +.It Pa set require-order By default .Xr pfctl 8 -enforces an ordering of the ruleset to: options, scrub, translation, queue, +enforces an ordering of the ruleset to: options, +.Pa scrub , +translation, +.Pa queue , filter. Setting this option to .Em no disables this enforcement. One has to be very careful about the implications of an out of order ruleset. +.El +.Pp +.Sh TRAFFIC NORMALIZATION +Traffic normalization is used to sanitize packet content in such +a way that there are no ambiguities in packet interpretation on +the receiving side. +Packet normalization is invoked via the +.Pa scrub +directive. +The normalizer does IP fragment reassembly to prevent attacks +that confuse intrusion detection systems by sending overlapping +IP fragments. +.Pp +A few options exist which affect scrub operation: +.Bl -tag -width xxxx +.It Pa no-df +Clears the +.Pa dont-fragment +bit from a matching ip packet. +.It Pa min-ttl <number> +Enforces a minimum ttl for matching ip packets. +.It Pa max-mss <number> +Enforces a maximum mss for matching tcp packets. +.It Pa fragment reassemble +Using scrub rules, fragments can be reassembled by normalization. +In this case, fragments are buffered until they form a complete +packet, and only the completed packet is passed on to the filter. +The advantage is that filter rules have to deal only with complete +packets, and can ignore fragments. +The drawback of caching fragments is the additional memory cost. +But the full reassembly method is the only method that currently works +with NAT. +This is the default behavior of a +.Pa scrub +rule if no fragmentation modifier is supplied. +.It Pa fragment crop +The default fragment reassembly method is expensive, hence the option +to crop is provided. +In this case, +.Xr pf 4 +will track the fragments and cache a small range descriptor. +Duplicate fragments are dropped and overlaps are cropped. +Thus data will only occur once on the wire with ambiguities resolving to +the first occurrence. +Unlike the +.Pa fragment reassemble +modifier, fragments are not buffered, they are passed as soon as they +are received. +This reassembly mechanism does not yet work with NAT. +.Pp +.It Pa fragment drop-ovl +This option is similar to the +.Pa fragment crop +modifier except that all overlapping or duplicate fragments will be +dropped and will cause the following corresponding fragments to be +dropped as well. +.El +.Pp +For example, +.Bd -literal + scrub in on $ext_if all fragment reassemble +.Ed +.Pp +.Sh QUEUEING +Filtering rules can also assign packets to a queue. +At least two rules are required to configure queues, and later +any basic filtering or NAT rule can reference the defined +queues by name. +The queue name last referenced is where any packets from +.Em pass +rules will be queued, while for +.Em block +rules it specifies where any resulting +.Em icmp +or +.Em TCP RST +packets should be enqueued. +.Pp +.Em altq on +specifies on which interface queues will be set up. +The +.Em scheduler +type is required where currently only CBQ is supported. +.Em bandwidth +is optional and specifies the maximum rate for all queues on this interface. +All queues for this interface have to be listed after +.Em queue . +.Pp +For example, the interface +.Pa dc0 +should queue up to 5 Mbit/s in two queues using CBQ. +.Bd -literal + altq on dc0 scheduler cbq bandwidth 5Mb queue { qname1, qname2 } +.Ed +.Pp +Parameters for the queues are specified in +.Em queue +rules. The queuename must match the definition in the +.Em altq +rule. +.Em bandwidth +sets the maximum bitrate that can be processed by this queue. +The value must not exceed the value of the parent queue and can be specified +in absolute and percentage values. +Between queues a +.Em priority +level can be set. +The range is 0..7 with a default of 1. +Queues with a higher priority level are preferred in the case of overload. +The scheduler can get additional parameters with +.Em cbq( <parameters> ) . +Parameters are as follows: +.Pp +.Bl -tag -width Fl +.It Em default +Packets not matched by another queue are assigned to this one. +Exactly one default queue is required. +.It Em borrow +The queue can borrow bandwidth from the parent. +.It Em control +Control class packets (RSVP, IGMP, ICMP) are assigned to this queue. +.It Em red +Enables RED (Random Early Detection) on this queue. +RED drops packets with a probability proportional to the average +queue length. +.It Em rio +Enables RIO on this queue. RIO is RED with IN/OUT, thus running +RED two times more then RED would do. +RIO is currently not supported in the GENERIC kernel. +.It Em ecn +Enables ECN (Explicit Congestion Notification) on this queue. +ECN implies RED. +.El +.Pp +Furthermore child queues can be specified like in an +.Em altq +rule. +.Pp +Following the previous example, this would specify the two referenced +queues, plus one child queue: +.Pp +.Bd -literal + queue qname1 bandwidth 50% cbq(default ecn) queue { qname1a } + queue qname1a bandwidth 1Mb cbq(borrow) + queue qname2 bandwidth 1000 priority 3 +.Ed +.Pp +Please note that child queues must not exceed the bandwidth definition +of the parent. +Relative values are calculated against the bandwidth of the parent queue. +.Pp +.Sh TRANSLATION +Where is the section discussion NAT / translation? +.Pp +This is the only part of NAT that is fucking documented: +.Bl -item -width xxxx +.It Pa no +Causes matching packets to remain untranslated. +.El +.Pp +.Sh PACKET FILTERING +The sentence below is COMPLETELY wrong for an intruduction on *FILTERING* +.Pp +While filter rules are typically manipulated using +.Xr pfctl 8 +other utilities may be written using the +.Xr ioctl 2 +interface described in +.Xr pf 4 . +.Pp +For each packet processed by the packet filter, the filter rules are +evaluated in sequential order, from first to last. +Each rule either matches the packet or doesn't. +The last matching rule decides what action is taken. +.Pp +If no rule matches the packet, the default action is +.Em pass . +.Pp +To block everything by default and only pass packets +that match explicit rules, one uses +.Bd -literal + block in all + block out all +.Ed +.Pp +as the first two rules. +.Pp +For each packet processed by the translator, the translation rules are +evaluated in sequential order, from first to last. +Each rule either matches the packet or doesn't. +The first matching rule decides what action is taken. +.Pp +If no rule matches the packet, the default action is to pass the packet +up to the filter unmodified. +It should be noted that all translations of packets occur before +the filters are applied. +Hence, rules for redirected packets should specify the address and port +after translation. +Note that all translation rules apply only to packets that pass through +the specified interface. +For instance, redirecting port 80 on an external interface to an internal +web server will only work for connections originating from the outside. +Connections to the address of the external interface from local hosts will +not be redirected, since such packets do not actually pass through the +external interface. +Redirections can't reflect packets back through the interface they arrive +on, they can only be redirected to hosts connected to different interfaces +or to the firewall itself. .Sh ACTIONS .Bl -tag -width Fl .It Em block @@ -266,9 +468,9 @@ There are a number of ways in which a rule can behave when blocking a packet. The default behaviour is to .Em drop packets silently, however this can be overridden or made explicit -globally by setting the +globally by setting the .Em block-policy -option, or on a per-rule basis with the following options: +option, or on a per-rule basis with the following options: .Pp .Bl -tag -width "return-icmp6" -compact -offset indent .It Em drop @@ -279,7 +481,7 @@ connection. .It Em return-icmp .It Em return-icmp6 return ICMP messages for packets which match the rule. -By default this is an ICMP UNREACHABLE message, however the type +By default this is an ICMP UNREACHABLE message, however the type of message can be overridden by specifying it as a code or number. .It Em return returns a TCP RST for tcp packets, an ICMP UNREACHABLE for UDP packets, @@ -329,9 +531,10 @@ Most parameters are optional. If a parameter is specified, the rule only applies to packets with matching attributes. Certain parameters can be expressed as lists, in which case -.Em pfctl -generates all needed rule combinations. -.Ss in or out +.Xr pfctl 8 +generates all needed rule combinations: +.Bl -tag -width xxxx +.It Pa in No or Pa out The rule applies to incoming or outgoing packets. Either .Em in @@ -339,22 +542,12 @@ or .Em out must be specified. To cover both directions, two rules are needed. -.Ss log -.Bl -tag -width Fl .It Em log In addition to the action specified, a log message is generated. -.It Em log-all -Used with -.Sq keep state -or -.Sq modulate state -rules. Not only the packet that creates state is logged, but all packets of the connection. -.El -.Pp The logged packets are sent to the -.Em pflog0 +.Xr pflog 4 interface. This interface is monitored by the .Xr pflogd 8 @@ -363,27 +556,40 @@ logging daemon which dumps the logged packets to the file in .Xr pcap 3 binary format. -.Ss quick -If a packet matches a rule which has the +.It Em log-all +Used with +.Sq keep state +or +.Sq modulate state +rules. +The same rules as for +.Pa log +regarding +.Xr pflog 4 +also apply to +.Pa log-all . +.It Pa quick +If a packet matches a rule which has the .Sq quick option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped. -.Ss on <interface> +.It Pa on No <interface> The rule applies only to packets coming in on or going out through this particular interface. -.Ss <af> +.It <af> The rule applies only to packets of this address family. Supported values are inet and inet6. -.Ss proto <protocol> +.It Pa proto No <protocol> The rule applies only to packets of this protocol. Common protocols used here are tcp, udp, icmp and ipv6-icmp. -.Ss from <source> port <source> to <dest> port <dest> +.It Pa from <source> port <source> to <dest> port <dest> The rule applies only to packets with the specified source and destination addresses/ports. .Pp Addresses can be specified in CIDR notation (matching netblocks), as symbolic host names or interface names, or as any of the following keywords: +.Pp .Bl -tag -width no-route -compact .It Em any means any address; @@ -392,7 +598,7 @@ means any address which is not currently routable. .El .Pp Host name resolution and interface to address translation are done at -rule set load-time. +rule set load-time. When the address of an interface (or host name) changes (by DHCP or PPP, for instance), the rule set must be reloaded for the change to be reflected in the kernel. @@ -410,11 +616,11 @@ Ports can be specified using these operators doesn't include the limits, for instance: .Bl -tag -width Fl .It Em port 2000 >< 2004 -means +means .Sq all ports > 2000 and < 2004 , hence ports 2001, 2002 and 2003. .It Em port 2000 <> 2004 -means +means .Sq all ports < 2000 or > 2004 , hence ports 1-1999 and 2005-65535. .El @@ -428,7 +634,7 @@ show: pass in proto tcp from any to any port 25 pass in proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != 22 .Ed -.Ss user <user> group <group> +.It Pa user <user> group <group> The rule only applies to packets of sockets owned by the specified user and group. For outgoing connections initiated from the firewall, this is the user @@ -470,7 +676,7 @@ connections: block out proto { tcp, udp } all pass out proto { tcp, udp } all user { < 1000, dhartmei } keep state .Ed -.Ss flags <a>/<b> | /<b> +.It Pa flags <a>/<b> | /<b> The rule only applies to TCP packets that have the flags <a> set out of set <b>. Flags not specified in <b> are ignored. @@ -488,14 +694,14 @@ This is more restrictive than the previous example. If the first set is not specified, it defaults to none. All of SYN, FIN, RST and ACK must be unset. .El -.Ss icmp-type <type> code <code> and ipv6-icmp-type <type> code <code> +.It Pa icmp-type <type> code <code> and ipv6-icmp-type <type> code <code> The rule only applies to ICMP or ICMPv6 packets with the specified type and code. This parameter is only valid for rules that cover protocols icmp or ipv6-icmp. The protocol and the icmp type indicator (icmp-type or ipv6-icmp-type) must match. -.Ss allow-opts +.It Pa allow-opts By default, packets which contain IP options are blocked. When .Em allow-opts @@ -509,7 +715,7 @@ The implicit .Em pass rule that is used when a packet doesn't match any rules does not allow IP options. -.Ss label <string> +.It Pa label <string> Adds a label (name) to the rule, which can be used to identify the rule. For instance, .Em pfctl -s labels @@ -547,7 +753,7 @@ expands to .Ed .Pp Note that evaluation takes place at parse time. -.Ss queue <string> +.It Pa queue <string> Packets matching this rule will be assigned to the specified queue. See QUEUE RULES for setup details. .Pp @@ -556,23 +762,19 @@ Example: .Bd -literal pass in proto tcp from any to any port 25 queue mail .Ed -.Sh NO -The -.Sq no -option is to a translation rule what the -.Sq quick -option is to a filter rule. -This option causes matching packets to remain untranslated. +.El +.Pp .Sh ROUTING If a packet matches a rule with a route option set, the packet filter will route the packet according to the type of route option. When such a rule creates state, the route option is also applied to all packets matching the same connection. -.Ss fastroute +.Bl -tag -width xxxx +.It Pa fastroute The .Em fastroute option does a normal route lookup to find the next hop for the packet. -.Ss route-to +.It Pa route-to The .Em route-to option routes the packet to the specified interface with an optional address @@ -583,7 +785,7 @@ rule creates state, only packets that pass in the same direction as the filter rule specifies will be routed in this way. Packets passing in the opposite direction (replies) are not affected and routed normally. -.Ss reply-to +.It Pa reply-to The .Em reply-to option is similar to @@ -596,29 +798,29 @@ is useful only in rules that create state. It can be used on systems with multiple external connections to route all outgoing packets of a connection through the interface the incoming connection arrived through (symmetric routing enforcement). -.Ss dup-to +.It Pa dup-to The .Em dup-to option creates a duplicate of the packet and routes it like .Em route-to. The original packet gets routed as it normally would. +.El +.Pp .Sh POOL OPTIONS -.Ss <pooltype> -For +For .Em nat and .Em rdr rules, (as well as for the -.Em route-to -, +.Em route-to , .Em reply-to and .Em dup-to rule options) for which there is a single redirection address which has a subnet mask smaller than 32 for IPv4 or 128 for IPv6 (more than one IP address), a variety of different methods for assigning this address can be -used: -.Bl -tag -width Fl +used: +.Bl -tag -width xxxx .It Em bitmask The .Em bitmask @@ -640,7 +842,7 @@ The .Em key option for .Em source-hash -allows you to specify a string used by pfctl to generate a key which is hashed +allows one to specify a string used by pfctl to generate a key which is hashed in with the source address. .It Em random The @@ -653,32 +855,19 @@ randomly generates a key for source-hash every time the ruleset is reloaded. The .Em round-robin option loops through the redirection address(s). -.El .Pp -When more than one redirection address is specified, +When more than one redirection address is specified, .Em round-robin is the only permitted pool type. -.Ss static-port +.It Pa static-port With .Em nat rules, the .Em static-port option prevents pf from modifying the source port on tcp and udp packets. -.Sh MACROS -.Em pfctl -supports macro definition and expansion like: -.Bd -literal - ext_if = "kue0" - pass out on $ext_if from any to any keep state - pass in on $ext_if proto tcp from any to any port 25 keep state -.Ed -.Pp -Macro names must start with a letter and may contain letters, digits -and underscores. -Macro names may not be pf reserved words (e.g. pass, in, out). -Macros are not expanded recursively. +.El .Sh STATEFUL INSPECTION -.Em pf +.Xr pf 4 is a stateful packet filter, which means it can track the state of a connection. Instead of passing all traffic to port 25, for instance, one can pass @@ -725,11 +914,11 @@ All further packets of these connections are passed if they match a state. Specifying flags S/SA restricts state creation to the initial SYN packet of the TCP handshake. One can also be less restrictive, and allow state creation from -intermediate +intermediate .Pq non-SYN packets. This will cause -.Em pf +.Xr pf 4 to synchronize to existing connections, for instance if one flushes the state table. .Pp @@ -744,14 +933,14 @@ referring to this TCP connection arrives, it will be matched to the right state and get passed. .Pp For ICMP queries, keep state creates an ICMP state, and -.Em pf +.Xr pf 4 knows how to match ICMP replies to states. For example .Bd -literal pass out inet proto icmp all icmp-type echoreq keep state .Ed .Pp -lets echo requests +lets echo requests .Pq pings out, creates state, and matches incoming echo replies correctly to states. .Pp @@ -762,8 +951,8 @@ initial sequence numbers (ISNs) are chosen. Some popular stack implementations choose .Cm very poor ISNs and thus are normally susceptible to ISN prediction exploits. -By applying a "modulate state" rule to a TCP connection, -.Em pf +By applying a "modulate state" rule to a TCP connection, +.Xr pf 4 will create a high quality random sequence number for each connection endpoint. .Pp @@ -779,13 +968,13 @@ For instance: .Ed .Pp Caveat: If -.Em pf +.Xr pf 4 picks up an already established connection .Po the firewall was rebooted, the state table was flushed, ... .Pc it will not be able to safely modulate the state of that connection. -.Em pf +.Xr pf 4 will fall back and operate as if "keep state" was specified instead. Without this fallback, modulation would cause each host to think that the other end had somehow lost sync. @@ -799,11 +988,16 @@ shift the sequencing of each side of a connection add a random number to each side. .Pc Both sides of the connection will notice, that its peer has suddenly -shifted its sequence by a random amount. +shifted its sequence by a random amount. Neither side will be able to recover and the connection will stall and eventually close. -.Sh STATE OPTIONS -Both "keep state" and "modulate state" support the following options: +.Sh STATEFUL OPTIONS +Both +.Pa keep state +and +.Pa modulate state +support the following options: +.Pp .Bl -tag -width timeout_seconds -compact .It Em max number Limits the number of concurrent states the rule may create. @@ -820,38 +1014,14 @@ Multiple options can be specified, separated by commas: pass in proto tcp from any to any port www flags S/SA \\ keep state (max 100, tcp.established 60, tcp.closing 5) .Ed -.Sh NORMALIZATION -Packet normalization is invoked via the -.Pa scrub -directive. -Normalization is used to sanitize packet content in such -a way that there are no ambiguities in packet interpretation on -the receiving side. -.Pp -The normalizer does IP fragment reassembly to prevent attacks -that confuse intrusion detection systems by sending overlapping -IP fragments. -.Ss no-df -Clears the -.Pa dont-fragment -bit from a matching ip packet. -.Ss min-ttl <number> -Enforces a minimum ttl for matching ip packets. -.Ss max-mss <number> -Enforces a maximum mss for matching tcp packets. -.Pp -Normalization occurs before filtering, scrub rules and pass/block -rules are evaluated independently. -Hence, their relative position in the rule set is not relevant, -and packets can't be blocked before normalization. .Sh BLOCKING SPOOFED TRAFFIC "Spoofing" is the faking of IP addresses, typically for malicious purposes. -The +The .Pa antispoof -directive expands to a set of filter rules which will block all -traffic with a source IP from the network(s) directly connected -to the specified interface(s) from entering the system through +directive expands to a set of filter rules which will block all +traffic with a source IP from the network(s) directly connected +to the specified interface(s) from entering the system through any other interface. .Pp For example, the line @@ -861,11 +1031,11 @@ For example, the line .Pp expands to .Bd -literal - block in on ! lo0 inet from 127.0.0.1/8 to any - block in on ! lo0 inet6 from ::1 to any + block in on ! lo0 inet from 127.0.0.1/8 to any + block in on ! lo0 inet6 from ::1 to any .Ed .Pp -For non-loopback interfaces, there are additional rules to block incoming +For non-loopback interfaces, there are additional rules to block incoming packets with a source IP address identical to the interface's IP(s). For example, assuming the interface wi0 had an IP address of 10.0.0.1 and a netmask of 255.255.255.0, @@ -876,8 +1046,8 @@ the line .Pp expands to .Bd -literal - block in on ! wi0 inet from 10.0.0.1/24 to any - block in inet from 10.0.0.1 to any + block in on ! wi0 inet from 10.0.0.1/24 to any + block in inet from 10.0.0.1 to any .Ed .Pp Caveat: Rules created by the @@ -894,151 +1064,26 @@ of their ruleset to pass all traffic on lo0: pass in quick on lo0 all pass out quick on lo0 all .Ed -.Sh QUEUE RULES -Filtering rules can also assign packets to a queue. -At least two rules are required to configure queues, following -which any -.Em pass -or -.Em block -rule can reference the defined queues by name. -The queue name last referenced is where any packets from -.Em pass -rules will be queued, while for -.Em block -rules it specifies where any resulting -.Em icmp -or -.Em TCP RST -packets should be enqueued. -.Pp -.Em altq on -specifies on which interface queues will be set up. -The -.Em scheduler -type is required where currently only CBQ is supported. -.Em bandwidth -is optional and specifies the maximum rate for all queues on this interface. -All queues for this interface have to be listed after -.Em queue . -.Pp -For example, the interface -.Pa dc0 -should queue up to 5 Mbit/s in two queues using CBQ. -.Bd -literal - altq on dc0 scheduler cbq bandwidth 5Mb queue { qname1, qname2 } -.Ed -.Pp -Parameters for the queues are specified in -.Em queue -rules. The queuename must match the definition in the -.Em altq -rule. -.Em bandwidth -sets the maximum bitrate that can be processed by this queue. -The value must not exceed the value of the parent queue and can be specified -in absolute and percentage values. -Between queues a -.Em priority -level can be set. -The range is 0..7 with a default of 1. -Queues with a higher priority level are preferred in the case of overload. -The scheduler can get additional parameters with -.Em cbq( <parameters> ) . -Parameters are as follows: -.Pp -.Bl -tag -width Fl -.It Em default -Packets not matched by another queue are assigned to this one. -Exactly one default queue is required. -.It Em borrow -The queue can borrow bandwidth from the parent. -.It Em control -Control class packets (RSVP, IGMP, ICMP) are assigned to this queue. -.It Em red -Enables RED (Random Early Detection) on this queue. -RED drops packets with a probability proportional to the average -queue length. -.It Em rio -Enables RIO on this queue. RIO is RED with IN/OUT, thus running -RED two times more then RED would do. -RIO is currently not supported in the GENERIC kernel. -.It Em ecn -Enables ECN (Explicit Congestion Notification) on this queue. -ECN implies RED. -.El -.Pp -Furthermore child queues can be specified like in an -.Em altq -rule. -.Pp -Following the previous example, this would specify the two referenced -queues, plus one child queue: -.Pp -.Bd -literal - queue qname1 bandwidth 50% cbq(default ecn) queue { qname1a } - queue qname1a bandwidth 1Mb cbq(borrow) - queue qname2 bandwidth 1000 priority 3 -.Ed -.Pp -Please note that child queues must not exceed the bandwidth definition -of the parent. -Relative values are calculated against the bandwidth of the parent queue. .Sh FRAGMENT HANDLING The size of IP datagrams (packets) can be significantly larger than the the maximum transmission unit (MTU) of the network. In cases when it is necessary or more efficient to send such large packets, -the large packet will be fragmented into many smaller packets that will each +the large packet will be fragmented into many smaller packets that will each fit onto the wire. Unfortunately for a firewalling device, only the first logical fragment will contain the necessary header information for the subprotocol that allows -.Em pf +.Xr pf 4 to filter on things such as TCP ports or to perform NAT. .Pp There are four options for handling fragments in the packet filter: .Pp -Using scrub rules, fragments can be reassembled by normalization. -In this case, fragments are buffered until they form a complete -packet, and only the completed packet is passed on to the filter. -The advantage is that filter rules have to deal only with complete -packets, and can ignore fragments. -The drawback of caching fragments is the additional memory cost. -But the full reassembly method is the only method that currently works with NAT. -Full reassembly is triggered by the -.Pa fragment reassemble -modifier on a -.Pa scrub -rule. This is the default behavior of a -.Pa scrub -rule if no fragmentation modifier is supplied. -.Pp -Scrub also has two additional methods to track fragments without the -high memory cost of full reassembly. -The first is enabled via the -.Pa fragment crop -modifier. -.Em pf -will track the fragments and cache a small range descriptor. -Duplicate fragments are dropped and overlaps are cropped. -Thus data will only occur once on the wire with ambiguities resolving to -the first occurrence. -Unlike the -.Pa fragment reassemble -modifier, fragments are not buffered, they are passed as soon as they -are received. -This reassembly mechanism does not yet work with NAT. -.Pp -Scrub's other method is the -.Pa fragment drop-ovl -modifier. -It is almost identical to the -.Pa fragment crop -modifier except that all overlapping or duplicate fragments will be -dropped and will cause the following corresponding fragments to be -dropped as well. +Use scrub rules. See the section on +.Em TRAFFIC NORMALIZATION. .Pp The alternative is to filter individual fragments with filter rules. -If no scrub rule applies to a fragment, it is passed to the filter. +If no +.Pa scrub +rule applies to a fragment, it is passed to the filter. Filter rules with matching IP header parameters decide whether the fragment is passed or blocked, in the same way as complete packets are filtered. @@ -1113,7 +1158,7 @@ block in quick on $ext_if from any to 255.255.255.255 # addresses, they are either spoofed or misconfigured, we can't reply to # them anyway (hence, no return-rst). block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \\ - 192.168.0.0/16, 255.255.255.255/32 } to any + 192.168.0.0/16, 255.255.255.255/32 } to any # ICMP @@ -1140,12 +1185,12 @@ pass out on $ext_if proto tcp all modulate state # pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT) pass in on $ext_if proto tcp from any to any port { ssh, smtp, domain, \\ - auth } flags S/SA keep state + auth } flags S/SA keep state # pass in data mode connections for ftp-proxy running on this host. # (see ftp-proxy(8) for details) pass in on $ext_if proto tcp from any to 157.161.48.183 port >= 49152 \\ - flags S/SA keep state + flags S/SA keep state .Ed .Sh TRANSLATION EXAMPLES @@ -1206,7 +1251,7 @@ nat on kue0 inet from ! (kue0) to any -> (kue0) # an arbitrary port # in this case, proxy outgoing isakmp with port 500 on the gateway nat on kue0 inet proto udp from any port = isakmp to any -> (kue0) \\ - port 500 + port 500 # BINAT # translate outgoing packets' source address (any protocol) @@ -1218,9 +1263,9 @@ binat on kue0 from 10.1.2.150 to any -> (kue0) # translate incoming packets' destination addresses # as an example, redirect a TCP and UDP port to an internal machine rdr on kue0 inet proto tcp from any to (kue0) port 8080 -> 10.1.2.151 \\ - port 22 + port 22 rdr on kue0 inet proto udp from any to (kue0) port 8080 -> 10.1.2.151 \\ - port 53 + port 53 # RDR # translate outgoing ftp control connections to send them to localhost @@ -1229,15 +1274,15 @@ rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081 .Ed .Sh GRAMMAR Syntax for -.Em pf.conf +.Nm in BNF: .Bd -literal line = ( option | pf_rule | nat_rule | binat_rule | rdr_rule | antispoof_rule | altq_rule | queue_rule ) option = set ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] | - [ "optimization" [ "default" | "normal" | - "high-latency" | "satellite" | + [ "optimization" [ "default" | "normal" | + "high-latency" | "satellite" | "aggressive" | "conservative" ] ] [ "limit" ( limit | "{" limit-list "}" ) ] | [ "loginterface" ( interface-name | "none" ) ] | @@ -1334,11 +1379,11 @@ flags = "flags" ( flag-set | flag-set "/" flag-set | flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ] [ "W" ] . -icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" ) . -ipv6-icmp-type = "ipv6-icmp-type" ( icmp-type-code | "{" icmp-list "}" ) . +icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" ) . +ipv6-icmp-type = "ipv6-icmp-type" ( icmp-type-code | "{" icmp-list "}" ) . icmp-type-code = ( icmp-type-name | icmp-type-number ) [ "code" ( icmp-code-name | icmp-code-number ) ] . -icmp-list = icmp-type-code [ [ "," ] icmp-list ] . +icmp-list = icmp-type-code [ [ "," ] icmp-list ] . tos = "tos" ( "lowdelay" | "throughput" | "reliability" | [ "0x" ] number ) . @@ -1357,7 +1402,7 @@ timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" | "other.first" | "other.multiple" ) seconds . seconds = number . -limit-list = limit [ [ "," ] limit-list ] . +limit-list = limit [ [ "," ] limit-list ] . limit = ( "states" | "frags" ) number . pooltype = ( "bitmask" | "random" | "source-hash" | "round-robin" ) . @@ -1370,15 +1415,15 @@ cbq-type = ( "default" | "control" | "borrow" | "red" | "ecn" | "rio" ) . .Sh FILES .Bl -tag -width "/etc/protocols" -compact .It Pa /etc/hosts -host name database +Host name database .It Pa /etc/pf.conf -default location of the ruleset file +Default location of the ruleset file .It Pa /etc/protocols -protocol name database +Protocol name database .It Pa /etc/services -service name database +Service name database .It Pa /usr/share/pf -example rulesets +Example rulesets .El .Sh SEE ALSO .Xr pf 4 , @@ -1387,7 +1432,7 @@ example rulesets .Xr services 5 , .Xr ftp-proxy 8 , .Xr pfctl 8 , -.Xr pflogd 8 , +.Xr pflogd 8 .Sh HISTORY The .Nm |