Diffstat (limited to 'share/man/man5/pf.conf.5')
share/man/man5/pf.conf.5 | 88 (-rw-r--r--)
1 files changed, 37 insertions, 51 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index ca3a2347e7d..2186f766607 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.439 2009/04/27 15:32:52 jmc Exp $ +.\" $OpenBSD: pf.conf.5,v 1.440 2009/04/27 19:04:42 jmc Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -38,7 +38,7 @@ The .Xr pf 4 packet filter modifies, drops, or passes packets according to rules or definitions specified in -.Nm pf.conf . +.Nm . .Pp Comments can be put anywhere in the file using a hash mark .Pq Sq # , @@ -51,13 +51,13 @@ include "/etc/pf/sub.filter.conf" .Ed .Pp There are six types of statements in -.Nm pf.conf : +.Nm : .Bl -tag -width xxxx .It Cm Macros User-defined variables may be defined and used later, simplifying the configuration file. Macros must be defined before they are referenced in -.Nm pf.conf . +.Nm . .It Cm Tables Tables provide a mechanism for increasing the performance and flexibility of rules with large numbers of source or destination addresses. @@ -126,13 +126,13 @@ before or after the ruleset has been loaded. Table definitions can be placed directly in this file and loaded at the same time as other rules are loaded, atomically. Table definitions inside -.Nm pf.conf +.Nm use the .Ar table statement, and are especially useful to define non-persistent tables. The contents of a pre-existing table defined without a list of addresses to initialize it is not altered when -.Nm pf.conf +.Nm is loaded. A table initialized with the empty list, .Li { } , 
@@ -182,9 +182,8 @@ The private table cannot have its contents changed and the badhosts table will exist even when no active filter rules reference it. Addresses may later be added to the badhosts table, so that traffic from these hosts can be blocked by using the following: -.Bd -literal -offset indent -# pfctl -t badhosts -Tadd 204.92.77.111 -.Ed +.Pp +.Dl # pfctl -t badhosts -Tadd 204.92.77.111 .Pp A table can also be initialized with an address list specified in one or more external files, using the following syntax: @@ -280,15 +279,13 @@ entries (generated by rules which do not specify .Ar no state ) to 20000: -.Bd -literal -offset indent -set limit states 20000 -.Ed +.Pp +.Dl set limit states 20000 .Pp To set the maximum number of entries in the memory pool used for fragment reassembly to 20000: -.Bd -literal -offset indent -set limit frags 20000 -.Ed +.Pp +.Dl set limit frags 20000 .Pp To set the maximum number of entries in the memory pool used for tracking source IP addresses (generated by the @@ -296,9 +293,8 @@ source IP addresses (generated by the and .Ar src.track options) to 2000: -.Bd -literal -offset indent -set limit src-nodes 2000 -.Ed +.Pp +.Dl set limit src-nodes 2000 .Pp To set limits on the memory pools used by tables: .Bd -literal -offset indent @@ -318,21 +314,18 @@ set limit { states 20000, frags 20000, src-nodes 2000 } Enable collection of packet and byte count statistics for the given interface or interface group. These statistics can be viewed using: -.Bd -literal -offset indent -# pfctl -s info -.Ed +.Pp +.Dl # pfctl -s info .Pp In this example .Xr pf 4 collects statistics on the interface named dc0: -.Bd -literal -offset indent -set loginterface dc0 -.Ed +.Pp +.Dl set loginterface dc0 .Pp One can disable the loginterface using: -.Bd -literal -offset indent -set loginterface none -.Ed +.Pp +.Dl set loginterface none .It Ar set optimization Optimize state timeouts for one of the following network environments: .Pp 
@@ -431,9 +424,8 @@ option sets the state options for states created from rules without an explicit .Ar keep state . For example: -.Bd -literal -offset indent -set state-defaults pflow, no-sync -.Ed +.Pp +.Dl set state-defaults pflow, no-sync .It Ar set state-policy The .Ar state-policy @@ -555,7 +547,7 @@ control. At least two declarations are required to configure queues, and later any packet filtering rule can reference the defined queues by name. During the filtering component of -.Nm pf.conf , +.Nm , the last referenced .Ar queue name is where any packets from @@ -832,7 +824,7 @@ Translation rules modify either the source or destination address of the packets associated with a stateful connection. A stateful connection is automatically created to track packets matching such a rule as long as they are not blocked by the filtering section of -.Nm pf.conf . +.Nm . The translation engine modifies the specified address and/or port in the packet, recalculates IP, TCP, and UDP checksums as necessary, and passes it to the packet filter for evaluation. @@ -1093,9 +1085,8 @@ as the code to support this feature has not yet been implemented. .Pp The simplest mechanism to block everything by default and only pass packets that match explicit rules is specify a first filter rule of: -.Bd -literal -offset indent -block all -.Ed +.Pp +.Dl block all .It Ar match The packet is matched. This mechanism is used to provide fine grained filtering @@ -1511,9 +1502,8 @@ A probability attribute can be attached to a rule, with a value set between In that case, the rule will be honoured using the given probability value only. For example, the following rule will drop 20% of incoming ICMP packets: -.Bd -literal -offset indent -block in proto icmp probability 20% -.Ed +.Pp +.Dl block in proto icmp probability 20% .Pp .It Xo Ar queue Aq Ar queue .No \*(Ba ( Aq Ar queue , 
@@ -1722,9 +1712,8 @@ For example, to allow echo requests (such as those created by .Xr ping 8 ) out statefully and match incoming echo replies correctly to states: -.Bd -literal -offset indent -pass out inet proto icmp all icmp-type echoreq -.Ed +.Pp +.Dl pass out inet proto icmp all icmp-type echoreq .Pp Also, looking up states is usually faster than evaluating rules. If there are 50 rules, all of them are evaluated sequentially in O(n). @@ -2097,9 +2086,8 @@ may be either a hex or decimal number. .El .Pp For example: -.Bd -literal -offset indent -match in all scrub (no-df max-mss 1440) -.Ed +.Pp +.Dl match in all scrub (no-df max-mss 1440) .Ss Fragment Handling The size of IP datagrams (packets) can be significantly larger than the maximum transmission unit (MTU) of the network. @@ -2162,9 +2150,8 @@ to the specified interface(s) from entering the system through any other interface. .Pp For example: -.Bd -literal -offset indent -compact -antispoof for lo0 -.Ed +.Pp +.Dl antispoof for lo0 .Pp Expands to: .Bd -literal -offset indent -compact @@ -2176,9 +2163,8 @@ For non-loopback interfaces, there are additional rules to block incoming packets with a source IP address identical to the interface's IP(s). For example, assuming the interface wi0 had an IP address of 10.0.0.1 and a netmask of 255.255.255.0: -.Bd -literal -offset indent -antispoof for wi0 inet -.Ed +.Pp +.Dl antispoof for wi0 inet .Pp Expands to: .Bd -literal -offset indent -compact @@ -2305,7 +2291,7 @@ rule after the anchor rule. When .Xr pfctl 8 loads -.Nm pf.conf , +.Nm , it will also load all the rules from the file .Pa /etc/pf-spam.conf into the anchor. |
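Review bot: the bare `+.Nm .` replacing `-.Nm pf.conf .` in the @@ -38 hunk (and the identical substitutions in the @@ -51, @@ -126, @@ -555, @@ -832 and @@ -2305 hunks) only renders as "pf.conf" if the page's first `.Nm` in the NAME section still carries the literal name; that section is outside this diff, so confirm it reads `.Nm pf.conf` before committing, otherwise every empty `.Nm` in the body renders blank. The trailing `.` after `.Nm` is handled as punctuation by mdoc, so that part is fine.

Review bot: in the @@ -182 hunk, moving `-# pfctl -t badhosts -Tadd 204.92.77.111` out of `-.Bd -literal -offset indent` into `+.Dl # pfctl -t badhosts -Tadd 204.92.77.111` changes the line from a literal block into a parsed one-line display, so any token that coincides with an mdoc macro name would be interpreted instead of printed. None of the converted lines in this patch carry such a token (`#`, `pfctl`, `-t`, `-Tadd`, and the `set`, `block`, `pass`, `match` and `antispoof` keywords are plain text), and attached punctuation such as `pflow,` in the @@ -431 hunk and `20%` in the @@ -1511 hunk is also safe, but a short comment in the commit message noting that `.Dl` is parsed would help whoever adds the next example line in this style.

Review bot: the unchanged context line "The simplest mechanism to block everything by default and only pass packets that match explicit rules is specify a first filter rule of:" in the @@ -1093 hunk is missing "to" before "specify"; since this hunk already rewrites the lines immediately below it, it would be a good moment to change it to "is to specify a first filter rule of:".

Review bot: in the @@ -2162 and @@ -2176 hunks the removed block was `-.Bd -literal -offset indent -compact`, not the plain `-offset indent` form used everywhere else in this patch, and `-compact` suppressed the blank line between "For example:" and `antispoof for lo0` / `antispoof for wi0 inet`. Replacing it with `+.Pp` followed by `+.Dl ...` reintroduces that blank line, so unlike the other hunks this one changes the rendered output; the following "Expands to:" display still uses `.Bd -literal -offset indent -compact`. Either keep the `.Bd ... -compact` form for these two examples or drop the `.Pp` so the antispoof line and its expansion stay visually paired, and check the rendered page with mandoc before merging.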