summaryrefslogtreecommitdiff
path: root/share/man/man5/pf.conf.5
diff options
context:
space:
mode:
Diffstat (limited to 'share/man/man5/pf.conf.5')
-rw-r--r--share/man/man5/pf.conf.5254
1 files changed, 144 insertions, 110 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 8a844fe474f..4157afe870d 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.342 2006/03/14 11:09:44 djm Exp $
+.\" $OpenBSD: pf.conf.5,v 1.343 2006/04/30 10:12:21 jmc Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -181,9 +181,9 @@ when running with
.Pp
For example,
.Bd -literal -offset indent
-table <private> const { 10/8, 172.16/12, 192.168/16 }
-table <badhosts> persist
-block on fxp0 from { <private>, <badhosts> } to any
+table \*(Ltprivate\*(Gt const { 10/8, 172.16/12, 192.168/16 }
+table \*(Ltbadhosts\*(Gt persist
+block on fxp0 from { \*(Ltprivate\*(Gt, \*(Ltbadhosts\*(Gt } to any
.Ed
.Pp
creates a table called private, to hold RFC 1918 private network
@@ -201,8 +201,8 @@ these hosts can be blocked by using
A table can also be initialized with an address list specified in one or more
external files, using the following syntax:
.Bd -literal -offset indent
-table <spam> persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
-block on fxp0 from <spam> to any
+table \*(Ltspam\*(Gt persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
+block on fxp0 from \*(Ltspam\*(Gt to any
.Ed
.Pp
The files
@@ -491,7 +491,7 @@ For example:
.Pp
.Dl set fingerprints \&"/etc/pf.os.devel\&"
.Pp
-.It Ar set skip on <ifspec>
+.It Ar set skip on Aq Ar ifspec
List interfaces for which packets should not be filtered.
Packets passing in or out on such interfaces are passed as if pf was
disabled, i.e. pf does not process them in any way.
@@ -558,9 +558,9 @@ Using the
modifier (see below) is recommended in combination with the
.Ar no-df
modifier to ensure unique IP identifiers.
-.It Ar min-ttl <number>
+.It Ar min-ttl Aq Ar number
Enforces a minimum TTL for matching IP packets.
-.It Ar max-mss <number>
+.It Ar max-mss Aq Ar number
Enforces a maximum MSS for matching TCP packets.
.It Ar random-id
Replaces the IP identification field with random values to compensate
@@ -771,9 +771,9 @@ declaration.
.Ar altq on
has the following keywords:
.Bl -tag -width xxxx
-.It Ar <interface>
+.It Aq Ar interface
Queueing is enabled on the named interface.
-.It Ar <scheduler>
+.It Aq Ar scheduler
Specifies which queueing scheduler to use.
Currently supported values
are
@@ -783,7 +783,7 @@ for Class Based Queueing,
for Priority Queueing and
.Ar hfsc
for the Hierarchical Fair Service Curve scheduler.
-.It Ar bandwidth <bw>
+.It Ar bandwidth Aq Ar bw
The maximum bitrate for all queues on an
interface may be specified using the
.Ar bandwidth
@@ -802,14 +802,14 @@ The value must not exceed the interface bandwidth.
If
.Ar bandwidth
is not specified, the interface bandwidth is used.
-.It Ar qlimit <limit>
+.It Ar qlimit Aq Ar limit
The maximum number of packets held in the queue.
The default is 50.
-.It Ar tbrsize <size>
+.It Ar tbrsize Aq Ar size
Adjusts the size, in bytes, of the token bucket regulator.
If not specified, heuristics based on the
interface bandwidth are used to determine the size.
-.It Ar queue <list>
+.It Ar queue Aq Ar list
Defines a list of subqueues to create on an interface.
.El
.Pp
@@ -838,10 +838,10 @@ in a parent
declaration.
The following keywords can be used:
.Bl -tag -width xxxx
-.It Ar on <interface>
+.It Ar on Aq Ar interface
Specifies the interface the queue operates on.
If not given, it operates on all matching interfaces.
-.It Ar bandwidth <bw>
+.It Ar bandwidth Aq Ar bw
Specifies the maximum bitrate to be processed by the queue.
This value must not exceed the value of the parent
.Ar queue
@@ -851,7 +851,7 @@ If not specified, defaults to 100% of the parent queue's bandwidth.
The
.Ar priq
scheduler does not support bandwidth specification.
-.It Ar priority <level>
+.It Ar priority Aq Ar level
Between queues a priority level can be set.
For
.Ar cbq
@@ -867,7 +867,7 @@ queues with a higher priority are always served first.
and
.Ar Hfsc
queues with a higher priority are preferred in the case of overload.
-.It Ar qlimit <limit>
+.It Ar qlimit Aq Ar limit
The maximum number of packets held in the queue.
The default is 50.
.El
@@ -875,7 +875,9 @@ The default is 50.
The
.Ar scheduler
can get additional parameters with
-.Ar <scheduler> Ns Li (\& Ar <parameters> No ) .
+.Xo Aq Ar scheduler
+.Pf ( Aq Ar parameters ) .
+.Xc
Parameters are as follows:
.Bl -tag -width Fl
.It Ar default
@@ -909,15 +911,16 @@ The
.Ar scheduler
supports some additional options:
.Bl -tag -width Fl
-.It Ar realtime <sc>
+.It Ar realtime Aq Ar sc
The minimum required bandwidth for the queue.
-.It Ar upperlimit <sc>
+.It Ar upperlimit Aq Ar sc
The maximum allowed bandwidth for the queue.
-.It Ar linkshare <sc>
+.It Ar linkshare Aq Ar sc
The bandwidth share of a backlogged queue.
.El
.Pp
-<sc> is an acronym for
+.Aq Ar sc
+is an acronym for
.Ar service curve .
.Pp
The format for service curve specifications is
@@ -1047,9 +1050,9 @@ The packet is redirected to another destination and possibly a
different port.
.Ar rdr
rules can optionally specify port ranges instead of single ports.
-rdr ... port 2000:2999 -> ... port 4000
+rdr ... port 2000:2999 -\*(Gt ... port 4000
redirects ports 2000 to 2999 (inclusive) to port 4000.
-rdr ... port 2000:2999 -> ... port 4000:*
+rdr ... port 2000:2999 -\*(Gt ... port 4000:*
redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999.
.El
.Pp
@@ -1094,7 +1097,7 @@ or to the firewall itself.
Note that redirecting external incoming connections to the loopback
address, as in
.Bd -literal -offset indent
-rdr on ne3 inet proto tcp to port spamd -> 127.0.0.1 port smtp
+rdr on ne3 inet proto tcp to port spamd -\*(Gt 127.0.0.1 port smtp
.Ed
.Pp
will effectively allow an external host to connect to daemons
@@ -1253,16 +1256,16 @@ If a packet matches a rule which has the
option set, this rule
is considered the last matching rule, and evaluation of subsequent rules
is skipped.
-.It Ar on <interface>
+.It Ar on Aq Ar interface
This rule applies only to packets coming in on, or going out through, this
particular interface or interface group.
-.It Ar <af>
+.It Aq Ar af
This rule applies only to packets of this address family.
Supported values are
.Ar inet
and
.Ar inet6 .
-.It Ar proto <protocol>
+.It Ar proto Aq Ar protocol
This rule applies only to packets of this protocol.
Common protocols are
.Xr icmp 4 ,
@@ -1275,8 +1278,11 @@ For a list of all the protocol name to number mappings used by
see the file
.Em /etc/protocols .
.It Xo
-.Ar from <source> port <source> os <source>
-.Ar to <dest> port <dest>
+.Ar from Aq Ar source
+.Ar port Aq Ar source
+.Ar os Aq Ar source
+.Ar to Aq Ar dest
+.Ar port Aq Ar dest
.Xc
This rule applies only to packets with the specified source and destination
addresses and ports.
@@ -1287,9 +1293,9 @@ symbolic host names or interface names, or as any of the following keywords:
.Bl -tag -width xxxxxxxxxxxxxx -compact
.It Ar any
Any address.
-.It Ar route <label>
+.It Ar route Aq Ar label
Any address whose associated route has label
-.Ar <label> .
+.Aq Ar label .
See
.Xr route 4
and
@@ -1300,7 +1306,7 @@ Any address which is not currently routable.
Any source address that fails a unicast reverse path forwarding (URPF)
check, i.e. packets coming in on an interface other than that which holds
the route back to the packet's source address.
-.It Ar <table>
+.It Aq Ar table
Any address that matches the given table.
.El
.Pp
@@ -1347,30 +1353,33 @@ Ports and ranges of ports are specified by using these operators:
.Bd -literal -offset indent
= (equal)
!= (unequal)
-< (less than)
-<= (less than or equal)
-> (greater than)
->= (greater than or equal)
+\*(Lt (less than)
+\*(Le (less than or equal)
+\*(Gt (greater than)
+\*(Ge (greater than or equal)
: (range including boundaries)
->< (range excluding boundaries)
-<> (except range)
+\*(Gt\*(Lt (range excluding boundaries)
+\*(Lt\*(Gt (except range)
.Ed
.Pp
-><, <> and :
+.Sq \*(Gt\*(Lt ,
+.Sq \*(Lt\*(Gt
+and
+.Sq \&:
are binary operators (they take two arguments).
For instance:
.Bl -tag -width Fl
.It Ar port 2000:2004
means
-.Sq all ports >= 2000 and <= 2004 ,
+.Sq all ports \*(Ge 2000 and \*(Le 2004 ,
hence ports 2000, 2001, 2002, 2003 and 2004.
-.It Ar port 2000 >< 2004
+.It Ar port 2000 \*(Gt\*(Lt 2004
means
-.Sq all ports > 2000 and < 2004 ,
+.Sq all ports \*(Gt 2000 and \*(Lt 2004 ,
hence ports 2001, 2002 and 2003.
-.It Ar port 2000 <> 2004
+.It Ar port 2000 \*(Lt\*(Gt 2004
means
-.Sq all ports < 2000 or > 2004 ,
+.Sq all ports \*(Lt 2000 or \*(Gt 2004 ,
hence ports 1-1999 and 2005-65535.
.El
.Pp
@@ -1386,20 +1395,20 @@ The host, port and OS specifications are optional, as in the following examples:
.Bd -literal -offset indent
pass in all
pass in from any to any
-pass in proto tcp from any port <= 1024 to any
+pass in proto tcp from any port \*(Le 1024 to any
pass in proto tcp from any to any port 25
-pass in proto tcp from 10.0.0.0/8 port > 1024 \e
+pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e
to ! 10.1.2.3 port != ssh
pass in proto tcp from any os "OpenBSD" flags S/SA
pass in proto tcp from route "DTAG"
.Ed
.It Ar all
This is equivalent to "from any to any".
-.It Ar group <group>
+.It Ar group Aq Ar group
Similar to
.Ar user ,
this rule only applies to packets of sockets owned by the specified group.
-.It Ar user <user>
+.It Ar user Aq Ar user
This rule only applies to packets of sockets owned by the specified user.
For outgoing connections initiated from the firewall, this is the user
that opened the connection.
@@ -1432,7 +1441,7 @@ can only be used with the operators
and
.Cm != .
Other constructs like
-.Cm user >= unknown
+.Cm user \*(Ge unknown
are invalid.
Forwarded packets with unknown user and group ID match only rules
that explicitly compare against
@@ -1442,22 +1451,25 @@ with the operators
or
.Cm != .
For instance
-.Cm user >= 0
+.Cm user \*(Ge 0
does not match forwarded packets.
The following example allows only selected users to open outgoing
connections:
.Bd -literal -offset indent
block out proto { tcp, udp } all
pass out proto { tcp, udp } all \e
- user { < 1000, dhartmei } keep state
+ user { \*(Lt 1000, dhartmei } keep state
.Ed
-.It Ar flags <a>/<b> | /<b>
+.It Xo Ar flags Aq Ar a
+.Pf / Ns Aq Ar b
+.No \*(Ba / Ns Aq Ar b
+.Xc
This rule only applies to TCP packets that have the flags
-.Ar <a>
+.Aq Ar a
set out of set
-.Ar <b> .
+.Aq Ar b .
Flags not specified in
-.Ar <b>
+.Aq Ar b
are ignored.
The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
.Bl -tag -width Fl
@@ -1472,8 +1484,12 @@ This is more restrictive than the previous example.
If the first set is not specified, it defaults to none.
All of SYN, FIN, RST and ACK must be unset.
.El
-.It Ar icmp-type <type> code <code>
-.It Ar icmp6-type <type> code <code>
+.It Xo Ar icmp-type Aq Ar type
+.Ar code Aq Ar code
+.Xc
+.It Xo Ar icmp6-type Aq Ar type
+.Ar code Aq Ar code
+.Xc
This rule only applies to ICMP or ICMPv6 packets with the specified type
and code.
Text names for ICMP types and codes are listed in
@@ -1503,7 +1519,7 @@ The implicit
.Ar pass
rule that is used when a packet does not match any rules does not
allow IP options.
-.It Ar label <string>
+.It Ar label Aq Ar string
Adds a label (name) to the rule, which can be used to identify the rule.
For instance,
pfctl -s labels
@@ -1532,21 +1548,24 @@ For example:
.Bd -literal -offset indent
ips = \&"{ 1.2.3.4, 1.2.3.5 }\&"
pass in proto tcp from any to $ips \e
- port > 1023 label \&"$dstaddr:$dstport\&"
+ port \*(Gt 1023 label \&"$dstaddr:$dstport\&"
.Ed
.Pp
expands to
.Bd -literal -offset indent
pass in inet proto tcp from any to 1.2.3.4 \e
- port > 1023 label \&"1.2.3.4:>1023\&"
+ port \*(Gt 1023 label \&"1.2.3.4:\*(Gt1023\&"
pass in inet proto tcp from any to 1.2.3.5 \e
- port > 1023 label \&"1.2.3.5:>1023\&"
+ port \*(Gt 1023 label \&"1.2.3.5:\*(Gt1023\&"
.Ed
.Pp
The macro expansion for the
.Ar label
directive occurs only at configuration file parse time, not during runtime.
-.It Ar queue <queue> | ( <queue> , <queue> )
+.It Xo Ar queue Aq Ar queu
+.No \*(Ba ( Aq Ar queue ,
+.Aq Ar queue )
+.Xc
Packets matching this rule will be assigned to the specified queue.
If two queues are given, packets which have a
.Em tos
@@ -1562,7 +1581,7 @@ For example:
pass in proto tcp to port 25 queue mail
pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio)
.Ed
-.It Ar tag <string>
+.It Ar tag Aq Ar string
Packets matching this rule will be tagged with the
specified string.
The tag acts as an internal marker that can be used to
@@ -1584,7 +1603,7 @@ or
.Ar binat
rules in addition to filter rules.
Tags take the same macros as labels (see above).
-.It Ar tagged <string>
+.It Ar tagged Aq Ar string
Used with filter or translation rules to specify that packets must already
be tagged with the given tag in order to match the rule.
Inverse tag matching can also be done
@@ -1593,7 +1612,7 @@ by specifying the
operator before the
.Ar tagged
keyword.
-.It Ar probability <number>
+.It Ar probability Aq Ar number
A probability attribute can be attached to a rule, with a value set between
0 and 1, bounds not included.
In that case, the rule will be honoured using the given probability value
@@ -1932,7 +1951,7 @@ and
support the following options:
.Pp
.Bl -tag -width xxxx -compact
-.It Ar max <number>
+.It Ar max Aq Ar number
Limits the number of concurrent states the rule may create.
When this limit is reached, further packets matching the rule that would
create state are dropped, until existing states time out.
@@ -1940,7 +1959,9 @@ create state are dropped, until existing states time out.
Prevent state changes for states created by this rule from appearing on the
.Xr pfsync 4
interface.
-.It Ar <timeout> <seconds>
+.It Xo Aq Ar timeout
+.Aq Ar seconds
+.Xc
Changes the timeout values used for states created by this rule.
For a list of all valid timeout names, see
.Sx OPTIONS
@@ -1981,10 +2002,10 @@ each individual rule's limits.
The following limits can be set:
.Pp
.Bl -tag -width xxxx -compact
-.It Ar max-src-nodes <number>
+.It Ar max-src-nodes Aq Ar number
Limits the maximum number of source addresses which can simultaneously
have state table entries.
-.It Ar max-src-states <number>
+.It Ar max-src-states Aq Ar number
Limits the maximum number of simultaneous state entries that a single
source address can create with this rule.
.El
@@ -1994,10 +2015,12 @@ which have completed the TCP 3-way handshake) can also be enforced
per source IP.
.Pp
.Bl -tag -width xxxx -compact
-.It Ar max-src-conn <number>
+.It Ar max-src-conn Aq Ar number
Limits the maximum number of simultaneous TCP connections which have
completed the 3-way handshake that a single host can make.
-.It Ar max-src-conn-rate <number> / <seconds>
+.It Xo Ar max-src-conn-rate Aq Ar number
+.No / Aq Ar seconds
+.Xc
Limit the rate of new connections over a time interval.
The connection rate is an approximation calculated as a moving average.
.El
@@ -2005,7 +2028,7 @@ The connection rate is an approximation calculated as a moving average.
Because the 3-way handshake ensures that the source address is not being
spoofed, more aggressive action can be taken based on these limits.
With the
-.Ar overload <table>
+.Ar overload Aq Ar table
state option, source IP addresses which hit either of the limits on
established connections will be added to the named table.
This table can be used in the ruleset to block further activity from
@@ -2024,13 +2047,15 @@ offending host, regardless of which rule created the state.
For example, the following rules will protect the webserver against
hosts making more than 100 connections in 10 seconds.
Any host which connects faster than this rate will have its address added
-to the <bad_hosts> table and have all states originating from it flushed.
+to the
+.Aq bad_hosts
+table and have all states originating from it flushed.
Any new packets arriving from this host will be dropped unconditionally
by the block rule.
.Bd -literal -offset indent
-block quick from <bad_hosts>
+block quick from \*(Ltbad_hosts\*(Gt
pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state \e
- (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
+ (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global)
.Ed
.Sh OPERATING SYSTEM FINGERPRINTING
Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP
@@ -2043,17 +2068,23 @@ upon.
The fingerprints may be specified by operating system class, by
version, or by subtype/patchlevel.
The class of an operating system is typically the vendor or genre
-and would be OpenBSD for the
+and would be
+.Ox
+for the
.Xr pf 4
firewall itself.
-The version of the oldest available OpenBSD release on the main ftp site
+The version of the oldest available
+.Ox
+release on the main FTP site
would be 2.6 and the fingerprint would be written
.Pp
.Dl \&"OpenBSD 2.6\&"
.Pp
The subtype of an operating system is typically used to describe the
patchlevel if that patch led to changes in the TCP stack behavior.
-In the case of OpenBSD, the only subtype is for a fingerprint that was
+In the case of
+.Ox ,
+the only subtype is for a fingerprint that was
normalized by the
.Ar no-df
scrub option and would be specified as
@@ -2235,25 +2266,28 @@ attachment point
using the following kinds
of rules:
.Bl -tag -width xxxx
-.It Ar nat-anchor <name>
+.It Ar nat-anchor Aq Ar name
Evaluates the
.Ar nat
rules in the specified
.Ar anchor .
-.It Ar rdr-anchor <name>
+.It Ar rdr-anchor Aq Ar name
Evaluates the
.Ar rdr
rules in the specified
.Ar anchor .
-.It Ar binat-anchor <name>
+.It Ar binat-anchor Aq Ar name
Evaluates the
.Ar binat
rules in the specified
.Ar anchor .
-.It Ar anchor <name>
+.It Ar anchor Aq Ar name
Evaluates the filter rules in the specified
.Ar anchor .
-.It Ar load anchor <name> from <file>
+.It Xo Ar load anchor
+.Aq Ar name
+.Ar from Aq Ar file
+.Xc
Loads the rules from the specified file into the
anchor
.Ar name .
@@ -2414,7 +2448,7 @@ and therefore lacks permission to bind to port 80).
ext_if = \&"ne3\&"
# map daemon on 8080 to appear to be on 80
-rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
+rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080
.Ed
.Pp
If the
@@ -2422,7 +2456,7 @@ If the
modifier is given, packets matching the translation rule are passed without
inspecting the filter rules:
.Bd -literal
-rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \e
+rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e
port 8080
.Ed
.Pp
@@ -2435,7 +2469,7 @@ network appear as though it is the Internet routable address
for the nodes on vlan12.
(Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.)
.Bd -literal
-nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
+nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111
.Ed
.Pp
In the example below, the machine sits between a fake internal 144.19.74.*
@@ -2446,7 +2480,7 @@ rule excludes protocol AH from being translated.
.Bd -literal
# NO NAT
no nat on $ext_if proto ah from 144.19.74.0/24 to any
-nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
+nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100
.Ed
.Pp
In the example below, packets bound for one specific server, as well as those
@@ -2455,7 +2489,7 @@ generated by the sysadmins are not proxied; all other connections are.
# NO RDR
no rdr on $int_if proto { tcp, udp } from any to $server port 80
no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
-rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \e
+rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e
port 80
.Ed
.Pp
@@ -2473,33 +2507,33 @@ manpage.
# NAT
# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
-nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
+nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if)
# NAT PROXYING
# Map outgoing packets' source port to an assigned proxy port instead of
# an arbitrary port.
# In this case, proxy outgoing isakmp with port 500 on the gateway.
-nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e
+nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e
port 500
# BINAT
# Translate outgoing packets' source address (any protocol).
# Translate incoming packets' destination address to an internal machine
# (bidirectional).
-binat on $ext_if from 10.1.2.150 to any -> $ext_if
+binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if
# RDR
# Translate incoming packets' destination addresses.
# As an example, redirect a TCP and UDP port to an internal machine.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e
- -> 10.1.2.151 port 22
+ -\*(Gt 10.1.2.151 port 22
rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e
- -> 10.1.2.151 port 53
+ -\*(Gt 10.1.2.151 port 53
# RDR
# Translate outgoing ftp control connections to send them to localhost
# for proxying with ftp-proxy(8) running on port 8021.
-rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
+rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021
.Ed
.Pp
In this example, a NAT gateway is set up to translate internal addresses
@@ -2511,13 +2545,13 @@ network.
# Translate outgoing packets' source addresses using an address pool.
# A given source address is always translated to the same pool address by
# using the source-hash keyword.
-nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash
+nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash
# RDR ROUND ROBIN
# Translate incoming web server connections to a group of web servers on
# the internal network.
rdr on $ext_if proto tcp from any to any port 80 \e
- -> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
+ -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
.Ed
.Sh FILTER EXAMPLES
.Bd -literal
@@ -2537,7 +2571,7 @@ block return log on $ext_if all
# block anything coming from source we have no back routes for
block in from no-route to any
-# block packets whose ingress interface does not match the one in
+# block packets whose ingress interface does not match the one in
# the route back to their source address
block in from urpf-failed to any
@@ -2610,8 +2644,8 @@ pass out on $ext_if proto tcp from any to any port 80 keep state
# tag incoming packets as they are redirected to spamd(8). use the tag
# to pass those packets through the packet filter.
-rdr on $ext_if inet proto tcp from <spammers> to port smtp \e
- tag SPAMD -> 127.0.0.1 port spamd
+rdr on $ext_if inet proto tcp from \*(Ltspammers\*(Gt to port smtp \e
+ tag SPAMD -\*(Gt 127.0.0.1 port spamd
block in on $ext_if
pass in on $ext_if inet proto tcp tagged SPAMD keep state
@@ -2660,7 +2694,7 @@ filteropt = user | group | flags | icmp-type | icmp6-type | tos |
nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
- [ "->" ( redirhost | "{" redirhost-list "}" )
+ [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] [ "static-port" ] ]
binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
@@ -2668,19 +2702,19 @@ binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ "proto" ( proto-name | proto-number ) ]
"from" address [ "/" mask-bits ] "to" ipspec
[ "tag" string ] [ "tagged" string ]
- [ "->" address [ "/" mask-bits ] ]
+ [ "-\*(Gt" address [ "/" mask-bits ] ]
rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
[ "on" ifspec ] [ af ]
[ protospec ] hosts [ "tag" string ] [ "tagged" string ]
- [ "->" ( redirhost | "{" redirhost-list "}" )
+ [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
[ portspec ] [ pooltype ] ]
antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
"for" ( interface-name | "{" interface-list "}" )
[ af ] [ "label" string ]
-table-rule = "table" "<" string ">" [ tableopts-list ]
+table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
tableopts-list = tableopts-list tableopts | tableopts
tableopts = "persist" | "const" | "file" string |
"{" [ tableaddr-list ] "}"
@@ -2734,7 +2768,7 @@ hosts = "all" |
"{" host-list "}" | "route" string ) [ port ]
ipspec = "any" | host | "{" host-list "}"
-host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
+host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
redirhost = address [ "/" mask-bits ]
routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
address = ( interface-name | "(" interface-name ")" | hostname |
@@ -2749,9 +2783,9 @@ os = "os" ( os-name | "{" os-list "}" )
user = "user" ( unary-op | binary-op | "{" op-list "}" )
group = "group" ( unary-op | binary-op | "{" op-list "}" )
-unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
+unary-op = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ]
( name | number )
-binary-op = number ( "<>" | "><" | ":" ) number
+binary-op = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number
op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
os-name = operating-system-name
@@ -2776,7 +2810,7 @@ state-opt = ( "max" number | "no-sync" | timeout |
"max-src-nodes" number | "max-src-states" number |
"max-src-conn" number |
"max-src-conn-rate" number "/" number |
- "overload" "<" string ">" [ "flush" ] |
+ "overload" "\*(Lt" string "\*(Gt" [ "flush" ] |
"if-bound" | "floating" )
fragmentation = [ "fragment reassemble" | "fragment crop" |