packet-filter — format of packet-filter component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the packet-filter component configuration.
Repeatable sections/items are marked by a '*' before the section/item name.
Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).
An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case the enumeration description gives the value for every name (in parentheses next to the name). For the other enumerations, names must be used.
The following enumerations are used in packet-filter configuration directives:
ip-version (see common(5))
in-out (see common(5))
protocol (name-usage obligatory)
    OSI layer 4 protocols.
    any, icmp, ipv6-icmp, ipencap, tcp, udp, tcp-udp, gre, ipv6, ipv6-frag, ipv6-nonxt, ipv6-opts, ipv6-route, esp, ah, esp-ah, carp, pfsync, l2tp, ospf, egp, igp, eigrp
icmp-type (name-usage optional)
    ICMP types.
    echorep (0), unreach (3), squench (4), redir (5), althost (6), echoreq (8), routeradv (9), routersol (10), timex (11), paramprob (12), timereq (13), timerep (14), inforeq (15), inforep (16), maskreq (17), maskrep (18)
bandwidth-mode (name-usage obligatory)
    PF bandwidth config modes.
    abs      Absolute bandwidth
    ratio    Bandwidth relative to parent
interface-mode (name-usage obligatory)
    PF interface config modes.
    any      No interface name used
    name     Interface limitation by name
pf-scheduler (name-usage obligatory)
    PF schedulers.
    cbq, priq, hfsc
pf-sc-setting (name-usage obligatory)
    PF Service Curve setting.
    total, initial
The configuration of the packet-filter library component consists of the following prototypes:
pf-sc ... ;
pf-sched-options { ... }
* pf-queue name { ... }
* peer-list ... ;
* pf-raw-acl name { ... }
* pf-acl name { ... }
packet-filter { ... }
pf-sc [total] total-bw;
pf-sc initial init-bw milliseconds total-bw;
    PF - HFSC Service Curve.
    total|initial (type: pf-sc-setting, optional, default: total)
    init-bw (type: uint64)
    milliseconds (type: uint32)
    total-bw (type: uint64)
pf-sched-options {
default ... ;
red ... ;
rio ... ;
ecn ... ;
borrow ... ;
realtime ... ;
upperlimit ... ;
linkshare ... ;
}
default;
red;
rio;
ecn;
borrow;
realtime [total] total-bw;
realtime initial init-bw milliseconds total-bw;
    PF - HFSC Service Curve.
    total|initial (type: pf-sc-setting, optional, default: total)
    init-bw (type: uint64)
    milliseconds (type: uint32)
    total-bw (type: uint64)
upperlimit [total] total-bw;
upperlimit initial init-bw milliseconds total-bw;
    PF - HFSC Service Curve.
    total|initial (type: pf-sc-setting, optional, default: total)
    init-bw (type: uint64)
    milliseconds (type: uint32)
    total-bw (type: uint64)
linkshare [total] total-bw;
linkshare initial init-bw milliseconds total-bw;
    PF - HFSC Service Curve.
    total|initial (type: pf-sc-setting, optional, default: total)
    init-bw (type: uint64)
    milliseconds (type: uint32)
    total-bw (type: uint64)
[End of section pf-sched-options description.]
pf-queue name {
parent ... ;
on ... ;
bandwidth ... ;
priority ... ;
qlimit ... ;
cbq { ... }
priq { ... }
hfsc { ... }
}
Packet filter QUEUE definition.
For details of the configuration attributes, see pf.conf(5).
CBQ, PRIQ and HFSC are mutually exclusive.
parent name;
    Parent queue definition (child queue only).
    name (type: name of pf-queue, see above)
on name;
    name (type: name of interface, see interface(5))
bandwidth [abs] bits;
bandwidth ratio percent;
    Queue bandwidth limit.
    If omitted, 100% of the parent bandwidth is assumed.
    abs|ratio (type: bandwidth-mode, optional, default: abs)
    bits (type: uint64)  Required bandwidth in bps.
    percent (type: uint8)  Required part of the parent bandwidth.
    The percent value must be less than 100.
priority prty;
    prty (type: uint8)
qlimit packets;
    packets (type: uint32)
cbq {
default ... ;
red ... ;
rio ... ;
ecn ... ;
borrow ... ;
}
The cbq section is derived from the pf-sched-options section prototype.
For its detailed description, see above.
cbq section: Items realtime, upperlimit and linkshare are not valid.
priq {
default ... ;
red ... ;
rio ... ;
ecn ... ;
}
The priq section is derived from the pf-sched-options section prototype.
For its detailed description, see above.
priq section: Items borrow, realtime, upperlimit and linkshare are not valid.
hfsc {
default ... ;
red ... ;
rio ... ;
ecn ... ;
realtime ... ;
upperlimit ... ;
linkshare ... ;
}
The hfsc section is derived from the pf-sched-options section prototype.
For its detailed description, see above.
hfsc section: Item borrow is not valid.
[End of section pf-queue description.]
peer-list [addr [port port]];
    Packet Filter peer list definition.
    addr (type: host-set, optional, default: *)  Set of peer addresses/names.
    port port (type: port-set, optional, default: *)  Set of ports (valid with TCP/UDP only).
    Regexps and discontiguous masks are not allowed in PF lists.
pf-raw-acl name {
* descr ... ;
* raw ... ;
}
Packet Filter raw rule set definition.
descr text;
    Rule set comment.
    text (type: str)
raw line;
    Raw line to be put into pf.conf.
    line (type: str)
[End of section pf-raw-acl description.]
pf-acl name {
* descr ... ;
* raw ... ;
* from ... ;
* to ... ;
* iface ... ;
ip ... ;
* protocol ... ;
tagged ... ;
deny ... ;
accept ... ;
anchor ... ;
symmetric ... ;
}
Packet Filter general rule set definition.
The pf-acl section is derived from the pf-raw-acl section prototype.
For its detailed description, see above.
pf-acl section: Exactly one of DENY, ACCEPT, ANCHOR and RAW must be specified.
An entry condition cannot be specified if RAW is used.
A valid transport protocol is required if PORT is used.
from [addr [port port]];
    Entry condition - source addresses.
    addr (type: host-set, optional, default: *)  Set of peer addresses/names.
    port port (type: port-set, optional, default: *)  Set of ports (valid with TCP/UDP only).
    Regexps and discontiguous masks are not allowed in PF lists.
to [addr [port port]];
    Entry condition - destination addresses.
    addr (type: host-set, optional, default: *)  Set of peer addresses/names.
    port port (type: port-set, optional, default: *)  Set of ports (valid with TCP/UDP only).
    Regexps and discontiguous masks are not allowed in PF lists.
iface any [dir];
iface [name] name [dir];
    Entry condition - incoming interface.
    any|name (type: interface-mode, optional, default: name)
    name (type: name of interface, see interface(5))
    dir (type: in-out, optional, default: both)
ip version;
    IP protocol version (IPv4 and IPv6 if not specified).
    version (type: ip-version)
protocol any;
protocol icmp [icmp-type icmp-type];
protocol ipv6-icmp;
protocol ipencap;
protocol tcp [flags flags];
protocol udp;
protocol tcp-udp [flags flags];
protocol gre;
protocol ipv6;
protocol ipv6-frag;
protocol ipv6-nonxt;
protocol ipv6-opts;
protocol ipv6-route;
protocol esp;
protocol ah;
protocol esp-ah;
protocol carp;
protocol pfsync;
protocol l2tp;
protocol ospf;
protocol egp;
protocol igp;
protocol eigrp;
    Entry condition - OSI layer 4 protocol.
    protocol keyword (type: protocol, see the enumeration above)
    flags flags (type: str, optional, default: <NULL>)
    icmp-type icmp-type (type: icmp-type-list, optional, default: <NULL>)
tagged tag;
    Entry condition - packet tag.
    tag (type: str)
deny;
    Global decision mode: the operation will not be served.
accept;
    Global decision mode: the operation will be served.
anchor path;
    Apply anchor rules.
    path (type: str)
symmetric;
    Use rules for symmetric routing, too.
    If used, rules for the opposite direction are generated as well, e.g. besides "pass in on ep0 from <A> to <B>", "pass out on ep0 from <B> to <A>" is also generated.
[End of section pf-acl description.]
packet-filter {
* set-option ... ;
timeouts { ... }
* altq name { ... }
* scrub-acl name { ... }
* rdr-acl name { ... }
* nat-acl name { ... }
* binat-acl name { ... }
* filter-acl name { ... }
* load-anchor ... ;
}
Packet filter configuration.
This section allows defining almost all common features of the /etc/pf.conf configuration file, with one important exception: PF tables are used by the KGB for internal purposes to achieve maximal effectiveness, and the user cannot define their own.
If this section is not used, the /etc/pf.conf file is left untouched.
For details of the configuration attributes, see pf.conf(5).
set-option line;
    Setting PF options by the SET directive.
    line (type: str)  Option setting (without the SET keyword).
timeouts {
tcp-closing ... ;
tcp-finwait ... ;
tcp-closed ... ;
}
tcp-closing seconds;
    seconds (type: uint32)
tcp-finwait seconds;
    seconds (type: uint32)
tcp-closed seconds;
    seconds (type: uint32)
[End of section packet-filter.timeouts description.]
altq name {
on ... ;
scheduler ... ;
bandwidth ... ;
qlimit ... ;
tbrsize ... ;
* queue ... ;
}
ALTQ per interface definition.
Interface name must be defined.
Bandwidth must be defined.
At least one queue must be defined.
on name;
    name (type: name of interface, see interface(5))
scheduler [name];
    name (type: pf-scheduler, optional, default: cbq)
bandwidth bits;
    bits (type: uint64)
qlimit packets;
    packets (type: uint32)
tbrsize bytes;
    bytes (type: uint64)
queue name;
    name (type: name of pf-queue, see above)
[End of section packet-filter.altq description.]
scrub-acl name {
* descr ... ;
* raw ... ;
* from ... ;
* to ... ;
* iface ... ;
ip ... ;
* protocol ... ;
deny ... ;
accept ... ;
symmetric ... ;
log ... ;
}
Traffic normalization definition.
If not used, the SCRUB IN ALL directive will be generated.
The scrub-acl section is derived from the pf-acl section prototype.
For its detailed description, see above.
scrub-acl section: Items tagged and anchor are not valid.
log [all];
    Log packets.
    all (type: key, optional)
[End of section packet-filter.scrub-acl description.]
rdr-acl name {
* descr ... ;
* raw ... ;
* from ... ;
* to ... ;
* iface ... ;
ip ... ;
* protocol ... ;
tagged ... ;
deny ... ;
accept ... ;
anchor ... ;
rdr-to ... ;
tag ... ;
}
NAT redirection definition.
The rdr-acl section is derived from the pf-acl section prototype.
For its detailed description, see above.
rdr-acl section: Item symmetric is not valid.
RDR-TO must be specified if ACCEPT is used.
A valid transport protocol is required if PORT is used.
iface (see above)
    Interface direction is not allowed.
rdr-to addr [port port];
    addr (type: host)  New target address.
    port port (type: port, optional, default: 0)  New target port (valid with TCP/UDP only).
tag name;
    name (type: str)
[End of section packet-filter.rdr-acl description.]
nat-acl name {
* descr ... ;
* raw ... ;
* from ... ;
* to ... ;
* iface ... ;
ip ... ;
* protocol ... ;
tagged ... ;
deny ... ;
accept ... ;
anchor ... ;
map-to ... ;
tag ... ;
}
NAT mapping definition.
The nat-acl section is derived from the pf-acl section prototype.
For its detailed description, see above.
nat-acl section: Item symmetric is not valid.
MAP-TO must be specified if ACCEPT is used.
A valid transport protocol is required if PORT is used.
iface (see above)
    Interface direction is not allowed.
map-to addr [port port];
    addr (type: host)  New source address.
    port port (type: port, optional, default: 0)  New source port (valid with TCP/UDP only).
tag name;
    name (type: str)
[End of section packet-filter.nat-acl description.]
binat-acl name {
* descr ... ;
* raw ... ;
}
BINAT mapping definition.
The binat-acl section is derived from the pf-raw-acl section prototype.
For its detailed description, see above.
filter-acl name {
* descr ... ;
* raw ... ;
* from ... ;
* to ... ;
* iface ... ;
ip ... ;
* protocol ... ;
tagged ... ;
deny ... ;
accept ... ;
anchor ... ;
symmetric ... ;
antispoof ... ;
log ... ;
continue ... ;
return ... ;
fastroute ... ;
route-to ... ;
queue ... ;
tag ... ;
keep-state ... ;
* option ... ;
}
Filter rule set definition.
The filter-acl section is derived from the pf-acl section prototype.
For its detailed description, see above.
filter-acl section: RETURN and ANTISPOOF can be used only with DENY.
QUEUE, TAG, KEEP-STATE and OPTION can be used only with ACCEPT.
FASTROUTE and ROUTE-TO are mutually exclusive.
Other entry conditions cannot be specified if ANTISPOOF is used.
antispoof [loop] [routes];
    Special entry condition (blocking of faked source addresses).
    loop (type: key, optional)  Include blocking for loopback, too.
    routes (type: key, optional)  Include blocking for routes, too.
log [all];
    Log packets.
    all (type: key, optional)
continue;
    Last-match is applied for all rules in this ACL.
    By default, first-match (i.e. QUICK) mode is used.
return [icmp] [code];
    Return mode definition.
    If not used, denial is done by dropping packets.
    icmp (type: key, optional)
    code (type: uint8, optional, default: 0)  ICMP message code, ICMP UNREACHABLE by default.
fastroute;
route-to iface [addr];
    iface (type: name of interface, see interface(5))
    addr (type: host, optional, default: [0.0.0.0])
queue name;
    name (type: name of pf-queue, see above)
tag name;
    name (type: str)
keep-state;
option text;
    Free-form rule option.
    text (type: str)
[End of section packet-filter.filter-acl description.]
load-anchor path from from;
    Loading rules from a file into an anchor.
    path (type: str)  Anchor name.
    from from (type: str)  File name.
[End of section packet-filter description.]
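A complete packet-filter configuration in the syntax documented above, added here as an example; it is not part of this man page or of the Kernun distribution. It assumes interface sections named int and ext exist (see interface(5)), that host-set and port-set literals are written as shown (addresses in square brackets, * for any), that # starts a comment, and the addresses are constructed.

```kernun
pf-queue q-bulk {                 # default CBQ queue, may borrow idle bandwidth
    on ext;
    bandwidth ratio 60;           # percent of the parent bandwidth, must be < 100
    cbq { default; borrow; }
}
pf-queue q-prio {                 # higher-priority queue for interactive traffic
    on ext;
    bandwidth ratio 40;
    priority 7;
    cbq { red; }
}
packet-filter {
    timeouts { tcp-closing 600; tcp-finwait 30; tcp-closed 60; }
    altq ext-altq {               # one ALTQ root per interface
        on ext;
        scheduler cbq;
        bandwidth 10000000;       # 10 Mbit/s; interface, bandwidth and a queue are required
        queue q-bulk;
        queue q-prio;
    }
    filter-acl no-spoof {         # ANTISPOOF needs DENY and no other entry condition
        deny;
        antispoof loop routes;
    }
    filter-acl ext-tcp-in {       # RETURN is valid only together with DENY
        iface ext in;
        protocol tcp;
        deny;
        return icmp;              # ICMP unreachable instead of a silent drop
        log all;
    }
    filter-acl web-out {          # QUEUE and KEEP-STATE are valid only with ACCEPT
        from [10.0.0.0/24];       # host-set literal syntax assumed (constructed address)
        to * port 443;
        iface ext out;
        protocol tcp flags "S/SA";
        accept;
        keep-state;
        queue q-prio;
    }
    filter-acl icmp-mon {         # SYMMETRIC: the reverse-direction rule is generated too
        from [10.0.0.0/24];
        to [10.0.1.5];
        iface int in;
        protocol icmp;
        accept;
        symmetric;
    }
}
```

Because no scrub-acl is given, the generated pf.conf also receives the SCRUB IN ALL directive described above.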