Name

packet-filter — format of packet-filter component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the packet-filter component configuration.

Repeatable sections/items are marked by the '*' before section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case the enumeration description lists the value for every name (in parentheses next to the name). For the other enumerations, names must be used.

The following enumerations are used in packet-filter configuration directives:

yes-no (see common(5))

on-off (see common(5))

name-selection (see common(5))

ip-version (see common(5))

in-out (see common(5))

time-cond (see common(5))

zip-mode (see common(5))

dbglev (see log(5))

logfail-mode (see log(5))

week-day (see time(5))

month (see time(5))

pf-osi4-proto (name-usage obligatory)

OSI layer 4 protocols.

any, icmp, ipv6-icmp, ipencap, tcp, udp, tcp-udp, gre, ipv6, ipv6-frag, ipv6-nonxt, ipv6-opts, ipv6-route, esp, ah, esp-ah, carp, pfsync, l2tp, ospf, egp, igp, eigrp

icmp-type (name-usage optional)

ICMP types.

echorep (0), unreach (3), squench (4), redir (5), althost (6), echoreq (8), routeradv (9), routersol (10), timex (11), paramprob (12), timereq (13), timerep (14), inforeq (15), inforep (16), maskreq (17), maskrep (18)

pf-scheduler (name-usage obligatory)

PF schedulers.

cbq, priq, hfsc

pf-proc-mode (name-usage obligatory)

PF packet processing modes.

direct

Forward packet directly without any further processing.

Technically, the packet is tagged by the NONTRANSP tag.

application

Let the packet be processed normally by Kernun applications.

Technically, the packet is tagged by the APPLICATION tag.

tag

Process the packet normally by Kernun and tag it with a new tag.

notag

Process the packet normally by Kernun and do not tag it.

proxy-ng

Process the packet with a proxy-ng transparent listening socket.

ITEMS AND SECTIONS

Configuration of the packet-filter library component consists of the following prototypes:


* peer-list ... ;
  pf-processing ... ;
* pf-raw-acl name { ... }
* pf-acl name { ... }
  packet-filter { ... }
    

Description:

peer-list [addr [port port]];

Packet Filter peer list definition.

addr (type: host-set, optional, default: *)

Set of peer addresses/names.

port port (type: port-set, optional, default: *)

Set of ports (valid with TCP/UDP only).

Constraints:

Host list must not be empty.

Regexps and discontiguous masks are not allowed in PF lists.

pf-processing [direct];

pf-processing application;

pf-processing tag tag;

pf-processing notag;

pf-processing proxy-ng listen-socket-id listen-socket-id;

Packet processing mode definition.

<branching element> (type: pf-proc-mode, optional, default: direct)

tag (type: str)

listen-socket-id listen-socket-id (type: str)

ID of the PROXY-NG transparent listening socket.

pf-raw-acl name {


* descr ... ;
* raw ... ;
}

        

Packet Filter raw rule set definition.

Items & subsections:

descr text;

Rule set comment.

text (type: str)

raw line;

Raw line to be copied verbatim into pf.conf; it must be valid pf.conf(5) syntax.

line (type: str)

[End of section pf-raw-acl description.]

pf-acl name {


* descr ... ;
* raw ... ;
* from ... ;
* to ... ;
* iface ... ;
  ip ... ;
* protocol ... ;
  tagged ... ;
  time-period-set { ... }
  deny ... ;
  accept ... ;
  anchor ... ;
  symmetric ... ;
}

        

Packet Filter general rule set definition.

The pf-acl section is derived from the pf-raw-acl section prototype; for a detailed description of it, see above.

Changes to the pf-acl section:

Exactly one of DENY, ACCEPT, ANCHOR and RAW must be specified.

An entry condition cannot be specified if RAW is used.

A valid transport protocol (TCP or UDP) is required if PORT is used.

Added items & subsections:

from [addr [port port]];

Entry condition - source addresses.

addr (type: host-set, optional, default: *)

Set of peer addresses/names.

port port (type: port-set, optional, default: *)

Set of ports (valid with TCP/UDP only).

Constraints:

Host list must not be empty.

Regexps and discontiguous masks are not allowed in PF lists.

to [addr [port port]];

Entry condition - destination addresses.

addr (type: host-set, optional, default: *)

Set of peer addresses/names.

port port (type: port-set, optional, default: *)

Set of ports (valid with TCP/UDP only).

Constraints:

Host list must not be empty.

Regexps and discontiguous masks are not allowed in PF lists.

iface any [dir];

iface [name] name [dir];

Entry condition - incoming interface.

<branching element> (type: name-selection, optional, default: name)

name (type: name of interface, see interface(5))

dir (type: in-out, optional, default: both)

ip version;

IP protocol version (both IPv4 and IPv6 if not specified).

version (type: ip-version)

protocol any;

protocol icmp [icmp-type icmp-type];

protocol ipv6-icmp;

protocol ipencap;

protocol tcp [flags flags];

protocol udp;

protocol tcp-udp [flags flags];

protocol gre;

protocol ipv6;

protocol ipv6-frag;

protocol ipv6-nonxt;

protocol ipv6-opts;

protocol ipv6-route;

protocol esp;

protocol ah;

protocol esp-ah;

protocol carp;

protocol pfsync;

protocol l2tp;

protocol ospf;

protocol egp;

protocol igp;

protocol eigrp;

Entry condition - OSI layer 4 protocol.

<branching element> (type: pf-osi4-proto)

flags flags (type: str, optional, default: <NULL>)

icmp-type icmp-type (type: icmp-type-list, optional, default: <NULL>)

tagged tag;

Entry condition - packet tag.

tag (type: str)

time-period-set {


  exclude ... ;
* time-spec name { ... }
}

            

The time-period-set section is derived from the time-period-set section prototype; for a detailed description of it, see time(5).

deny;

Global decision mode: the operation will not be served (for filter rules, matching packets are blocked).

accept;

Global decision mode: the operation will be served (for filter rules, matching packets are passed).

anchor path;

Apply anchor rules.

path (type: str)

symmetric;

Use rules for symmetric routing, too.

If used, rules for opposite direction are generated, too, e.g. besides "pass in on ep0 from <A> to <B>", also "pass out on ep0 from <B> to <A>" is generated.

[End of section pf-acl description.]

packet-filter {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  pflog ... ;
  pfsync ... ;
  comm-dir ... ;
  ignore-iface ... ;
  pcap-timeout ... ;
  buffer-size ... ;
* set-option ... ;
  timeouts { ... }
  limits { ... }
  logging-frequence ... ;
* altq name { ... }
* scrub-acl name { ... }
* rdr-acl name { ... }
* nat-acl name { ... }
* binat-acl name { ... }
* filter-acl name { ... }
* load-anchor ... ;
}

        

Packet filter configuration.

This section allows defining almost all common features of the /etc/pf.conf configuration file, with one important exception: PF tables are used by the KGB for internal purposes to achieve maximal efficiency, and the user cannot define tables of their own.

If this section is not used, the /etc/pf.conf file is left untouched.

For configuration attributes details, see pf.conf(5).

The packet-filter section is derived from the alone-application section prototype; for a detailed description of it, see application(5).

Changes to the packet-filter section:

Section monitoring is not valid.

Item phase (see common(5))

Element number is optional, default: 30.

Added items & subsections:

pflog [dev];

Device for pflog monitoring.

dev (type: str, optional, default: "pflog0")

pfsync [dev];

Device for pfsync monitoring.

dev (type: str, optional, default: "pfsync0")

comm-dir [path];

Directory for communication with pfctl.

path (type: str, optional, default: "/tmp")

ignore-iface ifaces;

Set of interfaces not monitored by pflogger.

ifaces (type: str-set)

pcap-timeout [sec];

Timeout for pcap reader.

sec (type: uint32, optional, default: 500)

buffer-size [bytes];

Buffer size for pcap reader.

bytes (type: uint32, optional, default: 20Mi)

set-option line;

Sets a PF option via the SET directive.

line (type: str)

Option setting (without the SET keyword), e.g. "block-policy drop".

timeouts {


  tcp-closing ... ;
  tcp-finwait ... ;
  tcp-closed ... ;
  udp-first ... ;
  udp-single ... ;
  udp-multiple ... ;
}

            

Setting various PF timeouts.

Items & subsections:

tcp-closing seconds;

Time limit for the state after the first FIN has been sent.

seconds (type: uint32)

tcp-finwait seconds;

Time limit for the state after both FINs have been exchanged and the connection is closed.

seconds (type: uint32)

tcp-closed seconds;

Time limit for the state after one endpoint sends an RST.

seconds (type: uint32)

udp-first seconds;

Time limit for the state after the first packet.

seconds (type: uint32)

udp-single seconds;

Time limit for the state if the source host sends more than one packet but the destination host has never sent one back.

seconds (type: uint32)

udp-multiple seconds;

Time limit for the state if both hosts have sent packets.

seconds (type: uint32)

[End of section packet-filter.timeouts description.]

limits {


  states ... ;
  frags ... ;
  table-entries ... ;
}

            

Setting various PF limits.

Items & subsections:

states [size];

Maximum number of entries in the memory pool used for state table entries.

size (type: uint32, optional, default: 100000)

frags [size];

Maximum number of entries in the memory pool used for packet reassembly (scrub rules).

size (type: uint32, optional, default: 50000)

table-entries [size];

Maximum number of addresses stored in the packet filter tables.

The adaptive-firewall tables have a separate limit.

size (type: uint32, optional, default: 200000)

[End of section packet-filter.limits description.]

logging-frequence [sec];

Frequency (in seconds) of logging the stateless events counter.

sec (type: uint32, optional, default: 60)

altq name {


  on ... ;
  scheduler ... ;
  bandwidth ... ;
  qlimit ... ;
  tbrsize ... ;
* queue ... ;
}

            

ALTQ per interface definition.

Constraints:

Interface name must be defined.

Bandwidth must be defined.

At least one queue must be defined.

Items & subsections:

on name;

name (type: name of interface, see interface(5))

scheduler [name];

name (type: pf-scheduler, optional, default: cbq)

bandwidth bits;

bits (type: uint64)

qlimit packets;

packets (type: uint32)

tbrsize bytes;

bytes (type: uint64)

queue name;

name (type: name of pf-queue, see pf-queue(5))

[End of section packet-filter.altq description.]

scrub-acl name {


* descr ... ;
* raw ... ;
* from ... ;
* to ... ;
* iface ... ;
  ip ... ;
* protocol ... ;
  time-period-set { ... }
  deny ... ;
  accept ... ;
  symmetric ... ;
  no-df ... ;
  max-mss ... ;
  log ... ;
}

            

Traffic normalization definition.

If not used, the SCRUB IN ALL directive will be generated.

The scrub-acl section is derived from the pf-acl section prototype; for a detailed description of it, see above.

Changes to the scrub-acl section:

Item tagged is not valid.

Item anchor is not valid.

Added items & subsections:

no-df;

Clear the don't-fragment (DF) bit from matching IP packets.

max-mss number;

Enforce a maximum MSS for matching TCP packets.

number (type: uint32)

log [mode];

Log packets.

mode (type: on-off, optional, default: on=1)

[End of section packet-filter.scrub-acl description.]
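The following is a worked example of the top-level packet-filter items described above (SET-OPTION, TIMEOUTS, LIMITS, LOGGING-FREQUENCE) together with a SCRUB-ACL. It is added here for illustration and is not taken from the Kernun documentation or from any shipped configuration. Assumptions: quoted strings are used for str values, `#` starts a comment as per configuration(7), `any` is accepted by the iface item as documented above, and the values themselves are illustrative. They tighten the TCP/UDP state timeouts below the pf.conf(5) defaults (tcp.closing 900, tcp.finwait 45, tcp.closed 90, udp.first 60, udp.single 30, udp.multiple 60) so that a SYN or UDP flood fills the state table more slowly, and raise the state limit accordingly.

```conf
packet-filter {
    # pflog0 is the default; named explicitly so the logging device is obvious.
    pflog "pflog0";

    # Each line is emitted as "set <line>" in /etc/pf.conf (SET keyword omitted here).
    set-option "block-policy drop";
    set-option "skip on lo0";
    set-option "state-policy if-bound";

    # State timeouts in seconds (all below the pf.conf(5) defaults, see lead-in).
    timeouts {
        tcp-closing   120;
        tcp-finwait    30;
        tcp-closed     30;
        udp-first      30;
        udp-single     15;
        udp-multiple   45;
    }

    # Memory pool limits; the defaults documented above are 100000 / 50000 / 200000.
    limits {
        states        250000;
        frags          50000;
        table-entries 400000;
    }

    # Log the stateless-event counter every 60 s (the default).
    logging-frequence 60;

    # The implicit SCRUB IN ALL is generated only when no scrub-acl exists, so this
    # one deliberately keeps covering every inbound packet: reassemble fragments,
    # clear DF and clamp the TCP MSS to 1452 (1500-byte MTU minus 8 bytes of PPPoE
    # header and 40 bytes of IP+TCP headers; the MTU figure is an assumption).
    scrub-acl NORMALIZE_IN {
        descr "Reassemble fragments, clear DF, clamp MSS on all inbound traffic";
        iface any in;
        accept;
        no-df;
        max-mss 1452;
    }
}
```

After Kernun has regenerated /etc/pf.conf, `pfctl -st` lists the effective timeouts and `pfctl -sm` the memory limits, which is the quickest way to confirm that the configured values took effect.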

rdr-acl name {


* descr ... ;
* raw ... ;
* from ... ;
* to ... ;
* iface ... ;
  ip ... ;
* protocol ... ;
  tagged ... ;
  time-period-set { ... }
  deny ... ;
  accept ... ;
  anchor ... ;
  rdr-to ... ;
  process ... ;
}

            

NAT redirection definition.

The rdr-acl section is derived from the pf-acl section prototype; for a detailed description of it, see above.

Changes to the rdr-acl section:

Item symmetric is not valid.

RDR-TO must be specified if ACCEPT is used.

A valid transport protocol (TCP or UDP) is required if PORT is used.

Item iface (see above)

Interface direction not allowed.

Item protocol (see above)

ICMP type constraint not allowed.

Added items & subsections:

rdr-to addr [port port];

addr (type: host)

New target address.

port port (type: port, optional, default: 0)

New target port (valid with TCP/UDP only). If omitted, the destination port is left unchanged.

process [direct];

process application;

process tag tag;

process notag;

process proxy-ng listen-socket-id listen-socket-id;

Packet processing mode definition.

<branching element> (type: pf-proc-mode, optional, default: direct)

tag (type: str)

listen-socket-id listen-socket-id (type: str)

ID of the PROXY-NG transparent listening socket.

[End of section packet-filter.rdr-acl description.]

nat-acl name {


* descr ... ;
* raw ... ;
* from ... ;
* to ... ;
* iface ... ;
  ip ... ;
* protocol ... ;
  tagged ... ;
  time-period-set { ... }
  deny ... ;
  accept ... ;
  anchor ... ;
  map-to ... ;
  process ... ;
  static-port ... ;
}

            

NAT mapping definition.

The nat-acl section is derived from the pf-acl section prototype; for a detailed description of it, see above.

Changes to the nat-acl section:

Item symmetric is not valid.

MAP-TO must be specified if ACCEPT is used.

A valid transport protocol (TCP or UDP) is required if PORT is used.

Item iface (see above)

Interface direction not allowed.

Item protocol (see above)

ICMP type constraint not allowed.

Added items & subsections:

map-to addr [port port];

addr (type: host-list)

New source address list.

port port (type: port, optional, default: 0)

New source port (valid with TCP/UDP only).

process [direct];

process application;

process tag tag;

process notag;

process proxy-ng listen-socket-id listen-socket-id;

Packet processing mode definition.

<branching element> (type: pf-proc-mode, optional, default: direct)

tag (type: str)

listen-socket-id listen-socket-id (type: str)

ID of the PROXY-NG transparent listening socket.

static-port;

The STATIC-PORT option of the NAT rule: the source port of translated TCP/UDP packets is not rewritten.

[End of section packet-filter.nat-acl description.]

binat-acl name {


* descr ... ;
* raw ... ;
}

            

BINAT mapping definition.

The binat-acl section is derived from the pf-raw-acl section prototype; for a detailed description of it, see above.
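The following worked example covers the three translation sections (rdr-acl, nat-acl and binat-acl) described above. It is added for illustration and is not part of the Kernun documentation or of any shipped configuration. Assumptions: the interfaces int0 (internal) and ext0 (external) are defined in the interface(5) configuration and ext0 is also the OS interface name; the `[address]` literal form is inferred from the `[0.0.0.0]` default shown on this page; `*` is written explicitly where the page gives it as the default; `#` starts a comment; 203.0.113.10 and 203.0.113.25 are documentation addresses standing in for the firewall's public addresses; and the transparent HTTP proxy listening on 127.0.0.1:3128 is hypothetical. The sections are assumed to be emitted into pf.conf in configuration order, which matters because pf evaluates translation rules first to last and the first matching rule decides (pf.conf(5)).

```conf
# Inside the packet-filter { ... } section.

# The exception precedes the general redirect: first match wins for
# translation rules, so admin stations are exempted before the catch-all.
rdr-acl NO_RDR_ADMIN {
    descr "Admin stations talk to web servers directly";
    iface int0;
    from [10.1.99.0/24];
    to * port 80;
    protocol tcp;
    deny;
}

rdr-acl HTTP_TO_PROXY {
    descr "Divert every other internal HTTP request to the transparent proxy";
    iface int0;
    from [10.1.0.0/16];
    to * port 80;
    protocol tcp;
    accept;
    # ACCEPT requires RDR-TO (constraint above); proxy address is hypothetical.
    rdr-to [127.0.0.1] port 3128;
    process application;
}

# Specific NAT rule first: SIP phones keep their source port so the registrar
# sees a stable contact address. Port use requires a transport protocol.
nat-acl SIP_STATIC {
    descr "SIP phones keep their source port";
    iface ext0;
    from [10.1.20.0/24];
    to * port 5060;
    protocol udp;
    accept;
    map-to [203.0.113.10];
    static-port;
}

nat-acl INTERNAL_MASQ {
    descr "Everything else leaving ext0 is masqueraded";
    iface ext0;
    from [10.1.0.0/16];
    accept;
    map-to [203.0.113.10];
}

# binat-acl only carries raw pf.conf(5) lines, copied verbatim: the interface
# name here must be the OS name and the line gets no Kernun-side checking.
binat-acl MAIL_1TO1 {
    descr "Bidirectional 1:1 mapping for the DMZ mail relay";
    raw "binat on ext0 from 10.2.0.25 to any -> 203.0.113.25";
}
```

`pfctl -sn` prints the generated translation rules in their effective order, which is the check to run when a redirect unexpectedly catches (or misses) a host: the first rule that matches is the one applied.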

filter-acl name {


* descr ... ;
* raw ... ;
* from ... ;
* to ... ;
* iface ... ;
  ip ... ;
* protocol ... ;
  tagged ... ;
  time-period-set { ... }
  deny ... ;
  accept ... ;
  anchor ... ;
  symmetric ... ;
  antispoof ... ;
  log ... ;
  continue ... ;
  return ... ;
  fastroute ... ;
  route-to ... ;
  queue ... ;
  process ... ;
  no-state ... ;
* option ... ;
}

            

Filter rule set definition.

The filter-acl section is derived from the pf-acl section prototype; for a detailed description of it, see above.

Changes to the filter-acl section:

RETURN/ANTISPOOF can be used only with DENY.

QUEUE, PROCESS and OPTION can be used only with ACCEPT.

FASTROUTE and ROUTE-TO are mutually exclusive.

ANCHOR and LOG are mutually exclusive.

Cannot specify other entry conditions if ANTISPOOF used.

FASTROUTE should be used together with an IFACE.NAME.

Added items & subsections:

antispoof [loop] [routes];

Special entry condition - blocking of spoofed source addresses on particular interfaces.

If this ACL has a particular interface defined by the IFACE item, antispoof rules are valid for this interface. Otherwise, the rules are applied to all interfaces.

By default, an ACL with ANTISPOOF filters out all packets carrying a source address from the given interface's address set that arrive on other interfaces. Packets sent either locally, or to the local end of a CARP interface, are allowed.

This ACL must have DENY policy.

loop (type: key, optional)

Include blocking for loopback interface, too.

With this keyword option, packets with a source address from the given interface's address set that are sent either locally, or to the local end of a CARP interface, are denied, too.

routes (type: key, optional)

Include blocking for routes, too.

With this keyword option, the addresses of all networks routed via the given interface are added to the list of denied source addresses.

log [mode];

Log packets.

mode (type: on-off, optional, default: on=1)

continue;

Last-match semantics apply to all rules in this ACL, i.e. the rules are generated without the QUICK keyword and a later matching rule can override them.

By default, first-match (i.e. QUICK) mode is used.

return [icmp] [code];

Return mode definition.

If not used, denied packets are silently dropped.

icmp (type: key, optional)

code (type: uint8, optional, default: 0)

ICMP message code, ICMP UNREACHABLE by default.

fastroute;

route-to iface [addr];

iface (type: name of interface, see interface(5))

addr (type: host, optional, default: [0.0.0.0])

queue name;

name (type: name of pf-queue, see pf-queue(5))

process [direct];

process application;

process tag tag;

process notag;

process proxy-ng listen-socket-id listen-socket-id;

Packet processing mode definition.

<branching element> (type: pf-proc-mode, optional, default: direct)

tag (type: str)

listen-socket-id listen-socket-id (type: str)

ID of the PROXY-NG transparent listening socket.

no-state;

Disable PF state establishment.

For DENY ACLs this item has no effect, since no state is created for denied packets anyway.

option text;

Free-form rule option.

text (type: str)

[End of section packet-filter.filter-acl description.]
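The following worked example shows a small filter-acl rule set using the items described above (ANTISPOOF, RETURN, LOG, SYMMETRIC, a TCP FLAGS constraint and a final catch-all DENY). It is added for illustration and is not part of the Kernun documentation or of any shipped configuration. Assumptions: int0 and ext0 are interfaces defined in the interface(5) configuration, 10.1.99.1 is the firewall's address on int0, the `[address]` literal form is inferred from the `[0.0.0.0]` default shown on this page, `*` is written explicitly where the page gives it as the default, strings are quoted, `#` starts a comment, and the sections are emitted into pf.conf in configuration order. Because first-match (QUICK) mode is the default, that order is the order of evaluation.

```conf
# Inside the packet-filter { ... } section.

# Antispoof first: packets claiming an internal source must arrive on int0.
# ROUTES also denies the networks routed via int0, not only its own subnets.
filter-acl ANTISPOOF_INT {
    descr "Internal source addresses are only valid when arriving on int0";
    iface int0;
    antispoof routes;
    deny;
    log;
}

# Toward the untrusted side, deny silently (no RETURN) so that nothing is
# revealed about which addresses are live.
filter-acl EXT_TO_MGMT {
    descr "Untrusted side never reaches the management network";
    iface ext0 in;
    to [10.1.99.0/24];
    deny;
    log;
}

# Inside, RETURN gives workstations an immediate RST instead of a hanging
# connect; RETURN is only valid together with DENY.
filter-acl INT_TO_DMZ_DB {
    descr "Workstations may not talk to the DMZ database directly";
    iface int0 in;
    from [10.1.0.0/16];
    to [10.2.0.0/24] port 5432;
    protocol tcp;
    deny;
    return;
}

# FLAGS "S/SA": only an initial SYN (without ACK) may create state, so stray
# mid-stream packets do not open a state entry. PORT requires a protocol.
filter-acl ADMIN_SSH {
    descr "Admins may open SSH to the firewall itself";
    iface int0 in;
    from [10.1.99.0/24];
    to [10.1.99.1] port 22;
    protocol tcp flags "S/SA";
    accept;
    log;
}

# SYMMETRIC also generates "pass out on int0 from <443 side> to <10.1.0.0/16>"
# for the reply direction, as described above.
filter-acl INT_HTTPS_OUT {
    descr "Internal clients may reach HTTPS servers";
    iface int0 in;
    from [10.1.0.0/16];
    to * port 443;
    protocol tcp;
    accept;
    symmetric;
}

# Catch-all. In first-match mode it must stay last.
filter-acl DEFAULT_DENY {
    descr "Everything not accepted above is dropped and logged";
    deny;
    log;
}
```

Two checks worth making after a change: `pfctl -sr` shows the generated rules in their effective order, so confirm that DEFAULT_DENY is really last; and if you put CONTINUE on any ACL, its rules lose QUICK, which means any later matching QUICK rule (this catch-all included) takes precedence over them.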

load-anchor path from from;

Load rules from a file into an anchor.

path (type: str)

Anchor name.

from from (type: str)

File name.

[End of section packet-filter description.]

SEE ALSO

configuration(7), altq(4), application(5), common(5), interface(5), log(5), pf-queue(5), pf.conf(5), time(5)