Name

pf-control — Packet filter control daemon

Synopsis

pf-control [-hv] [-d dbglev] -f cfgfile

Description

The packet filter function of Kernun is configured by the packet-filter CML section and controlled by a special component PF of type pf-control.

When started, the daemon tries to resolve all domain names in the configuration, prepares the PF tables and, if the configuration contains time-limited rules, schedules itself to apply the necessary changes when those rules come into or go out of effect. It then enables PF in the system (see pfctl(8)), starts logging PF events and begins monitoring changes caused by DNS re-resolution or time constraints. When stopped, the program disables PF in the system.

The daemon in fact runs as three processes, like the Kernun proxies do. The main process only supervises its children. The Asynchronous Configuration Resolver refreshes DNS resolution. The regular child process maintains the PF tables and reads the pflog(4) and pfsync(4) devices as its source of PF event information, which it writes to both the log-debug and log-stats logs.
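As an added illustration of what the child process reads from pflog(4), the following Python program decodes raw pflog records into PF events. It is not part of Kernun and is not pf-control's own decoder. The header layout is struct pfloghdr from FreeBSD's <net/if_pflog.h> as the editor recalls it (assumed: a 64-byte header, 32-bit fields in network byte order as tcpdump reads them, and the value -1 in subrulenr meaning the rule is not inside an anchor); the action, reason and direction codes are those of <net/pfvar.h>. The two records at the end are constructed in the program, not captured traffic.

```python
"""Decode raw pflog(4) records (DLT_PFLOG) into PF events.
Added example, neither Kernun code nor pf-control's own decoder. Assumed layout: struct
pfloghdr from FreeBSD <net/if_pflog.h> (64 bytes, 32-bit fields in network byte order, as
tcpdump reads them). The sample records at the end are constructed, not captured."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PFLOG_HDRLEN = 64
AF_INET, AF_INET6 = 2, 28      # FreeBSD values; AF_INET6 differs between OSes
NO_SUBRULE = 0xFFFFFFFF        # subrulenr when the matching rule is not in an anchor
ACTIONS = {0: "pass", 1: "block", 2: "scrub", 3: "noscrub", 4: "nat", 5: "nonat",
           6: "binat", 7: "nobinat", 8: "rdr", 9: "nordr", 10: "synproxy-drop"}
DIRECTIONS = {0: "inout", 1: "in", 2: "out"}
REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short", 4: "normalize",
           5: "memory", 6: "bad-timestamp", 7: "congestion", 8: "ip-option",
           9: "proto-cksum", 10: "state-mismatch", 11: "state-insert",
           12: "state-limit", 13: "src-limit", 14: "synproxy"}
# struct pfloghdr: length, af, action, reason, ifname[16], ruleset[16], rulenr, subrulenr,
# uid, pid, rule_uid, rule_pid, dir, pad[3]; codes above are PF_*/PFRES_* from <net/pfvar.h>
_HDR = struct.Struct("!BBBB16s16sIIIIIIB3x")
assert _HDR.size == PFLOG_HDRLEN
_IP4 = struct.Struct("!BBHHHBBH4s4s")   # fixed IPv4 header
_IP6 = struct.Struct("!IHBB16s16s")     # fixed IPv6 header

@dataclass
class PfEvent:
    ifname: str
    action: str
    direction: str
    reason: str
    ruleset: str
    rulenr: int
    subrulenr: Optional[int]   # None when the rule is not inside an anchor
    proto: int
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]

def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_pflog_record(rec: bytes) -> PfEvent:
    """Decode one record; raise ValueError instead of guessing on bad input."""
    if len(rec) < PFLOG_HDRLEN:
        raise ValueError("record shorter than pflog header: %d bytes" % len(rec))
    (length, af, action, reason, ifname, ruleset, rulenr, subrulenr,
     _uid, _pid, _rule_uid, _rule_pid, direction) = _HDR.unpack_from(rec)
    if length != PFLOG_HDRLEN:     # e.g. OpenBSD's longer pfloghdr
        raise ValueError("unexpected pflog header length %d" % length)
    pkt = rec[PFLOG_HDRLEN:]
    if af == AF_INET:
        if len(pkt) < _IP4.size:
            raise ValueError("truncated IPv4 header")
        vihl, _, _, _, _, _, proto, _, s, d = _IP4.unpack_from(pkt)
        if vihl >> 4 != 4:
            raise ValueError("af is AF_INET but IP version is %d" % (vihl >> 4))
        l4 = pkt[(vihl & 0x0F) * 4:]        # skip IPv4 options
    elif af == AF_INET6:
        if len(pkt) < _IP6.size:
            raise ValueError("truncated IPv6 header")
        vtcfl, _, proto, _, s, d = _IP6.unpack_from(pkt)
        if vtcfl >> 28 != 6:
            raise ValueError("af is AF_INET6 but IP version is %d" % (vtcfl >> 28))
        l4 = pkt[_IP6.size:]                # extension headers are not walked here
    else:
        raise ValueError("unsupported address family %d" % af)
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:  # TCP/UDP: ports are the first 4 bytes
        sport, dport = struct.unpack_from("!HH", l4)
    return PfEvent(_cstr(ifname), ACTIONS.get(action, "action-%d" % action),
                   DIRECTIONS.get(direction, "dir-%d" % direction),
                   REASONS.get(reason, "reason-%d" % reason), _cstr(ruleset), rulenr,
                   None if subrulenr == NO_SUBRULE else subrulenr, proto,
                   str(ipaddress.ip_address(s)), str(ipaddress.ip_address(d)), sport, dport)

# Constructed sample records (not captured traffic); uid/pid fields are -1 (unknown).
def _rec(af, action, direction, ifname, ruleset, rulenr, subrulenr, pkt):
    return _HDR.pack(PFLOG_HDRLEN, af, action, 0, ifname.encode(), ruleset.encode(),
                     rulenr, subrulenr, *([0xFFFFFFFF] * 4), direction) + pkt

def _ipv4_tcp_syn(src, dst, sport, dport):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return _IP4.pack(0x45, 0, _IP4.size + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + tcp

def _ipv6_udp(src, dst, sport, dport):
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return _IP6.pack(6 << 28, len(udp), 17, 64, ipaddress.IPv6Address(src).packed,
                     ipaddress.IPv6Address(dst).packed) + udp

SAMPLE_RECORDS = [   # inbound SSH SYN blocked by rule 3; outbound DNS passed in anchor "dns"
    _rec(AF_INET, 1, 1, "em0", "", 3, NO_SUBRULE,
         _ipv4_tcp_syn("203.0.113.7", "192.0.2.10", 51514, 22)),
    _rec(AF_INET6, 0, 2, "em1", "dns", 12, 0,
         _ipv6_udp("2001:db8::10", "2001:db8:ffff::53", 40000, 53)),
]
```

A record shorter than the header, a header of a different length (OpenBSD's pfloghdr is longer), or an unknown address family is rejected with ValueError rather than turned into an event with guessed fields; a logger feeding log-stats should fail the same way instead of emitting a partial event.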

Logging

The pf-control daemon configures logging by the same principles as the other Kernun components (see logging(7)); however, some aspects of its logging are special. Every ACL in the packet-filter configuration controls events that are logged according to their nature, and the same is true for raw rules configured manually. The extent of logging can also be changed with a special ACL item, or PF rule attribute, named log.

The ACL item has four possible values (not all of them are valid for every event type):

default

Default way of logging according to the event type.

off

Logging is suppressed to the minimum extent. It corresponds to raw rules with no log option.

on

Logging is switched on. It corresponds to raw rules with log option.

all

Logging is switched to the maximum extent (all packets). It corresponds to raw rules with log(all) option.

The event types behave according to this schema:

Blocking rules

By default, an event is logged to both the log-debug and log-stats logs at the I-level. This mode cannot be modified.

Stateful PASS rules

By default, an event is logged to the log-stats log at the I-level when the state ends, and to the log-debug log also at the D-level when the state starts. The values off and all vary the quantity of log-debug messages.

Stateless PASS rules

By default, an event is logged only to the log-debug log at the D-level. The value off switches the logging off entirely.

NAT and RDR rules

By default, an event is logged to the log-stats log at the I-level when the state ends. This mode cannot be modified.

Signals

The pf-control daemon handles the following signals:

SIGUSR1

Increase the log level.

SIGUSR2

Decrease the log level.

SIGINFO

Log the operation status: the parent process logs information about all its children, the child process logs the current rule map.

SIGHUP

Service termination; the daemon exits but leaves the PF tables, rules and states in place, so PF stays enabled.

SIGINT, SIGQUIT, SIGTERM

Immediate termination; the daemon flushes the PF states and disables PF entirely, so packets are no longer filtered until pf-control is started again.

Options

-h

Print usage information.

-v

Display version information and exit.

-d dbglev

Set the debugging level to a specific number. Permitted values are 3 through 9, 3 being the least and 9 the most verbose. See logging(7) for details. This setting is in effect only until the configuration has been read.

-f cfgfile

Read cfgfile for configuration information.

See Also

Kernun:

application(5), pf-control.cfg(5), configuration(7), logging(7), resolving(7)

FreeBSD:

pf.conf(5), pfctl(8)

Authors

This man page is a part of Kernun Firewall.
Copyright © 2000–2023 Trusted Network Solutions, a. s.
All rights reserved.