pf-control.cfg — format of pf-control program configuration file
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the pf-control.cfg configuration file.
Repeatable sections/items are marked by the '*' before the section/item name.
Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).
An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, the use of names is obligatory.
The following enumerations are used in pf-control.cfg configuration directives:
    enabling                        (see common(5))
    yes-no                          (see common(5))
    on-off                          (see common(5))
    name-selection                  (see common(5))
    ip-version                      (see common(5))
    osi4-proto                      (see common(5))
    in-out                          (see common(5))
    report-mode                     (see common(5))
    time-cond                       (see common(5))
    zip-mode                        (see common(5))
    inline-file-format              (see common(5))
    task-frequency                  (see common(5))
    dbglev                          (see log(5))
    logfail-mode                    (see log(5))
    week-day                        (see time(5))
    month                           (see time(5))
    bandwidth-mode                  (see pf-queue(5))
    pf-sc-setting                   (see pf-queue(5))
    source-address-mode             (see source-address(5))
    lagg-protocol                   (see interface(5))
    listen-on-sock                  (see listen-on(5))
    log-in-vain-proto               (see sysctl(5))
    blackhole-proto                 (see sysctl(5))
    ids-agent-log-level             (see adaptive-firewall(5))
    ids-agent-detection-direction   (see adaptive-firewall(5))
    ids-agent-protocol              (see adaptive-firewall(5))
    ids-agent-rule-action           (see adaptive-firewall(5))
    ids-agent-threshold-type        (see adaptive-firewall(5))
    ids-agent-threshold-track-by    (see adaptive-firewall(5))
    ids-agent-rate-filter-track-by  (see adaptive-firewall(5))
    ids-agent-suppress-direction    (see adaptive-firewall(5))
    policy-level                    (see adaptive-firewall(5))
    pf-osi4-proto                   (see packet-filter(5))
    icmp-type                       (see packet-filter(5))
    pf-scheduler                    (see packet-filter(5))
    pf-proc-mode                    (see packet-filter(5))
    membertype                      (name-usage obligatory)
        host, any
Program pf-control recognizes the following items and sections:
    adaptive-firewall { ... }
    * shared-file name { ... }
    * interface name { ... }
    * pf-queue name { ... }
    * resolver name { ... }
    sysctl { ... }
    use-resolver ... ;
    pf { ... }
    ipv6-mode ... ;
adaptive-firewall
{
    ids-agent { ... }
    * watchdog name { ... }
    honeypot { ... }
    auto-blocking { ... }
    adaptive-database { ... }
    address-groups { ... }
    port-groups { ... }
    whitelist ... ;
    blacklist ... ;
    stats-daily { ... }
    stats-weekly { ... }
    stats-monthly { ... }
}
The adaptive-firewall section is derived from the adaptive-firewall section prototype. For a detailed description, see adaptive-firewall(5).
shared-file name
{
    path ... ;
    format ... ;
}
The shared-file section is derived from the shared-file section prototype. For a detailed description, see common(5).
interface name
{
    dev ... ;
    ipv4 ... ;
    ipv6 ... ;
    mac ... ;
    aggregate ... ;
    pike ... ;
    vlan ... ;
    tunnel ... ;
    dhcp-client ... ;
    ipv6-rtadv { ... }
    * alias name { ... }
    * tag ... ;
}
The interface section is derived from the interface section prototype. For a detailed description, see interface(5).
pf-queue name
{
    parent ... ;
    bandwidth ... ;
    priority ... ;
    qlimit ... ;
    cbq { ... }
    priq { ... }
    hfsc { ... }
}
The pf-queue section is derived from the pf-queue section prototype. For a detailed description, see pf-queue(5).
resolver name
{
    * server ... ;
    search ... ;
    preference ... ;
    edns ... ;
    conf-timeout ... ;
    initial-timeout ... ;
    final-timeout ... ;
    conn-timeout ... ;
    disable-deresolution ... ;
}
The resolver section is derived from the resolver section prototype. For a detailed description, see resolver(5).
sysctl
{
    * variable ... ;
    portrange-default ... ;
    portrange-high ... ;
    portrange-low ... ;
    portrange-reserved ... ;
    somaxconn ... ;
    log-in-vain ... ;
    blackhole ... ;
}
The sysctl section is derived from the sysctl section prototype. For a detailed description, see sysctl(5).
use-resolver name;
Resolver Section Specification.
This item defines the name of the global (system) resolver section used in a particular configuration environment. Namely, it is applicable within the SYSTEM section and within any section derived from the PROXY prototype. The former usage defines system-wide values, the latter values valid for a particular proxy.
    name (type: name of resolver, see resolver(5))

pf
{
    phase ... ;
    * tag ... ;
    log-debug { ... }
    log-stats { ... }
    use-resolver ... ;
    cfg-resolution ... ;
    stats-daily { ... }
    stats-weekly { ... }
    stats-monthly { ... }
    nodaemon ... ;
    singleproc ... ;
    app-user ... ;
    idle-timeout ... ;
    run-block-sigalrm ... ;
    pflog ... ;
    pfsync ... ;
    comm-dir ... ;
    ignore-iface ... ;
    pcap-timeout ... ;
    buffer-size ... ;
    * set-option ... ;
    timeouts { ... }
    limits { ... }
    logging-frequence ... ;
    * altq name { ... }
    * scrub-acl name { ... }
    * rdr-acl name { ... }
    * nat-acl name { ... }
    * binat-acl name { ... }
    * filter-acl name { ... }
    * load-anchor ... ;
    pf-conf ... ;
    * table name { ... }
}
The pf section is derived from the pf section prototype. For a detailed description, see above.
ipv6-mode [status];
Enabling/Disabling IPv6 Mode.
    status (type: enabling, optional, default: enable)