pf.conf.5 96.5 KB
Newer Older
1
2
.\"    $FreeBSD$
.\"	$OpenBSD: pf.conf.5,v 1.406 2009/01/31 19:37:12 sobrado Exp $
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\"    - Redistributions of source code must retain the above copyright
.\"      notice, this list of conditions and the following disclaimer.
.\"    - Redistributions in binary form must reproduce the above
.\"      copyright notice, this list of conditions and the following
.\"      disclaimer in the documentation and/or other materials provided
.\"      with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
31
.Dd September 10, 2021
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
.Dt PF.CONF 5
.Os
.Sh NAME
.Nm pf.conf
.Nd packet filter configuration file
.Sh DESCRIPTION
The
.Xr pf 4
packet filter modifies, drops or passes packets according to rules or
definitions specified in
.Nm pf.conf .
.Sh STATEMENT ORDER
There are seven types of statements in
.Nm pf.conf :
.Bl -tag -width xxxx
.It Cm Macros
User-defined variables may be defined and used later, simplifying
the configuration file.
Macros must be defined before they are referenced in
.Nm pf.conf .
.It Cm Tables
Tables provide a mechanism for increasing the performance and flexibility of
rules with large numbers of source or destination addresses.
.It Cm Options
Options tune the behaviour of the packet filtering engine.
.It Cm Traffic Normalization Li (e.g. Em scrub )
Traffic normalization protects internal machines against inconsistencies
in Internet protocols and implementations.
.It Cm Queueing
Queueing provides rule-based bandwidth control.
.It Cm Translation Li (Various forms of NAT)
Translation rules specify how addresses are to be mapped or redirected to
other addresses.
.It Cm Packet Filtering
66
Packet filtering provides rule-based blocking or passing of packets.
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
.El
.Pp
With the exception of
.Cm macros
and
.Cm tables ,
the types of statements should be grouped and appear in
.Nm pf.conf
in the order shown above, as this matches the operation of the underlying
packet filtering engine.
By default
.Xr pfctl 8
enforces this order (see
.Ar set require-order
below).
Max Laier's avatar
Max Laier committed
82
83
84
85
86
87
88
89
90
91
92
.Pp
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
.Pp
Additional configuration files can be included with the
.Ic include
keyword, for example:
.Bd -literal -offset indent
include "/etc/pf/sub.filter.conf"
.Ed
93
.Sh MACROS
94
Macros can be defined that will later be expanded in context.
95
96
97
98
99
100
101
102
103
104
105
106
Macro names must start with a letter, and may contain letters, digits
and underscores.
Macro names may not be reserved words (for example
.Ar pass ,
.Ar in ,
.Ar out ) .
Macros are not expanded inside quotes.
.Pp
For example,
.Bd -literal -offset indent
ext_if = \&"kue0\&"
all_ifs = \&"{\&" $ext_if lo0 \&"}\&"
107
108
pass out on $ext_if from any to any
pass in  on $ext_if proto tcp from any to any port 25
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
.Ed
.Sh TABLES
Tables are named structures which can hold a collection of addresses and
networks.
Lookups against tables in
.Xr pf 4
are relatively fast, making a single rule with tables much more efficient,
in terms of
processor usage and memory consumption, than a large number of rules which
differ only in IP address (either created explicitly or automatically by rule
expansion).
.Pp
Tables can be used as the source or destination of filter rules,
.Ar scrub
rules
or
translation rules such as
.Ar nat
or
.Ar rdr
(see below for details on the various rule types).
Tables can also be used for the redirect address of
.Ar nat
and
.Ar rdr
rules and in the routing options of filter rules, but only for
.Ar round-robin
pools.
.Pp
Tables can be defined with any of the following
.Xr pfctl 8
mechanisms.
As with macros, reserved words may not be used as table names.
.Bl -tag -width "manually"
.It Ar manually
Persistent tables can be manually created with the
.Ar add
or
.Ar replace
option of
.Xr pfctl 8 ,
before or after the ruleset has been loaded.
.It Pa pf.conf
Table definitions can be placed directly in this file, and loaded at the
same time as other rules are loaded, atomically.
Table definitions inside
.Nm pf.conf
use the
.Ar table
statement, and are especially useful to define non-persistent tables.
The contents of a pre-existing table defined without a list of addresses
to initialize it is not altered when
.Nm pf.conf
is loaded.
A table initialized with the empty list,
.Li { } ,
will be cleared on load.
.El
.Pp
168
Tables may be defined with the following attributes:
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
.Bl -tag -width persist
.It Ar persist
The
.Ar persist
flag forces the kernel to keep the table even when no rules refer to it.
If the flag is not set, the kernel will automatically remove the table
when the last rule referring to it is flushed.
.It Ar const
The
.Ar const
flag prevents the user from altering the contents of the table once it
has been created.
Without that flag,
.Xr pfctl 8
can be used to add or remove addresses from the table at any time, even
when running with
185
.Xr securelevel 7
186
= 2.
187
188
189
190
191
.It Ar counters
The
.Ar counters
flag enables per-address packet and byte counters which can be displayed with
.Xr pfctl 8 .
192
Note that this feature carries significant memory overhead for large tables.
193
194
195
196
.El
.Pp
For example,
.Bd -literal -offset indent
197
198
199
table \*(Ltprivate\*(Gt const { 10/8, 172.16/12, 192.168/16 }
table \*(Ltbadhosts\*(Gt persist
block on fxp0 from { \*(Ltprivate\*(Gt, \*(Ltbadhosts\*(Gt } to any
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
.Ed
.Pp
creates a table called private, to hold RFC 1918 private network
blocks, and a table called badhosts, which is initially empty.
A filter rule is set up to block all traffic coming from addresses listed in
either table.
The private table cannot have its contents changed and the badhosts table
will exist even when no active filter rules reference it.
Addresses may later be added to the badhosts table, so that traffic from
these hosts can be blocked by using
.Bd -literal -offset indent
# pfctl -t badhosts -Tadd 204.92.77.111
.Ed
.Pp
A table can also be initialized with an address list specified in one or more
external files, using the following syntax:
.Bd -literal -offset indent
217
218
table \*(Ltspam\*(Gt persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
block on fxp0 from \*(Ltspam\*(Gt to any
219
220
221
222
223
224
225
226
227
228
229
230
231
232
.Ed
.Pp
The files
.Pa /etc/spammers
and
.Pa /etc/openrelays
list IP addresses, one per line.
Any lines beginning with a # are treated as comments and ignored.
In addition to being specified by IP address, hosts may also be
specified by their hostname.
When the resolver is called to add a hostname to a table,
.Em all
resulting IPv4 and IPv6 addresses are placed into the table.
IP addresses can also be entered in a table by specifying a valid interface
233
name, a valid interface group or the
234
235
236
237
238
239
240
241
242
243
244
.Em self
keyword, in which case all addresses assigned to the interface(s) will be
added to the table.
.Sh OPTIONS
.Xr pf 4
may be tuned for various situations using the
.Ar set
command.
.Bl -tag -width xxxx
.It Ar set timeout
.Pp
245
.Bl -tag -width "src.track" -compact
246
247
248
249
.It Ar interval
Interval between purging expired states and fragments.
.It Ar frag
Seconds before an unassembled fragment is expired.
250
251
252
.It Ar src.track
Length of time to retain a source tracking entry after the last state
expires.
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
.El
.Pp
When a packet matches a stateful connection, the seconds to live for the
connection will be updated to that of the
.Ar proto.modifier
which corresponds to the connection state.
Each packet which matches this state will reset the TTL.
Tuning these values may improve the performance of the
firewall at the risk of dropping valid idle connections.
.Pp
.Bl -tag -width xxxx -compact
.It Ar tcp.first
The state after the first packet.
.It Ar tcp.opening
The state before the destination host ever sends a packet.
.It Ar tcp.established
The fully established state.
.It Ar tcp.closing
The state after the first FIN has been sent.
.It Ar tcp.finwait
The state after both FINs have been exchanged and the connection is closed.
Some hosts (notably web servers on Solaris) send TCP packets even after closing
the connection.
Increasing
.Ar tcp.finwait
(and possibly
.Ar tcp.closing )
can prevent blocking of such packets.
.It Ar tcp.closed
The state after one endpoint sends an RST.
.El
.Pp
ICMP and UDP are handled in a fashion similar to TCP, but with a much more
limited set of states:
.Pp
.Bl -tag -width xxxx -compact
.It Ar udp.first
The state after the first packet.
.It Ar udp.single
The state if the source host sends more than one packet but the destination
host has never sent one back.
.It Ar udp.multiple
The state if both hosts have sent packets.
.It Ar icmp.first
The state after the first packet.
.It Ar icmp.error
The state after an ICMP error came back in response to an ICMP packet.
.El
.Pp
Other protocols are handled similarly to UDP:
.Pp
.Bl -tag -width xxxx -compact
.It Ar other.first
.It Ar other.single
.It Ar other.multiple
.El
.Pp
Timeout values can be reduced adaptively as the number of state table
entries grows.
.Pp
.Bl -tag -width xxxx -compact
.It Ar adaptive.start
When the number of state entries exceeds this value, adaptive scaling
begins.
All timeout values are scaled linearly with factor
(adaptive.end - number of states) / (adaptive.end - adaptive.start).
.It Ar adaptive.end
When reaching this number of state entries, all timeout values become
zero, effectively purging all state entries immediately.
This value is used to define the scale factor, it should not actually
be reached (set a lower state limit, see below).
.El
.Pp
326
327
328
329
330
331
Adaptive timeouts are enabled by default, with an adaptive.start value
equal to 60% of the state limit, and an adaptive.end value equal to
120% of the state limit.
They can be disabled by setting both adaptive.start and adaptive.end to 0.
.Pp
The adaptive timeout values can be defined both globally and for each rule.
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
When used on a per-rule basis, the values relate to the number of
states created by the rule, otherwise to the total number of
states.
.Pp
For example:
.Bd -literal -offset indent
set timeout tcp.first 120
set timeout tcp.established 86400
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit states 10000
.Ed
.Pp
With 9000 state table entries, the timeout values are scaled to 50%
(tcp.first 60, tcp.established 43200).
.It Ar set loginterface
Max Laier's avatar
Max Laier committed
347
348
Enable collection of packet and byte count statistics for the given
interface or interface group.
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
These statistics can be viewed using
.Bd -literal -offset indent
# pfctl -s info
.Ed
.Pp
In this example
.Xr pf 4
collects statistics on the interface named dc0:
.Bd -literal -offset indent
set loginterface dc0
.Ed
.Pp
One can disable the loginterface using:
.Bd -literal -offset indent
set loginterface none
.Ed
.It Ar set limit
Sets hard limits on the memory pools used by the packet filter.
See
368
.Xr zone 9
369
370
371
372
373
374
375
376
377
for an explanation of memory pools.
.Pp
For example,
.Bd -literal -offset indent
set limit states 20000
.Ed
.Pp
sets the maximum number of entries in the memory pool used by state table
entries (generated by
378
379
380
381
.Ar pass
rules which do not specify
.Ar no state )
to 20000.
382
383
384
385
386
387
388
389
390
Using
.Bd -literal -offset indent
set limit frags 20000
.Ed
.Pp
sets the maximum number of entries in the memory pool used for fragment
reassembly (generated by
.Ar scrub
rules) to 20000.
391
Using
392
393
394
395
396
397
398
399
.Bd -literal -offset indent
set limit src-nodes 2000
.Ed
.Pp
sets the maximum number of entries in the memory pool used for tracking
source IP addresses (generated by the
.Ar sticky-address
and
400
.Ar src.track
401
options) to 2000.
402
403
404
405
406
407
408
409
410
411
Using
.Bd -literal -offset indent
set limit tables 1000
set limit table-entries 100000
.Ed
.Pp
sets limits on the memory pools used by tables.
The first limits the number of tables that can exist to 1000.
The second limits the overall number of addresses that can be stored
in tables to 100000.
412
.Pp
413
Various limits can be combined on a single line:
414
.Bd -literal -offset indent
415
set limit { states 20000, frags 20000, src-nodes 2000 }
416
.Ed
417
418
419
420
421
.It Ar set ruleset-optimization
.Bl -tag -width xxxxxxxx -compact
.It Ar none
Disable the ruleset optimizer.
.It Ar basic
Max Laier's avatar
Max Laier committed
422
423
424
Enable basic ruleset optimization.
This is the default behaviour.
Basic ruleset optimization does four things to improve the
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
performance of ruleset evaluations:
.Pp
.Bl -enum -compact
.It
remove duplicate rules
.It
remove rules that are a subset of another rule
.It
combine multiple rules into a table when advantageous
.It
re-order the rules to improve evaluation performance
.El
.Pp
.It Ar profile
Uses the currently loaded ruleset as a feedback profile to tailor the
ordering of quick rules to actual network traffic.
.El
.Pp
It is important to note that the ruleset optimizer will modify the ruleset
to improve performance.
A side effect of the ruleset modification is that per-rule accounting
statistics will have different meanings than before.
If per-rule accounting is important for billing purposes or whatnot,
either the ruleset optimizer should not be used or a label field should
be added to all of the accounting rules to act as optimization barriers.
.Pp
Optimization can also be set as a command-line argument to
.Xr pfctl 8 ,
overriding the settings in
.Nm .
455
.It Ar set optimization
456
Optimize state timeouts for one of the following network environments:
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
.Pp
.Bl -tag -width xxxx -compact
.It Ar normal
A normal network environment.
Suitable for almost all networks.
.It Ar high-latency
A high-latency environment (such as a satellite connection).
.It Ar satellite
Alias for
.Ar high-latency .
.It Ar aggressive
Aggressively expire connections.
This can greatly reduce the memory usage of the firewall at the cost of
dropping idle connections early.
.It Ar conservative
Extremely conservative settings.
Avoid dropping legitimate connections at the
expense of greater memory utilization (possibly much greater on a busy
network) and slightly increased processor utilization.
.El
.Pp
For example:
.Bd -literal -offset indent
set optimization aggressive
.Ed
.It Ar set block-policy
The
.Ar block-policy
option sets the default behaviour for the packet
.Ar block
action:
.Pp
.Bl -tag -width xxxxxxxx -compact
.It Ar drop
Packet is silently dropped.
.It Ar return
A TCP RST is returned for blocked TCP packets,
an ICMP UNREACHABLE is returned for blocked UDP packets,
and all other packets are silently dropped.
.El
.Pp
For example:
.Bd -literal -offset indent
set block-policy return
.Ed
502
503
504
.It Ar set fail-policy
The
.Ar fail-policy
Gordon Bergling's avatar
Gordon Bergling committed
505
506
507
option sets the behaviour of rules which should pass a packet but were
unable to do so.
This might happen when a nat or route-to rule uses an empty table as list
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
of targets or if a rule fails to create state or source node.
The following
.Ar block
actions are possible:
.Pp
.Bl -tag -width xxxxxxxx -compact
.It Ar drop
Incoming packet is silently dropped.
.It Ar return
Incoming packet is dropped and TCP RST is returned for TCP packets,
an ICMP UNREACHABLE is returned for UDP packets,
and no response is sent for other packets.
.El
.Pp
For example:
.Bd -literal -offset indent
set fail-policy return
.Ed
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
.It Ar set state-policy
The
.Ar state-policy
option sets the default behaviour for states:
.Pp
.Bl -tag -width group-bound -compact
.It Ar if-bound
States are bound to interface.
.It Ar floating
States can match packets on any interfaces (the default).
.El
.Pp
For example:
.Bd -literal -offset indent
set state-policy if-bound
.Ed
542
543
544
545
546
547
548
549
.It Ar set state-defaults
The
.Ar state-defaults
option sets the state options for states created from rules
without an explicit
.Ar keep state .
For example:
.Bd -literal -offset indent
550
set state-defaults no-sync
551
.Ed
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
.It Ar set hostid
The 32-bit
.Ar hostid
identifies this firewall's state table entries to other firewalls
in a
.Xr pfsync 4
failover cluster.
By default the hostid is set to a pseudo-random value, however it may be
desirable to manually configure it, for example to more easily identify the
source of state table entries.
.Bd -literal -offset indent
set hostid 1
.Ed
.Pp
The hostid may be specified in either decimal or hexadecimal.
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
.It Ar set require-order
By default
.Xr pfctl 8
enforces an ordering of the statement types in the ruleset to:
.Em options ,
.Em normalization ,
.Em queueing ,
.Em translation ,
.Em filtering .
Setting this option to
.Ar no
disables this enforcement.
There may be non-trivial and non-obvious implications to an out of
order ruleset.
Consider carefully before disabling the order enforcement.
.It Ar set fingerprints
Load fingerprints of known operating systems from the given filename.
By default fingerprints of known operating systems are automatically
loaded from
.Xr pf.os 5
in
.Pa /etc
but can be overridden via this option.
Setting this option may leave a small period of time where the fingerprints
referenced by the currently active ruleset are inconsistent until the new
ruleset finishes loading.
.Pp
For example:
.Pp
.Dl set fingerprints \&"/etc/pf.os.devel\&"
597
.It Ar set skip on Aq Ar ifspec
598
599
600
601
602
603
604
605
List interfaces for which packets should not be filtered.
Packets passing in or out on such interfaces are passed as if pf was
disabled, i.e. pf does not process them in any way.
This can be useful on loopback and other virtual interfaces, when
packet filtering is not desired and can have unexpected effects.
For example:
.Pp
.Dl set skip on lo0
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
.It Ar set debug
Set the debug
.Ar level
to one of the following:
.Pp
.Bl -tag -width xxxxxxxxxxxx -compact
.It Ar none
Don't generate debug messages.
.It Ar urgent
Generate debug messages only for serious errors.
.It Ar misc
Generate debug messages for various errors.
.It Ar loud
Generate debug messages for common conditions.
.El
621
622
623
624
625
626
627
.It Ar set keepcounters
Preserve rule counters across rule updates.
Usually rule counters are reset to zero on every update of the ruleset.
With
.Ar keepcounters
set pf will attempt to find matching rules between old and new rulesets
and preserve the rule counters.
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
.El
.Sh TRAFFIC NORMALIZATION
Traffic normalization is used to sanitize packet content in such
a way that there are no ambiguities in packet interpretation on
the receiving side.
The normalizer does IP fragment reassembly to prevent attacks
that confuse intrusion detection systems by sending overlapping
IP fragments.
Packet normalization is invoked with the
.Ar scrub
directive.
.Pp
.Ar scrub
has the following options:
.Bl -tag -width xxxx
.It Ar no-df
Clears the
.Ar dont-fragment
bit from a matching IP packet.
Some operating systems are known to generate fragmented packets with the
.Ar dont-fragment
bit set.
This is particularly true with NFS.
.Ar Scrub
will drop such fragmented
.Ar dont-fragment
packets unless
.Ar no-df
is specified.
.Pp
Unfortunately some operating systems also generate their
.Ar dont-fragment
packets with a zero IP identification field.
Clearing the
.Ar dont-fragment
bit on packets with a zero IP ID may cause deleterious results if an
upstream router later fragments the packet.
Using the
.Ar random-id
modifier (see below) is recommended in combination with the
.Ar no-df
modifier to ensure unique IP identifiers.
670
.It Ar min-ttl Aq Ar number
671
Enforces a minimum TTL for matching IP packets.
672
.It Ar max-mss Aq Ar number
673
Enforces a maximum MSS for matching TCP packets.
674
675
676
677
678
679
680
681
682
.It Xo Ar set-tos Aq Ar string
.No \*(Ba Aq Ar number
.Xc
Enforces a
.Em TOS
for matching IP packets.
.Em TOS
may be
given as one of
683
684
.Ar critical ,
.Ar inetcontrol ,
685
.Ar lowdelay ,
686
.Ar netcontrol ,
687
688
.Ar throughput ,
.Ar reliability ,
689
690
or one of the DiffServ Code Points:
.Ar ef ,
691
.Ar va ,
692
693
.Ar af11 No ... Ar af43 ,
.Ar cs0 No ... Ar cs7 ;
694
or as either hex or decimal.
695
696
697
.It Ar random-id
Replaces the IP identification field with random values to compensate
for predictable values generated by many hosts.
698
This option only applies to packets that are not fragmented
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
after the optional fragment reassembly.
.It Ar fragment reassemble
Using
.Ar scrub
rules, fragments can be reassembled by normalization.
In this case, fragments are buffered until they form a complete
packet, and only the completed packet is passed on to the filter.
The advantage is that filter rules have to deal only with complete
packets, and can ignore fragments.
The drawback of caching fragments is the additional memory cost.
.It Ar reassemble tcp
Statefully normalizes TCP connections.
.Ar scrub reassemble tcp
rules may not have the direction (in/out) specified.
.Ar reassemble tcp
performs the following normalizations:
.Pp
.Bl -tag -width timeout -compact
.It ttl
Neither side of the connection is allowed to reduce their IP TTL.
An attacker may send a packet such that it reaches the firewall, affects
the firewall state, and expires before reaching the destination host.
.Ar reassemble tcp
will raise the TTL of all packets back up to the highest value seen on
the connection.
724
.It timestamp modulation
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
Modern TCP stacks will send a timestamp on every TCP packet and echo
the other endpoint's timestamp back to them.
Many operating systems will merely start the timestamp at zero when
first booted, and increment it several times a second.
The uptime of the host can be deduced by reading the timestamp and multiplying
by a constant.
Also observing several different timestamps can be used to count hosts
behind a NAT device.
And spoofing TCP packets into a connection requires knowing or guessing
valid timestamps.
Timestamps merely need to be monotonically increasing and not derived off a
guessable base time.
.Ar reassemble tcp
will cause
.Ar scrub
to modulate the TCP timestamps with a random number.
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
.It extended PAWS checks
There is a problem with TCP on long fat pipes, in that a packet might get
delayed for longer than it takes the connection to wrap its 32-bit sequence
space.
In such an occurrence, the old packet would be indistinguishable from a
new packet and would be accepted as such.
The solution to this is called PAWS: Protection Against Wrapped Sequence
numbers.
It protects against it by making sure the timestamp on each packet does
not go backwards.
.Ar reassemble tcp
also makes sure the timestamp on the packet does not go forward more
than the RFC allows.
By doing this,
.Xr pf 4
artificially extends the security of TCP sequence numbers by 10 to 18
bits when the host uses appropriately randomized timestamps, since a
blind attacker would have to guess the timestamp as well.
759
760
761
762
763
764
765
.El
.El
.Pp
For example,
.Bd -literal -offset indent
scrub in on $ext_if all fragment reassemble
.Ed
766
767
768
769
770
771
772
773
774
.Pp
The
.Ar no
option prefixed to a scrub rule causes matching packets to remain unscrubbed,
much in the same way as
.Ar drop quick
works in the packet filter (see below).
This mechanism should be used when it is necessary to exclude specific packets
from broader scrub rules.
775
.Sh QUEUEING with ALTQ
776
777
778
779
The ALTQ system is currently not available in the GENERIC kernel nor as
loadable modules.
In order to use the herein after called queueing options one has to use a
custom built kernel.
780
Please refer to
781
.Xr altq 4
782
to learn about the related kernel options.
783
.Pp
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
Packets can be assigned to queues for the purpose of bandwidth
control.
At least two declarations are required to configure queues, and later
any packet filtering rule can reference the defined queues by name.
During the filtering component of
.Nm pf.conf ,
the last referenced
.Ar queue
name is where any packets from
.Ar pass
rules will be queued, while for
.Ar block
rules it specifies where any resulting ICMP or TCP RST
packets should be queued.
The
.Ar scheduler
defines the algorithm used to decide which packets get delayed, dropped, or
sent out immediately.
There are three
.Ar schedulers
currently supported.
.Bl -tag -width xxxx
.It Ar cbq
Class Based Queueing.
.Ar Queues
attached to an interface build a tree, thus each
.Ar queue
can have further child
.Ar queues .
Each queue can have a
.Ar priority
and a
.Ar bandwidth
assigned.
.Ar Priority
mainly controls the time packets take to get sent out, while
.Ar bandwidth
has primarily effects on throughput.
822
823
824
825
826
827
828
829
830
831
832
833
.Ar cbq
achieves both partitioning and sharing of link bandwidth
by hierarchically structured classes.
Each class has its own
.Ar queue
and is assigned its share of
.Ar bandwidth .
A child class can borrow bandwidth from its parent class
as long as excess bandwidth is available
(see the option
.Ar borrow ,
below).
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
.It Ar priq
Priority Queueing.
.Ar Queues
are flat attached to the interface, thus,
.Ar queues
cannot have further child
.Ar queues .
Each
.Ar queue
has a unique
.Ar priority
assigned, ranging from 0 to 15.
Packets in the
.Ar queue
with the highest
.Ar priority
are processed first.
.It Ar hfsc
Hierarchical Fair Service Curve.
.Ar Queues
attached to an interface build a tree, thus each
.Ar queue
can have further child
.Ar queues .
Each queue can have a
.Ar priority
and a
.Ar bandwidth
assigned.
.Ar Priority
mainly controls the time packets take to get sent out, while
.Ar bandwidth
Max Laier's avatar
Max Laier committed
866
primarily affects throughput.
867
868
869
870
871
872
873
874
.Ar hfsc
supports both link-sharing and guaranteed real-time services.
It employs a service curve based QoS model,
and its unique feature is an ability to decouple
.Ar delay
and
.Ar bandwidth
allocation.
875
876
877
878
879
880
881
882
883
.El
.Pp
The interfaces on which queueing should be activated are declared using
the
.Ar altq on
declaration.
.Ar altq on
has the following keywords:
.Bl -tag -width xxxx
884
.It Aq Ar interface
885
Queueing is enabled on the named interface.
886
.It Aq Ar scheduler
887
888
889
890
891
892
893
894
895
Specifies which queueing scheduler to use.
Currently supported values
are
.Ar cbq
for Class Based Queueing,
.Ar priq
for Priority Queueing and
.Ar hfsc
for the Hierarchical Fair Service Curve scheduler.
896
.It Ar bandwidth Aq Ar bw
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
The maximum bitrate for all queues on an
interface may be specified using the
.Ar bandwidth
keyword.
The value can be specified as an absolute value or as a
percentage of the interface bandwidth.
When using an absolute value, the suffixes
.Ar b ,
.Ar Kb ,
.Ar Mb ,
and
.Ar Gb
are used to represent bits, kilobits, megabits, and
gigabits per second, respectively.
The value must not exceed the interface bandwidth.
If
.Ar bandwidth
914
915
916
917
is not specified, the interface bandwidth is used
(but take note that some interfaces do not know their bandwidth,
or can adapt their bandwidth rates).
.It Ar qlimit Aq Ar limit
918
919
The maximum number of packets held in the queue.
The default is 50.
920
.It Ar tbrsize Aq Ar size
921
922
923
Adjusts the size, in bytes, of the token bucket regulator.
If not specified, heuristics based on the
interface bandwidth are used to determine the size.
924
.It Ar queue Aq Ar list
925
926
927
928
Defines a list of subqueues to create on an interface.
.El
.Pp
In the following example, the interface dc0
929
should queue up to 5Mbps in four second-level queues using
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
Class Based Queueing.
Those four queues will be shown in a later example.
.Bd -literal -offset indent
altq on dc0 cbq bandwidth 5Mb queue { std, http, mail, ssh }
.Ed
.Pp
Once interfaces are activated for queueing using the
.Ar altq
directive, a sequence of
.Ar queue
directives may be defined.
The name associated with a
.Ar queue
must match a queue defined in the
.Ar altq
directive (e.g. mail), or, except for the
.Ar priq
.Ar scheduler ,
in a parent
.Ar queue
declaration.
The following keywords can be used:
.Bl -tag -width xxxx
953
.It Ar on Aq Ar interface
954
955
Specifies the interface the queue operates on.
If not given, it operates on all matching interfaces.
956
.It Ar bandwidth Aq Ar bw
957
958
959
960
961
Specifies the maximum bitrate to be processed by the queue.
This value must not exceed the value of the parent
.Ar queue
and can be specified as an absolute value or a percentage of the parent
queue's bandwidth.
962
If not specified, defaults to 100% of the parent queue's bandwidth.
963
964
965
The
.Ar priq
scheduler does not support bandwidth specification.
966
.It Ar priority Aq Ar level
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
Between queues a priority level can be set.
For
.Ar cbq
and
.Ar hfsc ,
the range is 0 to 7 and for
.Ar priq ,
the range is 0 to 15.
The default for all is 1.
.Ar Priq
queues with a higher priority are always served first.
.Ar Cbq
and
.Ar Hfsc
queues with a higher priority are preferred in the case of overload.
982
.It Ar qlimit Aq Ar limit
983
984
985
986
987
988
989
The maximum number of packets held in the queue.
The default is 50.
.El
.Pp
The
.Ar scheduler
can get additional parameters with
990
991
992
.Xo Aq Ar scheduler
.Pf ( Aq Ar parameters ) .
.Xc
993
994
995
996
997
998
999
1000
Parameters are as follows:
.Bl -tag -width Fl
.It Ar default
Packets not matched by another queue are assigned to this one.
Exactly one default queue is required.
.It Ar red
Enable RED (Random Early Detection) on this queue.
RED drops packets with a probability proportional to the average
For faster browsing, not all history is shown. View entire blame