PF, quick reference guide
Latest revision as of 19:23, 6 December 2015
pf.conf is divided into the following sections:
- Macros - Variables are defined in this section. This simplifies changing hardware, or makes it easier to list a lot of arguments as a variable. IPs are not set here, but in the next section.
- Tables - Variables for IPs are defined here. These can also be filled by the overload argument of rules in the filtering section.
- Options - Option lines start with "set".
- Scrub - Scrub (normalise) packets.
- Queueing -
- Translation - NAT translation settings.
- Filter rules - Here is where rules are set up. PF evaluates rules so that the last matching line takes effect over the lines before it, unless a rule uses quick.
Macros
Macros are defined with an equal sign (=), with the arguments to be used in the rules enclosed in double quotes (").
wireless_card_to_internet="ath0"
tcp="{ http ntp 443 }" # this is often used, but doesn't limit protocols to tcp
To reference a macro later, use $, for instance $tcp. This keeps lists neat instead of retyping the same lines, and lets a change be made in one place without replacing every reference to it.
Characters
These are used throughout the rules file, not only in the macros section.
- { } is used for lists; a space must be present between the braces and each list item.
- Greater than > and less than < are useful for port definitions. Their "or equal to" counterparts >= and <= can also be used.
- >< is used to define a range (both endpoints excluded). To define numbers outside of a range (inverse range) use <>.
Tables
IP table variables are kept here, not in the macros section. They are useful for your network gateways, and for IPs generated by PF filter rules, for instance when tracking brute force attempts. These lines start with table, and use < > to name the table.
table <ips>
table <ipvariable>
table <ipfile> file "/dir/file"
Files can also be used to fill a table, as shown in the last example with the file argument. overload < > from the "filter rules" section can also add IPs to a table, for instance to collect brute force sources.
Options
Options start with "set". set skip on lo0 is an important option to prevent PF from filtering the loopback interface and blocking local services.
Scrub
scrub in all
antispoof for $interface
Filter rules
Syntax
[action] [direction] log quick on $interface [af] proto $protocol from $ip port $port to $ip port $port flags $tcpflags [state] ([state options])
- action - block, pass
- direction - in, out
- log - log, log (all)
- interface - $network_interface
- af - inet, inet6
- proto - tcp, udp, sctp, icmp6; see /etc/protocols. Can be given as a number or a name.
- port - see /etc/services.
Some arguments are optional, depending on circumstances.
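A complete pf.conf that ties the sections above together (macros, tables with overload, options, scrub and filter rules), written in the FreeBSD PF syntax this page uses. It is an added example, not taken from the page or from the FreeBSD examples directory; the interface name em0, the 192.0.2.1 address and the path /etc/pf.blocked are assumed placeholders.

```pf
# Added example pf.conf (not from the original page). em0, the address
# 192.0.2.1 and /etc/pf.blocked are assumed placeholders.

# Macros: interface names and argument lists. IPs go in tables, not here.
ext_if = "em0"
tcp_services = "{ ssh http https }"   # a port list; it does not restrict proto

# Tables: persist keeps a table alive even while it is empty, which the
# overload rule below needs. file loads addresses from a file at load time.
table <gateways> { 192.0.2.1 }                  # constructed TEST-NET-1 address
table <bruteforce> persist                      # filled by overload below
table <blocked> persist file "/etc/pf.blocked"  # assumed path, one address per line

# Options: never filter loopback, drop silently, count traffic on ext_if.
set skip on lo0
set block-policy drop
set loginterface $ext_if

# Scrub: normalise incoming packets; drop spoofed sources on ext_if.
scrub in all
antispoof quick for $ext_if

# Filter rules: the last matching rule wins, unless a rule says quick.
# Default deny, with logging so dropped packets are visible on pflog0.
block in log all

# quick stops evaluation here, so addresses in these tables never reach
# the pass rules that follow.
block in quick on $ext_if from <bruteforce>
block in quick on $ext_if from <blocked>

# Outbound traffic from this host, stateful so replies are allowed back in.
pass out on $ext_if keep state

# The list in $tcp_services expands into one rule per port. A source that
# holds more than 20 connections, or opens more than 5 in 30 seconds, is
# added to <bruteforce> and its existing states are flushed.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Echo requests from the gateway table only, as an example of matching on a table.
pass in on $ext_if inet proto icmp from <gateways> to ($ext_if) \
    icmp-type echoreq keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it; a syntax error in a rule would otherwise leave the old ruleset in place.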
Notice
Rule syntax may vary between PF versions. Newer versions of PF, such as the one on OpenBSD, contain more features and some syntax changes compared to PF on FreeBSD.
Resources
References
- PF: The OpenBSD Packet Filter
- Firewalling with PF / Brannmur med PF
- Network Administration with FreeBSD 7: Network Configuration - Firewalls
- FreeBSD Documentation
Further Reading
- /usr/share/examples/pf/
- Book of PF