packetfilter.md

File metadata and controls

51 lines (49 loc) · 3.32 KB

PacketFilter

Note: The PF generator is currently in alpha testing. The output should be compatible with OpenBSD v4.7 PF and later.

target:: packetfilter filter-name {inet|inet6|mixed} {in|out} {nostate}
  • filter-name: a short, descriptive policy identifier
  • inet: specifies that the resulting filter should only render IPv4 addresses.
  • inet6: specifies that the resulting filter should only render IPv6 addresses.
  • mixed: specifies that the resulting filter should render both IPv4 and IPv6 addresses (default).
  • in: match inbound packets (default: both directions).
  • out: match outbound packets (default: both directions).
  • nostate: do not keep state on connections (default: keep state).

Term Format

  • action:: The action to take when matched. See Actions section for valid options.
  • comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
  • destination-address:: One or more destination address tokens
  • destination-exclude:: Exclude one or more address tokens from the specified destination-address
  • destination-interface:: Specify the destination interface. Implicitly changes the term direction to out for this term. Mutually exclusive with source-interface::.
  • source-interface:: Specify the source interface. Implicitly changes the term direction to in for this term. Mutually exclusive with destination-interface::.
  • destination-port:: One or more service definition tokens
  • expiration:: stop rendering this term after the specified date (YYYY-MM-DD).
  • icmp-type:: Specify the icmp-type code to match; see the ICMP TYPES section for the list of valid arguments.
  • logging:: Specify that this packet should be logged via syslog.
  • name:: Name of the term.
  • option:: See the platform's supported Options section.
  • platform:: one or more target platforms for which this term should ONLY be rendered.
  • platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
  • protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
  • source-address:: one or more source address tokens.
  • source-exclude:: exclude one or more address tokens from the specified source-address.
  • source-port:: one or more service definition tokens.
  • verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject

Option

  • ack:: Match on ACK flag being present.
  • all:: Matches all protocols.
  • established:: Only match established connections; implements tcp-established for tcp and sets the destination port to 1024-65535 for udp if no destination port is defined.
  • fin:: Match on FIN flag being present.
  • is-fragment:: Match if the packet is a fragment.
  • psh:: Match on PSH flag being present.
  • rst:: Match on RST flag being present.
  • syn:: Match on SYN flag being present.
  • tcp-established:: Only match established tcp connections, based on a stateful match or TCP flags. Not supported for other protocols.
  • urg:: Match on URG flag being present.
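
As an added example (not taken from the Capirca project's own documentation), the following policy file exercises the header line, the term keywords and several of the options described above. MGMT_NET, SSH and NTP are assumed to be defined in the deployment's network and service definition files, and em0 is an assumed interface name.

```text
header {
  comment:: "Management access policy rendered for OpenBSD PF: IPv4 only, inbound."
  target:: packetfilter mgmt-access inet in
}

term allow-mgmt-ssh {
  comment:: "SSH from the management network only; state is kept by default (no nostate)."
  source-address:: MGMT_NET
  destination-port:: SSH
  protocol:: tcp
  action:: accept
}

term allow-return-traffic {
  comment:: "Replies to TCP connections this host initiated."
  protocol:: tcp
  option:: tcp-established
  action:: accept
}

term temporary-ntp {
  comment:: "Short-lived exception; the generator stops rendering it after the expiration date."
  source-address:: MGMT_NET
  destination-port:: NTP
  protocol:: udp
  expiration:: 2030-12-31
  action:: accept
}

term deny-fragments {
  comment:: "Drop and log fragmented packets arriving on the external interface."
  source-interface:: em0
  option:: is-fragment
  logging:: true
  action:: deny
}

term default-deny {
  comment:: "Log everything else that was not explicitly permitted."
  logging:: true
  action:: deny
}
```

Because the header selects inet, any IPv6 addresses found in MGMT_NET are omitted from the rendered PF rules, and the source-interface term keeps direction in, matching the header.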