分类: BSD
2005-03-14 19:17:30
TRAFFIC
"Spoofing" is the faking of IP addresses, typically for malicious purpos-
es. The antispoof directive expands to a set of filter rules which will
block all traffic with a source IP from the network(s) directly connected
to the specified interface(s) from entering the system through any other
interface.
For example, the line
antispoof for lo0
expands to
block drop in on ! lo0 inet from 127.0.0.1/8 to any
block drop in on ! lo0 inet6 from ::1 to any
For non-loopback interfaces, there are additional rules to block incoming
packets with a source IP address identical to the interface's IP(s). For
example, assuming the interface wi0 had an IP address of 10.0.0.1 and a
netmask of 255.255.255.0, the line
antispoof for wi0 inet
expands to
block drop in on ! wi0 inet from 10.0.0.0/24 to any
block drop in inet from 10.0.0.1 to any
Caveat: Rules created by the antispoof directive interfere with packets
sent over loopback interfaces to local addresses. One should pass these
explicitly.
OPTIONS
All three of keep state, modulate state and synproxy state support the
following options:
max _number_
Limits the number of concurrent states the rule may create. When
this limit is reached, further packets matching the rule that would
create state are dropped, until existing states time out.
no-sync
Prevent state changes for states created by this rule from appear-
ing on the interface.
_timeout_ _seconds_
Changes the timeout values used for states created by this rule.
When the source-track keyword is specified, the number of states
per source IP is tracked. The following limits can be set:
max-src-nodes
Limits the maximum number of source addresses which can si-
multaneously have state table entries.
max-src-states
Limits the maximum number of simultaneous state entries that
a single source address can create with this rule.
For a list of all valid timeout names, see OPTIONS above.
Multiple options can be specified, separated by commas:
pass in proto tcp from any to any
port www flags S/SA keep state
(max 100, source-track rule, max-src-nodes 75,
max-src-states 3, tcp.established 60, tcp.closing 5)
may be tuned for various situations using the set command.
set timeout
interval Interval between purging expired states and fragments.
frag Seconds before an unassembled fragment is expired.
src.track
Length of time to retain a source tracking entry after
the last state expires.
When a packet matches a stateful connection, the seconds to live
for the connection will be updated to that of the proto.modifier
which corresponds to the connection state. Each packet which
matches this state will reset the TTL. Tuning these values may im-
prove the performance of the firewall at the risk of dropping valid
idle connections.
tcp.first
The state after the first packet.
tcp.opening
The state before the destination host ever sends a packet.
tcp.established
The fully established state.
tcp.closing
The state after the first FIN has been sent.
tcp.finwait
The state after both FINs have been exchanged and the connec-
tion is closed. Some hosts (notably web servers on Solaris)
send TCP packets even after closing the connection. Increas-
ing tcp.finwait (and possibly tcp.closing) can prevent block-
ing of such packets.
tcp.closed
The state after one endpoint sends an RST.
ICMP and UDP are handled in a fashion similar to TCP, but with a
much more limited set of states:
udp.first
The state after the first packet.
udp.single
The state if the source host sends more than one packet but
the destination host has never sent one back.
udp.multiple
The state if both hosts have sent packets.
icmp.first
The state after the first packet.
icmp.error
The state after an ICMP error came back in response to an
ICMP packet.
Other protocols are handled similarly to UDP:
other.first
other.single
other.multiple
Timeout values can be reduced adaptively as the number of state
table entries grows.
adaptive.start
When the number of state entries exceeds this value, adaptive
scaling begins. All timeout values are scaled linearly with
factor (adaptive.end - number of states) / (adaptive.end -
adaptive.start).
adaptive.end
When reaching this number of state entries, all timeout val-
ues become zero, effectively purging all state entries imme-
diately. This value is used to define the scale factor, it
should not actually be reached (set a lower state limit, see
below).
These values can be defined both globally and for each rule. When
used on a per-rule basis, the values relate to the number of states
created by the rule, otherwise to the total number of states.
For example:
set timeout tcp.first 120
set timeout tcp.established 86400
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit states 10000
With 9000 state table entries, the timeout values are scaled to 50%
(tcp.first 60, tcp.established 43200).
set loginterface
Enable collection of packet and byte count statistics for the given
interface. These statistics can be viewed using
# pfctl -s info
In this example collects statistics on the interface named
dc0:
set loginterface dc0
One can disable the loginterface using:
set loginterface none
set limit
Sets hard limits on the memory pools used by the packet filter.
See for an explanation of memory pools.
For example,
set limit states 20000
sets the maximum number of entries in the memory pool used by state
table entries (generated by keep state rules) to 20000. Using
set limit frags 20000
sets the maximum number of entries in the memory pool used for
fragment reassembly (generated by scrub rules) to 20000. Finally,
set limit src-nodes 2000
sets the maximum number of entries in the memory pool used for
tracking source IP addresses (generated by the sticky-address and
source-track options) to 2000.
These can be combined:
set limit { states 20000, frags 20000, src-nodes 2000 }
set optimization
Optimize the engine for one of the following network environments:
normal
A normal network environment. Suitable for almost all net-
works.
high-latency
A high-latency environment (such as a satellite connection).
satellite
Alias for high-latency.
aggressive
Aggressively expire connections. This can greatly reduce the
memory usage of the firewall at the cost of dropping idle
connections early.
conservative
Extremely conservative settings. Avoid dropping legitimate
connections at the expense of greater memory utilization
(possibly much greater on a busy network) and slightly in-
creased processor utilization.
For example:
set optimization aggressive
set block-policy
The block-policy option sets the default behaviour for the packet
block action:
drop Packet is silently dropped.
return A TCP RST is returned for blocked TCP packets, an ICMP
UNREACHABLE is returned for blocked UDP packets, and all
other packets are silently dropped.
For example:
set block-policy return
set state-policy
The state-policy option sets the default behaviour for states:
if-bound States are bound to interface.
group-bound States are bound to interface group (i.e. ppp)
floating States can match packets on any interfaces (the de-
fault).
For example:
set state-policy if-bound
set require-order
By default enforces an ordering of the statement types in
the ruleset to: options, normalization, queueing, translation,
filtering. Setting this option to no disables this enforcement.
There may be non-trivial and non-obvious implications to an out of
order ruleset. Consider carefully before disabling the order en-
forcement.
set fingerprints
Load fingerprints of known operating systems from the given file-
name. By default fingerprints of known operating systems are auto-
matically loaded from in /etc but can be overridden via
this option. Setting this option may leave a small period of time
where the fingerprints referenced by the currently active ruleset
are inconsistent until the new ruleset finishes loading.
For example:
set fingerprints "/etc/pf.os.devel"
set debug
Set the debug level to one of the following:
none Don't generate debug messages.
urgent Generate debug messages only for serious errors.
misc Generate debug messages for various errors.
loud Generate debug messages for common conditions.