$Id: README,v 1.12 2021/11/23 02:53:38 nanons Exp $

pf(4) configuration (pf.conf(5))

To enable these rulesets, copy them to /etc/pf.conf, read their comments
and edit them if necessary, then reload pf(4):

	# pfctl -f /etc/pf.conf

To aid in debugging custom rulesets, see their internal representation:

	# pfctl -s rules

To print a rule's internal representation without loading it:

	$ echo "antispoof for egress" | pfctl -nvf -

dhclient(8), dhcpleased(8) and ipsec(4) flows don't need filtering
because they completely bypass pf(4).  ICMP error messages don't need
filtering because pf(4) keeps connection state.

IGMP and other protocols that use IP options are blocked and logged by
default.  To avoid cluttering the log, block them explicitly with a "quick"
rule.  To permit them, use the "allow-opts" keyword:

	$ man -Otag=allow-opts pf.conf

Logging
=======

Logging packets in pf(4) is very useful for debugging rulesets and is as
easy as adding "log" to any rule.  For example, to block and log all
packets going to IP address 1.2.3.4:

	block out log to 1.2.3.4

pflogd(8) must be enabled and running:

	# rcctl enable pflogd
	# rcctl start pflogd

Logged packets can be printed with tcpdump(8):

	# tcpdump -ner /var/log/pflog

Or watched in real time with:

	# tcpdump -nei pflog0

To additionally log the user ID and process ID of the local process that
owns the socket a packet came from or is destined for, use:

	block out log (user) to 1.2.3.4

Then use tcpdump(8)'s -v flag to print the user IDs:

	# tcpdump -vner /var/log/pflog
	# tcpdump -vnei pflog0

With -v, logs usually look like this:

	12:34:56.789012 rule 3/(match) [uid 0, pid 12345] block out on em0: [uid 1000, pid 6789] 192.168.1.1.1234 > 1.2.3.4.70: <data>

Where:
* 12:34:56.789012 - Time at which the packet was logged, to microsecond
  precision.  To also print the date, use tcpdump(8)'s -ttt flag.
* rule 3 - pf(4) rule that logged the packet.  To print the actual rule:

	# pfctl -s rules -R 3

* match - Reason the packet was logged: "match" when a "log" rule matched
  it.  pf(4) prints a different reason, such as "ip-option" for the IP
  options case above, when it drops a packet for a reason other than a
  matching block rule.
* uid 0, pid 12345 - User ID and process ID of the pfctl(8) process that
  loaded the rule.
* block - Action taken for the packet.
* out - Packet direction ("in" or "out").
* em0 - Network interface of the packet.
* uid 1000, pid 6789 - User ID and process ID of the local process that
  owns the socket the packet came from or is destined for.  Only printed
  for rules with "log (user)", and only when the packet belongs to a local
  socket.
* 192.168.1.1.1234 - Source IP and port.
* 1.2.3.4.70 - Destination IP and port.
* <data> - Summary of packet header contents.
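As an added example (not part of this README, and not code from pf(4) or
tcpdump(8)), the POSIX shell functions below post-process "tcpdump -vner
/var/log/pflog" output of the shape shown above into a per-rule, per-user
count, which is what you usually want when a log rule fires more often than
expected.  The sample lines are constructed to match the -v format described
above and are not from a real host; the awk field positions assume that
format (-v with -n and -e), and the pfctl(8) lookup only runs where pfctl is
installed.

```shell
#!/bin/sh
# Added example: summarize pflog output as printed by "tcpdump -vner /var/log/pflog".
# Field positions below follow the -v format documented above; they are an
# assumption about that output, not a parser for every tcpdump line.

# Constructed sample of "tcpdump -vner" pflog output (not captured from a real host).
PFLOG_SAMPLE=$(cat <<'EOF'
12:34:56.789012 rule 3/(match) [uid 0, pid 12345] block out on em0: [uid 1000, pid 6789] 192.168.1.1.1234 > 1.2.3.4.70: S 1:1(0) win 16384
12:34:57.100000 rule 3/(match) [uid 0, pid 12345] block out on em0: [uid 1000, pid 6789] 192.168.1.1.1235 > 1.2.3.4.70: S 1:1(0) win 16384
12:34:58.200000 rule 3/(match) [uid 0, pid 12345] block out on em0: [uid 1000, pid 6789] 192.168.1.1.1236 > 1.2.3.4.70: S 1:1(0) win 16384
12:34:59.300000 rule 3/(match) [uid 0, pid 12345] block out on em0: [uid 501, pid 4242] 192.168.1.1.40000 > 1.2.3.4.443: S 1:1(0) win 16384
12:35:00.400000 rule 5/(ip-option) [uid 0, pid 12345] block in on em0: 192.168.1.50 > 224.0.0.1: igmp query v2
12:35:01.500000 rule 7/(match) [uid 0, pid 12345] pass in on em0: 203.0.113.9.51234 > 192.168.1.1.22: S 1:1(0) win 65535
EOF
)

# Count logged packets by action, direction, interface, rule, reason, socket
# uid (only present for "log (user)" rules) and destination.  Reads tcpdump
# output on stdin and prints "count key" lines, most frequent first.
pflog_summary() {
	awk '
	$2 == "rule" {
		split($3, r, "/")                # "3/(match)" -> "3" and "(match)"
		rule = r[1]; reason = r[2]; gsub(/[()]/, "", reason)
		action = $8; dir = $9; ifn = $11; sub(/:$/, "", ifn)
		i = 12; uid = "-"
		if ($12 == "[uid") {             # socket owner follows "on ifname:"
			uid = $13; sub(/,$/, "", uid); i = 16
		}
		dst = $(i + 2); sub(/:$/, "", dst)   # "src > dst:" -> dst
		key = action " " dir " " ifn " rule=" rule " reason=" reason " uid=" uid " dst=" dst
		n[key]++
	}
	END { for (k in n) print n[k], k }
	' | sort -rn
}

# Distinct rule numbers seen on stdin, ascending, on one line (e.g. "3 5 7").
pflog_rules_seen() {
	awk '$2 == "rule" { split($3, r, "/"); print r[1] }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Print the text of every rule seen, via pfctl(8) where it exists (OpenBSD);
# elsewhere just name the command so the pipeline still runs.
pflog_show_rules() {
	for num in $(pflog_rules_seen); do
		if command -v pfctl >/dev/null 2>&1; then
			pfctl -s rules -R "$num"
		else
			echo "rule $num: run 'pfctl -s rules -R $num' on the firewall"
		fi
	done
}

# Stand-alone demo on the constructed sample.  On a real host replace the
# printf with: tcpdump -vner /var/log/pflog
printf '%s\n' "$PFLOG_SAMPLE" | pflog_summary
printf '%s\n' "$PFLOG_SAMPLE" | pflog_show_rules
```

pflog_summary only reports once its input ends (awk's END block), so feed
it the log file, or a bounded live sample such as "tcpdump -c 200 -vnei
pflog0", rather than an open-ended "tcpdump -vnei pflog0".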

See also pflogd(8) and tcpdump(8) for more information.
