# Guide: pf.conf quick reference



## sidetone (Dec 5, 2015)

PF is divided into the sections:

* Macros - Variables are defined in this section. This simplifies changing hardware, or makes it easier to list a lot of arguments as a variable. IP's are not set here, but instead in the next section.
* Tables - Variables for IP's are defined here. This can be also set by the overload argument from rules in the filtering section.
* Options - Option lines start with set
* Scrub - Scrub packets
* Queueing -
* Translation - Nat translation settings
* Filter rules - Here is where rules are set up. PF rules work where the last line takes effect over the lines before it.

*Macros*
Macros are defined with an = equal sign with arguments to be used in the rules in " quotes.

```
wireless_card_to_internet="ath0"
tcp="{ http ntp 443 }" # this is often used, but doesn't limit protocols to tcp
```
To reference these later use $, for instance $tcp. This simply allows lists to be kept neatly instead of having to retype the same lines inconveniently, or allows a simple change to be made without replacing all references to the change.

_  characters_
These are used throughout the rules file, not only in the macros section.
* { } is used for lists, a space must be present between parenthesis and each list item.
* Greater than > and less than < are useful for port definitions. Their equal to corespondents >=, and <= can also be used.
* >< is used to define a range. To define numbers outside of a range (inverse range) use <>. A space on each side and the numbers go outside these range characters.

*Tables*
IP table variable settings are kept here, and not in the macros section. This has uses for your network gateways, and for ips generated by PF filter rules, for instance tracking brute force attempts. These rules start with table, and use < > to define the variables.

```
table <ips>
table <ipvariable>
table <ipfile> file "/dir/file"
```
Files can also be used to set table variables as shown in the example with the file argument. overload <> from state options in the "filter rules" section can also set variable ips here, for instance for mapping brute force ips.

*Options*
Options start with set.

To prevent PF from blocking local services.

```
set skip lo0
```

*Scrub*

```
scrub in all
antispoof for $interface
```

*Filter rules*
* [action] - block, pass
* [direction] - in, out
* [log] - log, log (all)
* quick - This is optional, and only used to supersede the order of PF rules.
* [interface] - on $interface, use this if you need to differentiate rules on different network interfaces
* [af] - inet, inet6
* [proto] tcp, udp, sctp, icmp6; see /etc/protocols.
* [ip] - $ip, <iptablevariable>
* [network port] - port $port; see /etc/services for port values.  Port values can be a number or named.
* [flags] - tcpflags
* [state] ([state_options]) - keep state, synproxy state, modulate state, no state. State options are contained in ().

Most arguments are optional, depending on circumstances. any and all are keywords that can replace a few variables in the rules. from and to can precede arguments in the rules syntax to direct them.

examples:

```
block all
pass out log modulate state
block quick on dc0 inet proto { tcp udp } from <table1> port html no state
```

see /usr/share/examples/pf/

*References*
* PF: The OpenBSD Packet Filter
* Firewalling with PF / Brannmur med PF
* FreeBSD documentation
* Network Administration with FreeBSD 7: Network Configuration - Firewalls


----------

