svcadm(8)을 검색하려면 섹션에서 8 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
pfctl(8)
System Administration Commands pfctl(8)
NAME
pfctl - control the packet filter (PF) device
SYNOPSIS
pfctl [-deghnPqrvz] [-a anchor] [-D macro=value] [-F modifier] [-f file]
[-i interface] [-K host | network] [-k host | network | label | id]
[-o level] [-p device] [-s modifier [-R id]]
[-t table -T command [address ...]] [-x level]
DESCRIPTION
The pfctl utility communicates with the packet filter device using the
ioctl interface. It allows ruleset and parameter configuration, and
retrieval of status information from the packet filter. Packet filter‐
ing restricts the types of packets that pass through network interfaces
entering or leaving the host based on filter rules as described in
pf.conf(7). The packet filter can also replace addresses and ports of
packets.
The packet filter is disabled by default. Should pfctl be unable to
load a ruleset, an error occurs and the original ruleset remains in
place.
The packet filter does not itself forward packets between interfaces.
Packet forwarding must be allowed using ipadm(8).
OPTIONS
The following options are supported:
-a anchor
Apply flags -f, -F, and -s only to the rules in the specified
anchor. In addition to the main ruleset, pfctl can load and manipu‐
late additional rulesets by name, called anchors. The main ruleset
is the default anchor.
Anchors are referenced by name and may be nested, with the various
components of the anchor path separated by '/' characters, similar
to how file system hierarchies are laid out. The last component of
the anchor path is where ruleset operations are performed.
Evaluation of anchor rules from the main ruleset is described in
pf.conf(7).
Private tables can also be put inside anchors, either by having ta‐
ble statements in the pf.conf(7) file that is loaded in the anchor,
or by using regular table commands, as in:
# pfctl -a foo/bar -t mytable -T add 1.2.3.4 5.6.7.8
When a rule referring to a table is loaded in an anchor, the rule
will use the private table if one is defined, and then fall back to
the table defined in the main ruleset, if there is one. This is
similar to C rules for variable scope. It is possible to create
distinct tables with the same name in the global ruleset and in an
anchor, but this is often bad design and a warning will be issued
in that case.
By default, recursive inline printing of anchors applies only to
unnamed anchors specified inline in the ruleset. If the anchor name
is terminated with a '*' character, the -s flag will recursively
print all anchors in a brace delimited block. For example the fol‐
lowing will print the authpf ruleset recursively:
# pfctl -a 'authpf/*' -sr
To print the main ruleset recursively, specify only '*' as the
anchor name:
# pfctl -a '*' -sr
-D macro=value
Define macro to be set to value on the command line. Overrides the
definition of macro in the ruleset.
-d
Temporarily disable the packet filter.
-e
Temporarily enable the packet filter.
-F modifier
Flush the filter parameters specified by modifier (may be abbrevi‐
ated):
-F rules Flush the filter rules.
-F states Flush the state table (NAT and filter).
-F Sources Flush the source tracking table.
-F info Flush the filter information (statistics that are not
bound to rules).
-F Tables Flush the tables.
-F osfp Flush the passive operating system fingerprints.
-F all Flush all of the above.
-f file
Replace the current ruleset with the rules contained in file. This
file may contain macros, tables, options, and normalization, queue‐
ing, translation, and filtering rules. With the exception of macros
and tables, the statements must appear in that order.
-g
Include output helpful for debugging.
-h
Help.
-i interface
Restrict the operation to the given interface.
-K host | network
Kill all of the source tracking entries originating from the speci‐
fied host or network. A second -K host or -K network option may
be specified, which will kill all the source tracking entries from
the first host/network to the second.
-k host | network | label | id
Kill all of the state entries matching the specified host, network,
label, or id.
For example, to kill all of the state entries originating from
"host":
# pfctl -k host
A second -k host or -k network option may be specified, which will
kill all the state entries from the first host/network to the sec‐
ond. To kill all of the state entries from "host1" to "host2":
# pfctl -k host1 -k host2
To kill all states originating from 192.168.1.0/24 to
172.16.0.0/16:
# pfctl -k 192.168.1.0/24 -k 172.16.0.0/16
A network prefix length of 0 can be used as a wildcard. To kill all
states with the target "host2":
# pfctl -k 0.0.0.0/0 -k host2
It is also possible to kill states by rule label or state ID. In
this mode the first -k argument is used to specify the type of the
second argument. The following command would kill all states that
have been created from rules carrying the label "foobar":
# pfctl -k label -k foobar
To kill one specific state by its unique state ID (as shown by
pfctl -s state -vv), use the id modifier and as a second argument
the state ID and optional creator ID. To kill a state with ID
4823e84500000003 use:
# pfctl -k id -k 4823e84500000003
To kill a state with ID 4823e84500000018 created from a backup
firewall with hostid 00000002 use:
# pfctl -k id -k 4823e84500000018/2
-n
Do not actually load rules, just parse them.
-o level
Control the ruleset optimizer, overriding any rule file settings.
-o none Disable the ruleset optimizer.
-o basic Enable basic ruleset optimizations. This is the
default behaviour.
-o profile Enable basic ruleset optimizations with profiling.
For further information on the ruleset optimizer, see pf.conf(7).
-P
Print ports using their names in /etc/services if available.
-p device
Use the device file device instead of the default /dev/pf.
-q
Only print errors and warnings.
-r
Perform reverse DNS lookups on states when displaying them.
-s modifier
Show the filter parameters specified by modifier (may be abbrevi‐
ated):
-s rules Show the currently loaded filter rules. If -R id
is specified as well, only the rule with the spec‐
ified numeric ID is shown. When used together with
-v, the per-rule statistics (number of evalua‐
tions, packets, and bytes) are also shown. Note
that the "skip step" optimization done automati‐
cally by the kernel will skip evaluation of rules
where possible. Packets passed statefully are
counted in the rule that created the state (even
though the rule is not evaluated more than once
for the entire connection).
-s Anchors Show the currently loaded anchors directly
attached to the main ruleset. If -a anchor is
specified as well, the anchors loaded directly
below the given anchor are shown instead. If -v is
specified, all anchors attached under the target
anchor will be displayed recursively.
-s states Show the contents of the state table.
-s Sources Show the contents of the source tracking table.
-s info Show filter information (statistics and counters).
When used together with -v, source tracking sta‐
tistics are also shown.
-s labels Show per-rule statistics (label, evaluations,
packets total, bytes total, packets in, bytes in,
packets out, bytes out, state creations) of filter
rules with labels, useful for accounting. If -R id
is specified as well, only the statistics for the
rule with the specified numeric ID are shown.
-s timeouts Show the current global timeouts.
-s memory Show the current pool memory hard limits.
-s Tables Show the list of tables.
-s osfp Show the list of operating system fingerprints.
-s Interfaces Show the list of interfaces and interface drivers
available to PF. When used together with -v, it
additionally lists which interfaces have skip
rules activated. When used together with -vv,
interface statistics are also shown. -i can be
used to select an interface or a group of inter‐
faces.
-s all Show all of the above, except for the lists of
interfaces and operating system fingerprints.
Counters shown with -s info are:
match explicit rule match
bad-offset currently unused
fragment invalid fragments dropped
short short packets dropped
normalize dropped by normalizer: illegal packets
memory memory could not be allocated
bad-timestamp bad TCP timestamp; RFC 1323
congestion network interface queue congested
ip-option bad IP/IPv6 options
proto-cksum invalid protocol checksum
state-mismatch packet was associated with a state entry, but
sequence numbers did not match
state-insert state insertion failure
state-limit configured state limit was reached
src-limit source node/connection limit
synproxy dropped by synproxy
translate no free ports in translation port range
-T command [address ...]
Specify the command (may be abbreviated) to apply to the table.
Commands include:
-T kill Kill a table.
-T flush Flush all addresses of a table.
-T add Add one or more addresses in a table. Automati‐
cally create a nonexisting table.
-T delete Delete one or more addresses from a table.
-T expire number Delete addresses which had their statistics
cleared more than number seconds ago. For
entries which have never had their statistics
cleared, number refers to the time since they
were added to the table.
-T replace Replace the addresses of the table. Automati‐
cally create a nonexisting table.
-T show Show the content (addresses) of a table.
-T test Test if the given addresses match a table.
-T zero Clear all the statistics of a table.
For the add, delete, replace, and test commands, the list of addresses
can be specified either directly on the command line and/or in an
unformatted text file, using the -f flag. Comments starting with a '#'
are allowed in the text file. With these commands, the -v flag can also
be used once or twice, in which case pfctl will print the detailed
result of the operation for each individual address, prefixed by one of
the following letters:
A The address/network has been added.
C The address/network has been changed (negated).
D The address/network has been deleted.
M The address matches (test operation only).
X The address/network is duplicated and therefore ignored.
Y The address/network cannot be added/deleted due to 287 conflicting
'!' attributes.
Z The address/network has been cleared (statistics).
Each table can maintain a set of counters that can be retrieved using
the -v flag of pfctl. For example, the following commands define a wide
open firewall which will keep track of packets going to or coming from
the OpenBSD FTP server. The following commands configure the firewall
and send 10 pings to the FTP server:
# printf "table <test> counters { ftp.openbsd.org }\n \
pass out to <test>\n" | pfctl -f-
# ping -qc10 ftp.openbsd.org
We can now use the table show command to output, for each address and
packet direction, the number of packets and bytes that are being
passed, matched or blocked by rules referencing the table. Note that
the match counters are incremented for every match rule in which they
are referenced, meaning that a single packet may be counted multiple
times. The time at which the current accounting started is also shown
with the "Cleared" line.
# pfctl -t test -vTshow
198.51.100.81
Cleared: Fri Jun 28 11:17:37 2013
In/Block: [ Packets: 0 Bytes: 0 ]
In/Match [ Packets: 54 Bytes: 10028 ]
In/Pass: [ Packets: 5 Bytes: 1949 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Match [ Packets: 65 Bytes: 12684 ]
Out/Pass: [ Packets: 6 Bytes: 389 ]
Similarly, it is possible to view global information about the tables
by using the -v modifier twice and the -s Tables command. This will
display the number of addresses on each table, the number of rules
which reference the table, and the global packet statistics for the
whole table:
# pfctl -vvsTables
--a-r-C test
Addresses: 1
Cleared: Fri Jun 28 11:17:37 2013
References: [ Anchors: 0 Rules: 4 ]
Evaluations: [ NoMatch: 35 Match: 8 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Match: [ Packets: 54 Bytes: 10028 ]
In/Pass: [ Packets: 5 Bytes: 1949 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Match: [ Packets: 65 Bytes: 12684 ]
Out/Pass: [ Packets: 6 Bytes: 389 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
Only packets creating state are matched in the Evaluations line, but
all packets passing as a result of the state are correctly accounted
for. Reloading the table(s) or ruleset will not affect packet account‐
ing in any way. The two "XPass" counters are incremented instead of the
"Pass" counters when a "stateful" packet is passed but doesn't match
the table anymore. This will happen in our example if someone flushes
the table while the ping(8) command is running.
When used with a single -v, pfctl will only display the first line con‐
taining the table flags and name. The flags are defined as follows:
c For constant tables, which cannot be altered outside
pf.conf(7).
p For persistent tables, which don't get automatically killed
when no rules refer to them.
a For tables which are part of the active tableset. Tables
without this flag do not really exist, cannot contain
addresses, and are only listed if the -g flag is given.
i For tables which are part of the inactive tableset. This
flag can only be witnessed briefly during the loading of
pf.conf(7).
r For tables which are referenced (used) by rules.
h This flag is set when a table in the main ruleset is hidden
by one or more tables of the same name from anchors
attached below it.
C This flag is set when per-address counters are enabled on
the table.
-t table Specify the name of the table.
-v Produce more verbose output. A second use of -v will pro‐
duce even more verbose output including ruleset warnings.
See the previous section for its effect on table commands.
-x level Set the debug level, which limits the severity of log mes‐
sages printed by 'PF'. This should be a keyword from the
following ordered list (highest to lowest): emerg, alert,
crit, err, warning, notice, info, and debug.
-z Clear per-rule statistics.
SMF
The PF firewall is managed by the service management facility (smf(7))
under the service identifier:
svc:/network/firewall:default
The PF firewall service can be enabled and disabled by using the svcadm
command:
# svcadm enable svc:/network/firewall:default
# svcadm disable svc:/network/firewall:default
To update the PF kernel module with new policy configuration, refresh
the PF firewall service:
# svcadm refresh svc:/network/firewall:default
To edit the firewall configuration, use the pfedit command. The pfedit
command checks the authorizations required for editing firewall config‐
uration files. For more information, see the pfedit(8) man page.
The smf(7) manifest for PF firewall service defines two properties:
firewall/rules defines a location of pf.conf(7)
firewall/fingerprints defines a location of pf.os(7)
Refreshing the firewall service through svcadm refresh reloads the con‐
figuration file. Especially, no anchors, tables, or states are flushed.
However, restarting the firewall service through svcadm restart flushes
all anchors as if '-F all' is used on each such anchor.
After this, the svcadm restart command loads the configuration file.
SECURITY
The process, which alters PF kernel module configuration, must have
sys_ip_config privilege. Solaris comes with a profile named Network
Firewall Management, which grants privilege to user/role.
FILES
/etc/pf.conf Packet filter rules file.
/etc/pf.os Passive operating system fingerprint database.
SEE ALSO
pf.conf(7), pf.os(7), smf(7), svcadm(8)
HISTORY
The pfctl program and the PF filter mechanism first appeared in OpenBSD
3.0. It was added to Oracle Solaris in Solaris 11.3.0.
SOLARIS
PF has been introduced to Solaris as a part of firewall modernization
project. The project brings slightly modified version of PF to Solaris.
The manual page has been tailored to match a PF feature set found on
Solaris Operating System. The PF version is derived from OpenBSD 5.5
release.
Oracle Solaris 11.4 21 Jun 2021 pfctl(8)