How to read and take an action based on one TCP header, like a string.
Is this possible with PF?
A more thorough description of what you want to do would be helpful here.
The source port, destination port, and flags portions of the TCP header are all directly supported by pf filtering rules.
Though TCP/IP doesn't really match the OSI 7-layer model, TCP is commonly mapped into layers 4 and/or 5.
You're asking about filtering based on layer 7 TCP headers. Your question is not internally consistent, and therefore has no reasonable answer.
I'm guessing that what you want to do is filter based on the contents of HTTP (layer 7 protocol) headers (which are strings).
Pf does not work at the HTTP level. You're going to need an HTTP filtering proxy like https://www.privoxy.org/.
If you give us a little bit more detail, we might be able to point you to some solutions that exist outside of pf.
Not all protocols have strings that you can interpret. You're definitely not going to have any luck on port 443 if it's used in the normal way for HTTPS. That protocol is encrypted so all you're going to get is a stream of seemingly random bytes. Again, you'll need a proxy that decrypts the protocol into HTTP before you can inspect any strings to filter. You'll have to install a custom certificate authority in all the clients behind your proxy in order for this to work. See this, for example
Process packages looking for strings, like malware, etc.
At start on port 443, but I want to process all ports.
scrub and antispoof in the pf.conf(5) manual page.
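An added illustration of the header-versus-payload distinction drawn in the thread (not code posted by any participant): the ports and flags that the answer says pf rules can match sit at fixed offsets in the 20-byte TCP header, while any "string" lives in the payload that follows it. The function names and the sample segments are constructed for this example.

```python
import struct

# TCP flag bits as they appear in the header's flags byte.
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def split_tcp_segment(segment: bytes) -> dict:
    """Separate the header fields a packet filter sees from the payload."""
    if len(segment) < 20:
        raise ValueError("shorter than the minimum 20-byte TCP header")
    sport, dport, _seq, _ack, off_byte, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    header_len = (off_byte >> 4) * 4  # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset")
    return {
        "sport": sport,
        "dport": dport,
        "flags": [name for bit, name in FLAG_BITS if flags & bit],
        "payload": segment[header_len:],  # everything after the header
    }

def describe_payload(payload: bytes) -> str:
    """Rough classification of what follows the TCP header."""
    if not payload:
        return "empty"
    # A TLS record starts with content type 20-23 and major version 3;
    # after the handshake the record body is ciphertext.
    if len(payload) >= 3 and 20 <= payload[0] <= 23 and payload[1] == 3:
        return "tls-record"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http-request"
    return "opaque"

def build_segment(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed sample: 20-byte header, no options, checksum left at zero."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return header + payload

# Constructed samples: a bare SYN, a plaintext HTTP request, a TLS data record.
SYN = build_segment(40000, 443, 0x02)
HTTP = build_segment(40001, 80, 0x18, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
TLS = build_segment(40000, 443, 0x18, bytes([0x17, 0x03, 0x03, 0x00, 0x05]) + b"\x8f\x1c\xa2\x07\x5e")

if __name__ == "__main__":
    for name, seg in (("SYN", SYN), ("HTTP", HTTP), ("TLS", TLS)):
        fields = split_tcp_segment(seg)
        print(name, fields["sport"], fields["dport"], fields["flags"],
              describe_payload(fields["payload"]))
```
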