OpenBSD PF: Runtime Options (original) (raw)

Options are used to control PF's operation. They are specified in pf.conf using the setdirective.

set block-policy _option_

Sets the default behavior for filter rules that specify the block action.

• drop - packet is silently dropped.
• return - a TCP RST packet is returned for blocked TCP packets and an ICMP Unreachable packet is returned for all others.

Note that individual filter rules can override the default response. The default is drop.

set debug _option_

Set pf's debugging level. Choices include emerg, alert, crit,err, warning, notice,info and debug.

set fingerprints _file_

Sets the file to load operating system fingerprints from. For use with passive OS fingerprinting. The default is /etc/pf.os.

set limit _option value_

Set various limits on pf's operation. The current settings of these values can be viewed with pfctl -s memory.

• frags - maximum number of entries in the memory pool used for packet reassembly (scrub rules). Default is 5000.
• src-nodes - maximum number of entries in the memory pool used for tracking source IP addresses (generated by thesticky-address and source-track options). Default is 10000.
• states - maximum number of entries in the memory pool used for state table entries (filter rules that specify keep state). Default is 100000.
• tables - maximum number oftables that can be created. Default is 1000.
• table-entries - the overall limit on how many addresses can be stored in all tables. Default is 200000. If the system has less than 100MB of physical memory, the default is set to 100000.

set loginterface _interface_

Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked. Statistics can only be gathered for one interface at a time. Note that the match, bad-offset, etc., counters and the state table counters are recorded regardless of whetherloginterface is set or not. To turn this option off, set it to none. Default is none.

set optimization _option_

Optimize PF for one of the following network environments:

• normal - suitable for almost all networks.
• high-latency - high latency networks such as satellite connections.
• aggressive - aggressively expires connections from the state table. This can greatly reduce the memory requirements on a busy firewall at the risk of dropping idle connections early.
• conservative - extremely conservative settings. This avoids dropping idle connections at the expense of greater memory utilization and slightly increased processor utilization.

The default is normal.

set ruleset-optimization _option_

Control operation of the PF ruleset optimizer.

• none - disable the optimizer altogether.
• basic - enables the following ruleset optimizations:
  1. remove duplicate rules
  2. remove rules that are a subset of another rule
  3. combine multiple rules into a table when advantageous
  4. re-order the rules to improve evaluation performance
• profile - uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic.

The default is basic. See pf.conf(5) for a more complete description.

set skip on _interface_

Skip all PF processing on _interface_. This can be useful on loopback interfaces where filtering, normalization, queueing, etc, are not required. This option can be used multiple times. By default, this option is not set.

set state-policy _option_

Sets PF's behavior when it comes to keeping state. This behavior can be overridden on a per-rule basis. See keeping state.

• if-bound - states are bound to the interface they're created on. If traffic matches a state table entry but is not crossing the interface recorded in that state entry, the match is rejected. The packet must then match a filter rule or will be dropped/rejected altogether.
• floating - states can match packets on any interface. As long as the packet matches a state entry and is passing in the same direction as it was on the interface when the state was created, it does not matter what interface it's crossing. It will pass.

The default is floating.

set timeout _option value_

Set various timeouts (in seconds).

• interval - seconds between purges of expired states and packet fragments. Default is 10.
• frag - seconds before an unassembled fragment is expired. Default is 30.
• src.track - seconds to keep asource tracking entry in memory after the last state expires. Default is 0.

Example:

set timeout interval 10 set timeout frag 30 set limit { frags 5000, states 2500 } set optimization high-latency set block-policy return set loginterface dc0 set fingerprints "/etc/pf.os.test" set skip on lo0 set state-policy if-bound