[Previous: Shortcuts For Creating Rulesets]
[Contents]
[Next: Scrub (Packet Normalization)]
PF: Runtime Options
Options are used to control PF's operation. Options are specified in
pf.conf using the set directive.
- set block-policy
- Sets the default behavior for filter rules
that specify the block action.
- drop - the packet is silently dropped.
- return - a TCP RST packet is returned for blocked TCP packets and an
ICMP Unreachable packet is returned for all others. Local clients then
fail immediately instead of waiting for a timeout, but the reply also
tells a remote scanner that a filtering host is present.
- Note that individual filter rules can override the default response
(block drop, block return, block return-rst, block return-icmp).
- set debug
- Set pf's debugging level.
- none - no debugging messages are shown.
- urgent - debug messages generated for serious errors.
This is the default.
- misc - debug messages generated for various errors (e.g.,
to see status from the packet normalizer/scrubber and for state creation
failures).
- loud - debug messages generated for common conditions
(e.g., to see status from the passive OS fingerprinter).
- set fingerprints file
- Sets the file to load operating system fingerprints from. For use
with passive OS fingerprinting.
The default is /etc/pf.os.
- set limit
- frags - maximum number of entries in the memory pool used
for packet reassembly (scrub rules). Default
is 5000.
- src-nodes - maximum number of entries in the memory pool
used for tracking source IP addresses (generated by the
sticky-address and source-track options).
Default is 10000.
- states - maximum number of entries in the memory pool used
for state table entries (filter rules that
specify keep state). Default is 10000. Once a pool is full no
further entries can be created in it, so a firewall that reaches the
states limit starts failing new connections; pfctl -s memory shows the
limits currently in effect.
- set loginterface int
- Sets the interface for which PF should gather statistics such as bytes
in/out and packets passed/blocked. Statistics can only be
gathered for one interface at a time; set loginterface none turns
collection off. The statistics are displayed by pfctl -s info. Note
that the match, bad-offset, etc., counters and the state table
counters are recorded regardless of whether loginterface is set
or not.
- set optimization
- Optimize PF for one of the following network environments:
- normal - suitable for almost all networks. This is the
default.
- high-latency - high latency networks such as satellite
connections (satellite is accepted as an alias).
- aggressive - aggressively expires connections from the state
table. This can greatly reduce the memory requirements on a busy
firewall at the risk of dropping idle connections early.
- conservative - extremely conservative settings. This avoids
dropping idle connections at the expense of greater memory utilization
and slightly increased processor utilization.
- set state-policy
- Sets PF's behavior when it comes to
keeping state.
This behavior can be overridden on a per rule basis.
See Keeping State.
- if-bound - states are bound to the interface they're
created on. If traffic matches a state table entry but is not crossing
the interface recorded in that entry, the state is not used. The packet
must then match a filter rule of its own or it is dropped/rejected.
This also means that a state created by traffic on the internal
interface cannot be matched by packets arriving on the external one.
- group-bound - same behavior as if-bound except
packets are allowed to cross interfaces in the same group, i.e., all
ppp interfaces, etc.
- floating - states can match packets on any interface.
As long as the packet matches a state entry it does not matter what
interface it's crossing, it will pass.
This is the default.
- set timeout
- interval - seconds between purges of expired states and
packet fragments. Default is 10.
- frag - seconds before an unassembled fragment is expired.
Default is 30.
- The remaining timeouts, which control how long individual state
entries live, are listed in pf.conf(5).
Example (set directives belong at the top of pf.conf, ahead of the
scrub, queue, translation and filter rules):
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set loginterface dc0
set fingerprints /etc/pf.os.test
set state-policy if-bound
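A pre-load check for these directives, added here as an example and not part of the OpenBSD FAQ or of pfctl: a small Python lint that parses the set lines of a pf.conf, rejects values other than those listed above, and flags the legal settings this section warns about (block-policy return, the noisy debug levels, aggressive optimization, floating states, a lowered pool limit). The configuration it runs on is constructed for the example (the FAQ's example above plus three deliberately bad lines); pfctl -nf remains the authoritative syntax check.

```python
import re

# Accepted values for each option, as listed in this FAQ section
SINGLE_VALUE = {
    "block-policy": {"drop", "return"},
    "debug": {"none", "urgent", "misc", "loud"},
    "optimization": {"normal", "high-latency", "aggressive", "conservative"},
    "state-policy": {"if-bound", "group-bound", "floating"},
}
LIMIT_DEFAULTS = {"frags": 5000, "src-nodes": 10000, "states": 10000}
TIMEOUT_DEFAULTS = {"interval": 10, "frag": 30}  # only the two covered above

# Legal settings that deserve a second look on a production firewall
ADVICE = {
    ("block-policy", "return"): "answers blocked packets with RST/ICMP, which "
        "reveals a filtering host; drop is silent, per-rule 'block return' works",
    ("debug", "misc"): "reports every state creation failure; noisy when busy",
    ("debug", "loud"): "reports common conditions; diagnostic use only",
    ("optimization", "aggressive"): "expires idle connections early",
    ("state-policy", "floating"): "a state made on one interface matches packets "
        "on any other; if-bound is the stricter choice on a multi-homed box",
}
SET_RE = re.compile(r"^\s*set\s+(\S+)\s*(.*?)\s*$")


def parse_pairs(value):
    """Parse 'name N' or '{ name N, name N }' into {name: N}; raise on junk."""
    inner = value.strip()
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    pairs = {}
    for part in inner.split(","):
        tokens = part.split()
        if len(tokens) != 2 or not tokens[1].isdigit():
            raise ValueError("expected 'name number', got %r" % part.strip())
        pairs[tokens[0]] = int(tokens[1])
    return pairs


def lint_set_directives(conf_text):
    """Return (lineno, level, message) tuples for the set lines in conf_text."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        m = SET_RE.match(raw.split("#", 1)[0])  # '#' starts a pf.conf comment
        if not m:
            continue
        opt, val = m.group(1), m.group(2).strip('"')
        if not val:
            findings.append((lineno, "error", "set %s: missing value" % opt))
        elif opt in SINGLE_VALUE:
            if val not in SINGLE_VALUE[opt]:
                findings.append((lineno, "error", "set %s: bad value %r" % (opt, val)))
            elif (opt, val) in ADVICE:
                findings.append((lineno, "info", "set %s %s: %s"
                                 % (opt, val, ADVICE[(opt, val)])))
        elif opt == "fingerprints":
            if val != "/etc/pf.os":
                findings.append((lineno, "info", "non-default fingerprint file %r" % val))
        elif opt == "loginterface":  # statistics are kept for one interface only
            if len(val.split()) != 1:
                findings.append((lineno, "error", "set loginterface: one interface only"))
        elif opt in ("limit", "timeout"):
            defaults = LIMIT_DEFAULTS if opt == "limit" else TIMEOUT_DEFAULTS
            try:
                pairs = parse_pairs(val)
            except ValueError as exc:
                findings.append((lineno, "error", "set %s: %s" % (opt, exc)))
                continue
            for name, num in pairs.items():
                if name not in defaults:
                    findings.append((lineno, "warn", "set %s %s: not documented "
                                     "here, left unchecked" % (opt, name)))
                elif opt == "limit" and num < defaults[name]:
                    findings.append((lineno, "info", "set limit %s %d: below the "
                                     "default %d; creation fails once the pool is "
                                     "full" % (name, num, defaults[name])))
        else:
            findings.append((lineno, "error", "unknown option %r" % opt))
    return findings


# Constructed sample: the FAQ's example above plus three deliberately bad lines
SAMPLE_PF_CONF = """\
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set loginterface dc0
set fingerprints /etc/pf.os.test
set state-policy if-bound
set debug verbose            # not a valid debug level
set limit states lots        # the value must be a number
set blockpolicy drop         # misspelt option name
block in all
"""

if __name__ == "__main__":
    for lineno, level, msg in lint_set_directives(SAMPLE_PF_CONF):
        print("%3d %-5s %s" % (lineno, level, msg))
```

Run against the sample it reports three informational findings for the FAQ's own example (the lowered states pool, block-policy return and the non-default fingerprint file) and three errors for the bad lines. Limit and timeout names the section does not document are reported as unchecked rather than rejected, so the lint does not fight pf.conf(5) on options outside this page.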
$OpenBSD: options.html,v 1.10 2004/12/22 04:28:16 david Exp $