OpenBSD Handbook


      PF Options

Runtime Options

      Options are used to control PF’s operation. Options are specified in ‘pf.conf’ using the ‘set’ directive.

set block-policy option

      Sets the default behavior for filter rules that specify the ‘block’ action.

      • ‘drop’ - packet is silently dropped.
      • ‘return’ - a TCP RST packet is returned for blocked TCP packets and an ICMP Unreachable packet is returned for all others.

      Note that individual filter rules can override the default response. The default is ‘drop’.

set debug option

Set PF’s debugging level. Choices include ‘emerg’, ‘alert’, ‘crit’, ‘err’, ‘warning’, ‘notice’, ‘info’ and ‘debug’.

set fingerprints file

Sets the file to load operating system fingerprints from, for use with passive OS fingerprinting. The default is ‘/etc/pf.os’.

set limit option value

Set various limits on PF’s operation. The current settings of these values can be viewed with ‘pfctl -s memory’.

      • ‘frags’ - maximum number of entries in the memory pool used for packet reassembly (scrub rules). Default is 5000.
      • ‘src-nodes’ - maximum number of entries in the memory pool used for tracking source IP addresses (generated by the ‘sticky-address’ and ‘source-track’ options). Default is 10000.
      • ‘states’ - maximum number of entries in the memory pool used for state table entries (filter rules that specify ‘keep state’). Default is 100000.
• ‘tables’ - maximum number of tables that can be created. Default is 1000.
• ‘table-entries’ - the overall limit on how many addresses can be stored in all tables. Default is 200000. If the system has less than 100MB of physical memory, the default is set to 100000.

set loginterface interface

Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked. Statistics can only be gathered for one interface at a time. Note that the ‘match’, ‘bad-offset’, etc., counters and the state table counters are recorded regardless of whether ‘loginterface’ is set or not. To turn this option off, set it to ‘none’. Default is ‘none’.

set optimization option

      Optimize PF for one of the following network environments:

• ‘normal’ - suitable for almost all networks.
      • ‘high-latency’ - high latency networks such as satellite connections.
      • ‘aggressive’ - aggressively expires connections from the state table. This can greatly reduce the memory requirements on a busy firewall at the risk of dropping idle connections early.
      • ‘conservative’ - extremely conservative settings. This avoids dropping idle connections at the expense of greater memory utilization and slightly increased processor utilization.

The default is ‘normal’.

set ruleset-optimization option

Control operation of the PF ruleset optimizer.

• ‘none’ - disable the optimizer altogether.
      • ‘basic’ - enables the following ruleset optimizations:
        1. remove duplicate rules
        2. remove rules that are a subset of another rule
        3. combine multiple rules into a table when advantageous
        4. re-order the rules to improve evaluation performance
      • ‘profile’ - uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic.

      Starting in OpenBSD 4.2, the default is ‘basic’. See pf.conf for a more complete description.

set skip on interface

Skip all PF processing on ‘interface’. This can be useful on loopback interfaces where filtering, normalization, queueing, etc., are not required. This option can be used multiple times. By default, this option is not set.

set state-policy option

Sets PF’s behavior when it comes to keeping state. This behavior can be overridden on a per-rule basis. See the section on keeping state.

      • ‘if-bound’ - states are bound to the interface they’re created on. If traffic matches a state table entry but is not crossing the interface recorded in that state entry, the match is rejected. The packet must then match a filter rule or will be dropped/rejected altogether.
      • ‘floating’ - states can match packets on any interface. As long as the packet matches a state entry and is passing in the same direction as it was on the interface when the state was created, it does not matter what interface it’s crossing. It will pass.

      The default is ‘floating’.

set timeout option value

      Set various timeouts (in seconds).

      • ‘interval’ - seconds between purges of expired states and packet fragments. Default is ‘10’.
      • ‘frag’ - seconds before an unassembled fragment is expired. Default is ‘30’.
      • ‘src.track’ - seconds to keep a source tracking entry in memory after the last state expires. Default is ‘0’.

      Example:

      set timeout interval 10
      set timeout frag 30
      set limit { frags 5000, states 2500 }
      set optimization high-latency
      set block-policy return
      set loginterface dc0
      set fingerprints "/etc/pf.os.test"
      set skip on lo0
      set state-policy if-bound
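As an added example (not part of the handbook page or of PF itself), a small Python checker that reads the ‘set’ lines of a pf.conf text, fills in the defaults listed in this section, and flags values this section does not allow. The function name parse_set_options and the SAMPLE_PF_CONF text (the example above plus one deliberately invalid line) are constructed for this example.

```python
import re
# Allowed values and stated defaults, taken from the option descriptions above.
ENUMS = {"block-policy": {"drop", "return"},
         "debug": {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"},
         "optimization": {"normal", "high-latency", "aggressive", "conservative"},
         "ruleset-optimization": {"none", "basic", "profile"},
         "state-policy": {"if-bound", "floating"}}
DEFAULTS = {"block-policy": "drop", "optimization": "normal", "ruleset-optimization": "basic",
            "state-policy": "floating", "loginterface": "none", "fingerprints": "/etc/pf.os",
            "limit": {"frags": 5000, "src-nodes": 10000, "states": 100000,
                      "tables": 1000, "table-entries": 200000},
            "timeout": {"interval": 10, "frag": 30, "src.track": 0}, "skip": []}

def parse_set_options(text):
    """Return (effective options, warnings) for the 'set' lines of a pf.conf text."""
    opts, warnings = {k: v.copy() if isinstance(v, (dict, list)) else v for k, v in DEFAULTS.items()}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()            # comments stripped
        if len(words) < 3 or words[0] != "set":
            continue                                    # rules, tables, macros: not handled
        key, val = words[1], words[2]
        if key in ENUMS and val in ENUMS[key]:
            opts[key] = val
        elif key in ENUMS:
            warnings.append(f"line {lineno}: unknown {key} value {val!r}")
        elif key == "skip" and val == "on":             # may repeat; interfaces accumulate
            opts["skip"] += re.findall(r"[\w.]+", " ".join(words[3:]))
        elif key in ("loginterface", "fingerprints"):   # single value; a later line replaces it
            opts[key] = val.strip('"')
        elif key in ("limit", "timeout"):               # 'name value' or '{ name value, ... }'
            for name, num in re.findall(r"([\w.-]+)\s+(\d+)", " ".join(words[2:])):
                if name in opts[key]:
                    opts[key][name] = int(num)
                else:
                    warnings.append(f"line {lineno}: unknown {key} name {name!r}")
        else:
            warnings.append(f"line {lineno}: unrecognised option {key!r}")
    return opts, warnings

# Constructed sample: the example block from this page plus one deliberately bad line.
SAMPLE_PF_CONF = """\
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set loginterface dc0
set fingerprints "/etc/pf.os.test"
set skip on lo0
set state-policy if-bound
set block-policy reject   # invalid: only drop or return are accepted
"""
```

Options the sample never sets (for example ‘src-nodes’ or ‘src.track’) come back at the defaults given above, so the result shows the complete effective configuration rather than only the lines present in the file.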
      