[Previous: Shortcuts For Creating Rulesets] [Contents] [Next: Scrub (Packet Normalization)]

PF: Runtime Options


Options are used to control PF's operation. Options are specified in pf.conf using the set directive.

NOTE: In OpenBSD 3.7 and later, the behavior of runtime options has changed. Previously, once an option was set it was never reset to its default value, even if the ruleset was reloaded. Starting in OpenBSD 3.7, whenever a ruleset is loaded, the runtime options are reset to default values before the ruleset is parsed. Thus, if an option is set and is then removed from the ruleset and the ruleset reloaded, the option will be reset to its default value.
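This reset-on-reload behavior is easy to trip over in a large ruleset: delete or comment out one set line and the option quietly goes back to its default with no warning from pfctl. The following POSIX shell script is an added example (it is not part of this FAQ or of pfctl) that lists the set options present in an old pf.conf but absent from a new one, that is, the options that will revert to their defaults on the next pfctl -f. The two sample rulesets it compares are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not part of the OpenBSD FAQ or of pfctl: list the runtime
# options an old pf.conf sets that a new one no longer sets. On OpenBSD 3.7
# and later each of them reverts to its default the moment the new ruleset
# is loaded, with no warning from pfctl.

# Print one line per runtime option found in a pf.conf (comments stripped).
# "limit", "timeout" and "skip" are expanded to one line per item, e.g.
# "limit frags", "timeout frag", "skip lo0"; other options print by name.
pf_set_options() {
    sed -e 's/#.*$//' "$1" | awk '
        $1 != "set" { next }
        $2 == "limit" || $2 == "timeout" {
            gsub(/[{},]/, " ")               # flatten "{ frags 5000, states 2500 }"
            for (i = 3; i <= NF; i++)
                if ($i !~ /^[0-9]+$/)        # names are words, values are numbers
                    print $2, $i
            next
        }
        $2 == "skip" {                       # set skip on lo0  /  set skip on { lo0 enc0 }
            gsub(/[{},]/, " ")
            for (i = 4; i <= NF; i++) print "skip", $i
            next
        }
        { print $2 }
    '
}

# Options set in the first file but not in the second: these silently
# return to their defaults when the second file is loaded with pfctl -f.
dropped_options() {
    tmp=$(mktemp -d) || return 1
    pf_set_options "$1" | sort -u > "$tmp/old"
    pf_set_options "$2" | sort -u > "$tmp/new"
    comm -23 "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
}

# Constructed sample rulesets for the demonstration (not real configs).
# The new version drops block-policy, the states limit and loginterface.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/pf.conf.old" <<'EOF'
set timeout { interval 10, frag 30 }
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return   # refuse instead of silently dropping
set loginterface dc0
set skip on lo0
set state-policy if-bound
EOF
cat > "$SAMPLE_DIR/pf.conf.new" <<'EOF'
set timeout { interval 10, frag 30 }
set limit frags 5000
set optimization high-latency
set skip on lo0
set state-policy if-bound
EOF

echo "options reverting to defaults on reload:"
dropped_options "$SAMPLE_DIR/pf.conf.old" "$SAMPLE_DIR/pf.conf.new"
```

Run it against the currently loaded file and the candidate before reloading; anything it prints is an option that will change value even though no line in the new file mentions it. It only inspects the set directives, so it complements, rather than replaces, the syntax check done by pfctl -nf.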

set block-policy option
Sets the default behavior for filter rules that specify the block action. Options are:
    drop - the packet is silently dropped.
    return - a TCP RST packet is returned for blocked TCP packets, an ICMP UNREACHABLE packet is returned for blocked UDP packets, and all other packets are silently dropped.
Note that individual filter rules can override the default response. The default is drop. A return policy is friendlier to legitimate clients, which fail fast instead of waiting on a timeout, but it also answers scanners, which makes closed ports easy to tell apart from filtered ones.

set debug option
Set pf's debugging level. Options are:
    none - no debug messages are shown.
    urgent - debug messages are generated for serious errors.
    misc - debug messages are generated for various errors (e.g., to see status from the packet normalizer/scrubber and for state creation failures).
    loud - debug messages are generated for common conditions (e.g., to see status from the passive OS fingerprinter).
The default is urgent. The messages go to the kernel message buffer, so they are visible with dmesg(8) and through syslog.

set fingerprints file
Sets the file to load operating system fingerprints from. For use with passive OS fingerprinting. The default is /etc/pf.os. Note that a fingerprint is derived from the characteristics of the peer's TCP SYN and can be forged by the sender, so it should not be the only basis for a security decision.

set limit option value
Set various limits on pf's operation. Options are:
    frags - maximum number of entries in the memory pool used for packet reassembly (scrub rules). The default is 5000.
    src-nodes - maximum number of entries in the memory pool used for tracking source IP addresses (generated by the sticky-address and source-track options). The default is 10000.
    states - maximum number of entries in the memory pool used for state table entries (filter rules that specify keep state). The default is 10000.
    tables - maximum number of tables.
    table-entries - maximum number of addresses held in all tables combined.
The limits currently in effect can be shown with pfctl -s memory. When a pool is exhausted, PF cannot create new entries of that kind; for states this means new connections are dropped, so on a busy firewall the states limit should be sized for peak load rather than left at the default.

set loginterface interface
Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked. Statistics can only be gathered for one interface at a time, and are shown with pfctl -s info. Note that the match, bad-offset, etc., counters and the state table counters are recorded regardless of whether loginterface is set or not. To turn this option off, set it to none. The default is none.

set optimization option
Optimize PF for one of the following network environments:
    normal - suitable for almost all networks.
    high-latency - high latency networks such as satellite connections.
    aggressive - aggressively expires connections from the state table. This can greatly reduce the memory requirements on a busy firewall at the risk of dropping idle connections early.
    conservative - extremely conservative settings. This avoids dropping idle connections at the expense of greater memory utilization and slightly increased processor utilization.
The default is normal.

set ruleset-optimization option
Control operation of the PF ruleset optimizer. Options are:
    none - disable the ruleset optimizer.
    basic - enables the following ruleset optimizations: remove duplicate rules, remove rules that are a subset of another rule, combine multiple rules into a table when advantageous, and re-order the rules to improve evaluation performance.
    profile - uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic.
Starting in OpenBSD 4.2, the default is basic. See pf.conf(5) for a more complete description. Because the optimizer may merge and re-order rules, the ruleset shown by pfctl -s rules can differ from the one in pf.conf; when auditing a ruleset line by line, load it with ruleset-optimization set to none.

set skip on interface
Skip all PF processing on interface. This can be useful on loopback interfaces where filtering, normalization, queueing, etc., are not required. This option can be used multiple times. By default this option is not set. Packets on a skipped interface are not filtered at all, in either direction, so it should only be used on interfaces that carry trusted traffic.

set state-policy option
Sets PF's behavior when it comes to keeping state. This behavior can be overridden on a per rule basis. See Keeping State. Options are:
    if-bound - states are bound to the interface they are created on. If traffic matches a state table entry but is not crossing the interface recorded in that state entry, the match is rejected. The packet must then match a filter rule or it will be dropped/rejected altogether.
    floating - states can match packets on any interface. As long as the packet matches a state entry and is passing in the same direction as it was on the interface when the state was created, it does not matter which interface it is crossing; it will pass.
The default is floating. On a multi-homed firewall, if-bound is the stricter choice, since a packet arriving on an interface other than the one the state was created on cannot ride an existing state past the ruleset.

set timeout option value
Set various timeouts (in seconds). Options include:
    interval - seconds between purges of expired states and packet fragments. The default is 10.
    frag - seconds before an unassembled fragment is expired. The default is 30.
    src.track - seconds to keep a source tracking entry in memory after the last state expires. The default is 0.
Per-protocol state timeouts (tcp.first, tcp.established, udp.single, icmp.error, other.multiple, and so on) and the adaptive.start and adaptive.end thresholds, which shorten timeouts as the state table fills, are also set here; see pf.conf(5) for the full list and defaults.

Example:

    set timeout interval 10
    set timeout frag 30
    set limit { frags 5000, states 2500 }
    set optimization high-latency
    set block-policy return
    set loginterface dc0
    set fingerprints "/etc/pf.os.test"
    set skip on lo0
    set state-policy if-bound


www@openbsd.org
$OpenBSD: options.html,v 1.17 2007/11/01 02:57:56 joel Exp $