Options are used to control PF's operation. Options are specified in
pf.conf using the set directive.
NOTE: In OpenBSD 3.7 and later, the behavior of runtime options has changed.
Previously, once an option was set it was never reset to its default
value, even if the ruleset was reloaded.
Starting in OpenBSD 3.7, whenever a ruleset is loaded, the runtime
options are reset to default values before the ruleset is parsed.
Thus, if an option is set and is then removed from the ruleset and the
ruleset reloaded, the option will be reset to its default value.
set block-policy option
Sets the default behavior for filter rules
that specify the block action.
drop - packet is silently dropped.
return - a TCP RST packet is returned for blocked TCP
packets and an ICMP Unreachable packet is returned for all others.
Note that individual filter rules can override the default response.
The default is drop.
set debug option
Set pf's debugging level.
none - no debugging messages are shown.
urgent - debug messages generated for serious errors.
misc - debug messages generated for various errors (e.g.,
to see status from the packet normalizer/scrubber and for state creation
failures).
loud - debug messages generated for common conditions
(e.g., to see status from the passive OS fingerprinter).
The default is urgent.
set fingerprints file
Sets the file to load operating system fingerprints from. For use
with passive OS fingerprinting.
The default is /etc/pf.os.
set limit option value
Set various limits on pf's operation.
frags - maximum number of entries in the memory pool used
for packet reassembly (scrub rules). Default
is 5000.
src-nodes - maximum number of entries in the memory pool
used for tracking source IP addresses (generated by the
sticky-address and source-track options).
Default is 10000.
states - maximum number of entries in the memory pool used
for state table entries (filter rules that
specify keep state). Default is 10000.
tables - maximum number of tables that can be created.
The default is 1000.
table-entries - the overall limit on how many addresses can
be stored in all tables.
The default is 200000.
If the system has less than 100MB of physical memory, the default is
set to 100000.
set loginterface interface
Sets the interface for which PF should gather statistics such as bytes
in/out and packets passed/blocked. Statistics can only be
gathered for one interface at a time. Note that the
match, bad-offset, etc., counters and the state table
counters are recorded regardless of whether loginterface is set
or not.
To turn this option off, set it to none.
The default is none.
set optimization option
Optimize PF for one of the following network environments:
normal - suitable for almost all networks.
high-latency - high latency networks such as satellite
connections.
aggressive - aggressively expires connections from the state
table. This can greatly reduce the memory requirements on a busy
firewall at the risk of dropping idle connections early.
conservative - extremely conservative settings. This avoids
dropping idle connections at the expense of greater memory utilization
and slightly increased processor utilization.
The default is normal.
set ruleset-optimization option
Control operation of the PF ruleset optimizer.
none - disable the optimizer altogether.
basic - enables the following ruleset optimizations:
remove duplicate rules
remove rules that are a subset of another rule
combine multiple rules into a table when advantageous
re-order the rules to improve evaluation performance
profile - uses the currently loaded ruleset as a feedback
profile to tailor the ordering of quick rules to actual network traffic.
Starting in OpenBSD 4.2, the default is basic.
See pf.conf(5) for a more complete description.
set skip on interface
Skip all PF processing on interface.
This can be useful on loopback interfaces where filtering,
normalization, queueing, etc., are not required.
This option can be used multiple times.
By default this option is not set.
set state-policy option
Sets PF's behavior when it comes to keeping state.
This behavior can be overridden on a per-rule basis.
See Keeping State.
if-bound - states are bound to the interface they're
created on.
If traffic matches a state table entry but is not crossing the interface
recorded in that state entry, the match is rejected.
The packet must then match a filter rule or will be dropped/rejected
altogether.
group-bound - same behavior as if-bound except
packets are allowed to cross interfaces in the same group, i.e., all
ppp interfaces, etc.
floating - states can match packets on any interface.
As long as the packet matches a state entry and is passing in the same
direction as it was on the interface when the state was created, it does
not matter which interface it is crossing; it will pass.
The default is floating.
set timeout option value
Set various timeouts (in seconds).
interval - seconds between purges of expired states and
packet fragments.
The default is 10.
frag - seconds before an unassembled fragment is expired.
The default is 30.
src.track - seconds to keep a source tracking entry in memory
after the last state expires.
The default is 0 (zero).
Example:
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set loginterface dc0
set fingerprints "/etc/pf.os.test"
set skip on lo0
set state-policy if-bound
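To make the reload semantics described at the top of this section concrete, here is an added Python example (not part of the original guide and not pfctl's own parser, which is written in C) that models what a ruleset load does to the runtime options: it starts from the defaults this page documents, applies the ruleset's set directives, and rejects values the page does not list. The names DEFAULTS, ALLOWED, EXAMPLE_RULESET and effective_options are this example's own; the embedded ruleset is the example shown above.

```python
import copy
import shlex
# Defaults as this page documents them; each load starts from these (OpenBSD 3.7+).
DEFAULTS = {
    "block-policy": "drop", "debug": "urgent", "fingerprints": "/etc/pf.os",
    "loginterface": "none", "optimization": "normal", "skip": [],
    "ruleset-optimization": "basic", "state-policy": "floating",
    "limit": {"frags": 5000, "src-nodes": 10000, "states": 10000,
              "tables": 1000, "table-entries": 200000},
    "timeout": {"interval": 10, "frag": 30, "src.track": 0},
}
ALLOWED = {  # keyword options and the values this page lists for them
    "block-policy": {"drop", "return"}, "debug": {"none", "urgent", "misc", "loud"},
    "optimization": {"normal", "high-latency", "aggressive", "conservative"},
    "ruleset-optimization": {"none", "basic", "profile"},
    "state-policy": {"if-bound", "group-bound", "floating"},
}
EXAMPLE_RULESET = """set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set loginterface dc0
set fingerprints "/etc/pf.os.test"
set skip on lo0
set state-policy if-bound
"""  # the example ruleset from this page, embedded so the block runs stand-alone

def effective_options(ruleset):
    """Runtime options in force after `ruleset` (pf.conf text) is loaded."""
    opts = copy.deepcopy(DEFAULTS)            # a reload resets to defaults first
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("set "):
            continue                          # filter/nat rules never touch options
        name, *args = shlex.split(line)[1:]   # shlex unquotes "/etc/pf.os.test"
        if name in ALLOWED or name in ("fingerprints", "loginterface"):
            if name in ALLOWED and args[0] not in ALLOWED[name]:
                raise ValueError(f"set {name}: unknown value {args[0]!r}")
            opts[name] = args[0]
        elif name == "skip":                  # "set skip on <if>" may repeat
            opts["skip"].append(args[1])
        elif name in ("limit", "timeout"):    # braces and commas are optional
            for item in " ".join(args).strip("{} ").split(","):
                key, value = item.split()
                if key not in opts[name]:
                    raise ValueError(f"set {name}: {key!r} is not described here")
                opts[name][key] = int(value)
    return opts                               # other set options are left untouched
```

Loading a ruleset that omits an option previously set (for example, block-policy) yields the default again, which is exactly the OpenBSD 3.7 behavior the note above describes.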