[Previous: Shortcuts For Creating Rulesets] [Contents] [Next: Scrub (Packet Normalization)]

PF: Runtime Options


Options are used to control PF's operation. Options are specified in pf.conf using the set directive.

set block-policy
Sets the default behavior for filter rules that specify the block action: with drop the packet is silently discarded; with return a TCP RST is sent for blocked TCP packets and an ICMP unreachable message for all others. Individual filter rules can override this default response.

set limit
frags - maximum number of entries in the memory pool used for packet reassembly (scrub rules). Default is 5000.
states - maximum number of entries in the memory pool used for state table entries (filter rules that specify keep state). Default is 10000.

set loginterface int
Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked. Statistics can only be gathered for one interface at a time. Note that the match, bad-offset, etc., counters and the state table counters are recorded regardless of whether loginterface is set or not.

set optimization
Optimize PF for one of the following network environments: normal (suitable for almost all networks), high-latency (high-latency links such as satellite connections), aggressive (expire states quickly to conserve memory, at the risk of dropping idle connections), or conservative (keep idle connections alive at the expense of more memory and CPU).

set timeout
interval - seconds between purges of expired states and packet fragments.
frag - seconds before an unassembled fragment is expired.

Example:

set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set loginterface dc0
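The following POSIX shell script is an added example and is not part of the OpenBSD FAQ or of PF itself. It reads the set options from a pf.conf (a constructed sample matching the example above, unless the hypothetical PFCONF variable points at a file), extracts each option's value, and flags the settings a defender cares about: a states limit below the 10000 default means the state table fills sooner and new connections are refused once it is full, and a missing loginterface means no per-interface byte and packet counters are gathered.

```shell
#!/bin/sh
# Added example, not from the OpenBSD FAQ: audit the "set" options in a pf.conf.
# PFCONF (a name assumed for this example) may point at an existing pf.conf;
# when it is unset, a constructed sample file is written to a temporary path.

if [ -z "$PFCONF" ]; then
    PFCONF=$(mktemp)
    cat > "$PFCONF" <<'EOF'
# constructed sample pf.conf for this example
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set loginterface dc0
block all
pass out keep state
EOF
fi

# pf_option NAME: print the value following "set NAME" (first match), empty if unset.
pf_option() {
    sed -n "s/^[[:space:]]*set[[:space:]][[:space:]]*$1[[:space:]][[:space:]]*//p" "$PFCONF" |
        head -n 1
}

# pf_limit KEY: print the number configured for KEY in "set limit { ... }" or
# "set limit KEY N"; empty when the limit is not configured (PF default applies).
pf_limit() {
    pf_option limit | tr -d '{}' | tr ',' '\n' |
        awk -v key="$1" '$1 == key { print $2; exit }'
}

# check_options: print one finding per line; return 1 if anything needs attention.
check_options() {
    rc=0
    case "$(pf_option block-policy)" in
        return) echo "block-policy return: blocked TCP gets RST, others ICMP unreachable" ;;
        drop|"") echo "block-policy drop (default): blocked packets are silently dropped" ;;
        *)      echo "block-policy has an unrecognized value"; rc=1 ;;
    esac

    states=$(pf_limit states)
    : "${states:=10000}"   # default from the FAQ when no limit is configured
    if [ "$states" -lt 10000 ]; then
        echo "states limit $states is below the 10000 default; new connections fail once the table is full"
        rc=1
    fi

    if [ -z "$(pf_option loginterface)" ]; then
        echo "no loginterface set: per-interface byte/packet counters are not gathered"
        rc=1
    fi
    return $rc
}

check_options
```

With the constructed sample the script reports the return policy and the reduced states limit and exits non-zero; pointing PFCONF at a real pf.conf audits that file without modifying it.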

$OpenBSD: options.html,v 1.6 2004/01/01 04:16:17 nick Exp $