PF: Runtime Options
Options are used to control PF's operation. Options are specified in
pf.conf using the set directive.
- set block-policy
  - Sets the default behavior for filter rules that specify the block action.
    - drop - the packet is silently dropped.
    - return - a TCP RST packet is returned for blocked TCP packets and an
      ICMP Unreachable packet is returned for all others.
  - Note that individual filter rules can override the default response.
- set limit
  - Sets the maximum size of the memory pools PF uses:
    - frags - maximum number of entries in the memory pool used for packet
      reassembly (scrub rules). Default is 5000.
    - states - maximum number of entries in the memory pool used for state
      table entries (filter rules that specify keep state). Default is 10000.
- set loginterface int
  - Sets the interface for which PF should gather statistics such as bytes
    in/out and packets passed/blocked. Statistics can only be gathered for
    one interface at a time. Note that the match, bad-offset, etc., counters
    and the state table counters are recorded regardless of whether
    loginterface is set or not.
- set optimization
  - Optimizes PF for one of the following network environments:
    - normal - suitable for almost all networks. This is the default.
    - high-latency - high-latency networks such as satellite connections.
    - aggressive - aggressively expires connections from the state table.
      This can greatly reduce the memory requirements on a busy firewall at
      the risk of dropping idle connections early.
    - conservative - extremely conservative settings. This avoids dropping
      idle connections at the expense of greater memory utilization and
      slightly increased processor utilization.
- set timeout
  - Sets timers for state and fragment handling:
    - interval - seconds between purges of expired states and packet
      fragments.
    - frag - seconds before an unassembled fragment is expired.
Example:

    set timeout interval 10
    set timeout frag 30
    set limit { frags 5000, states 2500 }
    set optimization high-latency
    set block-policy return
    set loginterface dc0
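As an added example (not part of the OpenBSD FAQ or of PF itself), the small checker below parses the set directives of a pf.conf fragment against the values this page documents, reports the effective limits with the documented defaults filled in, and flags anything it does not recognize. It assumes only the option and limit/timeout names listed on this page, so names that real pf.conf accepts but this page does not describe are reported as errors.

```python
# Values and defaults as documented on this page. Assumption: the checker knows
# only these names; a real pf.conf accepts more limit/timeout names than listed.
VALID = {"block-policy": {"drop", "return"},
         "optimization": {"normal", "high-latency", "aggressive", "conservative"}}
LIMIT_DEFAULTS = {"frags": 5000, "states": 10000}
TIMEOUT_KEYS = {"interval", "frag"}

def _parse_pairs(body, allowed):
    """'{ frags 5000, states 2500 }' or 'interval 10' -> {name: int}."""
    pairs = {}
    for item in body.strip(" {}").split(","):
        name, value = item.split()            # ValueError if malformed
        if name not in allowed:
            raise ValueError(f"unknown name {name!r}")
        pairs[name] = int(value)              # ValueError if not numeric
    return pairs

def parse_set_options(conf_text):
    """Return (options, errors); limits start at the documented defaults."""
    opts = {"limit": dict(LIMIT_DEFAULTS), "timeout": {}}
    errors = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # ignore comments and blanks
        if not line.startswith("set "):
            continue
        try:
            _, option, rest = line.split(None, 2)   # ValueError if incomplete
            if option in VALID and rest in VALID[option]:
                opts[option] = rest
            elif option == "loginterface":
                opts[option] = rest
            elif option == "limit":
                opts[option].update(_parse_pairs(rest, LIMIT_DEFAULTS))
            elif option == "timeout":
                opts[option].update(_parse_pairs(rest, TIMEOUT_KEYS))
            else:
                raise ValueError(f"bad option or value: {line!r}")
        except ValueError as err:
            errors.append(f"line {lineno}: {err}")
    return opts, errors

# Constructed sample: the page's example plus one deliberately invalid line.
SAMPLE_CONF = """\
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return   # RST/ICMP unreachable rather than a silent drop
set loginterface dc0
set block-policy reject   # not a documented policy: reported as an error
"""
```

Running `parse_set_options(SAMPLE_CONF)` returns the parsed options with states limited to 2500 and a single error for the last line.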
www@openbsd.org
$OpenBSD: options.html,v 1.6 2004/01/01 04:16:17 nick Exp $