Options are used to control PF's operation.
They are specified in pf.conf using the set
directive.
set block-policy option
- Sets the default behavior for filter rules
that specify the
block action.
drop - packet is silently dropped.
return - a TCP RST packet is returned for blocked TCP
packets and an ICMP Unreachable packet is returned for all others.
- Note that individual filter rules can override the default response.
The default is
drop.
set debug option
- Set pf's debugging level.
Choices include
emerg, alert, crit,
err, warning, notice,
info and debug.
set fingerprints file
- Sets the file to load operating system fingerprints from.
For use with passive OS fingerprinting.
The default is
/etc/pf.os.
set limit option value
- Set various limits on pf's operation. The current settings of
these values can be viewed with
pfctl -s memory.
frags - maximum number of entries in the memory pool
used for packet reassembly (scrub rules).
Default is 5000.
src-nodes - maximum number of entries in the memory pool
used for tracking source IP addresses (generated by the
sticky-address and source-track options).
Default is 10000.
states - maximum number of entries in the memory pool
used for state table entries (filter rules
that specify keep state).
Default is 100000.
tables - maximum number of
tables that can be created.
Default is 1000.
table-entries - the overall limit on how many addresses
can be stored in all tables.
Default is 200000.
If the system has less than 100MB of physical memory, the default is
set to 100000.
set loginterface interface
- Sets the interface for which PF should gather statistics such as bytes
in/out and packets passed/blocked.
Statistics can only be gathered for one interface at a time.
Note that the
match, bad-offset, etc., counters
and the state table counters are recorded regardless of whether
loginterface is set or not.
To turn this option off, set it to none.
Default is none.
set optimization option
- Optimize PF for one of the following network environments:
normal - suitable for almost all networks.
high-latency - high latency networks such as satellite
connections.
aggressive - aggressively expires connections from the
state table.
This can greatly reduce the memory requirements on a busy firewall
at the risk of dropping idle connections early.
conservative - extremely conservative settings.
This avoids dropping idle connections at the expense of greater
memory utilization and slightly increased processor utilization.
- The default is
normal.
set ruleset-optimization option
- Control operation of the PF ruleset optimizer.
none - disable the optimizer altogether.
basic - enables the following ruleset optimizations:
- remove duplicate rules
- remove rules that are a subset of another rule
- combine multiple rules into a table when advantageous
- re-order the rules to improve evaluation performance
profile - uses the currently loaded ruleset as a
feedback profile to tailor the ordering of quick rules to actual
network traffic.
- The default is
basic.
See pf.conf(5) for a more
complete description.
set skip on interface
- Skip all PF processing on
interface.
This can be useful on loopback interfaces where filtering, normalization,
queueing, etc, are not required.
This option can be used multiple times.
By default, this option is not set.
set state-policy option
- Sets PF's behavior when it comes to keeping state.
This behavior can be overridden on a per-rule basis.
See keeping state.
if-bound - states are bound to the interface they're
created on.
If traffic matches a state table entry but is not crossing the
interface recorded in that state entry, the match is rejected.
The packet must then match a filter rule or will be dropped/rejected
altogether.
floating - states can match packets on any interface.
As long as the packet matches a state entry and is passing in the
same direction as it was on the interface when the state was created,
it does not matter what interface it's crossing.
It will pass.
- The default is
floating.
set timeout option value
- Set various timeouts (in seconds).
interval - seconds between purges of expired states and
packet fragments.
Default is 10.
frag - seconds before an unassembled fragment is
expired.
Default is 30.
src.track - seconds to keep a
source tracking entry in memory
after the last state expires.
Default is 0.
Example:
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set loginterface dc0
set fingerprints "/etc/pf.os.test"
set skip on lo0
set state-policy if-bound
¡®Yes, sir. I felt sure you understood that. She said she had told you.¡¯ "Why, eh,--I--I don't know that my movements need have anything to do with his. Yours, of course,--" "Ah, but if it saved your life!" "No, I'm not," grumbled the Doctor, "I've had enough of this wild-goose chase. And besides, it's nearly dinner time." "I am coming to that," Lawrence said, lighting a fresh cigarette. "As soon as Bruce was in trouble and the plot began to reel off I saw that it was mine. Of course there were large varyings in the details, but the scheme was mine. It was even laid on the same spot as my skeleton story. When I grasped that, I knew quite well that somebody must have stolen my plot." Judy In a coach-house, through which we passed on our way to see the prince's favourite horses with the state carriages¡ªquite commonplace and comfortable, and made at Palitana¡ªwas a chigram,[Pg 68] off which its silk cover was lifted; it was painted bright red and spangled with twinkling copper nails. This carriage, which is hermetically closed when the Ranee goes out in it, was lined with cloth-of-gold patterned with Gohel Sheri's initials within a horseshoe: a little hand-glass on one of the cushions, two boxes of chased silver, the curtains and hangings redolent of otto of roses. "Are you certain of it? You have seen so very little of him, and you may be mistaken." "And your wife?" "I drawed on my man's bundle o' wood," said Gid, "and then dropped a little, so's to git him where he was biggest and make sure o' him." HoME²¨¶àÒ°½áÒÂ×óÏßÊÓƵ
ENTER NUMBET 0016www.langtel.com.cn
eyeman.net.cn
www.jmwjdq.org.cn
fenjints.com.cn
www.hudaj.com.cn
www.wejgbd.com.cn
www.trenso.com.cn
www.wfybie.com.cn
www.wqbw.com.cn
www.xbdggm.com.cn