OpenBSD PF - Runtime Options


Options are used to control PF's operation. They are specified in pf.conf using the set directive.

set block-policy option
Sets the default response for filter rules that specify the block action. With drop the packet is silently discarded; with return a TCP RST is sent for blocked TCP packets and an ICMP unreachable for everything else, which also tells the sender that a filter is in the path.
Note that individual filter rules can override the default response with block drop or block return. The default is drop.

set debug option
Sets PF's debugging level. Choices, from least to most verbose, are emerg, alert, crit, err, warning, notice, info and debug. The level can also be changed at runtime with pfctl -x level.

set fingerprints file
Sets the file to load operating system fingerprints from. For use with passive OS fingerprinting. The default is /etc/pf.os.

set limit option value
Sets various limits on PF's operation, such as states (state table entries), frags (fragments held for reassembly), src-nodes (source tracking entries), tables and table-entries. The current settings of these values can be viewed with pfctl -s memory.

set loginterface interface
Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked. Statistics can only be gathered for one interface at a time, and are shown by pfctl -s info. Note that the match, bad-offset, etc., counters and the state table counters are recorded regardless of whether loginterface is set or not. To turn this option off, set it to none. The default is none.

set optimization option
Optimizes PF for one of the following network environments:
normal: suitable for almost all networks.
high-latency: high-latency networks such as satellite connections (satellite is an alias for this setting).
aggressive: aggressively expires idle connections from the state table, saving memory at the risk of dropping idle sessions.
conservative: keeps idle connections much longer, at the expense of memory and CPU.
The default is normal.

set ruleset-optimization option
Controls operation of the PF ruleset optimizer: none disables it, basic removes duplicate and redundant rules and merges rules where possible, and profile additionally uses current traffic to tailor the ordering of quick rules.
The default is basic. See pf.conf(5) for a more complete description.

set skip on interface
Skips all PF processing on interface. This can be useful on loopback interfaces where filtering, normalization, queueing, etc., are not required. Be aware that packets on a skipped interface are never filtered, so use it only on interfaces that carry no untrusted traffic. This option can be used multiple times. By default, this option is not set.

set state-policy option
Sets PF's default for how states are matched: with if-bound a state is only matched on the interface it was created on, while with floating a state can be matched on any interface. This behavior can be overridden on a per-rule basis. See keeping state.
The default is floating.

set timeout option value
Sets various timeouts (in seconds). The current values can be viewed with pfctl -s timeouts.
Example (combining the options described above):
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return
set loginterface dc0
set fingerprints "/etc/pf.os.test"
set skip on lo0
set state-policy if-bound
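The fragment above is what a reviewer usually sees in a diff of pf.conf. Below is an added example, not code from the OpenBSD FAQ or from PF itself: a small Python parser for the set directives that checks each value against the vocabulary documented in pf.conf(5) and flags the security-relevant choices (block-policy return, skip on a non-loopback interface, optimization aggressive). The option lists are those from pf.conf(5); the timeout names are not validated, and the sample ruleset SAMPLE_PF_CONF is constructed from the FAQ example. pfctl -nf remains the authoritative syntax check; this only adds a review pass that pfctl does not do.

```python
"""Parse and review the `set` directives of a pf.conf ruleset.

Added example, not part of the OpenBSD FAQ or of PF. Value lists follow
pf.conf(5); `pfctl -nf` is still the authoritative syntax check.
"""
import re
import shlex

# Single-valued options and the values pf.conf(5) accepts for them.
OPTION_VALUES = {
    "block-policy": {"drop", "return"},
    "state-policy": {"if-bound", "floating"},
    "optimization": {"normal", "high-latency", "satellite",
                     "aggressive", "conservative"},
    "ruleset-optimization": {"none", "basic", "profile"},
    "debug": {"emerg", "alert", "crit", "err", "warning",
              "notice", "info", "debug"},
}
LIMIT_NAMES = {"states", "frags", "src-nodes", "tables", "table-entries"}

# Constructed sample, based on the FAQ example above.
SAMPLE_PF_CONF = """\
set timeout interval 10
set timeout frag 30
set limit { frags 5000, states 2500 }
set optimization high-latency
set block-policy return        # trailing comment, must be ignored
set loginterface dc0
set fingerprints "/etc/pf.os.test"
set skip on lo0
set state-policy if-bound
"""


def _tokens(line):
    # Braces and commas only group list items in pf.conf; turn them into
    # whitespace, then let shlex honour the quotes around a fingerprints path.
    return shlex.split(re.sub(r"[{},]", " ", line))


def _pairs(tokens, allowed=None):
    """Turn `name value name value ...` into {name: int(value)}."""
    if len(tokens) % 2:
        raise ValueError("expected name/value pairs: %r" % (tokens,))
    out = {}
    for name, value in zip(tokens[::2], tokens[1::2]):
        if allowed is not None and name not in allowed:
            raise ValueError("unknown name %r" % name)
        if not value.isdigit():
            raise ValueError("%s needs an integer, got %r" % (name, value))
        out[name] = int(value)
    return out


def parse_set_options(text):
    """Return a dict of option -> value for every `set` line in text.

    timeout and limit accumulate into dicts and skip into a list, so that
    repeated lines such as two `set timeout` directives both survive.
    Raises ValueError on a value pf.conf(5) does not allow.
    """
    opts = {"timeout": {}, "limit": {}, "skip": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("set "):
            continue
        tokens = _tokens(line)
        key, args = tokens[1], tokens[2:]
        if key == "timeout":
            opts["timeout"].update(_pairs(args))
        elif key == "limit":
            opts["limit"].update(_pairs(args, LIMIT_NAMES))
        elif key == "skip":
            if args[:1] != ["on"] or len(args) < 2:
                raise ValueError("set skip needs 'on <interface>'")
            opts["skip"].extend(args[1:])
        elif key in ("loginterface", "fingerprints"):
            if len(args) != 1:
                raise ValueError("set %s takes exactly one argument" % key)
            opts[key] = args[0]
        elif key in OPTION_VALUES:
            if len(args) != 1 or args[0] not in OPTION_VALUES[key]:
                raise ValueError("bad value for set %s: %r" % (key, args))
            opts[key] = args[0]
        else:
            raise ValueError("unknown option: set %s" % key)
    return opts


def is_valid(text):
    """True when every `set` line parses, False otherwise."""
    try:
        parse_set_options(text)
        return True
    except ValueError:
        return False


def review_options(opts):
    """Return review findings (strings) for the security-relevant options."""
    findings = []
    if opts.get("block-policy") == "return":
        findings.append("block-policy return: blocked TCP probes get a RST and "
                        "other packets an ICMP unreachable, which tells a scanner "
                        "a filter is present; the default drop stays silent")
    for ifname in opts["skip"]:
        if not ifname.startswith("lo"):
            findings.append("skip on %s: no filtering, normalization or queueing "
                            "happens on this interface at all" % ifname)
    if opts.get("optimization") == "aggressive":
        findings.append("optimization aggressive: idle states expire early, so "
                        "long-lived idle sessions can be dropped")
    return findings


if __name__ == "__main__":
    for finding in review_options(parse_set_options(SAMPLE_PF_CONF)):
        print("warning:", finding)
```

Run it against a real pf.conf with parse_set_options(open("/etc/pf.conf").read()) before loading the file; on the sample it warns only about block-policy return, since lo0 is the one skipped interface. Rejecting an unknown value (for instance set block-policy reject) mirrors what pfctl -nf would do, but the review findings are the part pfctl cannot give you.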