pf options question

doughy · Nov 29, 2011

I'm reading the man page for pf and under OPTIONS it says

pf(4)may be tuned for various situations using the set command.

I looked under pf(4) man page but it doesn't have any of the options that the man page lists.

ex: tcp.first
The state after the first packet.

Are these enabled in the pf.conf file? If so where do the parameters go (assuming there are parameters to tcp.first, etc.

Thanks in advance

kpa · Nov 29, 2011

They go after tables but before any traffic normalisation (scrub) rules pf.conf(5). For example:

Code:

set loginterface $WAN
set skip on $LOOPBACK

You can see the current values for some of the options in the output of # pfctl -s timeouts and # pfctl -s memory

doughy · Nov 29, 2011

how would I use an option such as tcp.first or tcp.finwait?

DutchDaemon · Nov 30, 2011

From pf.conf(5):

Code:

           For example:

                 set timeout tcp.first 120
                 set timeout tcp.established 86400
                 set timeout { adaptive.start 6000, adaptive.end 12000 }
                 set limit states 10000

See the bottom of [cmd=]pfctl -sa[/cmd] for present 'set' values.

doughy · Dec 2, 2011

It says something about adaptive timeout values being defined both globally and for each rule. How do you set the timeout globally and for each rule?

DutchDaemon · Dec 3, 2011

The syntax for usage in the options is in pf.conf(5) as explained, and for the rules it can be deduced from the GRAMMAR section of same manual. The PF FAQ may have written-out examples. Note that FreeBSD has an older version of PF than the FAQ is about.

pf options question

doughy

kpa

doughy

DutchDaemon

Administrator

doughy

DutchDaemon

Administrator