Firewall Advanced Options in pfSense

Previously, I covered the advanced admin access options in pfSense (Web Configurator Options, Admin Access Options). In this article, I will cover the advanced firewall options. You can find these by navigating to System -> Advanced and clicking on the “Firewall/NAT” tab.

Firewall Advanced Options


Advanced firewall options in pfSense.

Under the “Firewall Advanced” heading, you will find several options. First is the “Clear invalid DF bits instead of dropping the packets” check box. This allows communication with hosts that generate fragmented packets with the don’t fragment (DF) bit set, such as Linux NFS. Instead of dropping such packets, the filter will clear the DF bit. Next is the “Insert a stronger id into IP header of packets passing through the filter” check box. This replaces the IP identification field of packets with random values to compensate for operating systems that use predictable values. It only applies to packets that are not fragmented after the optional packet reassembly.

The next option is “Firewall Optimization Options”. There are four options for state table optimization in the dropdown box:

  1. normal – this is the normal optimization algorithm.
  2. high-latency – this is used for high latency links, such as satellite links (where there is a large delay between frames). When invoked, it expires idle connections later than the default.
  3. aggressive – this expires idle connections more quickly. It makes more efficient use of CPU and memory but can drop legitimate connections. This is best used with low-latency connections.
  4. conservative – this will cause pfSense to try to avoid dropping any legitimate connections at the expense of increased memory usage and CPU utilization.

Next is the “Disable all packet filtering” check box. Checking this check box will convert pfSense into a routing-only platform and also turn off NAT. You probably should only use this option if you know what you’re doing. The next check box is “Disables the PF scrubbing option which can sometimes interfere with NFS and PPTP traffic”. The scrubbing process will cause PF to drop any incoming packets with illegal TCP flag combinations (such as SYN and RST) and to normalize potentially ambiguous combinations (such as SYN and FIN). There may be certain situations where you want to allow illegal/ambiguous TCP flag settings, so check this box if such a situation arises.

Next is “Firewall Maximum States”, which is the maximum number of connections to hold in the firewall state table. “Firewall Maximum Tables” allows you to set the maximum number of tables for systems such as aliases, sshlockout, snort, etc. After this is “Firewall Maximum Table Entries”, the maximum number of table entries, where lists of IPs are held. You can leave any of these three edit boxes blank to retain the default setting. It should be noted that for these settings, the default values are determined based on the amount of RAM available in the system. More RAM means a larger default. The default is designed to be reasonable for most cases, but in some cases it would need to be increased. You can set these numbers as high as you can handle in terms of RAM. For example, 1 state equals 1K of RAM, so 1 million states = 1K * 1 million, or 1 GB of RAM. Thus you will need 1 GB plus whatever you need for the firewall tables which contain IP addresses.
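As an added example (not from the article), here is a small POSIX shell check that reads the configured state limit from `pfctl -sm` and the current entry count from `pfctl -si`, reports how full the state table is, and applies the article's 1 KB-per-state rule of thumb to show what RAM the configured “Firewall Maximum States” value implies. The two `pfctl` outputs below are constructed samples in the format those commands print; the function names and the warning threshold are my own.

```sh
#!/bin/sh
# Constructed sample of `pfctl -sm` (the "states" line is what pfSense's
# "Firewall Maximum States" sets; in pf.conf terms, `set limit states N`).
SAMPLE_LIMITS='states        hard limit  1000000
src-nodes     hard limit   100000
frags         hard limit     5000
table-entries hard limit   200000'

# Constructed sample of `pfctl -si` (state table counters).
SAMPLE_INFO='Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                   850000
  searches                       123456789           2737.0/s
  inserts                          4567890             12.0/s
  removals                         3717890             11.9/s'

# state_limit LIMITS_TEXT -> configured maximum number of states
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $NF }'
}

# current_states INFO_TEXT -> number of entries currently in the table
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# state_usage_pct CURRENT LIMIT -> integer percentage of the limit in use
state_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# states_ram_mb LIMIT -> RAM (MiB) the limit implies at 1 KB per state,
# i.e. roughly 1 GB for 1 million states as the article notes
states_ram_mb() {
    echo $(( $1 / 1024 ))
}

# check_states LIMITS_TEXT INFO_TEXT WARN_PCT -> exit 0 if usage is below
# WARN_PCT, 1 if the table is at or above it (prints a one-line summary)
check_states() {
    limit=$(state_limit "$1")
    cur=$(current_states "$2")
    pct=$(state_usage_pct "$cur" "$limit")
    echo "states: $cur / $limit (${pct}%), limit implies ~$(states_ram_mb "$limit") MiB RAM"
    [ "$pct" -lt "$3" ]
}

# On a live pfSense box, feed real output instead of the samples:
#   check_states "$(pfctl -sm)" "$(pfctl -si)" 80
check_states "$SAMPLE_LIMITS" "$SAMPLE_INFO" 80 || echo "WARNING: state table nearly full"
```

A state table that sits near its limit means new connections start being dropped, so a check like this belongs in monitoring alongside the RAM sizing the article describes.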

In the next article in this series, we will continue our look at advanced firewall and NAT options.

External Links:

How to solve connectivity issues with dropped RA and PA packets at




© 2013 David Zientara. All rights reserved.