basic pfctl control
Related: http://www.OpenBSD.org
Last update: Tue Dec 28, 2004

Note: this document is only provided as a basic overview for some common pfctl commands and is by no means a replacement for the pfctl and pf manual pages.

General PFCTL Commands

Disable packet-filtering

pfctl -d

Enable packet-filtering

pfctl -e

Run quiet

pfctl -q 

Run even more verbose

pfctl -v -v

Loading PF Rules

Load /etc/pf.conf

pfctl -f /etc/pf.conf

Parse /etc/pf.conf, but don't load it

pfctl -n -f /etc/pf.conf 

Load only the FILTER rules

pfctl -R -f /etc/pf.conf

Load only the NAT rules

pfctl -N -f /etc/pf.conf

Load only the OPTION rules

pfctl -O -f /etc/pf.conf

Clearing PF Rules & Counters

flush ALL

pfctl -F all

Flush only the RULES

pfctl -F rules

Flush only queues

pfctl -F queue

Flush only NAT

pfctl -F nat

Flush all stats that are not part of any rule.

pfctl -F info

Note: flushing rules does not touch any existing stateful connections.

Clear all counters

pfctl -z

Output PF Information

Show filter information

pfctl -s rules

Show filter information, including which FILTER rules hit

pfctl -v -s rules

Show filter information as above and prepend rule numbers

pfctl -vvsr

Show NAT information, including which NAT rules hit

pfctl -v -s nat

Show NAT information for interface xl1

pfctl -s nat -i xl1

Show QUEUE information

pfctl -s queue

Show LABEL information

pfctl -s label

Show contents of the STATE table

pfctl -s state

Show statistics for state tables and packet normalization

pfctl -s info

Show everything

pfctl -s all

Maintaining PF Tables

Show table addvhosts

pfctl -t addvhosts -T show

View global information about all tables

pfctl -vvs Tables

Add an entry to table addvhosts

pfctl -t addvhosts -T add 192.168.1.50

Add a network to table addvhosts

pfctl -t addvhosts -T add 192.168.1.0/16

Delete network from table addvhosts

pfctl -t addvhosts -T delete 192.168.1.0/16 

Remove all entries from table addvhosts

pfctl -t addvhosts -T flush

Delete table addvhosts entirely

pfctl -t addvhosts -T kill

Reload table addvhosts on the fly

pfctl -t addvhosts -T replace -f /etc/addvhosts

Find ip address 192.168.1.40 in table addvhosts

pfctl -t addvhosts -T test 192.168.1.40

Load a new table definition

pfctl -T load -f /etc/pf.conf

Output stats for each ip address in table addvhosts

pfctl -t addvhosts -T show -v

Reset all counters for table addvhosts

pfctl -t addvhosts -T zero