pfctl cheat sheet

General PFCTL Commands

Disable packet-filtering:

pfctl -d

Enable packet-filtering:

pfctl -e

Run quiet:

pfctl -q

Run more verbose than normal:

pfctl -v

Run even more verbose:

pfctl -v -v

Loading PF Rules

Load /etc/pf.conf:

pfctl -f /etc/pf.conf

Test the rules (parse /etc/pf.conf without loading it):

pfctl -n -f /etc/pf.conf

Load only the FILTER rules:

pfctl -R -f /etc/pf.conf

Load only the NAT rules:

pfctl -N -f /etc/pf.conf

Load only the OPTION rules:

pfctl -O -f /etc/pf.conf

Clearing PF Rules & Counters

Flushing rules does not touch the state table: connections that already have a state entry keep passing until their state expires.

Flush ALL:

pfctl -F all

Flush only the RULES:

pfctl -F rules

Flush only QUEUE:

pfctl -F queue

Flush only NAT:

pfctl -F nat

Flush all statistics that are not part of any rule:

pfctl -F info

Clear all counters:

pfctl -z

Output PF Information

Show filter information:

pfctl -s rules

or

pfctl -sr

Show filter rules with their counters (which FILTER rules have been hit):

pfctl -v -s rules

Filter information as above, with rule numbers prepended:

pfctl -vvsr

Show NAT rules with their counters (which NAT rules have been hit):

pfctl -v -s nat

Show NAT information for interface xl1:

pfctl -s nat -i xl1

Show QUEUE information:

pfctl -s queue

Show LABEL information:

pfctl -s label

Show contents of the STATE table:

pfctl -s state

Show statistics for state tables and packet normalization:

pfctl -s info

Show everything:

pfctl -s all

Maintaining PF Tables

Show table addvhosts:

pfctl -t addvhosts -T show

View global information about all tables:

pfctl -vv -s Tables

Add an entry to table addvhosts:

pfctl -t addvhosts -T add 192.168.0.5

Add a network to table addvhosts:

pfctl -t addvhosts -T add 192.168.0.0/16

Delete a network from table addvhosts:

pfctl -t addvhosts -T delete 192.168.0.0/16

Remove all entries from table addvhosts:

pfctl -t addvhosts -T flush

Delete table addvhosts entirely:

pfctl -t addvhosts -T kill

Reload table addvhosts on the fly:

pfctl -t addvhosts -T replace -f /etc/addvhosts

Test whether IP address 192.168.0.140 matches table addvhosts:

pfctl -t addvhosts -T test 192.168.0.140

Load a new table definition:

pfctl -T load -f /etc/pf.conf

Output stats for each IP address in table addvhosts:

pfctl -t addvhosts -T show -v

Reset all counters for table addvhosts:

pfctl -t addvhosts -T zero
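The two procedures above that are easiest to get wrong in production are reloading the ruleset (the "Loading PF Rules" section) and refreshing a table from a file (the "Maintaining PF Tables" section). The following script is an added example, not part of the original cheat sheet: it chains the individual pfctl invocations into a syntax-check-then-load wrapper and an atomic table replace with verification. It assumes the ruleset lives in /etc/pf.conf, that the table is the addvhosts table used on this page with its address list in /etc/addvhosts (one address or CIDR per line, # comments allowed), and that pfctl -T test exits non-zero when an address is not in the table.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. Wraps the pfctl commands
# above into two small helpers. Assumptions: /etc/pf.conf is the ruleset,
# "addvhosts" is the table, /etc/addvhosts holds one address/CIDR per line.
set -u

# Allow the pfctl binary to be overridden (useful for dry runs or testing).
PFCTL=${PFCTL:-pfctl}

# pf_safe_reload [FILE]
# Parse FILE with -n first and only load it if it parses cleanly, so a typo
# never replaces a working ruleset with a broken one.
# Exit codes: 0 loaded, 1 file unreadable, 2 syntax check failed, 3 load failed.
pf_safe_reload() {
    file=${1:-/etc/pf.conf}
    [ -r "$file" ] || { echo "pf_safe_reload: cannot read $file" >&2; return 1; }
    if ! "$PFCTL" -n -f "$file"; then
        echo "pf_safe_reload: syntax check failed, ruleset NOT loaded" >&2
        return 2
    fi
    "$PFCTL" -f "$file" || return 3
}

# pf_table_sync TABLE FILE
# Replace TABLE's contents with the addresses in FILE in one operation
# (-T replace), then confirm each address is really in the table (-T test).
# Assumption: -T test exits non-zero when the address does not match.
# Exit codes: 0 all present, 1 file unreadable, 2 replace failed,
#             3 one or more addresses missing after the replace.
pf_table_sync() {
    table=$1
    file=$2
    [ -r "$file" ] || { echo "pf_table_sync: cannot read $file" >&2; return 1; }
    "$PFCTL" -t "$table" -T replace -f "$file" || return 2
    missing=0
    # Skip blank lines and comments, test every remaining address.
    while read -r addr _; do
        case $addr in ''|'#'*) continue ;; esac
        if ! "$PFCTL" -q -t "$table" -T test "$addr" >/dev/null 2>&1; then
            echo "pf_table_sync: $addr not found in table $table" >&2
            missing=$((missing + 1))
        fi
    done < "$file"
    [ "$missing" -eq 0 ] || return 3
}

# Typical use (requires root and a running pf):
#   pf_safe_reload /etc/pf.conf
#   pf_table_sync addvhosts /etc/addvhosts
```

Run the reload wrapper from cron or a deploy hook instead of a bare pfctl -f; the -n pass costs nothing and is the difference between a rejected commit and a firewall that silently kept the previous rules. The table helper uses -T replace rather than a flush followed by adds, so there is no window in which the table is empty.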