General PFCTL Commands #
Disable packet-filtering:
pfctl -d
Enable packet-filtering:
pfctl -e
Run quietly (print only errors and warnings):
pfctl -q
Run more verbose than normal:
pfctl -v
Run even more verbose:
pfctl -v -v
Loading PF Rules #
Load /etc/pf.conf:
pfctl -f /etc/pf.conf
Test the rules (parse /etc/pf.conf but don't load it):
pfctl -n -f /etc/pf.conf
Load only the FILTER rules:
pfctl -R -f /etc/pf.conf
Load only the NAT rules:
pfctl -N -f /etc/pf.conf
Load only the OPTION rules:
pfctl -O -f /etc/pf.conf
(The per-section flags -R, -N and -O come from older PF: FreeBSD's pfctl still has them, OpenBSD dropped them when NAT moved into the filter ruleset and loads everything with -f. Check pfctl(8) on the system in front of you.)
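The load commands above are usually typed over SSH, where one wrong block rule locks you out. The following script is an added example, not part of the original page: it wraps the parse check (pfctl -n -f) and the load (pfctl -f) in a procedure that restores a known-good copy after a timeout unless the change is confirmed. The file names /etc/pf.conf.good and /var/run/pf_rollback.pid and the 60-second window are assumptions made for this example.

```sh
#!/bin/sh
# Added example: safe reload of a pf ruleset for remote administration.
# Parse first, load, then roll back to the last known-good file unless the
# operator confirms in time. Paths below are assumptions for this example.
set -u

PF_CONF=${PF_CONF:-/etc/pf.conf}
PF_GOOD=${PF_GOOD:-/etc/pf.conf.good}              # last confirmed ruleset (assumed path)
PF_PIDFILE=${PF_PIDFILE:-/var/run/pf_rollback.pid} # pid of the rollback timer (assumed path)
ROLLBACK_SECS=${ROLLBACK_SECS:-60}

# pf_check FILE: parse FILE without loading it (pfctl -n -f).
# Returns pfctl's exit status, so callers can refuse a file that does not parse.
pf_check() {
    pfctl -n -f "$1"
}

# pf_load FILE: load FILE as the complete ruleset, but only if it parses.
# A parse error leaves the running ruleset untouched.
pf_load() {
    if ! pf_check "$1"; then
        echo "pf_load: $1 does not parse, nothing loaded" >&2
        return 1
    fi
    pfctl -f "$1"
}

# pf_safe_reload: load PF_CONF and start a background timer that reloads
# PF_GOOD after ROLLBACK_SECS unless pf_confirm runs first. If the new rules
# cut off the SSH session, the old rules come back on their own.
pf_safe_reload() {
    if [ ! -r "$PF_GOOD" ]; then
        echo "pf_safe_reload: no known-good ruleset at $PF_GOOD; run pf_confirm once first" >&2
        return 1
    fi
    pf_load "$PF_CONF" || return 1
    ( sleep "$ROLLBACK_SECS" && pfctl -f "$PF_GOOD" ) &
    echo $! > "$PF_PIDFILE"
    echo "loaded $PF_CONF; run pf_confirm within ${ROLLBACK_SECS}s or $PF_GOOD is restored"
}

# pf_confirm: cancel a pending rollback (if any) and promote PF_CONF to
# known-good. Also used once at setup time to create PF_GOOD.
pf_confirm() {
    if [ -f "$PF_PIDFILE" ]; then
        # Killing the subshell means its "&& pfctl -f" never runs.
        kill "$(cat "$PF_PIDFILE")" 2>/dev/null || true
        rm -f "$PF_PIDFILE"
    fi
    cp "$PF_CONF" "$PF_GOOD"
}
```

Bootstrap once with pf_confirm (which copies the current pf.conf to the known-good file), then edit pf.conf, run pf_safe_reload, check that the session still works and run pf_confirm inside the window. The parse step catches syntax errors only; a rule that parses fine but blocks ssh is exactly what the rollback timer is for.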
Clearing PF Rules & Counters #
Flushing rules does not affect existing state-table entries: connections that already have a state keep passing until the state expires or is removed with pfctl -F states. Note that -F all flushes the states too.
Flush ALL (rules, NAT, queues, states, tables and statistics):
pfctl -F all
Flush only the RULES:
pfctl -F rules
Flush only QUEUE:
pfctl -F queue
Flush only NAT:
pfctl -F nat
Flush all statistics that are not part of any rule:
pfctl -F info
Clear all counters:
pfctl -z
Output PF Information #
Show filter information:
pfctl -s rules
or
pfctl -sr
Show filter rules with their hit counters (Evaluations, Packets, Bytes, States):
pfctl -v -s rules
Filter information as above, with rule numbers (@0, @1, ...) prepended:
pfctl -vvsr
Show NAT rules with their hit counters:
pfctl -v -s nat
Show NAT information for interface xl1:
pfctl -s nat -i xl1
Show QUEUE information:
pfctl -s queue
Show LABEL information:
pfctl -s label
Show contents of the STATE table:
pfctl -s state
Show statistics for state tables and packet normalization:
pfctl -s info
Show everything:
pfctl -s all
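To make the counters from pfctl -vvsr actionable, here is an added example (not from the original page) that parses that output with awk: it lists rules that were evaluated but never matched a packet, which are either dead weight or shadowed by an earlier rule, and the busiest rules by packet count. The output embedded in PF_SAMPLE is constructed for this example in the -vv format (a rule line starting with @N, followed by the Evaluations/Packets/Bytes/States line).

```sh
#!/bin/sh
# Added example: ruleset hygiene from `pfctl -vvsr` output.

# pf_rule_stats: read `pfctl -vvsr` output on stdin and print one line per
# rule: "<packets> <evaluations> @<n> <rule text>".
pf_rule_stats() {
    awk '
        /^@[0-9]+ / { n = $1; rule = $0; sub(/^@[0-9]+ /, "", rule); next }
        /^ *\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1)
                if ($i == "Packets:")     pk = $(i + 1)
            }
            printf "%s %s %s %s\n", pk, ev, n, rule
        }
    '
}

# pf_dead_rules: rules with zero matched packets, printed as "@n <rule>".
# Candidates for removal, or a hint that an earlier rule shadows them.
pf_dead_rules() {
    pf_rule_stats | awk '$1 == 0 { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# pf_top_rules [N]: the N busiest rules by packet count (default 5).
pf_top_rules() {
    pf_rule_stats | sort -rn | head -n "${1:-5}"
}

# Constructed sample of `pfctl -vvsr` output for demonstration only.
PF_SAMPLE='@0 scrub in all fragment reassemble
  [ Evaluations: 4820      Packets: 4820      Bytes: 2911340     States: 0     ]
  [ Inserted: uid 0 pid 712 State Creations: 0     ]
@1 block drop in log all
  [ Evaluations: 4820      Packets: 37        Bytes: 2220        States: 0     ]
  [ Inserted: uid 0 pid 712 State Creations: 0     ]
@2 pass in on em0 inet proto tcp from any to (em0) port = ssh flags S/SA keep state
  [ Evaluations: 4783      Packets: 3102      Bytes: 2604112     States: 1     ]
  [ Inserted: uid 0 pid 712 State Creations: 3     ]
@3 pass in on em0 inet proto tcp from any to (em0) port = telnet flags S/SA keep state
  [ Evaluations: 1681      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 712 State Creations: 0     ]
@4 pass out on em0 all flags S/SA keep state
  [ Evaluations: 1681      Packets: 1681      Bytes: 305008      States: 4     ]
  [ Inserted: uid 0 pid 712 State Creations: 9     ]'

# Demo on the constructed sample; on a live system: pfctl -vvsr | pf_dead_rules
printf '%s\n' "$PF_SAMPLE" | pf_dead_rules
```

Counters are cumulative since the last pfctl -z, so clear them, wait for a representative period of traffic, and only then evaluate: a rule with zero packets right after a reload tells you nothing.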
Maintaining PF Tables #
Show table addvhosts:
pfctl -t addvhosts -T show
View global information about all tables:
pfctl -vvsTables
Add an entry to table addvhosts:
pfctl -t addvhosts -T add 192.168.0.5
Add a network to table addvhosts:
pfctl -t addvhosts -T add 192.168.0.0/16
Delete a network from table addvhosts:
pfctl -t addvhosts -T delete 192.168.0.0/16
Remove all entries from table addvhosts:
pfctl -t addvhosts -T flush
Delete table addvhosts entirely:
pfctl -t addvhosts -T kill
Reload table addvhosts on the fly:
pfctl -t addvhosts -T replace -f /etc/addvhosts
Check whether 192.168.0.140 matches table addvhosts (the exit status is non-zero when an address does not match, so this can be used in scripts):
pfctl -t addvhosts -T test 192.168.0.140
Load only the table definitions from /etc/pf.conf:
pfctl -T load -f /etc/pf.conf
Output per-address statistics (packets and bytes in/out, passed and blocked) for table addvhosts:
pfctl -t addvhosts -T show -v
Reset all counters for table addvhosts:
pfctl -t addvhosts -T zero
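Tables are the usual way to feed an external blocklist into pf, and -T replace makes the swap atomic, but pfctl will load whatever the feed contains. This added example (not part of the page) validates a feed file before pushing it into a table: only IPv4 addresses or CIDR prefixes are accepted, and nothing broader than /8, because a single stray 0.0.0.0/0 line would turn a blocklist into a full outage. The table name blocklist, the /8 cutoff and the feed file layout are assumptions for this example; the table is expected to be declared in pf.conf (table <blocklist> persist) so rules can reference it.

```sh
#!/bin/sh
# Added example: validate an IPv4 blocklist feed and load it into a pf table
# in one atomic step. Table name and the /8 cutoff are assumptions.

# pf_blocklist_check FILE: accept IPv4 addresses or CIDR prefixes, one per
# line; skip blank lines and lines starting with '#'; refuse anything else
# and any prefix outside /8../32. Exit status 0 only if every entry passes.
pf_blocklist_check() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            if ($1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) {
                printf "line %d: not an IPv4 address or prefix: %s\n", NR, $0 > "/dev/stderr"
                bad++; next
            }
            n = split($1, a, "/")
            split(a[1], o, ".")
            for (i = 1; i <= 4; i++)
                if (o[i] + 0 > 255) {
                    printf "line %d: octet out of range: %s\n", NR, $0 > "/dev/stderr"
                    bad++; next
                }
            len = (n == 2) ? a[2] + 0 : 32
            if (len > 32 || len < 8) {
                printf "line %d: prefix /%d refused (allowed: /8 to /32): %s\n", NR, len, $0 > "/dev/stderr"
                bad++; next
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# pf_blocklist_sync TABLE FILE: validate FILE, then replace the contents of
# TABLE in one step (pfctl -T replace). On a rejected feed the table is left
# exactly as it was, which is the safe failure mode for a blocklist.
pf_blocklist_sync() {
    table=$1
    file=$2
    if ! pf_blocklist_check "$file"; then
        echo "pf_blocklist_sync: $file rejected, table <$table> left unchanged" >&2
        return 1
    fi
    pfctl -t "$table" -T replace -f "$file"
}

# pf_blocklist_has TABLE ADDR: exit 0 if ADDR matches TABLE, using the
# non-zero exit status of pfctl -T test for a non-matching address.
pf_blocklist_has() {
    pfctl -q -t "$1" -T test "$2"
}
```

Typical use from cron: pf_blocklist_sync blocklist /var/db/blocklist.txt after the feed has been fetched, then pf_blocklist_has blocklist 203.0.113.9 to confirm a known entry took effect. The awk check is deliberately strict (IPv4 only); extend the pattern if your feed carries IPv6 prefixes.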