#############################
#### General PFCTL Commands ####
#############################

disable packet-filtering:
    ~# pfctl -d

enable packet-filtering:
    ~# pfctl -e

run quiet (suppress informational output):
    ~# pfctl -q

run verbose (add -v again for even more detail):
    ~# pfctl -v

######################
#### Loading PF Rules ####
######################

load /etc/pf.conf:
    ~# pfctl -f /etc/pf.conf

parse /etc/pf.conf, but don't load it (syntax check only):
    ~# pfctl -n -f /etc/pf.conf

load only the FILTER rules:
    ~# pfctl -R -f /etc/pf.conf

load only the NAT rules:
    ~# pfctl -N -f /etc/pf.conf

load only the OPTION rules:
    ~# pfctl -O -f /etc/pf.conf

###############################
#### Clearing PF Rules & Counters ####
###############################

flush ALL:
    ~# pfctl -F all

flush only the RULES:
    ~# pfctl -F rules

flush only the QUEUE rules:
    ~# pfctl -F queue

flush only the NAT rules:
    ~# pfctl -F nat

flush all stats that are not part of any rule:
    ~# pfctl -F info

clear all counters:
    ~# pfctl -z

# note: flushing rules does not touch any existing stateful connections;
#       entries already in the state table keep passing traffic until they expire

#########################
#### Output PF Information ####
#########################

show the loaded FILTER rules:
    ~# pfctl -s rules

show the FILTER rules with per-rule hit counters:
    ~# pfctl -v -s rules

same as above, with rule numbers prepended:
    ~# pfctl -vvsr

show the NAT rules with per-rule hit counters:
    ~# pfctl -v -s nat

show NAT information for interface xl1:
    ~# pfctl -s nat -i xl1

show QUEUE information:
    ~# pfctl -s queue

show LABEL information:
    ~# pfctl -s label

show contents of the STATE table:
    ~# pfctl -s state

show statistics for state tables and packet normalization:
    ~# pfctl -s info

show everything:
    ~# pfctl -s all

########################
#### Maintaining PF Tables ####
########################

show table addvhosts:
    ~# pfctl -t addvhosts -T show

view global information about all tables:
    ~# pfctl -vvsTables

add an entry to table addvhosts:
    ~# pfctl -t addvhosts -T add 192.168.1.50

add a network to table addvhosts:
    ~# pfctl -t addvhosts -T add 192.168.1.0/16

delete a network from table addvhosts:
    ~# pfctl -t addvhosts -T delete 192.168.1.0/16

remove all entries from table addvhosts:
    ~# pfctl -t addvhosts -T flush

delete table addvhosts entirely:
    ~# pfctl -t addvhosts -T kill

reload table addvhosts on the fly from a file:
    ~# pfctl -t addvhosts -T replace -f /etc/addvhosts

find IP address 192.168.1.40 in table addvhosts:
    ~# pfctl -t addvhosts -T test 192.168.1.40

load a new table definition:
    ~# pfctl -T load -f /etc/pf.conf

output stats for each IP address in table addvhosts:
    ~# pfctl -t addvhosts -T show -v

reset all counters for table addvhosts:
    ~# pfctl -t addvhosts -T zero
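The "parse but don't load" and "load" commands from the Loading section are normally used as a pair: a ruleset with a syntax error must never be handed to pfctl -f, because a failed load can leave the host with the wrong (or no) filter rules. The script below is an added example, not part of the original cheat sheet, that wraps the two steps so the load only happens after the parse succeeds. The PFCTL variable is an assumption of this example, there so the function can be exercised against a stub on a machine without pf; the function and option names otherwise come from the sheet above.

```sh
#!/bin/sh
# Added example: reload a pf ruleset only after "pfctl -n -f" confirms it parses.
# PFCTL may be overridden (e.g. with a stub function) for testing; this is an
# assumption of the example, not a pfctl feature.
PFCTL=${PFCTL:-pfctl}

# pf_safe_reload [CONFIG]
#   Step 1: pfctl -n -f CONFIG   parse only, nothing is loaded
#   Step 2: pfctl -f CONFIG      load, reached only if step 1 succeeded
# Returns 0 on success, 2 if the file failed to parse (ruleset untouched),
# otherwise the exit status of the load itself. Loading a new ruleset does
# not flush the state table, so established connections survive the reload.
pf_safe_reload() {
    cfg=${1:-/etc/pf.conf}
    if ! "$PFCTL" -n -f "$cfg"; then
        echo "pf_safe_reload: $cfg did not parse, live ruleset left untouched" >&2
        return 2
    fi
    "$PFCTL" -f "$cfg"
}

# Run as a script (e.g. ./pf_safe_reload.sh /etc/pf.conf); when sourced from
# another script only the function is defined.
case "$0" in
    */pf_safe_reload.sh|pf_safe_reload.sh) pf_safe_reload "$@" ;;
esac
```

Using the same pattern for tables (pfctl -t addvhosts -T replace -f /etc/addvhosts) is sound as well: replace swaps the table contents atomically, so the table is never empty between a flush and a re-add.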