pfctl cheat sheet

General PFCTL Commands

Disable packet-filtering:

pfctl -d

Enable packet-filtering:

pfctl -e

Run quietly:

pfctl -q

Run with more verbose output:

pfctl -v

Loading PF Rules

Load /etc/pf.conf:

pfctl -f /etc/pf.conf

Parse /etc/pf.conf, but don't load it:

pfctl -n -f /etc/pf.conf

Load only the FILTER rules:

pfctl -R -f /etc/pf.conf

Load only the NAT rules:

pfctl -N -f /etc/pf.conf

Load only the OPTION rules:

pfctl -O -f /etc/pf.conf

Clearing PF Rules & Counters

Flushing rules does not touch existing stateful connections.

Flush ALL:

pfctl -F all

Flush only the RULES:

pfctl -F rules

Flush only queues:

pfctl -F queue

Flush only NAT:

pfctl -F nat

Flush all stats that are not part of any rule:

pfctl -F info

Clear all counters:

pfctl -z

Output PF Information

Show filter information:

pfctl -s rules

Show filter rules together with the packets and bytes each rule matched:

pfctl -v -s rules

Filter information as above, with rule numbers prepended:

pfctl -vv -s rules

Show NAT rules together with the packets and bytes each rule matched:

pfctl -v -s nat

Show NAT information for interface xl1:

pfctl -s nat -i xl1

Show QUEUE information:

pfctl -s queue

Show LABEL information:

pfctl -s label

Show contents of the STATE table:

pfctl -s state

Show statistics for state tables and packet normalization:

pfctl -s info

Show everything:

pfctl -s all

Maintaining PF Tables

Show table addvhosts:

pfctl -t addvhosts -T show

View global information about all tables:

pfctl -vv -s Tables

Add an entry to table addvhosts:

pfctl -t addvhosts -T add 192.168.1.50

Add a network to table addvhosts:

pfctl -t addvhosts -T add 192.168.1.0/24

Delete a network from table addvhosts:

pfctl -t addvhosts -T delete 192.168.1.0/24

Remove all entries from table addvhosts:

pfctl -t addvhosts -T flush

Delete table addvhosts entirely:

pfctl -t addvhosts -T kill

Reload table addvhosts on the fly:

pfctl -t addvhosts -T replace -f /etc/addvhosts

Find IP address 192.168.1.40 in table addvhosts:

pfctl -t addvhosts -T test 192.168.1.40

Load a new table definition:

pfctl -T load -f /etc/pf.conf

Output stats for each IP address in table addvhosts:

pfctl -t addvhosts -T show -v

Reset all counters for table addvhosts:

pfctl -t addvhosts -T zero
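The following script is an added example, not part of this cheat sheet, that combines the commands from the "Loading PF Rules" and "Maintaining PF Tables" sections into a defensive workflow: syntax-check a ruleset before loading it, and add an address to a block table while refusing prefixes with host bits set (pf rejects them) and killing the states that a table change alone would leave untouched. The table name badhosts and the use of pfctl -k to kill states are assumptions, not commands taken from the page.

```shell
#!/bin/sh
# Added example, not from the cheat sheet. Table name "badhosts" is hypothetical.
set -u

# Syntax-check the ruleset (-n) before loading it (-f), so a typo never
# leaves pf running with a half-loaded or empty ruleset.
pf_reload() {
    conf=${1:-/etc/pf.conf}
    pfctl -n -f "$conf" || { echo "syntax check failed, $conf not loaded" >&2; return 1; }
    pfctl -f "$conf"
}

# Return 0 only for a well-formed IPv4 host or CIDR prefix with no host bits
# set: pf rejects 192.168.1.0/16 but accepts 192.168.0.0/16 or 192.168.1.0/24.
pf_valid_net() {
    spec=$1
    case "$spec" in
        */*) ip=${spec%/*}; len=${spec#*/} ;;
        *)   ip=$spec; len=32 ;;
    esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # Mask off the network part; anything left over is a set host bit.
    [ $(( n & ((1 << (32 - len)) - 1) )) -eq 0 ]
}

# Add a host or network to the block table, then kill the states it already
# holds: a table change only affects new connections, existing ones keep flowing.
pf_block() {
    table=$1; addr=$2
    pf_valid_net "$addr" || { echo "refusing $addr: malformed or host bits set" >&2; return 1; }
    pfctl -t "$table" -T add "$addr" || return 1
    pfctl -k "$addr"                    # states originating from addr
    pfctl -k 0.0.0.0/0 -k "$addr"       # states from anywhere to addr
    pfctl -t "$table" -T test "$addr"   # confirm the entry now matches
}
```

Run as root, e.g. `pf_reload /etc/pf.conf` after editing the ruleset, or `pf_block badhosts 192.168.1.50` once a host has been identified as hostile.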