Created
September 20, 2018 15:51
-
-
Save skinsch/5607da4505bad33ac06cea9dfc969fd3 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Basic pfctl control | |
| General PFCTL Commands | |
| ====================== | |
| disable packet-filtering: | |
| pfctl -d | |
| enable packet-filtering: | |
| pfctl -e | |
| run quiet: | |
| pfctl -q | |
| run even more verbose: | |
| pfctl -v | |
| Loading PF Rules | |
| ================ | |
| load /etc/pf.conf: | |
| pfctl -f /etc/pf.conf | |
| parse /etc/pf.conf, but dont load it: | |
| pfctl -n -f /etc/pf.conf | |
| load only the FILTER rules: | |
| pfctl -R -f /etc/pf.conf | |
| load only the NAT rules: | |
| pfctl -N -f /etc/pf.conf | |
| load only the OPTION rules: | |
| pfctl -O -f /etc/pf.conf | |
| Clearing PF Rules & Counters | |
| ============================ | |
| flush ALL: | |
| pfctl -F all | |
| flush only the RULES: | |
| pfctl -F rules | |
| flush only queue’s: | |
| pfctl -F queue | |
| flush only NAT: | |
| pfctl -F nat | |
| flush all stats that are not part of any rule: | |
| pfctl -F info | |
| clear all counters: | |
| pfctl -z | |
| note: flushing rules do not touch any existing stateful connections | |
| Output PF Information | |
| ===================== | |
| show filter information: | |
| pfctl -s rules | |
| show filter information for what FILTER rules hit: | |
| pfctl -v -s rules | |
| filter information as above and prepend rule numbers: | |
| pfctl -vvsr show | |
| show NAT information, for which NAT rules hit: | |
| pfctl -v -s nat | |
| show NAT information for interface xl1: | |
| pfctl -s nat -i xl1 | |
| show QUEUE information: | |
| pfctl -s queue | |
| show LABEL information: | |
| pfctl -s label | |
| show contents of the STATE table: | |
| pfctl -s state | |
| show statistics for state tables and packet normalization: | |
| pfctl -s info | |
| show everything: | |
| pfctl -s all | |
| Maintaining PF Tables | |
| ===================== | |
| show table addvhosts: | |
| pfctl -t addvhosts -T show | |
| view global information about all tables: | |
| pfctl -vvsTables | |
| add entry to table addvhosts | |
| pfctl -t addvhosts -T add 192.168.1.50 | |
| add a network to table addvhosts: | |
| pfctl -t addvhosts -T add 192.168.1.0/16 | |
| delete nework from table addvhosts: | |
| pfctl -t addvhosts -T delete 192.168.1.0/16 | |
| remove all entries from table addvhosts: | |
| pfctl -t addvhosts -T flush | |
| delete table addvhosts entirely: | |
| pfctl -t addvhosts -T kill | |
| reload table addvhosts on the fly: | |
| pfctl -t addvhosts -T replace -f /etc/addvhosts | |
| find ip address 192.168.1.40 in table addvhosts: | |
| pfctl -t addvhosts -T test 192.168.1.40 | |
| load a new table definition: | |
| pfctl -T load -f /etc/pf.conf | |
| output stats for each ip address in table addvhosts: | |
| pfctl -t addvhosts -T show -v | |
| reset all counters for table addvhosts: | |
| pfctl -t addvhosts -T zero |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment