pfctl cheat sheet
# basic pfctl control
# ==
# Related: http://www.OpenBSD.org
# Last update: Tue Dec 28, 2004
# ==
# Note:
# this document is only provided as a basic overview
# for some common pfctl commands and is by no means
# a replacement for the pfctl and pf manual pages.

#### General PFCTL Commands ####
pfctl -d                                        # disable packet-filtering
pfctl -e                                        # enable packet-filtering
pfctl -q                                        # run quiet
pfctl -v -v                                     # run even more verbose

#### Loading PF Rules ####
pfctl -f /etc/pf.conf                           # load /etc/pf.conf
pfctl -n -f /etc/pf.conf                        # parse /etc/pf.conf, but don't load it
pfctl -R -f /etc/pf.conf                        # load only the FILTER rules
pfctl -N -f /etc/pf.conf                        # load only the NAT rules
pfctl -O -f /etc/pf.conf                        # load only the OPTION rules

#### Clearing PF Rules & Counters ####
pfctl -F all                                    # flush ALL
pfctl -F rules                                  # flush only the RULES
pfctl -F queue                                  # flush only queues
pfctl -F nat                                    # flush only NAT
pfctl -F info                                   # flush all stats that are not part of any rule
pfctl -z                                        # clear all counters
# note: flushing rules does not touch any existing stateful connections

#### Output PF Information ####
pfctl -s rules                                  # show filter information
pfctl -v -s rules                               # show filter information, including which FILTER rules hit
pfctl -vvsr                                     # as above, with rule numbers prepended
pfctl -v -s nat                                 # show NAT information, including which NAT rules hit
pfctl -s nat -i xl1                             # show NAT information for interface xl1
pfctl -s queue                                  # show QUEUE information
pfctl -s label                                  # show LABEL information
pfctl -s state                                  # show contents of the STATE table
pfctl -s info                                   # show statistics for state tables and packet normalization
pfctl -s all                                    # show everything

#### Maintaining PF Tables ####
pfctl -t addvhosts -T show                      # show table addvhosts
pfctl -vvsTables                                # view global information about all tables
pfctl -t addvhosts -T add 192.168.1.50          # add an entry to table addvhosts
pfctl -t addvhosts -T add 192.168.1.0/16        # add a network to table addvhosts
pfctl -t addvhosts -T delete 192.168.1.0/16     # delete a network from table addvhosts
pfctl -t addvhosts -T flush                     # remove all entries from table addvhosts
pfctl -t addvhosts -T kill                      # delete table addvhosts entirely
pfctl -t addvhosts -T replace -f /etc/addvhosts # reload table addvhosts on the fly
pfctl -t addvhosts -T test 192.168.1.40         # look up 192.168.1.40 in table addvhosts
pfctl -T load -f /etc/pf.conf                   # load a new table definition
pfctl -t addvhosts -T show -v                   # output stats for each ip address in table addvhosts
pfctl -t addvhosts -T zero                      # reset all counters for table addvhosts
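The table commands above only make sense once pf.conf actually declares the table, and `-n` before `-f` is the safe way to reload. As an added example that is not part of the gist, here is a small POSIX sh helper set that emits such a fragment, validates before loading, and triages `-T show -v` counters. The table name addvhosts, the file /etc/addvhosts and the interface xl1 come from the cheat sheet; treating the table as a source block list and the sample counter output are assumptions.

```shell
#!/bin/sh
# Added example, not part of the gist. Assumes a table named addvhosts that is
# backed by /etc/addvhosts and used as a block list of source addresses; the
# interface name xl1 is taken from the cheat sheet.
set -eu

# Emit the pf.conf fragment that declares the table and references it. "persist"
# keeps the table alive even when no loaded rule references it, so
# "pfctl -t addvhosts -T add ..." keeps working across rule reloads.
pf_table_conf() {
    cat <<'EOF'
ext_if = "xl1"
table <addvhosts> persist file "/etc/addvhosts"
block in quick on $ext_if from <addvhosts> to any
EOF
}

# Parse a ruleset with -n first and load it with -f only if that succeeds, so a
# typo in pf.conf never leaves the box with a partially loaded ruleset.
pf_reload() {
    conf=$1
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found" >&2; return 127; }
    pfctl -n -f "$conf" || return 1   # syntax check only, nothing is loaded
    pfctl -f "$conf"                  # validated, now load it for real
}

# Read "pfctl -t <table> -T show -v" output on stdin and print every address
# whose In/Block counter is non-zero: those block-list entries are still seeing
# traffic, which is what you want to know before pruning the table.
pf_table_blocked_hosts() {
    awk '
        # An address line is a single token of hex digits, dots, colons and a slash.
        /^[[:space:]]*[0-9a-fA-F.:\/]+[[:space:]]*$/ { addr = $1; next }
        # Counter lines look like: In/Block: [ Packets: 12 Bytes: 720 ]
        /In\/Block:/ && $4 + 0 > 0 { print addr }
    '
}

# Constructed sample of "pfctl -t addvhosts -T show -v" output (layout follows
# pfctl's, the values are made up for this example).
SAMPLE_SHOW_V='   192.168.1.50
    Cleared:     Tue Dec 28 10:00:00 2004
    In/Block:    [ Packets: 12                 Bytes: 720                ]
    In/Pass:     [ Packets: 0                  Bytes: 0                  ]
   192.168.1.51
    Cleared:     Tue Dec 28 10:00:00 2004
    In/Block:    [ Packets: 0                  Bytes: 0                  ]
    In/Pass:     [ Packets: 0                  Bytes: 0                  ]'
printf '%s\n' "$SAMPLE_SHOW_V" | pf_table_blocked_hosts   # prints 192.168.1.50
```

On a live box, `pfctl -t addvhosts -T show -v | pf_table_blocked_hosts` gives the same triage view over the real table.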
@achempion

commented Feb 16, 2016

Thank you so much!

@Niemi

commented Jun 17, 2016

Good cheat-sheet! Thanks!

@mailinglists35

commented Jul 26, 2016

can you put # symbols where command ends and comment begins, for lazy copypasting?

@aes512

commented Aug 17, 2016

+1 @mailinglists35 ...... this gist is kinda dumbsauce as is #rageguy

@DefiantBidet

commented Jan 10, 2017

thanks for this. reformatted to separate comments from commands

# basic pfctl control
# ==
# Related: http://www.OpenBSD.org
# Last update: Tue Dec 28, 2004
# ==
# Note:
# this document is only provided as a basic overview
# for some common pfctl commands and is by no means
# a replacement for the pfctl and pf manual pages.

#############################
#### General PFCTL Commands ####
#############################

# disable packet-filtering:
# pfctl -d

# enable packet-filtering:
# pfctl -e

# run quiet:
# pfctl -q

# run even more verbose:
# pfctl -v

######################
#### Loading PF Rules ####
######################

# load /etc/pf.conf:
# pfctl -f /etc/pf.conf

# parse /etc/pf.conf, but don't load it:
# pfctl -n -f /etc/pf.conf

# load only the FILTER rules:
# pfctl -R -f /etc/pf.conf

# load only the NAT rules:
# pfctl -N -f /etc/pf.conf

# load only the OPTION rules:
# pfctl -O -f /etc/pf.conf

###############################
#### Clearing PF Rules & Counters ####
###############################

# flush ALL:
# pfctl -F all

# flush only the RULES:
# pfctl -F rules

# flush only queues:
# pfctl -F queue

# flush only NAT:
# pfctl -F nat

# flush all stats that are not part of any rule:
# pfctl -F info

# clear all counters:
# pfctl -z

# note: flushing rules does not touch any existing stateful connections

#########################
#### Output PF Information ####
#########################

# show filter information:
# pfctl -s rules

# show filter information for what FILTER rules hit:
# pfctl -v -s rules

# show filter information as above and prepend rule numbers:
# pfctl -vvsr

# show NAT information, for which NAT rules hit:
# pfctl -v -s nat

# show NAT information for interface xl1:
# pfctl -s nat -i xl1

# show QUEUE information:
# pfctl -s queue

# show LABEL information:
# pfctl -s label

# show contents of the STATE table:
# pfctl -s state

# show statistics for state tables and packet normalization:
# pfctl -s info

# show everything:
# pfctl -s all

#########################
#### Maintaining PF Tables ####
#########################

# show table addvhosts:
# pfctl -t addvhosts -T show

# view global information about all tables:
# pfctl -vvsTables

# add entry to table addvhosts:
# pfctl -t addvhosts -T add 192.168.1.50

# add a network to table addvhosts:
# pfctl -t addvhosts -T add 192.168.1.0/16

# delete network from table addvhosts:
# pfctl -t addvhosts -T delete 192.168.1.0/16

# remove all entries from table addvhosts:
# pfctl -t addvhosts -T flush

# delete table addvhosts entirely:
# pfctl -t addvhosts -T kill

# reload table addvhosts on the fly:
# pfctl -t addvhosts -T replace -f /etc/addvhosts

# find ip address 192.168.1.40 in table addvhosts:
# pfctl -t addvhosts -T test 192.168.1.40

# load a new table definition:
# pfctl -T load -f /etc/pf.conf

# output stats for each ip address in table addvhosts:
# pfctl -t addvhosts -T show -v

# reset all counters for table addvhosts:
# pfctl -t addvhosts -T zero
@ghost

commented Mar 17, 2017

give me any idea plz ........

@hoang-tranviet

commented Apr 24, 2017

Thank you @tracfil and @DefiantBidet
@tracfil, Could you update the comments as DefiantBidet did?

@Saitamata

commented Jul 12, 2018

This is the markdown format version:

# basic pfctl control

Related: http://www.OpenBSD.org
Last update: Tue Dec 28, 2004

Note:
this document is only provided as a basic overview
for some common pfctl commands and is by no means
a replacement for the pfctl and pf manual pages.

## General PFCTL Commands

disable packet-filtering:
pfctl -d

enable packet-filtering:
pfctl -e

run quiet:
pfctl -q

run even more verbose:
pfctl -v


## Loading PF Rules

load /etc/pf.conf:
pfctl -f /etc/pf.conf

parse /etc/pf.conf, but don't load it:
pfctl -n -f /etc/pf.conf

load only the FILTER rules:
pfctl -R -f /etc/pf.conf

load only the NAT rules:
pfctl -N -f /etc/pf.conf

load only the OPTION rules:
pfctl -O -f /etc/pf.conf


## Clearing PF Rules & Counters

flush ALL:
pfctl -F all

flush only the RULES:
pfctl -F rules

flush only queues:
pfctl -F queue

flush only NAT:
pfctl -F nat

flush all stats that are not part of any rule:
pfctl -F info

clear all counters:
pfctl -z

note: flushing rules does not touch any existing stateful connections


## Output PF Information

show filter information:
pfctl -s rules

show filter information for what FILTER rules hit:
pfctl -v -s rules

show filter information as above and prepend rule numbers:
pfctl -vvsr

show NAT information, for which NAT rules hit:
pfctl -v -s nat

show NAT information for interface xl1:
pfctl -s nat -i xl1

show QUEUE information:
pfctl -s queue

show LABEL information:
pfctl -s label

show contents of the STATE table:
pfctl -s state

show statistics for state tables and packet normalization:
pfctl -s info

show everything:
pfctl -s all


## Maintaining PF Tables

show table addvhosts:
pfctl -t addvhosts -T show

view global information about all tables:
pfctl -vvsTables

add entry to table addvhosts:
pfctl -t addvhosts -T add 192.168.1.50

add a network to table addvhosts:
pfctl -t addvhosts -T add 192.168.1.0/16

delete network from table addvhosts:
pfctl -t addvhosts -T delete 192.168.1.0/16

remove all entries from table addvhosts:
pfctl -t addvhosts -T flush

delete table addvhosts entirely:
pfctl -t addvhosts -T kill

reload table addvhosts on the fly:
pfctl -t addvhosts -T replace -f /etc/addvhosts

find ip address 192.168.1.40 in table addvhosts:
pfctl -t addvhosts -T test 192.168.1.40

load a new table definition:
pfctl -T load -f /etc/pf.conf

output stats for each ip address in table addvhosts:
pfctl -t addvhosts -T show -v

reset all counters for table addvhosts:
pfctl -t addvhosts -T zero

@drevni

commented Aug 6, 2018

Thank you, very useful

@K4bl0-Skat3R

commented Aug 30, 2018

great notes!!
a little update
pfctl -sr # we can see all rules from /etc/pf.conf

@inieves

commented Sep 14, 2019

Apparently it is not recommended to be adding rules/anchors directly to /etc/pf.conf. I have read that major releases of osx may overwrite that file back to its original state or a new state (without user modifications).

That leaves open the question of how to actually add pf rules safely/correctly (in the context of osx).

pfctl -f (according to the man pages) states: "Use of this option, could result in flushing of rules present in the main ruleset added by the system at startup. See /etc/pf.conf for further details."

neither the man pages nor the /etc/pf.conf explain how to actually add rules without the risk of flushing.

Any ideas?
