pfctl(8) control the packet filter (PF) device
NAME
pfctl - control the packet filter (PF) device
SYNOPSIS
pfctl [-deghmnqrvz] [-a anchor] [-D macro= value] [-F modifier] [-f file]
[-i interface] [-K host | network] [-k host | network | label | id] [-L
statefile] [-o level] [-p device] [-S statefile] [-s modifier] [-t table
-T command [address ...]] [-x level]
DESCRIPTION
The pfctl utility communicates with the packet filter device using the
ioctl interface described in pf(4) . It allows ruleset and parameter
configuration and retrieval of status information from the packet filter.
After boot, PF operation can be managed using the pfctl(8) program. Some example commands are:
# pfctl -f /etc/pf.conf Load the pf.conf file # pfctl -nf /etc/pf.conf Parse the file, but don't load it # pfctl -Nf /etc/pf.conf Load only the NAT rules from the file # pfctl -Rf /etc/pf.conf Load only the filter rules from the file # pfctl -sn Show the current NAT rules # pfctl -sr Show the current filter rules # pfctl -ss Show the current state table # pfctl -si Show filter stats and counters # pfctl -sa Show EVERYTHING it can show
Some sample Tables related commands
# pfctl -s Tables Show Tables # pfctl -Tshow -t table-name Display entries in table 'table-name' # pfctl -Tshow -vt table-name Display table counters for 'table-name' # pfctl --vs Tables Display global information
To get more detailed usage data for each show values option, pfctl can be invoked with the “-v” (verbose) option. The following example shows how to get detailed usage data for each firewall rule:
% sudo pfctl -v -s rules
scrub in all no-df fragment reassemble [ Evaluations: 373620187 Packets: 179290329 Bytes: 45895535624 States: 0 ] [ Inserted: uid 0 pid 24100 ] scrub out all no-df fragment reassemble [ Evaluations: 194329858 Packets: 194329858 Bytes: 58848165945 States: 0 ] [ Inserted: uid 0 pid 24100 ] block drop in log on ! lo0 inet from 127.0.0.0/8 to any [ Evaluations: 2934066 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 24100 ]
When refreshing firewall rules, you can kill state information by explicitly using the “-k | -K” pfctl option.
-K host | network
Kill all of the source tracking entries originating from the
specified host or network. A second -K host or -K network option
may be specified, which will kill all the source tracking entries
from the first host/network to the second.
-k host | network | label | id
Kill all of the state entries matching the specified host,
network, label, or id.
For example, to kill all of the state entries originating from
``host'':
# pfctl -k host
A second -k host or -k network option may be specified, which
will kill all the state entries from the first host/network to
the second. To kill all of the state entries from ``host1'' to
``host2'':
# pfctl -k host1 -k host2
To kill all states originating from 192.168.1.0/24 to
172.16.0.0/16:
# pfctl -k 192.168.1.0/24 -k 172.16.0.0/16
A network prefix length of 0 can be used as a wildcard. To kill
all states with the target ``host2'':
# pfctl -k 0.0.0.0/0 -k host2
It is also possible to kill states by rule label or state ID. In
this mode the first -k argument is used to specify the type of
the second argument. The following command would kill all states
that have been created from rules carrying the label ``foobar'':
# pfctl -k label -k foobar
To kill one specific state by its unique state ID (as shown by
pfctl -s state -vv), use the id modifier and as a second argument
the state ID and optional creator ID. To kill a state with ID
4823e84500000003 use:
# pfctl -k id -k 4823e84500000003
To kill a state with ID 4823e84500000018 created from a backup
firewall with hostid 00000002 use:
# pfctl -k id -k 4823e84500000018/2