
@dynamicguy
Created August 5, 2016 16:16

Revisions

  1. @tracphil tracphil created this gist Dec 21, 2012.
    57 changes: 57 additions & 0 deletions gistfile1.txt
    @@ -0,0 +1,57 @@
    # basic pfctl control
    # ==
    # Related: http://www.OpenBSD.org
    # Last update: Tue Dec 28, 2004
    # ==
    # Note:
    # this document is only provided as a basic overview
    # for some common pfctl commands and is by no means
    # a replacement for the pfctl and pf manual pages.

    #### General PFCTL Commands ####
    # pfctl -d disable packet-filtering
    # pfctl -e enable packet-filtering
    # pfctl -q run quiet
    # pfctl -v -v run even more verbose

    #### Loading PF Rules ####
    # pfctl -f /etc/pf.conf load /etc/pf.conf
    # pfctl -n -f /etc/pf.conf parse /etc/pf.conf, but dont load it
    # pfctl -R -f /etc/pf.conf load only the FILTER rules
    # pfctl -N -f /etc/pf.conf load only the NAT rules
    # pfctl -O -f /etc/pf.conf load only the OPTION rules

    #### Clearing PF Rules & Counters ####
    # pfctl -F all flush ALL
    # pfctl -F rules flush only the RULES
    # pfctl -F queue flush only queue’s
    # pfctl -F nat flush only NAT
    # pfctl -F info flush all stats that are not part of any rule.
    # pfctl -z clear all counters
    # note: flushing rules do not touch any existing stateful connections

    #### Output PF Information ####
    # pfctl -s rules show filter information
    # pfctl -v -s rules show filter information for what FILTER rules hit..
    # pfctl -vvsr show filter information as above and prepend rule numbers
    # pfctl -v -s nat show NAT information, for which NAT rules hit..
    # pfctl -s nat -i xl1 show NAT information for interface xl1
    # pfctl -s queue show QUEUE information
    # pfctl -s label show LABEL information
    # pfctl -s state show contents of the STATE table
    # pfctl -s info show statistics for state tables and packet normalization
    # pfctl -s all show everything

    #### Maintaining PF Tables ####
    # pfctl -t addvhosts -T show show table addvhosts
    # pfctl -vvsTables view global information about all tables
    # pfctl -t addvhosts -T add 192.168.1.50 add entry to table addvhosts
    # pfctl -t addvhosts -T add 192.168.1.0/16 add a network to table addvhosts
    # pfctl -t addvhosts -T delete 192.168.1.0/16 delete nework from table addvhosts
    # pfctl -t addvhosts -T flush remove all entries from table addvhosts
    # pfctl -t addvhosts -T kill delete table addvhosts entirely
    # pfctl -t addvhosts -T replace -f /etc/addvhosts reload table addvhosts on the fly
    # pfctl -t addvhosts -T test 192.168.1.40 find ip address 192.168.1.40 in table addvhosts
    # pfctl -T load -f /etc/pf.conf load a new table definition
    # pfctl -t addvhosts -T show -v output stats for each ip address in table addvhosts
    # pfctl -t addvhosts -T zero reset all counters for table addvhosts
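Review bot: the two table examples `-T add 192.168.1.0/16` and `-T delete 192.168.1.0/16` use a prefix whose host bits are set (192.168.1.0 does not sit on a /16 boundary), so it is unclear whether the author meant the single /24 or the whole 192.168.0.0/16; given the `-T add 192.168.1.50` line just above, `192.168.1.0/24` is probably what was intended and would read unambiguously. In the same hunk, the spelling slips 'dont', 'nework' and 'queue’s' (curly apostrophe) should be 'don't', 'network' and 'queues', and the closing note under "Clearing PF Rules & Counters" should read "flushing rules does not touch any existing stateful connections". That note is the one operationally important caveat in the sheet, since rules removed with `pfctl -F rules` keep matching already-established states until they expire, so it would be worth listing `pfctl -F states` (flush the state table) next to the other `-F` targets so a reader knows how to make a ruleset change take effect on existing connections without resorting to `-F all`.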