pfctl cheatsheet for FreeBSD, NetBSD, and OpenBSD

Some simple, basic pfctl commands

General pfctl commands
pfctl -d : disable packet-filtering
pfctl -e : enable packet-filtering
pfctl -q : run quietly
pfctl -v -v : run VERY verbosely

Loading pf rules
pfctl -f /etc/pf.conf : Load the configuration file /etc/pf.conf
pfctl -n -f /etc/pf.conf : Parse the configuration file /etc/pf.conf, but don't load it
pfctl -R -f /etc/pf.conf : Load ONLY the FILTER rules
pfctl -N -f /etc/pf.conf : Load ONLY the NAT rules
pfctl -O -f /etc/pf.conf : Load ONLY the OPTION rules

Clearing the pf rules, and their counters
pfctl -F all : flush ALL
pfctl -F rules : Only flush the RULES
pfctl -F queue : Only flush the QUEUES
pfctl -F nat : Only flush NAT
pfctl -F info : flush all stats that are not part of any rule
pfctl -z : clear all counters
NOTE that flushing rules does not touch any existing stateful connections.

Getting pf informational output
pfctl -s rules : Show filter information
pfctl -v -s rules : Show filter information, including counters for which FILTER rules were hit
pfctl -vvsr : Show filter information as above, and prepend rule numbers
pfctl -v -s nat : Show NAT information, including counters for which NAT rules were hit
pfctl -s nat -i xl1 : Show NAT information for interface xl1
pfctl -s queue : Show QUEUE information
pfctl -s label : Show LABEL information
pfctl -s state : Show contents of the STATE table
pfctl -s info : Show statistics for state tables, and packet normalization
pfctl -s all : Show everything

Maintaining pf tables
pfctl -t badhosts -T show : Show the table badhosts
pfctl -vvsTables : View global information about all tables
pfctl -t badhosts -T add 192.168.1.50 : Add an entry to table badhosts
pfctl -t badhosts -T add 192.168.1.0/16 : Add a CIDR network to table badhosts
pfctl -t badhosts -T delete 192.168.1.0/16 : Delete a CIDR network from table badhosts
pfctl -t badhosts -T flush : Remove all entries from the table badhosts
pfctl -t badhosts -T kill : Delete the table badhosts entirely
pfctl -t badhosts -T replace -f /etc/badhosts : Reload the table badhosts on the fly
pfctl -t badhosts -T test 192.168.1.40 : Test whether the IP address 192.168.1.40 matches an entry in the table badhosts
pfctl -T load -f /etc/pf.conf : Load a new table definition from /etc/pf.conf
pfctl -t badhosts -T show -v : Output the stats for each IP address in the table badhosts
pfctl -t badhosts -T zero : Reset all the counters for the table badhosts
