[Contents] [Next: Lists and Macros]

PF: Getting Started

Table of Contents

• Activation
• Configuration
• Control

Activation

pf=NO

You can also manually activate and deactivate PF by using the pfctl(8) program:

# pfctl -e
# pfctl -d

to enable and disable, respectively. Note that this just enables or disables PF, it doesn't actually load a ruleset. The ruleset must be loaded separately, either before or after PF is enabled.

Configuration

PF reads its configuration rules from /etc/pf.conf at boot time, as loaded by the rc scripts. Note that while /etc/pf.conf is the default and is loaded by the system rc scripts, it is just a text file loaded and interpreted by pfctl(8) and inserted into pf(4). For some applications, other rulesets may be loaded from other files after boot. As with any well designed Unix application, PF offers great flexibility.

The pf.conf file has five parts:

• Macros: User-defined variables that can hold IP addresses, interface names, etc.
• Tables: A structure used to hold lists of IP addresses.
• Options: Various options to control how PF works.
• Queueing: Provides bandwidth control and packet prioritization.
• Filter Rules: Allows the selective filtering or blocking of packets as they pass through any of the interfaces.
  Filter rules can be given parameters to specify network address translation (NAT) and packet redirection.

Blank lines are ignored, and lines beginning with # are treated as comments.

Control

     # pfctl -f /etc/pf.conf     Load the pf.conf file
     # pfctl -nf /etc/pf.conf    Parse the file, but don't load it

     # pfctl -sr                 Show the current ruleset
     # pfctl -ss                 Show the current state table
     # pfctl -si                 Show filter stats and counters
     # pfctl -sa                 Show EVERYTHING it can show

For a complete list of commands, please see the pfctl(8) man page.

[Contents] [Next: Lists and Macros]