General PFCTL Commands

# disable packet-filtering:
# pfctl -d

# enable packet-filtering:
# pfctl -e

# run quiet:
# pfctl -q

# run verbose:
# pfctl -v


Loading PF Rules

# load /etc/pf.conf:
# pfctl -f /etc/pf.conf

# parse /etc/pf.conf, but don't load it:
# pfctl -n -f /etc/pf.conf

# load only the FILTER rules:
# pfctl -R -f /etc/pf.conf

# load only the NAT rules:
# pfctl -N -f /etc/pf.conf

# load only the OPTION rules:
# pfctl -O -f /etc/pf.conf
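A safe-reload helper that strings together the commands above (an added example, not part of the original cheat sheet): it syntax-checks the file with -n first, loads it only if the check passes, and then prints the active rules with -vv so the change can be verified. The PFCTL variable is an assumed hook so the function can be exercised without root or a real pf.

```sh
#!/bin/sh
# Added example: parse-before-load reload of a pf ruleset.
# PFCTL is an assumed override (defaults to the real pfctl binary).
PFCTL="${PFCTL:-pfctl}"

pf_safe_reload() {
    conf="${1:-/etc/pf.conf}"
    if [ ! -r "$conf" ]; then
        echo "pf_safe_reload: cannot read $conf" >&2
        return 2
    fi
    # Parse only; a broken file must never replace the running ruleset.
    if ! "$PFCTL" -n -f "$conf"; then
        echo "pf_safe_reload: $conf failed to parse, ruleset left untouched" >&2
        return 1
    fi
    # Load it for real; pf swaps in the whole ruleset at once.
    "$PFCTL" -f "$conf" || return 1
    # Show what is now active, with rule numbers and hit counters.
    "$PFCTL" -vv -s rules
}
```

Run as root with `pf_safe_reload /etc/pf.conf`; a non-zero return means the running ruleset was not changed.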

Clearing PF Rules & Counters

# flush ALL:
# pfctl -F all

# flush only the RULES:
# pfctl -F rules

# flush only queues:
# pfctl -F queue

# flush only NAT:
# pfctl -F nat

# flush all stats that are not part of any rule:
# pfctl -F info

# clear all counters:
# pfctl -z

# note: flushing rules does not touch any existing stateful connections

Output PF Information

# show filter information:
# pfctl -s rules

# show filter rules with hit counters (verbose):
# pfctl -v -s rules

# filter information as above, with rule numbers prepended:
# pfctl -vv -s rules

# show NAT rules with hit counters (verbose):
# pfctl -v -s nat

# show NAT information for interface xl1:
# pfctl -s nat -i xl1

# show QUEUE information:
# pfctl -s queue

# show LABEL information:
# pfctl -s label

# show contents of the STATE table:
# pfctl -s state

# show statistics for state tables and packet normalization:
# pfctl -s info

# show everything:
# pfctl -s all

Maintaining PF Tables

# show table addvhosts:
# pfctl -t addvhosts -T show

# view global information about all tables:
# pfctl -vvsTables

# add entry to table addvhosts:
# pfctl -t addvhosts -T add 192.168.1.50

# add a network to table addvhosts:
# pfctl -t addvhosts -T add 192.168.1.0/16

# delete network from table addvhosts:
# pfctl -t addvhosts -T delete 192.168.1.0/16

# remove all entries from table addvhosts:
# pfctl -t addvhosts -T flush

# delete table addvhosts entirely:
# pfctl -t addvhosts -T kill

# reload table addvhosts on the fly:
# pfctl -t addvhosts -T replace -f /etc/addvhosts

# test whether ip address 192.168.1.40 matches table addvhosts:
# pfctl -t addvhosts -T test 192.168.1.40

# load a new table definition:
# pfctl -T load -f /etc/pf.conf

# output stats for each ip address in table addvhosts:
# pfctl -t addvhosts -T show -v

# reset all counters for table addvhosts:
# pfctl -t addvhosts -T zero