Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 15.0-CURRENT FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE and Ports FreeBSD 14.0-STABLE FreeBSD 13.3-RELEASE FreeBSD 13.3-RELEASE and Ports FreeBSD 13.3-STABLE FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 14.0 FreeBSD Ports 13.3 FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.9 CentOS 7.8 CentOS 7.7 CentOS 7.6 CentOS 7.5 CentOS 7.4 CentOS 7.3 CentOS 7.2 CentOS 7.1 CentOS 7.0 CentOS 6.10 CentOS 6.9 CentOS 6.8 CentOS 6.7 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 13.0 unstable Debian 12.5.0 Debian 11.9.0 Debian 10.13.0 Debian 9.13.0 Debian 8.11.1 Debian 7.11.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 Debian 2.0.0 DragonFly 6.4.0 DragonFly 5.8.3 DragonFly 4.8.1 DragonFly 3.8.2 DragonFly 2.10.1 DragonFly 1.12.1 DragonFly 1.0A HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 Inferno 4th Edition IRIX 6.5.30 Linux Slackware 3.1 MACH 2.5/i386 macOS 14.3.1 macOS 13.6.5 macOS 12.7.3 macOS 10.13.6 Minix 3.3.0 Minix 3.2.1 Minix 3.2.0 Minix 3.1.7 Minix 3.1.6 Minix 3.1.5 Minix 2.0.0 NetBSD 10.0 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.5 OpenBSD 7.4 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenDarwin 20030208pre4/ppc OpenStep 4.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Red Hat 9 Rhapsody DR1 Rhapsody DR2 Rocky 9.3 Rocky 9.2 Rocky 9.1 Rocky 9.0 Rocky 8.9 Rocky 8.8 Rocky 8.7 Rocky 8.6 Rocky 8.5 Rocky 8.4 Rocky 8.3 Sun UNIX 0.4 SunOS 5.10 SunOS 5.9 SunOS 5.8 SunOS 5.7 SunOS 5.6 SunOS 5.5.1 SunOS 4.1.3 SuSE 11.3 SuSE 11.2 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 6.0 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 Ubuntu 23.10 mantic Ubuntu 22.04 jammy Ubuntu 20.04 focal Ubuntu 18.04 bionic Ubuntu 16.04 xenial Ubuntu 14.04 trusty ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 All Architectures html pdf ascii

home | help

---

PFCTL(8)		    System Manager's Manual		      PFCTL(8)

NAME
       pfctl --	control	the packet filter (PF) device

SYNOPSIS
       pfctl  [-AdeghMmNnOPqRrvz]  [-a anchor] [-D macro= value] [-F modifier]
	     [-f file] [-i interface] [-K host | network] [-k host | network |
	     label | id	| gateway] [-o level] [-p device]  [-s	modifier]  [-t
	     table -T command [address ...]] [-x level]

DESCRIPTION
       The  pfctl utility communicates with the	packet filter device using the
       ioctl interface described in pf(4).  It allows  ruleset	and  parameter
       configuration  and retrieval of status information from the packet fil-
       ter.

       Packet filtering	restricts the types of packets that pass through  net-
       work  interfaces	 entering or leaving the host based on filter rules as
       described in pf.conf(5).	 The packet filter can also replace  addresses
       and ports of packets.  Replacing	source addresses and ports of outgoing
       packets is called NAT (Network Address Translation) and is used to con-
       nect  an	internal network (usually reserved address space) to an	exter-
       nal one (the Internet) by making	all connections	to external hosts  ap-
       pear  to	 come  from  the gateway.  Replacing destination addresses and
       ports of	incoming packets is used to redirect connections to  different
       hosts  and/or ports.  A combination of both translations, bidirectional
       NAT, is also supported.	Translation rules are described	in pf.conf(5).

       When the	variable pf is set to YES in rc.conf(5), the rule file	speci-
       fied  with  the	variable pf_rules is loaded automatically by the rc(8)
       scripts and the packet filter is	enabled.

       The packet filter does not itself forward packets  between  interfaces.
       Forwarding   can	  be   enabled	by  setting  the  sysctl(8)  variables
       net.inet.ip.forwarding and/or net.inet6.ip6.forwarding to 1.  Set  them
       permanently in sysctl.conf(5).

       The  pfctl  utility provides several commands.  The options are as fol-
       lows:

       -A      Load only the queue rules present  in  the  rule	 file.	 Other
	       rules and options are ignored.

       -a anchor
	       Apply  flags  -f, -F, and -s only to the	rules in the specified
	       anchor.	In addition to the main	ruleset, pfctl	can  load  and
	       manipulate  additional  rulesets	 by name, called anchors.  The
	       main ruleset is the default anchor.

	       Anchors are referenced by name and may be nested, with the var-
	       ious components of the anchor path separated by `/' characters,
	       similar to how file system hierarchies are laid out.  The  last
	       component  of  the  anchor path is where	ruleset	operations are
	       performed.

	       Evaluation of anchor rules from the main	ruleset	 is  described
	       in pf.conf(5).

	       For  example, the following will	show all filter	rules (see the
	       -s flag below) inside the  anchor  "authpf/smith(1234)",	 which
	       would  have  been  created  for	user "smith" by	authpf(8), PID
	       1234:

		     # pfctl -a	"authpf/smith(1234)" -s	rules

	       Private tables can also be put inside anchors, either by	having
	       table statements	in the pf.conf(5) file that is loaded  in  the
	       anchor, or by using regular table commands, as in:

		     # pfctl -a	foo/bar	-t mytable -T add 1.2.3.4 5.6.7.8

	       When  a	rule  referring	to a table is loaded in	an anchor, the
	       rule will use the private table if one  is  defined,  and  then
	       fall back to the	table defined in the main ruleset, if there is
	       one.   This  is	similar	 to C rules for	variable scope.	 It is
	       possible	to create distinct tables with the same	 name  in  the
	       global  ruleset	and in an anchor, but this is often bad	design
	       and a warning will be issued in that case.

	       By default, recursive inline printing of	anchors	 applies  only
	       to unnamed anchors specified inline in the ruleset.  If the an-
	       chor  name is terminated	with a `*' character, the -s flag will
	       recursively print all anchors in	a brace	delimited block.   For
	       example	the  following	will print the "authpf"	ruleset	recur-
	       sively:

		     # pfctl -a	'authpf/*' -sr

	       To print	the main ruleset recursively, specify only `*' as  the
	       anchor name:

		     # pfctl -a	'*' -sr

       -D macro=value
	       Define macro to be set to value on the command line.  Overrides
	       the definition of macro in the ruleset.

       -d      Disable the packet filter.

       -e      Enable the packet filter.

       -F modifier
	       Flush  the  filter parameters specified by modifier (may	be ab-
	       breviated):

	       -F nat	     Flush the NAT rules.
	       -F queue	     Flush the queue rules.
	       -F ethernet   Flush the Ethernet	filter rules.
	       -F rules	     Flush the filter rules.
	       -F states     Flush the state table (NAT	and filter).
	       -F Sources    Flush the source tracking table.
	       -F info	     Flush the filter information (statistics that are
			     not bound to rules).
	       -F Tables     Flush the tables.
	       -F osfp	     Flush the passive operating system	fingerprints.
	       -F all	     Flush all of the above.

       -f file
	       Load the	rules  contained  in  file.   This  file  may  contain
	       macros,	tables,	options, and normalization, queueing, transla-
	       tion, and filtering rules.  With	the exception  of  macros  and
	       tables, the statements must appear in that order.

       -g      Include output helpful for debugging.

       -h      Help.

       -i interface
	       Restrict	the operation to the given interface.

       -K host | network
	       Kill  all  of  the source tracking entries originating from the
	       specified host or network.  A second -K host or -K network  op-
	       tion  may be specified, which will kill all the source tracking
	       entries from the	first host/network to the second.

       -k host | network | label | id |	gateway
	       Kill all	of the state  entries  matching	 the  specified	 host,
	       network,	label, id, or gateway.

	       For  example, to	kill all of the	state entries originating from
	       "host":

		     # pfctl -k	host

	       A second	-k host	or -k network option may be  specified,	 which
	       will  kill all the state	entries	from the first host/network to
	       the second.  To kill all	of the state entries from  "host1"  to
	       "host2":

		     # pfctl -k	host1 -k host2

	       To   kill   all	 states	 originating  from  192.168.1.0/24  to
	       172.16.0.0/16:

		     # pfctl -k	192.168.1.0/24 -k 172.16.0.0/16

	       A network prefix	length of 0 can	be used	 as  a	wildcard.   To
	       kill all	states with the	target "host2":

		     # pfctl -k	0.0.0.0/0 -k host2

	       It  is  also possible to	kill states by rule label or state ID.
	       In this mode the	first -k argument is used to specify the  type
	       of  the	second argument.  The following	command	would kill all
	       states that have	been created from  rules  carrying  the	 label
	       "foobar":

		     # pfctl -k	label -k foobar

	       To  kill	one specific state by its unique state ID (as shown by
	       pfctl -s	state -vv), use	the id modifier	and as a second	 argu-
	       ment  the  state	 ID  and optional creator ID.  To kill a state
	       with ID 4823e84500000003	use:

		     # pfctl -k	id -k 4823e84500000003

	       To kill a state with ID 4823e84500000018	created	from a	backup
	       firewall	with hostid 00000002 use:

		     # pfctl -k	id -k 4823e84500000018/2

	       It is also possible to kill states created from a rule with the
	       route-to/reply-to parameter set to route	the connection through
	       a  particular gateway.  Note that rules routing via the default
	       routing table (not via a	route-to rule) will have their rt_addr
	       set as 0.0.0.0 or ::.  To kill all states using	a  gateway  of
	       192.168.0.1 use:

		     # pfctl -k	gateway	-k 192.168.0.1

	       A  network  prefix  length  can also be specified.  To kill all
	       states using a gateway in 192.168.0.0/24:

		     # pfctl -k	gateway	-k 192.168.0.0/24

       -M      Kill matching states in the opposite direction (on other	inter-
	       faces) when killing states.  This applies to states killed  us-
	       ing the -k option and also will apply to	the flush command when
	       flushing	states.	 This is useful	when an	interface is specified
	       when flushing states.  Example:

		     # pfctl -M	-i interface -Fs

       -m      Merge in	explicitly given options without resetting those which
	       are omitted.  Allows single options to be modified without dis-
	       turbing the others:

		     # echo "set loginterface fxp0" | pfctl -mf	-

       -N      Load  only the NAT rules	present	in the rule file.  Other rules
	       and options are ignored.

       -n      Do not actually load rules, just	parse them.

       -O      Load only the options present in	the rule  file.	  Other	 rules
	       and options are ignored.

       -o level
	       Control	the  ruleset  optimizer, overriding any	rule file set-
	       tings.

	       -o none	     Disable the ruleset optimizer.
	       -o basic	     Enable basic ruleset optimizations.  This is  the
			     default behaviour.
	       -o profile    Enable  basic  ruleset optimizations with profil-
			     ing.
	       For  further  information  on  the   ruleset   optimizer,   see
	       pf.conf(5).

       -P      Do not perform service name lookup for port specific rules, in-
	       stead display the ports numerically.

       -p device
	       Use the device file device instead of the default /dev/pf.

       -q      Only print errors and warnings.

       -R      Load  only  the	filter	rules present in the rule file.	 Other
	       rules and options are ignored.

       -r      Perform reverse DNS lookups on states when displaying them.

       -s modifier
	       Show the	filter parameters specified by modifier	(may be	abbre-
	       viated):

	       -s nat	      Show the currently loaded	NAT rules.
	       -s queue	      Show the currently  loaded  queue	 rules.	  When
			      used  together with -v, per-queue	statistics are
			      also shown.  When	 used  together	 with  -v  -v,
			      pfctl  will  loop	and show updated queue statis-
			      tics  every  five	 seconds,  including  measured
			      bandwidth	and packets per	second.
	       -s ether	      Show  the	currently loaded Ethernet rules.  When
			      used together with -v, the  per-rule  statistics
			      (number  of evaluations, packets,	and bytes) are
			      also shown.
	       -s rules	      Show the currently loaded	 filter	 rules.	  When
			      used  together  with -v, the per-rule statistics
			      (number of evaluations, packets, and bytes)  are
			      also shown.  Note	that the "skip step" optimiza-
			      tion  done automatically by the kernel will skip
			      evaluation of  rules  where  possible.   Packets
			      passed  statefully  are counted in the rule that
			      created the state	(even though the rule  is  not
			      evaluated	 more than once	for the	entire connec-
			      tion).
	       -s Anchors     Show the currently loaded	anchors	 directly  at-
			      tached  to  the  main  ruleset.  If -a anchor is
			      specified	as well, the anchors  loaded  directly
			      below the	given anchor are shown instead.	 If -v
			      is  specified,  all  anchors  attached under the
			      target anchor will be displayed recursively.
	       -s states      Show the contents	of the state table.
	       -s Sources     Show the contents	of the source tracking table.
	       -s info	      Show filter information  (statistics  and	 coun-
			      ters).   When  used  together  with  -v,	source
			      tracking statistics are also shown.
	       -s Running     Show the running status and provide  a  non-zero
			      exit status when disabled.
	       -s labels      Show  per-rule  statistics  (label, evaluations,
			      packets total, bytes total,  packets  in,	 bytes
			      in,  packets out,	bytes out, state creations) of
			      filter rules with	labels,	useful for accounting.
	       -s timeouts    Show the current global timeouts.
	       -s memory      Show the current pool memory hard	limits.
	       -s Tables      Show the list of tables.
	       -s osfp	      Show the list of operating system	fingerprints.
	       -s Interfaces  Show the list of interfaces and  interface  dri-
			      vers  available  to PF.  When used together with
			      -v, it additionally lists	which interfaces  have
			      skip  rules  activated.  When used together with
			      -vv, interface statistics	are  also  shown.   -i
			      can be used to select an interface or a group of
			      interfaces.
	       -s all	      Show  all	 of the	above, except for the lists of
			      interfaces and operating system fingerprints.

       -T command [address ...]
	       Specify the command (may	be abbreviated)	to apply to the	table.
	       Commands	include:

	       -T kill	     Kill a table.
	       -T flush	     Flush all addresses of a table.
	       -T add	     Add one or	more addresses in a table.   Automati-
			     cally create a nonexisting	table.
	       -T delete     Delete one	or more	addresses from a table.
	       -T expire number
			     Delete   addresses	 which	had  their  statistics
			     cleared more than number seconds  ago.   For  en-
			     tries  which  have	 never	had  their  statistics
			     cleared, number refers  to	 the  time  they  were
			     added to the table.
	       -T replace    Replace  the  addresses  of the table.  Automati-
			     cally create a nonexisting	table.
	       -T show	     Show the content (addresses) of a table.
	       -T test	     Test if the given addresses match a table.
	       -T zero	     Clear all the statistics of a table.
	       -T load	     Load only the table definitions from  pf.conf(5).
			     This  is used in conjunction with the -f flag, as
			     in:

				   # pfctl -Tl -f pf.conf

	       For the add, delete, replace, and test commands,	 the  list  of
	       addresses  can be specified either directly on the command line
	       and/or in an unformatted	text file, using the  -f  flag.	  Com-
	       ments  starting	with a `#' are allowed in the text file.  With
	       these commands, the -v flag can also be used once or twice,  in
	       which  case  pfctl will print the detailed result of the	opera-
	       tion for	each individual	address, prefixed by one of  the  fol-
	       lowing letters:

	       A    The	address/network	has been added.
	       C    The	address/network	has been changed (negated).
	       D    The	address/network	has been deleted.
	       M    The	address	matches	(test operation	only).
	       X    The	address/network	is duplicated and therefore ignored.
	       Y    The	 address/network  cannot  be added/deleted due to con-
		    flicting `!' attributes.
	       Z    The	address/network	has been cleared (statistics).

	       Each table can maintain a set of	counters that can be retrieved
	       using the -v flag of pfctl.  For	example,  the  following  com-
	       mands  define  a	 wide  open  firewall which will keep track of
	       packets going to	or coming from the OpenBSD  FTP	 server.   The
	       following  commands configure the firewall and send 10 pings to
	       the FTP server:

		     # printf "table <test> counters { ftp.openbsd.org }\n \
			 pass out to <test>\n" | pfctl -f-
		     # ping -qc10 ftp.openbsd.org

	       We can now use the table	show command to	output,	for  each  ad-
	       dress  and  packet  direction,  the number of packets and bytes
	       that are	being passed or	blocked	by rules referencing  the  ta-
	       ble.   The time at which	the current accounting started is also
	       shown with the "Cleared"	line.

		     # pfctl -t	test -vTshow
			129.128.5.191
			 Cleared:     Thu Feb 13 18:55:18 2003
			 In/Block:    [	Packets: 0	  Bytes: 0	  ]
			 In/Pass:     [	Packets: 10	  Bytes: 840	  ]
			 Out/Block:   [	Packets: 0	  Bytes: 0	  ]
			 Out/Pass:    [	Packets: 10	  Bytes: 840	  ]

	       Similarly, it is	possible to view global	information about  the
	       tables  by  using  the -v modifier twice	and the	-s Tables com-
	       mand.  This will	display	the number of addresses	on each	table,
	       the number of rules which reference the table, and  the	global
	       packet statistics for the whole table:

		     # pfctl -vvsTables
		     --a-r-C test
			 Addresses:   1
			 Cleared:     Thu Feb 13 18:55:18 2003
			 References:  [	Anchors: 0	  Rules: 1	  ]
			 Evaluations: [	NoMatch: 3496	  Match: 1	  ]
			 In/Block:    [	Packets: 0	  Bytes: 0	  ]
			 In/Pass:     [	Packets: 10	  Bytes: 840	  ]
			 In/XPass:    [	Packets: 0	  Bytes: 0	  ]
			 Out/Block:   [	Packets: 0	  Bytes: 0	  ]
			 Out/Pass:    [	Packets: 10	  Bytes: 840	  ]
			 Out/XPass:   [	Packets: 0	  Bytes: 0	  ]

	       As  we can see here, only one packet - the initial ping request
	       - matched the table, but	all packets passing as the  result  of
	       the  state are correctly	accounted for.	Reloading the table(s)
	       or ruleset will not affect packet accounting in any  way.   The
	       two  "XPass"  counters  are  incremented	 instead of the	"Pass"
	       counters	when a "stateful" packet is passed but does not	 match
	       the  table anymore.  This will happen in	our example if someone
	       flushes the table while the ping(8) command is running.

	       When used with a	single -v, pfctl will only display  the	 first
	       line  containing	 the  table flags and name.  The flags are de-
	       fined as	follows:

	       c    For	constant  tables,  which  cannot  be  altered  outside
		    pf.conf(5).
	       p    For	 persistent  tables,  which  do	 not get automatically
		    killed when	no rules refer to them.
	       a    For	tables which are part of the active tableset.	Tables
		    without  this flag do not really exist, cannot contain ad-
		    dresses, and are only listed if the	-g flag	is given.
	       i    For	tables which are part of the inactive tableset.	  This
		    flag  can  only be witnessed briefly during	the loading of
		    pf.conf(5).
	       r    For	tables which are referenced (used) by rules.
	       h    This flag is set when a table in the main ruleset is  hid-
		    den	 by  one  or more tables of the	same name from anchors
		    attached below it.
	       C    This flag is set when per-address counters are enabled  on
		    the	table.

       -t table
	       Specify the name	of the table.

       -v      Produce	more  verbose output.  A second	use of -v will produce
	       even more verbose output	including ruleset warnings.   See  the
	       previous	section	for its	effect on table	commands.

       -x level
	       Set  the	debug level (may be abbreviated) to one	of the follow-
	       ing:

	       -x none	     Do	not generate debug messages.
	       -x urgent     Generate debug messages only for serious errors.
	       -x misc	     Generate debug messages for various errors.
	       -x loud	     Generate debug messages for common	conditions.

       -z      Clear per-rule statistics.

FILES
       /etc/pf.conf  Packet filter rules file.
       /etc/pf.os    Passive operating system fingerprint database.

SEE ALSO
       pf(4), pf.conf(5), pf.os(5), rc.conf(5),	 services(5),  sysctl.conf(5),
       authpf(8), ftp-proxy(8),	rc(8), sysctl(8)

HISTORY
       The   pfctl   program  and  the	pf(4)  filter  mechanism  appeared  in
       OpenBSD 3.0.  They first	appeared in FreeBSD 5.3	ported from  the  ver-
       sion in OpenBSD 3.5

FreeBSD	13.2		       February	22, 2021		      PFCTL(8)

---

NAME | SYNOPSIS | DESCRIPTION | FILES | SEE ALSO | HISTORY

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8&manpath=FreeBSD+14.0-RELEASE+and+Ports>

home | help

---

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact