TrumanWong

pfctl

PF firewall configuration commands

Supplementary instructions

The pfctl command is the configuration tool for the PF firewall. PF (Packet Filter) is a software system for TCP/IP traffic filtering and network address translation on UNIX-like systems. PF can also do TCP/IP traffic shaping and control, providing bandwidth control and packet prioritisation. PF was originally written by Daniel Hartmeier and is now developed and maintained by Daniel and other members of the OpenBSD team.

PF has many features. This page only lists some basic configuration.

Activation

To have PF enabled at boot and load its configuration file automatically, edit /etc/rc.conf so that the line configuring pf reads:

pf=yes

(This is the older OpenBSD setting; on current OpenBSD releases PF is enabled by default and no rc.conf entry is needed, and FreeBSD uses pf_enable="YES" instead.) The setting takes effect at the next boot. To enable PF immediately without rebooting, use pfctl as shown next.

PF can also be enabled and disabled at run time with pfctl:

pfctl -e
pfctl -d

Note that these only enable and disable the packet filter; they do not load a rule set. The rule set is either loaded at boot or loaded separately with a pfctl command after PF has been enabled. Also be aware that pfctl -d turns filtering off completely, so every packet passes until PF is re-enabled; on a remote host it is safer to load a corrected rule set with pfctl -f than to disable PF while troubleshooting.

Configuration

When the rc scripts start PF at boot, the rules are loaded from /etc/pf.conf. Note that /etc/pf.conf is the default configuration file, but it is nothing special to the kernel: the rc script simply hands the text file to pfctl, which parses it and inserts the resulting rules into PF. Additional rule sets can therefore be loaded from other files after boot, which gives scripts and daemons a flexible way to adjust the rule set at run time (anchors and tables are the usual mechanisms for this).

The pf.conf file has 7 sections:

  1. Macros: user-defined variables such as IP addresses and interface names.
  2. Tables: a structure for holding lists of IP addresses.
  3. Options: variables that control how PF works.
  4. Normalization (scrub): reprocessing of packets, including defragmentation, to remove ambiguities.
  5. Queueing: bandwidth control and packet prioritisation.
  6. Translation: network address translation and packet redirection.
  7. Filter rules: selective passing or blocking of packets as they cross an interface.

Except for macros and tables, which may appear anywhere, the sections must appear in the configuration file in this order, although not every section is needed for a given setup. (OpenBSD 4.7 and later folded translation into the filter rules and dropped the ordering requirement; the order above still applies to older PF and to FreeBSD's pf.conf.)

Empty lines are ignored and lines starting with # are considered comments.

Control

After boot, PF is operated through the pfctl program. Some examples:

pfctl -f /etc/pf.conf   # Load the pf.conf file
pfctl -nf /etc/pf.conf  # Parse the file, but do not load it
pfctl -Nf /etc/pf.conf  # Load only the NAT rules from the file
pfctl -Rf /etc/pf.conf  # Load only the filter rules from the file
pfctl -sn               # Show the current NAT rules
pfctl -sr               # Show the current filter rules
pfctl -ss               # Show the current state table
pfctl -si               # Show filter statistics and counters
pfctl -sa               # Show everything that can be shown
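The section ordering described under Configuration and the parse-before-load habit (pfctl -nf, then pfctl -f) described above, combined in one added shell example that is not part of the original page. It writes a small pf.conf using all seven sections in the required (pre-4.7) order, lints a file for section order with a shell/awk-free keyword check, and reloads only after pfctl has parsed the file successfully. The interface name em0, the addresses and the <badhosts> table contents are assumed values for illustration.

```shell
#!/bin/sh
# Added example, not from the original page or the PF project.
# Interface, addresses and table contents below are assumptions.

# Write a minimal pf.conf that exercises all seven sections in the documented order.
write_example_conf() {
    cat > "$1" <<'EOF'
# 1. Macros (assumed interface and network)
ext_if = "em0"
int_net = "192.168.1.0/24"

# 2. Tables: a persistent blocklist (assumed addresses)
table <badhosts> persist { 10.0.0.5, 10.0.0.6 }

# 3. Options
set skip on lo0
set block-policy drop

# 4. Normalization: reassemble fragments and drop ambiguous packets
scrub in all

# 5. Queueing (classic ALTQ syntax)
altq on $ext_if cbq bandwidth 10Mb queue { std, ssh }
queue std bandwidth 90% cbq(default)
queue ssh bandwidth 10% priority 7

# 6. Translation
nat on $ext_if from $int_net to any -> ($ext_if)

# 7. Filter rules: default deny, then explicit allows
block all
block in quick from <badhosts>
pass out on $ext_if keep state
pass in on $ext_if proto tcp to ($ext_if) port 22 queue ssh keep state
EOF
}

# Map a pf.conf line to its section number (1-7) by leading keyword; 0 = unknown.
section_of_line() {
    case "$1" in
        "table "*)                       echo 2 ;;
        "set "*)                         echo 3 ;;
        "scrub "*)                       echo 4 ;;
        "altq "*|"queue "*)              echo 5 ;;
        "nat "*|"rdr "*|"binat "*)       echo 6 ;;
        "block "*|"pass "*|"match "*)    echo 7 ;;
        *=*)                             echo 1 ;;
        *)                               echo 0 ;;
    esac
}

# Lint: sections 3-7 must not go backwards; macros (1) and tables (2) may appear anywhere.
check_section_order() {
    last=0
    line_no=0
    while IFS= read -r line; do
        line_no=$((line_no + 1))
        case "$line" in ''|'#'*) continue ;; esac
        s=$(section_of_line "$line")
        [ "$s" -le 2 ] && continue
        if [ "$s" -lt "$last" ]; then
            echo "line $line_no: section $s rule appears after section $last" >&2
            return 1
        fi
        last=$s
    done < "$1"
    return 0
}

# Parse first; load and show the filter rules only if the parse succeeds.
# Returns 2 when pfctl is not installed, 1 when the file fails to parse.
safe_reload() {
    f=$1
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found" >&2; return 2; }
    pfctl -nf "$f" || return 1
    pfctl -f "$f" && pfctl -sr
}

# Usage: sh pfconf-check.sh [/etc/pf.conf]
# With a file argument: lint its section order, then parse and load it.
# Without one: write the built-in example to a temp file and lint it.
if [ -n "${1:-}" ]; then
    check_section_order "$1" && safe_reload "$1"
else
    tmpconf=$(mktemp)
    write_example_conf "$tmpconf"
    check_section_order "$tmpconf" && echo "section order OK (example written to $tmpconf)"
fi
```

The lint is deliberately keyword-based and cheap: it catches the common mistake of adding a scrub or nat line below the filter rules, which older pfctl rejects at load time, but it is not a parser. pfctl -nf remains the authoritative check and is what gates the actual load.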

For a complete list of commands, see the pfctl man page.