pfctl is the PF command-line tool for managing the PF kernel driver. This section provides examples of using pfctl to administer firewall.
The pfctl command can display the syntax of the rules and order of execution, verify the validity of the configuration file, and perform other useful administration tasks.
The following examples assume that you have been assigned the Network Firewall Management rights profile and that you are running the pfctl commands in a pfbash shell.
Use the –sr options to display the main, or root, rule set.
$ pfbash $ pfctl -sr
Use the –a and –sr options to display the complete rule set from the root to the leaf.
$ pfctl -a '*' -sr
Use the –sA option to display all anchors in the rule set tree.
$ pfctl -sA anchor
Use the –n option to check the syntax of a rule file without loading the rules into the kernel. For example, the following command checks the syntax of the rules in the pf.conf file in the /etc/firewall/test directory.
$ pfctl -nf /etc/firewall/test/pf.conf
Use the –x option to set the debugging level. The default debugging level is error.
$ pfctl -x debug # dmesg
The debug messages print to the console only. The dmseg command finds recent diagnostic messages in the system buffer and prints them to standard output.
Use the –g option to debug problems with the rule parser.
$ pfctl -g -n -f /etc/firewall/test/pf.conf
Use the –v and –vv options to display verbose output.
$ pfctl -vv
Use the –r option to perform DNS lookups on states when displaying them.
$ pfctl -r -sr
For more options, see the pfctl(1M) man page.
For an example of an entire IP Filter configuration file changed to a PF configuration file, see Example 7, PF Configuration File Based on an IP Filter Configuration File.