pfctl is the PF command-line tool for managing the PF kernel driver. This section provides examples of using pfctl to administer the firewall.
The following examples assume that you have been assigned the Network Firewall Management rights profile and that you are running the pfctl commands in a pfbash shell.
$ pfbash
$ pfctl -sr
Use the -a and -sr options to display the complete rule set from the root to the leaf.
$ pfctl -a '*' -sr
$ pfctl -sA anchor
Use the -n option to check the syntax of a rule file without loading the rules into the kernel. For example, the following command checks the syntax of the rules in the pf.conf file in the /etc/firewall/test directory.
$ pfctl -nf /etc/firewall/test/pf.conf
$ pfctl -x debug
# dmesg
The debug messages print to the console only. The dmesg command retrieves recent diagnostic messages from the system message buffer and prints them to standard output.
$ pfctl -g -n -f /etc/firewall/test/pf.conf
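The syntax check shown above, wrapped in a shell function that loads a rule file only after pfctl -n has accepted it, so a malformed file never replaces the running rule set. This is an added example, not part of the Oracle documentation; the function name load_rules_checked and the return codes are assumptions, and it expects pfctl on the PATH under the Network Firewall Management rights profile (for example inside pfbash).

```shell
#!/bin/sh
# Added example: validate a PF rule file before loading it.
#
# load_rules_checked FILE
#   returns 0 : rules passed the syntax check and were loaded
#   returns 1 : rule file missing or unreadable
#   returns 2 : syntax check (pfctl -n) failed; kernel rules unchanged
#   returns 3 : pfctl -f failed while loading
load_rules_checked() {
    rules_file=$1

    if [ ! -r "$rules_file" ]; then
        echo "no such rule file: $rules_file" >&2
        return 1
    fi

    # -n parses the file and reports errors without touching the kernel;
    # -g adds debugging detail to the parser output.
    if ! pfctl -g -n -f "$rules_file"; then
        echo "syntax check failed; running rule set left unchanged" >&2
        return 2
    fi

    # Only a file that passed the check is handed to the kernel.
    if ! pfctl -f "$rules_file"; then
        echo "load failed for $rules_file" >&2
        return 3
    fi

    # Display the complete rule set, root to leaf, so the change can be reviewed.
    pfctl -a '*' -sr
}

# Usage (path taken from the text above):
#   load_rules_checked /etc/firewall/test/pf.conf
```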
$ pfctl -vv
$ pfctl -r -sr
For more options, see the pfctl(1M) man page.
For an example of an entire IP Filter configuration file changed to a PF configuration file, see Example 7, PF Configuration File Based on an IP Filter Configuration File.