If you have IPF rules to migrate to PF rules, be clear about the policy you are trying to enforce and write PF rules that express that policy, rather than translating each IPF rule mechanically.
Some PF features can help you test portions of your rules, display the syntax of the rules and order of execution, and perform other useful transition tasks.
You can split rules across several files in PF, though a single /etc/firewall/pf.conf is the default. To do so, add an include statement to the main configuration file naming the file to pull in; the included file is parsed at the point where the include statement appears, so its rules take that position in the rule set.

$ pfedit /etc/firewall/pf.conf
...
include "/etc/firewall/pfzones.conf"
To display the rules that are currently loaded, in the order in which PF evaluates them and including the rules in every anchor, use -a '*' together with -s rules (abbreviated -sr):

$ pfctl -a '*' -sr
Use the -n option to check the syntax of a rule file without loading the rules into the kernel. For example, the following command checks the syntax of the rules in the pf.conf file in the /etc/firewall/test directory:
$ pfctl -n -f /etc/firewall/test/pf.conf
To have the kernel report what PF is doing, raise the PF debug level with -x and then read the messages:

# pfctl -x debug
# dmesg

The debug messages are written to the console and the kernel message buffer, not to your terminal. The dmesg command prints recent diagnostic messages from the system buffer to standard output. Lower the debug level again with -x when you are done; at the debug level the output is voluminous on a busy firewall.
To see how pfctl parses a rule file without loading it, combine -g, which adds output useful for debugging, with -n. The following command parses testfile only:

$ pfctl -x debug -g -f testfile -n
The -vv option is a modifier rather than a command of its own. Combined with -s rules it displays the loaded rules as PF interprets them, with rule numbers and per-rule counters, which confirms both the syntax PF accepted and the order in which the rules are evaluated:

$ pfctl -vv -sr
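The following script is an added example, not part of this page or of Oracle's PF code. It stages a candidate rule set that uses an include file in a test directory, checks that every include resolves, and syntax-checks the whole tree with pfctl -n before anything is loaded. The rule text, the staging location and the helper names (stage_rules, list_includes, check_includes, syntax_check) are assumptions. The comments in the staged pf.conf show the IPF rule each PF line replaces, which is the policy-first translation the text recommends.

```shell
#!/bin/sh
# Added example for this page, not Oracle's own code: stage a candidate
# PF rule set that uses an include file, make sure every include resolves,
# and syntax-check the whole tree with pfctl -n before loading anything.
# The rules, the file names and the helper names below are assumptions.

# Staging directory for the candidate rules (assumption: /etc/firewall/test
# as in the text when run as root; a temporary directory otherwise).
TESTDIR=${TESTDIR:-$(mktemp -d)}

# Write the constructed sample rule set: a main pf.conf and the zone file
# it includes. The comments show the IPF rule each PF line replaces.
stage_rules() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/pfzones.conf" <<EOF
# constructed sample: rules for a second interface, kept in their own file
# IPF: pass in quick on net1 proto tcp from any to any port = 22 keep state
pass in quick on net1 proto tcp to port 22
EOF
    cat > "$dir/pf.conf" <<EOF
# constructed sample: main policy
set skip on lo0
# IPF: block in all / block out all
block log all
# IPF: pass out quick on net0 all keep state (PF keeps state by default)
pass out quick on net0
# IPF: pass in quick on net0 proto tcp from any to any port = 22 keep state
pass in quick on net0 proto tcp to port 22
# the included file is parsed at this point in the rule set
include "$dir/pfzones.conf"
EOF
}

# Print the path named by each include statement in a rule file.
# (Assumes absolute, double-quoted paths without spaces, as in the text.)
list_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Return 1 if any included file is missing or unreadable. pfctl -n rejects
# the set in that case too, but this names the offending file first.
check_includes() {
    rc=0
    for inc in $(list_includes "$1"); do
        if [ ! -r "$inc" ]; then
            echo "missing include: $inc" >&2
            rc=1
        fi
    done
    return $rc
}

# Parse the rule set without loading it (-n); -vv echoes the rules as PF
# reads them, with macros and lists expanded, so you see what would load.
syntax_check() {
    pfctl -n -vv -f "$1"
}

main() {
    stage_rules "$TESTDIR" || return 1
    check_includes "$TESTDIR/pf.conf" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        syntax_check "$TESTDIR/pf.conf" || return 1
        echo "syntax OK; load with: pfctl -f $TESTDIR/pf.conf"
    else
        echo "pfctl not available on this host; include check passed" >&2
    fi
}

main
```

Run it as root with TESTDIR=/etc/firewall/test to stage under the directory used in the text; on a host without pfctl it only verifies that the includes resolve. Once pfctl -n passes, load the set with pfctl -f and confirm with pfctl -a '*' -sr that the rules, including the ones pulled in from pfzones.conf, appear in the order you intended.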
For more options, see the pfctl(1M) man page.
For an example of an entire IP Filter configuration file changed to a PF configuration file, see Example 8, PF Configuration File Based on an IP Filter Configuration File.