Pf usage


Logs

# Only rules that carry the 'log' keyword write to pflog, so start by
# logging the catch-all rule, written as:    `block log all`
# tcpdump flags: -n no name lookups, -e print the pflog header
# (rule number, action, interface), -ttt timestamps as deltas

sudo tcpdump -i pflog0 -n -e -ttt           # live view of the pflog interface
sudo tcpdump -r /var/log/pflog -n -e -ttt   # replay the saved log file

Log filtering

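# show logged packets to OR from 192.168.1.3 on port 80
# ('host' and 'port' match either endpoint; for packets sent *by* that
# host only, use:  src host 192.168.1.3 and src port 80)
tcpdump -n -e -ttt -r /var/log/pflog \
  port 80 and host 192.168.1.3

# watch inbound packets that were blocked on interface wi0
# (pflog-specific filter keywords: action, on/ifname, rulenum, reason)
tcpdump -n -e -ttt -i pflog0 \
  inbound and action block and on wi0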

Rules

# -s takes a modifier; the short forms (-sr, -sn, -sa) are just prefixes
pfctl -s rules   # filter rules only
pfctl -s nat     # NAT rules only
pfctl -s all     # everything: rules, nat, and more

Configuration

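# Always syntax-check before loading: -n parses the file without loading it.
pfctl -nf /etc/pf.conf                # check /etc/pf.conf for errors, change nothing
# -f alone replaces the loaded ruleset (rules, nat, tables as defined in the
# file) but keeps the state table, so established connections survive.
pfctl -f /etc/pf.conf                 # reload ruleset from /etc/pf.conf
# -F all flushes everything (rules, nat, tables, state table, counters) before
# loading; existing connections lose their state entries and may be cut.
pfctl -F all -f /etc/pf.conf          # flush all, then load /etc/pf.conf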

Tables

# -t names the table, -T the table command; these edit the live kernel
# table only, /etc/pf.conf is not rewritten
pfctl -T show -t fail2ban             # list every address in <fail2ban>
pfctl -T add -t fail2ban x.x.x.x      # add x.x.x.x to <fail2ban>
pfctl -T delete -t fail2ban x.x.x.x   # remove x.x.x.x from <fail2ban>