Pf usage
Logs
```bash
# Firstly, log packets affected by your 'block-everything' rule
# using the syntax: `block log all`
sudo tcpdump -n -e -ttt -i pflog0          # watch log
sudo tcpdump -n -e -ttt -r /var/log/pflog  # show log contents
```

Log filtering
```bash
# only show packets to or from host 192.168.1.3 on port 80
tcpdump -n -e -ttt -r /var/log/pflog \
    port 80 and host 192.168.1.3

# watch inbound packets that were blocked on interface wi0
tcpdump -n -e -ttt -i pflog0 \
    inbound and action block and on wi0
```
Rules
```bash
pfctl -sr   # show only firewall rules
pfctl -sn   # show only nat rules
pfctl -sa   # show all rules (and more..)
```
Configuration
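```bash
pfctl -nf /etc/pf.conf          # test contents of /etc/pf.conf for errors (nothing is loaded)
pfctl -F all -f /etc/pf.conf    # flush everything (rules, nat, states, tables, ...), then load
                                # the rules and tables defined in /etc/pf.conf; because the state
                                # table is flushed too, established connections may be dropped
```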
Tables
```bash
pfctl -t fail2ban -T show             # show all ips contained in the table <fail2ban>
pfctl -t fail2ban -T add x.x.x.x      # adds x.x.x.x to the table <fail2ban>
pfctl -t fail2ban -T delete x.x.x.x   # deletes x.x.x.x from the table <fail2ban>
```