PF cheatsheet

Cheatsheet for the PF firewall (*BSD, macOS/iOS, Solaris, QNX/BlackBerry).

Show rules:

# pfctl -sr

The same, but more verbose:

# pfctl -vsr

Show anchors:

# pfctl -sA

Show anchors recursively:

# pfctl -vsA

Show rules recursively (including anchors):

# pfctl -a '*' -sr

Show anchors within the f2b anchor:

# pfctl -a 'f2b' -sA

Show rules for f2b/sshd anchor:

# pfctl -a 'f2b/sshd' -sr

Show rules recursively within the f2b anchor:

# pfctl -a 'f2b/*' -sr

Show tables:

# pfctl -sT

The same, but more verbose:

# pfctl -vsT

Show tables for f2b/sshd anchor:

# pfctl -a 'f2b/sshd' -sT

Recursively listing tables is not possible.

Show the contents of table <trusted>:

# pfctl -t 'trusted' -Ts

Show the contents of table <f2b-sshd> in the anchor f2b/sshd:

# pfctl -a 'f2b/sshd' -t 'f2b-sshd' -Ts

The same, but more verbose:

# pfctl -a 'f2b/sshd' -t 'f2b-sshd' -vTs

Add an IP address or IP range to table <trusted>:

# pfctl -t 'trusted' -Ta 203.0.113.12
# pfctl -t 'trusted' -Ta 203.0.113.0/24

Delete an IP address or IP range from table <trusted>:

# pfctl -t 'trusted' -Td 203.0.113.12
# pfctl -t 'trusted' -Td 203.0.113.0/24

Empty (flush) table <blocked>:

# pfctl -t 'blocked' -Tf

It may be a good idea to verify the syntax of the configuration file before restarting the firewall:

# pfctl -n -f /etc/pf.conf

Logging must be enabled explicitly in pf.conf on a per-rule basis; see the PF User’s guide for more info.

Display log in real time:

# tcpdump -tttt -n -e -i pflog0

End output with ^C.

List all log entries for outbound traffic to port 80:

# tcpdump -tttt -n -e -r /var/log/pflog outbound and port 80

The same, but more verbose:

# tcpdump -v -tttt -n -e -r /var/log/pflog outbound and port 80

Get even more verbosity with -vv or -vvv.

Search the log file for a certain IP address:

# tcpdump -tttt -n -e -r /var/log/pflog host 203.0.113.12

The same, but with a compressed log file:

# bunzip2 -c /var/log/pflog.0.bz2 | tcpdump -tttt -n -e -r - host 203.0.113.12

List inbound traffic, except traffic to the Tor relay or Tor directory info:

# tcpdump -tttt -n -e -r /var/log/pflog inbound and not port 9001 and not port 9030

List blocked inbound traffic to the Tor relay:

# tcpdump -tttt -n -e -r /var/log/pflog inbound and dst port 9001 and action block

Since the output of tcpdump is plaintext, it can be further processed by tools like grep, sed, awk, etc.

Find all outgoing traffic that was not initiated by the users with UIDs 53, 123 and 256:

# tcpdump -tttt -n -e -r /var/log/pflog outbound | grep -Ev '\[uid (53|123|256)\]'

Logging of UIDs must be enabled explicitly in pf.conf, e.g.:

pass out log (user) all keep state

More info:


Note:

When using fail2ban, the f2b anchors should NOT be specified like this in pf.conf:

anchor "f2b/*"

Instead, all anchors should be specified explicitly, otherwise recursive listing won’t work:

anchor f2b {
    anchor apache-auth
    anchor dovecot
    anchor postfix
    anchor sshd
}

REPUBLISHING TERMS

You may republish this article online or in print under our Creative Commons license. You may not edit or shorten the text, you must attribute the article to OhReally.nl and you must include the author’s name in your republication.

If you have any questions, please email rob@ohreally.nl

License

Creative Commons License AttributionCreative Commons Attribution
PF cheatsheet