Network
pfctl
Control the OpenBSD Packet Filter firewall.
Additional Notes
pfctl is the command-line tool for controlling the Packet Filter (PF) firewall on BSD systems (OpenBSD, FreeBSD, macOS). PF is a stateful firewall that provides packet filtering, network address translation (NAT), traffic shaping, and bandwidth management.
While pfctl is native to BSD systems, it may appear on Linux systems that use the pf kernel module (via pf-kernel or similar projects) or on macOS. The tool controls firewall rules, displays state tables, logs traffic, and manages the PF configuration. On Linux, iptables/nftables are more common, but understanding pfctl is useful for cross-platform network administration.
Syntax
pfctl [options] [ruleset-file]
Parameters
options: Flags that change how pfctl behaves.
target: Optional file, device, interface, user, service, or command target when the command supports one.
Common Options
-e: Enable the Packet Filter firewall.
-d: Disable the Packet Filter firewall.
-f file: Load rules from a configuration file.
-N: Load only the NAT rules.
-R: Load only the filter rules.
-s: Show PF status information. Combined with keywords like rules, nat, states, queue.
-sr: Show the currently loaded filter rules.
-sn: Show the currently loaded NAT rules.
-ss: Show the current state table.
-si: Show interface statistics.
-sa: Show all PF information.
-F: Flush PF components. Combined with states, rules, nat, info, all.
-k host: Kill all states matching the specified host.
-K host: Kill all states matching the specified gateway.
-t table: Operate on a PF table (add, delete, replace, test, show).
-T add/delete/replace/test/show: Table operations.
-v: Verbose output.
-o: Enable optimization (skip rules when possible).
-q: Quiet mode (less output).
-p device: Specify the alternate device for /dev/pf.
Examples
pfctl -e
Enable the PF firewall.
pfctl -d
Disable the PF firewall.
pfctl -f /etc/pf.conf
Load firewall rules from the default configuration file.
pfctl -sr
Display currently loaded filter rules.
pfctl -sn
Display currently loaded NAT rules.
pfctl -ss
Show the current state table (active connections tracked by PF).
pfctl -sa
Show all PF information (stats, rules, states, queues, tables).
pfctl -F all
Flush all states, rules, NAT rules, and queue definitions.
pfctl -F states
Flush all connection states without changing rules.
pfctl -t blocked_hosts -T add 192.168.1.100
Add an IP address to a table named blocked_hosts.
pfctl -t blocked_hosts -T show
Show all entries in the blocked_hosts table.
pfctl -k 10.0.0.5
Kill all states involving the host 10.0.0.5.
Practical Notes
- pfctl requires root privileges. Use sudo or run as root.
- On macOS, PF is built-in and managed with pfctl, but it is disabled by default. Enable with pfctl -e.
- The PF configuration file is typically /etc/pf.conf. Always test configuration with pfctl -nf /etc/pf.conf before loading.
- After making changes to pf.conf, load the new rules with pfctl -f /etc/pf.conf.
- On Linux, the equivalent functionality is provided by iptables or nftables. pfctl is not installed by default on most Linux distributions.
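The test-then-load procedure from the Practical Notes and the blocked_hosts table commands from the Examples, combined into one shell example. This is an added example, not code from the original page or from the PF project: the function names sample_pf_conf, pf_snapshot_rules, pf_check_and_load and pf_block_host, and the ruleset text, are assumptions constructed for illustration; the pfctl flags it calls (-nf, -f, -sr, -t/-T add) are the ones documented above.

```shell
#!/bin/sh
# Added example, not part of the original page. Function names and the sample
# ruleset are constructed for illustration; the pfctl flags used (-nf, -f,
# -sr, -t/-T add) are the ones listed in the reference above.

# Constructed sample ruleset that uses the blocked_hosts table from the
# Examples section. "persist" keeps the table in the kernel across rule
# reloads, so addresses added with "pfctl -t blocked_hosts -T add ..." are
# not lost on the next "pfctl -f".
sample_pf_conf() {
    cat <<'EOF'
# constructed sample pf.conf (not a real site's ruleset)
table <blocked_hosts> persist
set skip on lo0
block in quick from <blocked_hosts>
block in all
pass out all keep state
pass in proto tcp to port 22 keep state
EOF
}

# Save the filter rules currently loaded in the kernel to a file. Taking a
# snapshot before a reload gives the operator something to diff against
# afterwards (pfctl -sr prints the active filter rules).
pf_snapshot_rules() {
    pfctl -sr > "$1"
}

# Parse-check a ruleset with -n first and load it with -f only if the check
# passes. -n parses the file without loading it, so syntax errors are caught
# before a load is even attempted (the check the Practical Notes recommend).
# Returns pfctl's own exit status on failure.
pf_check_and_load() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "pf_check_and_load: cannot read $cfg" >&2
        return 2
    fi
    if ! pfctl -nf "$cfg"; then
        echo "pf_check_and_load: syntax check failed, rules NOT loaded" >&2
        return 1
    fi
    pfctl -f "$cfg"
}

# Add an IPv4 address or CIDR prefix to the blocked_hosts table. The shape
# check rejects anything that is not digits, dots and a slash, so a typo or a
# stray argument is refused before it reaches pfctl.
pf_block_host() {
    host=$1
    case $host in
        ""|*[!0-9./]*)
            echo "pf_block_host: not an IPv4 address or prefix: '$host'" >&2
            return 2 ;;
    esac
    pfctl -t blocked_hosts -T add "$host"
}
```

Source the file as root and call pf_check_and_load /etc/pf.conf (after pf_snapshot_rules /root/pf.before if you want a diff). On macOS, loading rules does not enable the filter; run pfctl -e first, as the Practical Notes say.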