Command | Description |
--- | --- |
pfctl -d | Disable the packet filter |
pfctl -e | Enable the packet filter |
pfctl -Fa -f /etc/pf.conf | Flush all (nat, filter, queue, state, info, table) rules and reload from the file /etc/pf.conf |
pfctl -s rules | Report on the currently loaded filter ruleset. |
pfctl -s nat | Report on the currently loaded nat ruleset. |
pfctl -s state | Report on the currently running state table (very useful). |
pfctl -v -n -f /etc/pf.conf | Does not load any rules; it only parses /etc/pf.conf and reports syntax errors, so you can check the file before you actually load the ruleset. Obviously good for testing. |
pflogd writes its log in tcpdump (pcap) binary format, so tcpdump can read the pflog0 interface directly.
To watch only packets that match a certain interface use the following:
tcpdump -n -e -ttt -i pflog0 host 192.168.0.1
To watch packets that match a specific port:
tcpdump -n -e -ttt -i pflog0 port 443
To look up a specific rule identified in tcpdump output, for example rule #100 below. Note: this is not the same as opening pf.conf and going to line #100. PF expands rules (macros, lists, etc.) when loading, so rule numbers do not correspond to line numbers in the file.
pfctl -vvs rules | grep '@100'
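The lookup above can be scripted so the rule number printed by tcpdump on pflog0 is resolved straight to the expanded rule in `pfctl -vvs rules`. The following is an added example, not code from the original post: the tcpdump line and the ruleset text are constructed samples (the exact pflog line format varies between PF versions), and the function names are my own. Anchoring on `@N ` rather than `@N` avoids matching rule 1000 when you ask for rule 100, which a plain `grep @100` would do.

```shell
#!/bin/sh
# Added example: map a rule number seen in pflog/tcpdump output back to the
# expanded rule shown by `pfctl -vvs rules`. Both inputs below are CONSTRUCTED
# sample output, not captured from a real firewall.

# Constructed `tcpdump -n -e -ttt -i pflog0` line; the "rule N/..." prefix is
# what we care about (its surrounding format is version-dependent).
SAMPLE_PFLOG='000000 rule 100/0(match): block in on em0: 192.168.0.1.51234 > 10.0.0.5.443: Flags [S], seq 1, win 65535, length 0'

# Constructed `pfctl -vvs rules` output: numbered, expanded rules with counters.
SAMPLE_RULES='@99 pass out quick on em0 inet from any to any flags S/SA keep state
  [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ]
@100 block drop in log on em0 inet from 192.168.0.1 to any
  [ Evaluations: 42 Packets: 3 Bytes: 180 States: 0 ]
@1000 pass in log on em0 inet proto tcp from any to any port = 443 flags S/SA keep state
  [ Evaluations: 7 Packets: 0 Bytes: 0 States: 0 ]'

# Extract the rule number from one pflog line (prints "100" for the sample).
pflog_rule_number() {
    printf '%s\n' "$1" | sed -n 's|.*rule \([0-9][0-9]*\)[/(].*|\1|p'
}

# Look up rule N in ruleset text (argument 2). Matching "^@N " keeps @100 from
# also hitting @1000; the counter lines never start with "@" so they are skipped.
# Prints the rule without its "@N " prefix, or nothing if N is not loaded.
lookup_rule() {
    num=$1
    rules=$2
    printf '%s\n' "$rules" | grep "^@${num} " | sed "s/^@${num} //"
}

# Resolve the rule a pflog line refers to; fails if no rule number is present.
resolve_pflog_rule() {
    n=$(pflog_rule_number "$1")
    [ -n "$n" ] || return 1
    lookup_rule "$n" "$2"
}

# Stand-alone run against the constructed samples. On a live host you would
# pass "$(pfctl -vvs rules)" as the second argument instead of SAMPLE_RULES.
resolve_pflog_rule "$SAMPLE_PFLOG" "$SAMPLE_RULES"
```

Feed real lines to `resolve_pflog_rule` while watching `tcpdump -n -e -ttt -i pflog0` and you get the rule that actually matched, which is what you want when tracking down why a packet was blocked or passed.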