pf Quickstart Guide

OpenBSD Packet Filter (pf) is a stateful packet filter firewall. pf was developed for OpenBSD, but has been ported to many other operating systems. This quickstart guide outlines several useful commands and techniques to assist in debugging pf.

Enable and start pf

To enable pf at boot, add pf_enable=yes to /etc/rc.conf:

# sysrc pf_enable=yes

Start pf manually.

# pfctl -e

View the pf ruleset

Show the current ruleset.

# pfctl -sr

Show all of the information pf can report.

# pfctl -sa

Stop and disable pf

Stop pf.

# pfctl -d

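Disable pf at boot. Note that rcctl is OpenBSD's service tool, while the sysrc command used to enable pf is FreeBSD's; use the one that matches your system.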

# rcctl disable pf

Example: Allow SSH, block everything else

This trivial example will allow SSH into the server while blocking everything else. Add the following to /etc/pf.conf.

block all                                     # default deny, both directions
pass in proto tcp to any port 22 keep state   # allow inbound SSH, track state
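
A ruleset with `block all` and no inbound SSH rule locks out remote administrators as soon as it is loaded, so it is worth checking the file first. The following POSIX sh wrapper is an added example, not part of the original guide: it parses the file with `pfctl -n` (parse only, do not load) and refuses to load it unless a `pass in` rule for port 22 is present. The `PFCTL` variable, the function names and the grep heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate a pf ruleset before loading it.
# PFCTL can be overridden (assumption of this example, useful for dry runs).
PFCTL="${PFCTL:-pfctl}"

# check_rules FILE: parse the ruleset without loading it.
check_rules() {
    "$PFCTL" -nf "$1"
}

# has_inbound_ssh FILE: succeed if a non-comment rule starting with
# "pass in" names port 22 (or "ssh"). Heuristic only: it does not
# understand port lists, macros, or rules without an explicit direction.
has_inbound_ssh() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq '^[[:space:]]*pass[[:space:]]+in[[:space:]].*port[[:space:]]+(22|ssh)([[:space:]]|$)'
}

# safe_load FILE: load the ruleset only if it parses and keeps SSH reachable.
# Returns 1 on a parse error, 2 if no inbound SSH rule was found.
safe_load() {
    check_rules "$1" || { echo "syntax error in $1" >&2; return 1; }
    has_inbound_ssh "$1" || { echo "no inbound SSH rule in $1" >&2; return 2; }
    "$PFCTL" -f "$1"
}

# Usage: sh safe_load.sh /etc/pf.conf
if [ "$#" -gt 0 ]; then
    safe_load "$1"
fi
```

A rule written as `pass out ... port 22` only permits SSH connections leaving the host, so `safe_load` rejects it with status 2.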

More Information

See the pf documentation for more details.
