PFSENSE - PFCTL Basic Usage: Difference between revisions

From IT-Arts.net
Created page with "Category:Wiki == pfctl Command Overview == The `pfctl` command interacts with the PF firewall by managing states, rules, queues, and NAT configuration. It is a crucial tool for pfSense administrators who need to fine-tune firewall settings, troubleshoot issues, or examine the current state of the firewall. ### General Syntax <nowiki> pfctl [options]</nowiki> The options provide the functionality for various tasks such as listing rules, monitoring states, and man..."
 
m Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Category:Wiki]]
[[Category:Wiki]]


== pfctl Command Overview ==
'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''


The `pfctl` command interacts with the PF firewall by managing states, rules, queues, and NAT configuration. It is a crucial tool for pfSense administrators who need to fine-tune firewall settings, troubleshoot issues, or examine the current state of the firewall.


### General Syntax
== Packet Filter architecture ==
pfctl is the userland control utility for PF (Packet Filter), the stateful firewall subsystem originating from OpenBSD and integrated into pfSense (FreeBSD-based). pfSense dynamically generates PF rules from its configuration and loads them into the kernel via pfctl.


<nowiki>
PF operates using:
pfctl [options]</nowiki>
* Stateful inspection
* Rule evaluation from top to bottom
* First matching rule (with quick exceptions)
* Separate rule sets for filtering, NAT, redirection, and normalization
* Anchors for modular rule management (heavily used by pfSense)


The options provide the functionality for various tasks such as listing rules, monitoring states, and managing filters.
== Rule evaluation flow ==
* Packet enters interface
* Normalization rules (scrub) applied
* NAT / RDR processed
* Filtering rules evaluated
* State table checked/updated
* Packet passed or blocked


== Viewing Firewall Information ==
== Anchors and pfSense integration ==
pfSense uses anchors extensively to isolate automatically generated rules:
* <nowiki>pfSense</nowiki>
* <nowiki>pfSense/*</nowiki>
* <nowiki>relayd</nowiki>


To view general information about the firewall, including statistics about the packet filter (PF), you can run:
Anchors allow dynamic insertion and removal of rules without reloading the entire ruleset.


<nowiki>
Example:
pfctl -s info</nowiki>
<nowiki>
pfctl -a pfSense -sr</nowiki>


This command displays details such as the number of rules, states, packets processed, and the status of PF. Example output might look like:
== State table management ==
PF is a stateful firewall; every allowed connection is tracked.


<nowiki>
Display states:
Status: Enabled for 56 days 2 hours 31 minutes
<nowiki>
Filters: 8 rules
pfctl -s state</nowiki>
States: 1454 active, 220 new</nowiki>


### Displaying Firewall Rules
Kill a specific state:
<nowiki>
pfctl -k 192.0.2.10 -k 198.51.100.20</nowiki>


To display all active rules, run:
Clear all states:
<nowiki>
pfctl -Fs</nowiki>


<nowiki>
=== Tables and dynamic address management ===
pfctl -sr</nowiki>
PF tables provide high-performance lookups for large address lists.


This shows the entire ruleset in use by PF, which could include rules for filtering traffic, NAT, and queueing.
List tables:
<nowiki>
pfctl -s Tables</nowiki>


If you want to filter and see only specific types of rules (such as NAT rules), you can use:
Show table content:
<nowiki>
pfctl -t bogons -T show</nowiki>


<nowiki>
Add an IP to a table:
pfctl -sn</nowiki>
<nowiki>
pfctl -t blocked_hosts -T add 203.0.113.45</nowiki>


This will show only the NAT rules configured in PF.
Remove an IP:
<nowiki>
pfctl -t blocked_hosts -T delete 203.0.113.45</nowiki>


### Viewing Active States and Connections
=== NAT and redirection inspection ===
Display NAT rules:
<nowiki>
pfctl -s nat</nowiki>


To view the list of active states or connections, use:
Display redirection rules:
<nowiki>
pfctl -s rdr</nowiki>


<nowiki>
Show all translation rules:
pfctl -ss</nowiki>
<nowiki>
pfctl -s rules | grep nat</nowiki>


This command displays active states (connections) in the firewall, which could be essential for monitoring real-time traffic or troubleshooting connectivity issues. For example:
=== Rule counters and performance metrics ===
PF tracks packets and bytes per rule.


<nowiki>
Show rules with counters:
TCP 192.168.1.100:12345 -> 93.184.216.34:80
<nowiki>
TCP 192.168.1.101:34567 -> 216.58.204.14:443</nowiki>
pfctl -vvsr</nowiki>


Each line represents an established or related connection with source and destination IPs and ports.
Reset counters:
<nowiki>
pfctl -z</nowiki>


### Flushing Rules and States
This is critical for traffic analysis and policy validation.


To clear the active states (flush states), use the following command:
=== Normalization and packet scrubbing ===
Scrub rules normalize packets to prevent evasion techniques:
* MSS clamping
* Fragment reassembly
* Invalid flag dropping


<nowiki>
Display scrub rules:
pfctl -F states</nowiki>
<nowiki>
pfctl -s all | grep scrub</nowiki>


This is useful when you need to reset all active connections, such as after a change in firewall rules.
== Security concepts ==


To flush (clear) all rules from the firewall, use:
=== Stateful filtering ===
Only packets belonging to a valid state are allowed to pass, reducing attack surface.


<nowiki>
=== Default deny policy ===
pfctl -F rules</nowiki>
pfSense enforces an implicit block at the end of rule sets.


This command removes the entire ruleset, effectively disabling filtering until new rules are loaded.
Verify block rules:
<nowiki>
pfctl -sr | grep block</nowiki>


### Reloading the pf Configuration
=== Antispoofing ===
PF can prevent IP spoofing on interfaces.


To reload the PF configuration after editing `/etc/pf.conf` or after changes in the firewall rules, use:
Example:
<nowiki>
antispoof quick for em0</nowiki>


<nowiki>
=== SYN flood protection ===
pfctl -f /etc/pf.conf</nowiki>
PF supports SYN proxies and connection rate limiting.


This will reapply the entire configuration, ensuring the latest rules are in effect.
Example rule:
<nowiki>
pass in proto tcp from any to any flags S/SA keep state (max-src-conn 100, max-src-conn-rate 50/10)</nowiki>


### Enabling and Disabling the Firewall
=== Table-based threat mitigation ===
Dynamic tables allow automatic blocking via IDS/IPS or scripts.


You can temporarily disable the PF firewall with:
Example integration:
* Snort / Suricata populating PF tables
* Fail2ban-style blocking


<nowiki>
=== Logging and diagnostics ===
pfctl -d</nowiki>
PF logs packets to pflog interfaces.


This turns off the firewall, which might be useful for debugging or performing maintenance. To enable the firewall again:
Enable logging on a rule:
<nowiki>
pass in log proto tcp from any to any port 22</nowiki>


<nowiki>
View logs:
pfctl -e</nowiki>
<nowiki>
tcpdump -n -e -ttt -i pflog0</nowiki>


It's important to be cautious when using these commands, as disabling the firewall could expose the system to potential security risks.
== Troubleshooting ==


== Managing IP Blocklists ==
=== Rules not matching ===
* Verify rule order
* Check for quick rules
* Inspect active rules instead of GUI configuration


You can dynamically manage IP blocklists using pfctl. For example, to add an IP address to a blocklist (such as blocking a malicious IP), use the following command:
<nowiki>
 
pfctl -sr</nowiki>
<nowiki>
pfctl -t blocklist -T add 192.168.1.100</nowiki>
 
This command adds the IP address `192.168.1.100` to a predefined table called `blocklist`. To remove an IP from the blocklist:
 
<nowiki>
pfctl -t blocklist -T delete 192.168.1.100</nowiki>
 
Tables can be defined in the `/etc/pf.conf` configuration file, and the `-t` option is used to specify the table, while the `-T` option manages entries within that table.
 
== Debugging pfctl Output ==
 
If you need more detailed information for debugging purposes, you can add verbosity to any pfctl command. For example, to display detailed information about rules:
 
<nowiki>
pfctl -v -s rules</nowiki>
 
The `-v` flag increases verbosity, showing additional information about the rules, including rule match statistics and more.
 
To debug rule matching for a specific source or destination, use the `-vv` flag for even more detailed output:
 
<nowiki>
pfctl -vv -s rules</nowiki>
 
### Monitoring Packets with pfctl
 
You can also monitor packet counters and match statistics with:
 
<nowiki>
pfctl -s stats</nowiki>


This will provide statistics on the number of packets that matched a specific rule, the number of packets dropped, passed, or rejected, and more. Example output might look like:
=== NAT not working ===
* Confirm NAT rules are loaded
* Ensure outbound NAT mode is correct
* Check rule auto-generation


<nowiki>
<nowiki>
match 2345 pass 1432 block 80
total 5800</nowiki>
 
This is useful for assessing the impact of specific firewall rules.
 
== Managing NAT Rules ==
 
To manage Network Address Translation (NAT) settings, pfctl provides an option to list NAT rules:
 
<nowiki>
pfctl -sn</nowiki>
 
To view NAT statistics, use:
 
<nowiki>
pfctl -s nat</nowiki>
pfctl -s nat</nowiki>


This command shows the NAT states, including address translations and port forwarding rules. You can also use pfctl to apply NAT settings dynamically after modifications in the `/etc/pf.conf` file.
=== Traffic blocked unexpectedly ===
 
* Inspect states
### Controlling Packet Queueing and Limitations
* Check floating rules
 
* Analyze logs in pflog
You can manage packet queueing for traffic shaping and bandwidth control by using:
 
<nowiki>
pfctl -sq</nowiki>
 
This command lists all the configured queues and their current status, including packet counts and throughput. To add or modify queue settings, you would typically edit the `/etc/pf.conf` file and then reload the configuration using:


<nowiki>
<nowiki>
pfctl -f /etc/pf.conf</nowiki>
pfctl -s state</nowiki>


### Viewing Anchor Rules
=== Performance degradation ===
* Check state table size
* Inspect table sizes
* Reset counters and monitor


In pfSense, you can configure rules that act as anchors, allowing for more modular configurations. To list all anchor rules, use:
<nowiki>
pfctl -si</nowiki>


<nowiki>
=== Rules disappear after reload ===
pfctl -sa</nowiki>
pfSense regenerates rules automatically. Manual pfctl changes are ephemeral and overwritten on reload or reboot.


This will show all loaded anchors and the rules associated with each anchor.
== Useful links ==
* https://man.openbsd.org/pfctl
* https://man.openbsd.org/pf.conf
* https://docs.netgate.com/pfsense/en/latest/firewall/index.html
* https://www.freebsd.org/cgi/man.cgi?query=pfctl
* https://www.openbsd.org/faq/pf/

Latest revision as of 07:05, 17 January 2026


Return to Wiki Index


Packet Filter architecture

pfctl is the userland control utility for PF (Packet Filter), the stateful firewall subsystem originating from OpenBSD and integrated into pfSense (FreeBSD-based). pfSense dynamically generates PF rules from its configuration and loads them into the kernel via pfctl.

PF operates using:

  • Stateful inspection
  • Rule evaluation from top to bottom
  • First matching rule (with quick exceptions)
  • Separate rule sets for filtering, NAT, redirection, and normalization
  • Anchors for modular rule management (heavily used by pfSense)

Rule evaluation flow

  • Packet enters interface
  • Normalization rules (scrub) applied
  • NAT / RDR processed
  • Filtering rules evaluated
  • State table checked/updated
  • Packet passed or blocked

Anchors and pfSense integration

pfSense uses anchors extensively to isolate automatically generated rules:

  • pfSense
  • pfSense/*
  • relayd

Anchors allow dynamic insertion and removal of rules without reloading the entire ruleset.

Example: 

pfctl -a pfSense -sr

State table management

PF is a stateful firewall; every allowed connection is tracked.

Display states: 

pfctl -s state

Kill a specific state: 

pfctl -k 192.0.2.10 -k 198.51.100.20

Clear all states: 

pfctl -Fs

Tables and dynamic address management

PF tables provide high-performance lookups for large address lists.

List tables: 

pfctl -s Tables

Show table content: 

pfctl -t bogons -T show

Add an IP to a table: 

pfctl -t blocked_hosts -T add 203.0.113.45

Remove an IP: 

pfctl -t blocked_hosts -T delete 203.0.113.45

NAT and redirection inspection

Display NAT rules: 

pfctl -s nat

Display redirection rules: 

pfctl -s rdr

Show all translation rules: 

pfctl -s rules | grep nat

Rule counters and performance metrics

PF tracks packets and bytes per rule.

Show rules with counters: 

pfctl -vvsr

Reset counters: 

pfctl -z

This is critical for traffic analysis and policy validation.

Normalization and packet scrubbing

Scrub rules normalize packets to prevent evasion techniques:

  • MSS clamping
  • Fragment reassembly
  • Invalid flag dropping

Display scrub rules: 

pfctl -s all | grep scrub

Security concepts

Stateful filtering

Only packets belonging to a valid state are allowed to pass, reducing attack surface.

Default deny policy

pfSense enforces an implicit block at the end of rule sets.

Verify block rules: 

pfctl -sr | grep block

Antispoofing

PF can prevent IP spoofing on interfaces.

Example: 

antispoof quick for em0

SYN flood protection

PF supports SYN proxies and connection rate limiting.

Example rule: 

pass in proto tcp from any to any flags S/SA keep state (max-src-conn 100, max-src-conn-rate 50/10)

Table-based threat mitigation

Dynamic tables allow automatic blocking via IDS/IPS or scripts.

Example integration:

  • Snort / Suricata populating PF tables
  • Fail2ban-style blocking

Logging and diagnostics

PF logs packets to pflog interfaces.

Enable logging on a rule: 

pass in log proto tcp from any to any port 22

View logs: 

tcpdump -n -e -ttt -i pflog0

Troubleshooting

Rules not matching

  • Verify rule order
  • Check for quick rules
  • Inspect active rules instead of GUI configuration
pfctl -sr

NAT not working

  • Confirm NAT rules are loaded
  • Ensure outbound NAT mode is correct
  • Check rule auto-generation
pfctl -s nat

Traffic blocked unexpectedly

  • Inspect states
  • Check floating rules
  • Analyze logs in pflog
pfctl -s state

Performance degradation

  • Check state table size
  • Inspect table sizes
  • Reset counters and monitor
pfctl -si

Rules disappear after reload

pfSense regenerates rules automatically. Manual pfctl changes are ephemeral and overwritten on reload or reboot.

Retrieved from "https://it-arts.net/index.php?title=PFSENSE_-_PFCTL_Basic_Usage&oldid=863"