
OpenBSD / FreeBSD / NetBSD: PF Firewall List Rules

I can use iptables -L -n command with Linux operating system to list the current firewall rules. How do I list all the current firewall rules under OpenBSD / FreeBSD / NetBSD operating systems? How can I see all pf firewall rules using command line tool?

Tutorial details
Difficulty: Easy
Root privileges: Yes
Requirements: pfctl and *BSD
Estimated completion time: N/A

You need to use the pfctl command, which communicates with the packet filter. It allows ruleset and parameter configuration and retrieval of status information from the packet filter. The syntax is:

pfctl -sr

OR, to list the rules loaded into a named anchor (a sub-ruleset, which -sr alone does not show), pass the anchor name with -a; on OpenBSD and FreeBSD the anchor name '*' lists all anchors recursively:

pfctl -a anchor_name -sr
pfctl -a '*' -sr

How do I see the current firewall rules?

# pfctl -sr
Sample outputs:

pass all flags S/SA
block drop in on vr0 inet proto tcp from any to ! 202.54.1.2 port = 3306
block drop in on vr0 inet proto tcp from any to ! 202.54.1.10 port = 3306
block drop in on vr0 inet proto tcp from any to ! 202.54.1.15 port = 3306
block drop in on ! lo0 proto tcp from any to any port 6000:6010

How do I see the current firewall state table?

# pfctl -ss
Sample outputs:

all udp 255.255.255.255:17500 <- 192.168.1.104:17500       NO_TRAFFIC:SINGLE
all udp 192.168.1.255:17500 <- 192.168.1.104:17500       NO_TRAFFIC:SINGLE

How do I see filter stats and counters?

# pfctl -si
Sample outputs:

[Fig.01: PF firewall in action]


You can also use the -sa option to see EVERYTHING (rules, states, info, timeouts, limits and OS fingerprints) in one listing; pipe it through more, less or grep to page or filter the output:
# pfctl -sa
# pfctl -sa | more
# pfctl -sa | less
# pfctl -sa | grep something

Sample outputs:

FILTER RULES:
pass all flags S/SA
block drop in on vr0 inet proto tcp from any to ! 202.54.1.2 port = 3306
block drop in on vr0 inet proto tcp from any to ! 202.54.1.10 port = 3306
block drop in on vr0 inet proto tcp from any to ! 202.54.1.15 port = 3306
block drop in on ! lo0 proto tcp from any to any port 6000:6010
No queue in use

STATES:
all udp 192.168.1.255:17500 <- 192.168.1.104:17500       NO_TRAFFIC:SINGLE
all tcp 192.168.1.20:22 <- 192.168.1.5:56534       FIN_WAIT_2:FIN_WAIT_2
all udp 255.255.255.255:17500 <- 192.168.1.104:17500       NO_TRAFFIC:SINGLE
all tcp 192.168.1.20:22 <- 192.168.1.5:56535       ESTABLISHED:ESTABLISHED

INFO:
Status: Enabled for 0 days 00:12:07              Debug: err

State Table                          Total             Rate
  current entries                        4
  searches                             335            0.5/s
  inserts                               13            0.0/s
  removals                               9            0.0/s
Counters
  match                                 13            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

OS FINGERPRINTS:
700 fingerprints loaded
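The listings above are meant to be read by a person, but the same output is easy to review automatically. The script below is an added example, not part of the original tutorial and not a pfctl feature: two POSIX shell functions that read pfctl output from standard input. audit_rules summarises a "pfctl -sr" listing and flags a ruleset that opens with a "pass all" rule, since PF applies the last matching rule (unless a rule says quick), so such a ruleset is default-allow and everything not caught by a later block rule gets through. check_counters reads the INFO and LIMITS blocks of "pfctl -sa" (or "pfctl -si" followed by "pfctl -sm"), reports state-table usage against the hard limit, and returns non-zero if any of the error counters that should stay at zero on a healthy firewall (memory, state-limit, state-mismatch and friends) have moved. The sample inputs are constructed from the rules and counters shown in this tutorial; the function names and the 42 in the "bad" variant are my own choices.

```shell
#!/bin/sh
# Added example (not from the tutorial): review helpers for pfctl output.
# Live use:   pfctl -sr | audit_rules        pfctl -sa | check_counters
# Needs only a POSIX shell, awk and sed.

# audit_rules: summarise a "pfctl -sr" listing. Counts pass/block rules, lists
# the interfaces named after "on", and reports a catch-all pass rule without
# "quick" (default-allow: later matching rules decide). Returns 1 if found.
audit_rules() {
    awk '
        /^pass/  { pass++ }
        /^block/ { block++ }
        {   # "on vr0" names an interface; "on ! lo0" negates it
            for (i = 1; i < NF; i++)
                if ($i == "on")
                    ifs[($(i + 1) == "!") ? "! " $(i + 2) : $(i + 1)] = 1
        }
        /^pass (in |out )?all/ && !/quick/ {
            catchall++
            print "default-allow rule (later matching rules override it): " $0
        }
        END {
            printf "rules: %d pass, %d block\n", pass, block
            for (name in ifs) printf "interface referenced: %s\n", name
            if (catchall > 0) exit 1
            exit 0
        }'
}

# check_counters: read INFO/LIMITS text, print state-table usage against the
# hard limit, and list error counters that are non-zero. Returns 1 if any is.
check_counters() {
    awk '
        /^ *current entries +[0-9]+/     { cur = $3 }
        /^ *states +hard limit +[0-9]+/  { lim = $4 }
        /^ *(bad-offset|fragment|short|normalize|memory|bad-timestamp|congestion|ip-option|proto-cksum|state-mismatch|state-insert|state-limit|src-limit) +[0-9]+/ {
            if ($2 > 0) { print "non-zero error counter: " $1 " = " $2; bad++ }
        }
        END {
            if (lim > 0)
                printf "state table: %d of %d entries (%.1f%%)\n", cur, lim, 100 * cur / lim
            if (bad > 0) exit 1
            exit 0
        }'
}

# Constructed sample inputs, copied from the outputs shown in the tutorial.
SAMPLE_RULES='pass all flags S/SA
block drop in on vr0 inet proto tcp from any to ! 202.54.1.2 port = 3306
block drop in on vr0 inet proto tcp from any to ! 202.54.1.10 port = 3306
block drop in on vr0 inet proto tcp from any to ! 202.54.1.15 port = 3306
block drop in on ! lo0 proto tcp from any to any port 6000:6010'

SAMPLE_STATUS='INFO:
Status: Enabled for 0 days 00:12:07              Debug: err

State Table                          Total             Rate
  current entries                        4
  searches                             335            0.5/s
Counters
  match                                 13            0.0/s
  memory                                 0            0.0/s
  state-mismatch                         0            0.0/s
  state-limit                            0            0.0/s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000'

# Constructed variant: PF has dropped 42 packets for want of state slots.
SAMPLE_STATUS_BAD=$(printf '%s\n' "$SAMPLE_STATUS" | sed 's/^\( *state-limit *\)0 /\1 42 /')

# Run the checks over the samples; a non-zero status means "needs attention".
pf_demo() {
    printf '%s\n' "$SAMPLE_RULES"      | audit_rules    || echo "=> ruleset is default-allow"
    printf '%s\n' "$SAMPLE_STATUS"     | check_counters || echo "=> counters need attention"
    printf '%s\n' "$SAMPLE_STATUS_BAD" | check_counters || echo "=> firewall is dropping packets"
}
pf_demo
```

Both functions read from standard input only, so they can be dropped into a cron job or monitoring check (pfctl needs root, as the tutorial notes) and their exit status used directly; the awk field positions match the column layout pfctl prints in the listings above.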

  • jefri October 6, 2013, 3:37 am

    how to rate limit ping reply in pf firewall?

    please help me..thanks

  • Chris December 23, 2014, 7:02 pm

    Best ever firewall, thanks for the tut..
