I would like to tell my BSD based PF firewall to flush out the current configuration every 2 minutes. This will help me, when I’m testing a new rules and configuration options. [donotprint]
Tutorial details
Difficulty level Easy
Root privileges Yes
Requirements *BSD+pf
Est. reading time 1m
[/donotprint]Some time I find myself locked out of my own remote server. How do I reset PF firewall automatically without issuing hard reboot?

There is no need to write a shell script and call it from cron. You can load the rules from the /etc/pf.conf and sleep or 120 seconds then disable pf using the following syntax:
#/sbin/pfctl -f /etc/pf.conf && sleep 120 && /sbin/pfctl -d
  • -f /etc/pf.conf – Load the rules contained in /etc/pf.conf.
  • -d – Disable the packet filter.
  • sleep 120: The sleep command suspends execution for a minimum of 200 seconds before calling the next command.

You can also test pf.conf for syntax errors using the following options:
# /sbin/pfctl -nf /etc/pf.conf
Finally, && (AND list) shell control operator is to used run next command only if, first command returns an exit status of zero. So each command in list must be successful in order to run next command.
# /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf && sleep 120 && /sbin/pfctl -d

See also

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 4 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
4 comments… add one
  • gregf May 13, 2009 @ 22:53

    This is great, although you might already have a working rule set. In which case you wouldn’t want to take down the whole firewall over a mistake. My working method has been about the same as above, but I keep new rules in there own file pf.testing. Then you can do the 120 second delay to load the original set if things went wrong. This way there is no open hole(s) in your firewall while your testing. Obviously it’s highly unlikely you’ll have an attack the moment you bring the firewall down. I just think it’s better practice if there is a choice.

  • eigenheit Jun 23, 2009 @ 1:22

    Thinking about it the command -nf is very useful in testing new rules, you are always kept behind your trustful gateway.

  • Nilesh Jan 17, 2011 @ 10:16


  • Toni Jan 15, 2015 @ 16:27

    pfctl -ngf is the best option, as will show you all syntax errors (on the logic ones, there is no magic :( )

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum