[Contents] [Next: Lists and Macros]

PF: Getting Started

Table of Contents


To activate PF and have it read its configuration file at boot, add the line
to the file /etc/rc.conf.local.

Reboot your system to have it take effect.

You can also activate and deactivate PF by using the pfctl(8) program:

# pfctl -e
# pfctl -d

to enable and disable, respectively. Note that this just enables or disables PF, it doesn't actually load a ruleset. The ruleset must be loaded separately, either before or after PF is enabled.


PF reads its configuration rules from /etc/pf.conf at boot time, as loaded by the rc scripts. Note that while /etc/pf.conf is the default and is loaded by the system rc scripts, it is just a text file loaded and interpreted by pfctl(8) and inserted into pf(4). For some applications, other rulesets may be loaded from other files after boot. As with any well designed Unix application, PF offers great flexibility.

The pf.conf file has seven parts:

With the exception of macros and tables, each section should appear in this order in the configuration file, though not all sections have to exist for any particular application.

Blank lines are ignored, and lines beginning with # are treated as comments.


After boot, PF operation can be managed using the pfctl(8) program. Some example commands are: # pfctl -f /etc/pf.conf Load the pf.conf file # pfctl -nf /etc/pf.conf Parse the file, but don't load it # pfctl -Nf /etc/pf.conf Load only the NAT rules from the file # pfctl -Rf /etc/pf.conf Load only the filter rules from the file # pfctl -sn Show the current NAT rules # pfctl -sr Show the current filter rules # pfctl -ss Show the current state table # pfctl -si Show filter stats and counters # pfctl -sa Show EVERYTHING it can show

For a complete list of commands, please see the pfctl(8) man page.

[Contents] [Next: Lists and Macros]

[back] www@openbsd.org
$OpenBSD: config.html,v 1.23 2007/11/01 02:57:56 joel Exp $