OpenBSD PF - Getting Started


PF is enabled by default. If you wish to disable it on boot, use the rcctl(8) tool to do so:
# rcctl disable pf
Reboot your system to have it take effect.

You can also manually activate and deactivate PF by using the pfctl(8) program:

# pfctl -e
# pfctl -d
These commands enable and disable PF, respectively. Note that enabling PF does not load a ruleset. The ruleset must be loaded separately, either before or after PF is enabled.


PF reads its configuration rules from pf.conf(5) at boot time, as loaded by the rc scripts. Note that while pf.conf(5) is the default and is loaded by the system rc scripts, it is just a text file loaded and interpreted by pfctl(8) and inserted into pf(4). For some applications, other rulesets may be loaded from other files after boot.

The pf.conf file has multiple parts:

Blank lines are ignored, and lines beginning with # are treated as comments.


After boot, PF operation can be managed using the pfctl(8) program. Some example commands are:
# pfctl -f  /etc/pf.conf  Load the pf.conf file
# pfctl -nf /etc/pf.conf  Parse the file, but don't load it
# pfctl -sr               Show the current ruleset
# pfctl -ss               Show the current state table
# pfctl -si               Show filter stats and counters
# pfctl -sa               Show EVERYTHING it can show
For a complete list of commands, please see the man page.
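
The commands above can be combined into a guarded reload. The following is an added example, not part of the original FAQ: it parses the file with -nf, loads it with -f only if the parse succeeds, and then checks the status line of pfctl -si, since loading a ruleset and enabling PF are separate steps. The names PFCTL and pf_safe_load are assumptions made for this example.

```sh
#!/bin/sh
# Added example: parse a ruleset with "pfctl -nf" before loading it with
# "pfctl -f", then confirm PF is enabled. Must run as root on OpenBSD.
# PFCTL and pf_safe_load are names chosen for this example (assumptions).

PFCTL="${PFCTL:-pfctl}"

# pf_safe_load FILE
# Returns: 0 loaded and PF enabled, 1 file unreadable, 2 parse error
# (nothing loaded), 3 load failed, 4 loaded but PF is disabled.
pf_safe_load() {
    conf="$1"

    if [ ! -r "$conf" ]; then
        echo "pf_safe_load: cannot read $conf" >&2
        return 1
    fi

    # -n parses the file without loading it; stop here on any error so
    # the running ruleset is never touched by a file that does not parse.
    if ! "$PFCTL" -nf "$conf"; then
        echo "pf_safe_load: parse error in $conf, running ruleset unchanged" >&2
        return 2
    fi

    if ! "$PFCTL" -f "$conf"; then
        echo "pf_safe_load: loading $conf failed" >&2
        return 3
    fi

    # Loading a ruleset does not enable PF (and enabling PF does not load
    # one), so check the status line printed by "pfctl -si".
    if "$PFCTL" -si | grep -q '^Status: Enabled'; then
        return 0
    fi
    echo "pf_safe_load: ruleset loaded but PF is disabled (pfctl -e)" >&2
    return 4
}

# Usage: pf_safe_load /etc/pf.conf
```

A return value of 4 means the rules are in place but not being applied until PF is enabled with pfctl -e.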