Control

After boot, PF operation can be managed using the pfctl(8) program. Some example commands are:
# pfctl -f /etc/pf.conf      Loads the pf.conf file
# pfctl -nf /etc/pf.conf     Parse the file, but don't load it
# pfctl -Nf /etc/pf.conf     Load only the NAT rules from the file
# pfctl -Rf /etc/pf.conf     Load only the filter rules from the file

# pfctl -sn                  Show the current NAT rules
# pfctl -sr                  Show the current filter rules
# pfctl -ss                  Show the current state table
# pfctl -si                  Show filter stats and counters
# pfctl -sa                  Show EVERYTHING it can show
For a complete list of commands, please see the pfctl(8) man page.
--------
HTH. It certainly seems like changing NAT and firewall rules on the fly is easier with pf. As I read and played with it, it seems to be much easier, particularly when using tables and lists.
I'm curious what you think is easier about the above than:
ipfw show                  (same as ipfw -a list)
ipfw -d list               (show dynamic rules)
ipfw -S list               (show the set each rule belongs to)
ipfw add 00400 allow blah
ipfw delete 00400
ipfw disable firewall
ipfw enable firewall
ipfw set disable (num)
ipfw set enable (num)
Etc., etc.
With ipfw you can add or delete rules on the fly as well. I do it regularly.
If you want to reset counters to zero, use ipfw zero rulenum. If you want to reset the log to zero, use ipfw resetlog rulenum. (Or you can reset an entire set.)
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
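The pfctl commands quoted at the top of this thread are what "changing rules on the fly" actually consists of in practice, and the step people skip is the one that matters: parse with -nf before loading with -f, and keep a copy of what was running so a bad push can be undone. The script below is an added example written for this page; it is not from the original post, the FreeBSD handbook, or the pf project. It assumes root on a host with pf enabled, placeholder file paths, and that the snapshot taken with -sn/-sr is enough to restore the previous ruleset (tables and anchors are not part of that output and would need to be saved separately).

```shell
#!/bin/sh
# Safe "on the fly" pf reload (added example, not from the original post).
# Flow: parse-check the candidate file (pfctl -nf), snapshot the running NAT
# and filter rules so they can be put back, load (pfctl -f), and optionally
# arm a timer that reverts to the snapshot unless the change is confirmed.
#
# Assumptions: root on a host with pf enabled; paths are placeholders;
# tables and anchors are not captured by the snapshot.

# Return 0 if the ruleset file parses, non-zero otherwise.
pf_check() {
    pfctl -nf "$1" >/dev/null 2>&1
}

# Write the currently loaded NAT rules followed by the filter rules to "$1".
# NAT rules must precede filter rules in a pf.conf, hence the order.
pf_snapshot() {
    { pfctl -sn && pfctl -sr; } > "$1"
}

# Load "$1" only if it parses; the previous ruleset is saved to "$2" first.
# Returns 1 without touching the running rules if the file is rejected.
pf_safe_load() {
    conf="$1"
    snap="$2"
    if ! pf_check "$conf"; then
        echo "refusing to load $conf: pfctl -nf reported an error" >&2
        return 1
    fi
    pf_snapshot "$snap" || return 1
    pfctl -f "$conf"
}

# Dead-man's switch for remote edits: load "$1", then revert to the snapshot
# after "$3" seconds (default 60) unless pf_confirm is run with the pid file
# "$4".  Useful when the rules being changed carry your own ssh session.
pf_load_with_revert() {
    conf="$1"
    snap="$2"
    timeout="${3:-60}"
    pidfile="${4:-/tmp/pf_revert.pid}"
    pf_safe_load "$conf" "$snap" || return 1
    ( sleep "$timeout"; pfctl -f "$snap" ) &
    echo $! > "$pidfile"
    echo "loaded $conf; run pf_confirm $pidfile within ${timeout}s or it reverts" >&2
}

# Cancel the pending revert once you have verified the box is still reachable.
pf_confirm() {
    pidfile="${1:-/tmp/pf_revert.pid}"
    [ -f "$pidfile" ] || return 1
    kill "$(cat "$pidfile")" 2>/dev/null
    rm -f "$pidfile"
}

# Usage (paths are placeholders):
#   pf_load_with_revert /etc/pf.conf.new /var/backups/pf.prev 60
#   ... check that you can still log in, then:
#   pf_confirm
```

The same shape works for ipfw if you swap the commands: ipfw has no separate parse-only step, so the equivalent check is loading the new rules into a disabled set and only flipping sets once the script has run without error.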