Viewing the pf ruleset

pfSense® software handles translating the firewall rules in the GUI into a set of rules which can be interpreted by the packet filter (PF).

Generated Rules

The PF rules generated by the firewall are in /tmp/rules.debug. However, that file cannot be edited to make persistent changes - the firewall will overwrite it during the next filter reload event.

Note

There is rarely a need to manually edit firewall rules generated by the GUI. In most cases if it appears to be necessary, something is incorrect with the configuration.

If the generated rules truly must be edited, then the edits must be made to the source code which generates the ruleset in /etc/inc/filter.inc. Such changes will be lost when updating to a new version.

Interpreted Rules

PF can interpret the rules slightly differently than in the way they were generated by the filter code. To view the rule set as has been interpreted by PF, use one of the following methods.

Using the SSH console or Command Prompt field in the GUI, run the following:

Show Firewall Rules:

# pfctl -sr

Show NAT rules:

# pfctl -sn

Show all:

# pfctl -sa

For more verbose output including rule counters, ID numbers, and so on, use:

# pfctl -vvsr

There may be additional rules in anchors from packages or features such as UPnP. To view these rules, use:

# pfSsh.php playback pfanchordrill