Viewing the pf ruleset
pfSense® software handles translating the firewall rules in the GUI into a set of rules which can be interpreted by the packet filter (PF).
The PF rules generated by the firewall configuration are in
/tmp/rules.debug. However, that file cannot be edited to make persistent
changes - it will be overwritten by the next filter reload event.
There is rarely a need to manually edit firewall rules generated by the GUI. In most cases if it appears to be necessary, something is incorrect with the configuration.
If the generated rules truly must be edited, then the edits must be made to
the source code which generates the ruleset in
changes will be lost when updating to a new version.
PF may interpret the rules slightly differently from the way the filter code generated them. To view the ruleset as PF has actually loaded and interpreted it, use one of the following methods.
Show Firewall Rules:
# pfctl -sr
Show NAT rules:
# pfctl -sn
Show everything PF has loaded (rules, NAT, states, tables, and more):
# pfctl -sa
For more verbose output including rule counters, ID numbers, and so on, use:
# pfctl -vvsr
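The counter lines that the verbose output prints under each "@N" rule can be parsed to find rules that have never matched a packet, which is a useful review step after a firewall configuration change. The script below is an added example, not part of the pfSense documentation or code; it assumes the "[ Evaluations: ... Packets: ... Bytes: ... ]" line format shown by pfctl -vvsr and runs here against a constructed sample with made-up counters.

```shell
#!/bin/sh
# Added example, not from the pfSense documentation: parse the counter
# lines that "pfctl -vvsr" prints under each "@N" rule and flag rules
# that have never matched a packet.

# Read "pfctl -vvsr" style text on stdin. The "@N" line carries the rule
# text; the "[ Evaluations: ... ]" line that follows carries its counters.
summarize_rules() {
    awk '
        /^@[0-9]+ / {
            num = substr($1, 2); label = "-"; have_rule = 1
            # pfSense rule labels are quoted, e.g. label "USER_RULE: ..."
            if (match($0, /label "[^"]*"/))
                label = substr($0, RSTART + 7, RLENGTH - 8)
            next
        }
        /\[ Evaluations:/ && have_rule {
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") evals = $(i + 1)
                if ($i == "Packets:")     pkts  = $(i + 1)
                if ($i == "Bytes:")       bytes = $(i + 1)
            }
            flag = (pkts == 0) ? "UNUSED" : "hit"
            printf "%s rule=%s evals=%s packets=%s bytes=%s label=%s\n", flag, num, evals, pkts, bytes, label
            have_rule = 0
        }
    '
}

# Constructed sample in the shape "pfctl -vvsr" prints; all counters are made up.
SAMPLE_PFCTL_OUTPUT='@0 scrub in on em0 all fragment reassemble
  [ Evaluations: 1200      Packets: 1200      Bytes: 96000       States: 0     ]
  [ Inserted: uid 0 pid 555 State Creations: 0     ]
@1 block drop in log all label "Default deny rule IPv4"
  [ Evaluations: 850       Packets: 42        Bytes: 3360        States: 0     ]
  [ Inserted: uid 0 pid 555 State Creations: 0     ]
@2 pass in quick on em1 inet proto tcp from any to 192.0.2.10 port = 22 flags S/SA keep state label "USER_RULE: Admin SSH"
  [ Evaluations: 850       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 555 State Creations: 0     ]
'

summarize_sample() { printf '%s' "$SAMPLE_PFCTL_OUTPUT" | summarize_rules; }

# Number of rules in the sample that have matched no packets at all.
count_unused_sample() { summarize_sample | grep -c '^UNUSED '; }

# Demo run on the sample; on a pfSense host use:  pfctl -vvsr | summarize_rules
summarize_sample
```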
There may be additional rules in anchors from packages or features such as UPnP. To view these rules, use:
# pfSsh.php playback pfanchordrill