
Here are some commands that I’ve compiled over my time working with pfSense. My pfSense cheat sheet!
| Description | Command |
| Reload the Firewall with all the configuration. This also restarts the webgui and sshd – but keeps the current ssh sessions active just as a regular sshd restart. | /etc/rc.reload_all |
| Manually edit the configuration in /conf/config.xml. Once file has been saved and editor exited, the /tmp/config.cache is removed so the next config reload event will load config.xml, not the cached version. You could run the next command to trigger an instant reload. | viconfig |
| Show rule/filter information | pfctl -s rules |
| Show rule/filter info for what FILTER rules hit | pfctl -v -s rules |
| Show rule/filter info, includes rule counters, ID numbers, etc. | pfctl -vvsr |
| Shows the current state table | pfctl -ss |
| Shows current filter rules | pfctl -sr |
| Show as much as possible. | pfctl -sa |
| Shows current NAT rules | pfctl -sn |
| Show NAT information for which rules hit | pfctl -v -s nat |
| Show NAT information for interface GE1 | pfctl -s nat -i ge1 |
| Show QUEUE information | pfctl -s queue |
| Show LABEL information | pfctl -s label |
| Show contents of the STATE table | pfctl -s state |
| Show statistics for state tables and packet normalization | pfctl -s info |
| Show everything | pfctl -s all |
| Enable the packet filter – enables all firewall functions | pfctl -e |
| Disable the packet filter – disables all firewall functions | pfctl -d |
| Run qiuet | pfctl -q |
| flush ALL | pfctl -F all |
| flush only the RULES | pfctl -F rules |
| flush only queues | pfctl -f queue |
| flush only NAT | pfctl -F nat |
| pfctl -F info | flush all stats that are not part of any rule |
| pfctl -z clear | all counters |
| Playback Scripts | |
| Changes password for the defined user. Prompts to reset the account properties if it is disabled or expired | pfSsh.php playback changepassword |
| Enable/Disable CARP high availability functions. Will deactivate the CARP virtual IP addresses. Does not persist across reboots. |
pfSsh.php playback disablecard
|
| Enable/Disable CARP maintenance mode. This leaves CARP active but demotes the unit so that another can assume control. Maintenance mode will persist across reboots. |
pfSsh.php playback disablecarpmaint pfSsh.php playback enablecarpmaint |
| Removes all DHCP configuration from the firewall causing DHCP to be disabled. It completely removes all of its settings. |
pfSsh.php playback disabledhcp |
| Disables the HTTP_REFERER check in Browser HTTP_REFERER enforcement. This can aid in gaining access to the GUI if the browser session is triggering this protection. |
pfSsh.php playback disablereferercheck |
|
Adds an allow all rule for IPv4 and IPv6 to the WAN interface Be extremely careful with this option, it is meant to be a temporary measure to gain access to services on the WAN interface of the firewall in situations where the LAN is not usable. Once proper access rules are put in place, remove the rules added by this script. |
pfSsh.php playback enableallowallwan |
|
Enables the SSH daemon – same as the menu option or in the GUI |
pfSsh.php playback enablesshd |
|
This script looks for a config.xml file on the external device, such as a USB drive. Then move it in place for use by the firewall. |
pfSsh.php playback externalconfiglocator |
|
Prints the current gateway status and statistics. This also accepts an optional parameter brief, which prints only the gateway name and status, omitting the addresses and statistical data. |
pfSsh.php playback gatewaystatus |
|
Creates a new self-signed certificate for the firewall and activates for use in the GUI. This can be useful in cases where the previous certificate is invalid or unusable. It also fills in the certificate details using the firewall hostname and other custom information for better identifying your host. |
pfSsh.php playback generateguicert |
|
A complex script that synchronizes the PHP and other script sources with the files from the pfSense GitHub repository. This is most useful on development snapshots to pick up changes from more recent commits. This script can be dangerous to use in other circumstances. Only use this under the direction of a knowledgeable developer or support representative. |
pfSsh.php playback gitsync |
|
|
pfSsh.php playback install pkg pfSsh.php playback listpkg pfSsh.php playback uninstallpkg |
|
View additional rules in anchors from packages or features, such as UPnP. |
pfSsh.php playback pfanchordrill |
|
Prints the contents of all pf tables, which contain addresses used in firewall aliases, as well as built-in system tables for features such as bogon network blocking, snort, and GUI/SSH lockout. This is also useful for checking if a specific IP address is found in any table, rather than searching individually. |
pfSsh.php playback pftabledrill |
|
Removes all traces of package configuration data from the running config.xml. This can be useful if a package has corrupted settings or has otherwise left the packages in an inconsistent state. |
pfSsh.php playback removepkgconfig |
|
Removes ALTQ traffic shaper settings, which can be useful if the shaper configuration is preventing rules from loading or is otherwise incorrect and preventing proper operations of the firewall. |
pfSsh.php playback removeshaper |
|
Resets the GUI settings for widgets, dashboard columns, the theme, and other GUI-related settings. It can return the GUI, particularly the dashboard, to a stable state if it is not functioning properly. |
pfSsh.php playback resetwebgui |
|
Disables and re-enables each WAN-type interface, which reapplies the interface configuration |
pfSsh.php playback restartallwan |
|
Stops and restarts the DHCP daemon |
pfSsh.php playback restartdhcpd |
|
Rewrites and reloads the IPsec configuration for strongSwan |
pfSsh.php playback restartipsec |
|
Controls the services running on the firewall, similar to interacting with services at Status > Services The action can be stop, start, or restart. The service name is the name of the services as found under Status > Services. If the name includes a space, enclose the name in quotes. The service-specific options vary depending on the service, they are used to uniquely identify services with multiple instances, such as OpenVPN or Captive Portal entries. |
pfSsh.php playback svc playback svc <action> <service name> [service-specific options] |
|
|
|
|
The shell version of Easy Rule, easyrule, can add a firewall rule from a shell prompt. When the easyrule command is run without parameters, it prints a usage message to explain its syntax. The way easyrule adds a block rule using an alias, or a precise pass rule specifying the protocol, source, and destination, work similar to the GUI version.
|
easyrule pass/block <interface> <protocol> <source IP> <destination ip> [destination port] easyrule pass wan tcp 0.0.0.0/0 192.168.0.1 80 easyrule pass wan icmp 1.1.1.1 192.168.0.1 easyrule block wan 1.1.1.1 |
| show table addvhosts | pfctl -t addvhosts -T show |
| view global information about all tables | pfctl -vvsTables |
| add entry to table addvhosts | pfctl -t addvhosts -T add 192.168.1.50 |
| add a network to table addvhosts | pfctl -t addvhosts -T add 192.168.1.0/16 |
| delete nework from table addvhosts | pfctl -t addvhosts -T delete 192.168.1.0/16 |
| remove all entries from table addvhosts | pfctl -t addvhosts -T flush |
| delete table addvhosts entirely | pfctl -t addvhosts -T kill |
| reload table addvhosts on the fly | pfctl -t addvhosts -T replace -f /etc/addvhosts |
| find ip address 192.168.1.40 in table addvhosts | pfctl -t addvhosts -T test 192.168.1.40 |
| load a new table definition | pfctl -T load -f /etc/pf.conf |
| stats for each ip address in table addvhosts | pfctl -t addvhosts -T show -v output |
|
reset all counters for table addvhosts |
pfctl -t addvhosts -T zero |
|
Manual restart of openVPN process |
echo “<?php include(‘openvpn.inc’); openvpn_resync_all();?>” | php -q |
- Setting up Portainer on Synology NAS via Compose - February 28, 2025
- ERP Logistics Integration - October 22, 2024
- Mobile Device Management Consulting Services - September 22, 2024
Hi Mr Mooo 🙂
I just found your very helpful guide and maybe you can give me a clue where to solve my problem with pfsense.
I’m looking for the WAN interface configuration file that is created when I load a backup.xml file into the pfsense GUI.
The reason is simple 🙂 When I try to enter the necessary information (credentials, prefix, etc) manually, my provider denies the connection.
But when I upload the working config it works fine (and in the GUI all the fields are filled with exactly the same data). So my best guess is that there is additional information in the very file I’m looking for that isn’t displayed in the GUI.
Can you help me out and point me to that file?
Thanks a lot Dom