Validating Packet Filter rules

After editing Packet Filter rules you might want to verify what you just edited before enabling the rules. Here is what I usually do on my server so that I don't break the whole installation and can quickly get back to my previous configuration.

First of all, I change pf_enable in /etc/pf.conf to NO. This makes it easier to disable the packet filter in case you lock yourself out of the server due to a bad rule. To disable it, I just have to reboot, which is possible through my provider's web interface.

Next, I let pfctl parse and print the rules as it understands them. I use the following command to do that:

pfctl -nvvvf /etc/pf.conf
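As an added example (not the author's own setup), here is a small POSIX shell wrapper around the same parse-only check that also arms a timed rollback to a known-good config, so a ruleset that parses but still locks you out reverts without a reboot. The PFCTL and MARKER variables and the /tmp/pf_pending path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the author's setup: wrap the parse-only check in a
# small load-with-rollback helper. Assumptions: pf is already running, you
# keep a known-good copy of the previous pf.conf, and PFCTL/MARKER may be
# overridden (handy for dry runs with a stub instead of the real pfctl).

PFCTL="${PFCTL:-pfctl}"
MARKER="${MARKER:-/tmp/pf_pending}"   # assumed path; present while a load is unconfirmed

# Parse only (-n), very verbose (-vvv): prints the rules as pfctl understands
# them and exits non-zero on a syntax error, without touching the live ruleset.
pf_check() {
    "$PFCTL" -nvvvf "$1"
}

# Load NEW only if it parses. A background timer reloads OLD after TIMEOUT
# seconds unless pf_commit has removed the marker first, so a ruleset that
# parses fine but still locks you out reverts on its own.
pf_try_load() {
    new="$1"; old="$2"; timeout="${3:-120}"
    if ! pf_check "$new" >/dev/null 2>&1; then
        echo "refusing to load $new: pfctl rejected it" >&2
        return 1
    fi
    : > "$MARKER"
    ( sleep "$timeout"
      if [ -e "$MARKER" ]; then "$PFCTL" -f "$old" && rm -f "$MARKER"; fi ) &
    "$PFCTL" -f "$new"
}

# Run this from a fresh SSH session once you have confirmed you can still log in.
pf_commit() {
    rm -f "$MARKER"
}
```

pfctl -n only catches errors pfctl can see at parse time; the timer covers rules that load cleanly but still cut off your own access.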

Note that your packet filter configuration file might have a different name.

Cheers,
iss