Useful pfSense commands – OneByte | tech blog

Here are some commands that I’ve compiled over my time working with pfSense. My pfSense cheat sheet!

| Description | Command |
|---|---|
| Reload the firewall with all of its configuration. This also restarts the webgui and sshd, but keeps the current ssh sessions active, just as a regular sshd restart does. | `/etc/rc.reload_all` |
| Manually edit the configuration in /conf/config.xml. Once the file has been saved and the editor exited, /tmp/config.cache is removed so the next config reload event loads config.xml rather than the cached version. Run `/etc/rc.reload_all` afterwards to trigger an instant reload. | `viconfig` |
| Show rule/filter information | `pfctl -s rules` |
| Show filter rules verbosely, including which rules have been hit | `pfctl -v -s rules` |
| Show rule/filter info including rule counters, ID numbers, etc. | `pfctl -vvsr` |
| Show the current state table | `pfctl -ss` |
| Show current filter rules | `pfctl -sr` |
| Show as much as possible | `pfctl -sa` |
| Show current NAT rules | `pfctl -sn` |
| Show NAT rules verbosely, including which rules have been hit | `pfctl -v -s nat` |
| Show NAT information for interface ge1 | `pfctl -s nat -i ge1` |
| Show queue information | `pfctl -s queue` |
| Show label information | `pfctl -s label` |
| Show contents of the state table | `pfctl -s state` |
| Show statistics for state tables and packet normalization | `pfctl -s info` |
| Show everything | `pfctl -s all` |
| Enable the packet filter (enables all firewall functions) | `pfctl -e` |
| Disable the packet filter (disables all firewall functions) | `pfctl -d` |
| Run quietly (suppress non-error output; combine with another option) | `pfctl -q` |
| Flush everything | `pfctl -F all` |
| Flush only the rules | `pfctl -F rules` |
| Flush only the queues (note the capital `-F`; lowercase `-f` would try to load a ruleset from a file named `queue`) | `pfctl -F queue` |
| Flush only NAT | `pfctl -F nat` |
| Flush all stats that are not part of any rule | `pfctl -F info` |
| Clear all counters | `pfctl -z` |
Playback Scripts

| Description | Command |
|---|---|
| Changes the password for the named user. Prompts to reset the account properties if the account is disabled or expired. | `pfSsh.php playback changepassword` |
| Disable/enable the CARP high availability functions. Disabling deactivates the CARP virtual IP addresses. Does not persist across reboots. | `pfSsh.php playback disablecarp`, `pfSsh.php playback enablecarp` |
| Disable/enable CARP maintenance mode. Maintenance mode leaves CARP active but demotes the unit so that another can assume control. Maintenance mode persists across reboots. | `pfSsh.php playback disablecarpmaint`, `pfSsh.php playback enablecarpmaint` |
| Removes all DHCP configuration from the firewall, causing DHCP to be disabled. It completely removes all of its settings. | `pfSsh.php playback disabledhcp` |
| Disables the HTTP_REFERER check in browser HTTP_REFERER enforcement. This can help regain access to the GUI if the browser session is triggering this protection. | `pfSsh.php playback disablereferercheck` |
| Adds an allow-all rule for IPv4 and IPv6 to the WAN interface. Be extremely careful with this option: it is meant as a temporary measure to gain access to services on the WAN interface of the firewall in situations where the LAN is not usable. Once proper access rules are in place, remove the rules added by this script. | `pfSsh.php playback enableallowallwan` |
| Enables the SSH daemon, the same as the console menu option or the GUI setting. | `pfSsh.php playback enablesshd` |
| Looks for a config.xml file on an external device, such as a USB drive, and moves it into place for use by the firewall. | `pfSsh.php playback externalconfiglocator` |
| Prints the current gateway status and statistics. Accepts an optional parameter `brief`, which prints only the gateway name and status, omitting the addresses and statistical data. | `pfSsh.php playback gatewaystatus` |
| Creates a new self-signed certificate for the firewall and activates it for use in the GUI. Useful where the previous certificate is invalid or unusable. It fills in the certificate details using the firewall hostname and other custom information to better identify the host. | `pfSsh.php playback generateguicert` |
| A complex script that synchronizes the PHP and other script sources with the files from the pfSense GitHub repository. Most useful on development snapshots to pick up changes from more recent commits. This script can be dangerous to use in other circumstances; only use it under the direction of a knowledgeable developer or support representative. | `pfSsh.php playback gitsync` |
| Install, list, or uninstall packages from the shell. | `pfSsh.php playback installpkg`, `pfSsh.php playback listpkg`, `pfSsh.php playback uninstallpkg` |
| View additional rules in anchors from packages or features, such as UPnP. | `pfSsh.php playback pfanchordrill` |
| Prints the contents of all pf tables, which hold the addresses used in firewall aliases as well as built-in system tables for features such as bogon network blocking, snort, and GUI/SSH lockout. Also useful for checking whether a specific IP address is present in any table, rather than searching each one individually. | `pfSsh.php playback pftabledrill` |
| Removes all traces of package configuration data from the running config.xml. Useful if a package has corrupted settings or has otherwise left the packages in an inconsistent state. | `pfSsh.php playback removepkgconfig` |
| Removes ALTQ traffic shaper settings. Useful if the shaper configuration is preventing rules from loading or is otherwise incorrect and preventing proper operation of the firewall. | `pfSsh.php playback removeshaper` |
| Resets the GUI settings for widgets, dashboard columns, the theme, and other GUI-related settings. It can return the GUI, particularly the dashboard, to a stable state if it is not functioning properly. | `pfSsh.php playback resetwebgui` |
| Disables and re-enables each WAN-type interface, which reapplies the interface configuration. | `pfSsh.php playback restartallwan` |
| Stops and restarts the DHCP daemon. | `pfSsh.php playback restartdhcpd` |
| Rewrites and reloads the IPsec configuration for strongSwan. | `pfSsh.php playback restartipsec` |
| Controls the services running on the firewall, similar to interacting with services at Status > Services. Usage: `playback svc <action> <service name> [service-specific options]`. The action can be stop, start, or restart. The service name is the name as shown under Status > Services; if it includes a space, enclose it in quotes. The service-specific options vary by service and are used to uniquely identify services with multiple instances, such as OpenVPN or Captive Portal entries. | `pfSsh.php playback svc` |

   
The shell version of Easy Rule, easyrule, can add a firewall rule from a shell prompt. When the easyrule command is run without parameters, it prints a usage message that explains its syntax.

The way easyrule adds a block rule (using an alias) or a precise pass rule (specifying the protocol, source, and destination) works the same as the GUI version. A pass rule takes the full argument list; a block rule takes only the interface and the source address:

```
easyrule pass <interface> <protocol> <source IP> <destination IP> [destination port]
easyrule block <interface> <source IP>

easyrule pass wan tcp 0.0.0.0/0 192.168.0.1 80

easyrule pass wan icmp 1.1.1.1 192.168.0.1

easyrule block wan 1.1.1.1
```
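
Because easyrule writes straight into the ruleset, a mistyped argument can end up as a far wider pass rule than intended. The following POSIX sh wrapper is an added example, not code from the original post or from pfSense: it validates the action, interface name, protocol, IPv4 addresses/CIDRs and port before calling the real command, and refuses a tcp/udp pass rule that names no destination port. `EASYRULE` is an assumed override hook (default `easyrule`); set it to `echo` to dry-run.

```shell
# Added example (not part of the original post): validate easyrule arguments
# before running the real command, so a typo cannot produce a wider pass rule
# than intended. EASYRULE is an assumed override hook: set EASYRULE=echo to
# dry-run and see the command line that would be executed.
EASYRULE="${EASYRULE:-easyrule}"

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix length.
is_ipv4() {
  addr=${1%%/*}
  if [ "$addr" != "$1" ]; then
    plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
  fi
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}
# Accept a single TCP/UDP port number 1-65535.
is_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# easyrule_safe pass <iface> <proto> <src> <dst> [port]  |  easyrule_safe block <iface> <src>
easyrule_safe() {
  action=$1 iface=$2
  case "$iface" in ''|*[!a-z0-9]*) echo "bad interface '$iface'" >&2; return 1 ;; esac
  case "$action" in
    block)
      [ $# -eq 3 ] && is_ipv4 "$3" || { echo "usage: block <iface> <src>" >&2; return 1; }
      "$EASYRULE" block "$iface" "$3" ;;
    pass)
      proto=$3 src=$4 dst=$5 port=$6
      case "$proto" in tcp|udp|icmp) ;; *) echo "bad protocol '$proto'" >&2; return 1 ;; esac
      is_ipv4 "$src" && is_ipv4 "$dst" || { echo "bad address '$src' or '$dst'" >&2; return 1; }
      if [ -n "$port" ]; then
        is_port "$port" || { echo "bad port '$port'" >&2; return 1; }
      elif [ "$proto" != icmp ]; then
        # Least privilege: a tcp/udp pass rule must name its destination port.
        echo "refusing $proto pass without a destination port" >&2; return 1
      fi
      "$EASYRULE" pass "$iface" "$proto" "$src" "$dst" ${port:+"$port"} ;;
    *) echo "action must be pass or block" >&2; return 1 ;;
  esac
}
```

Source the file in the pfSense shell and call `easyrule_safe pass wan tcp 0.0.0.0/0 192.168.0.1 80`; with `EASYRULE=echo` it only prints the validated command line.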

| Description | Command |
|---|---|
| Show the contents of table addvhosts | `pfctl -t addvhosts -T show` |
| View global information about all tables | `pfctl -vvsTables` |
| Add an entry to table addvhosts | `pfctl -t addvhosts -T add 192.168.1.50` |
| Add a network to table addvhosts | `pfctl -t addvhosts -T add 192.168.1.0/16` |
| Delete a network from table addvhosts | `pfctl -t addvhosts -T delete 192.168.1.0/16` |
| Remove all entries from table addvhosts | `pfctl -t addvhosts -T flush` |
| Delete table addvhosts entirely | `pfctl -t addvhosts -T kill` |
| Replace the contents of table addvhosts on the fly with the addresses listed in a file | `pfctl -t addvhosts -T replace -f /etc/addvhosts` |
| Test whether address 192.168.1.40 matches table addvhosts | `pfctl -t addvhosts -T test 192.168.1.40` |
| Load the table definitions from a ruleset file | `pfctl -T load -f /etc/pf.conf` |
| Show per-address statistics for table addvhosts | `pfctl -t addvhosts -T show -v` |
| Reset all counters for table addvhosts | `pfctl -t addvhosts -T zero` |
| Manually restart the OpenVPN processes (run via the pfSense PHP shell) | `echo "<?php include('openvpn.inc'); openvpn_resync_all();?>" \| php -q` |

 

Source: Useful pfSense commands – OneByte | tech blog
