# pfctl dynamically add and remove rules from commandline



## sagarsingha (Jun 28, 2018)

Hi,

I am trying to add and remove rules from the command line on the fly. I have tried like below:

1. I have written the below line in /etc/pf.conf to create an anchor.

```
anchor "goodguys"
```

2. Then I have loaded the pf.conf file like below:
`pfctl -f /etc/pf.conf`
3. Then I have added a rule like below:
`echo "block in proto icmp from 10.0.104.140 to any" | pfctl -a goodguys -f -`
4. Up to this it's working fine.

But now if I want to add a new rule, it replaces the previous rule.

How can I keep adding and deleting new rules in the same anchor at run time?

Please help.


----------



## SirDice (Jun 28, 2018)

The -f option replaces your existing anchor rules. Just like `pfctl -f /etc/pf.conf` replaces all your rules. If you want to add IP addresses to existing rules use a table.
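
The table approach SirDice describes, as an added example that is not part of this thread and not FreeBSD's own code: a small POSIX sh wrapper around `pfctl -t ... -T add`, `-T delete` and `-T show`. The table name `blocked_hosts` and the two-line pf.conf fragment in the comment are assumptions. Because the addresses will typically come from another component (a script, a policy feed), the wrapper refuses anything that is not a plain IPv4 address or prefix before it reaches pfctl.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): manage a pf table
# from the command line instead of rewriting rules. It assumes this
# constructed fragment in /etc/pf.conf, loaded once with pfctl -f:
#
#   table <blocked_hosts> persist
#   block in quick from <blocked_hosts> to any
#
# After that, changing the table changes what the rule blocks, with no
# reload and no risk of replacing the other rules in the ruleset.

TABLE=${TABLE:-blocked_hosts}

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix.
# Anything else (hostnames, IPv6, stray text) is refused before it
# reaches pfctl, so a caller feeding this script cannot hand pfctl
# arbitrary pf syntax.
valid_addr() {
    addr=${1%/*}             # strip an optional /prefix
    prefix=${1#"$addr"}      # "" or "/nn"
    case "$addr" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    case "$prefix" in
        ""|/[0-9]|/[12][0-9]|/3[0-2]) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1            # exactly four octets
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

block_host() {
    valid_addr "$1" || { echo "refusing bad address: $1" >&2; return 2; }
    pfctl -t "$TABLE" -T add "$1"
}

unblock_host() {
    valid_addr "$1" || { echo "refusing bad address: $1" >&2; return 2; }
    pfctl -t "$TABLE" -T delete "$1"
}

list_blocked() {
    pfctl -t "$TABLE" -T show
}

# Command-line dispatch; with no arguments the functions are only defined.
if [ $# -gt 0 ]; then
    case "$1" in
        block)   block_host "$2" ;;
        unblock) unblock_host "$2" ;;
        list)    list_blocked ;;
        *) echo "usage: $0 block|unblock ADDR | list" >&2; exit 64 ;;
    esac
fi
```

Run it as root (`./pftable.sh block 10.0.104.140`, `./pftable.sh list`); `pfctl -t blocked_hosts -T show` confirms the change took effect without any rule reload.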


----------



## sagarsingha (Jun 28, 2018)

SirDice said:


> The -f option replaces your existing anchor rules. Just like `pfctl -f /etc/pf.conf` replaces all your rules. If you want to add IP addresses to existing rules use a table.


Thanks for your reply.

But my requirement is: if I want to add new rules entirely via the command line under the same anchor, then how can I achieve it?


----------



## SirDice (Jun 28, 2018)

The only way to "add" rules would be to read the existing rules, add your new rule to this list and load the adjusted rules. But I would suggest rethinking your solution, you're probably making it more complex than necessary.


----------



## sagarsingha (Jun 28, 2018)

SirDice said:


> The only way to "add" rules would be to read the existing rules, add your new rule to this list and load the adjusted rules. But I would suggest rethinking your solution, you're probably making it more complex than necessary.



Thanks Dice.

Actually I am going to implement a firewall on a MAC endpoint. So we have a Policy Engine which is used to send policy to the endpoint for different server accessibility. Let's assume we have servers A and B, and the endpoint is C. So if the policy is, for server A ICMP blocked and for server B SSH blocked, I want to add these two rules dynamically on the same anchor, and in future on an on-demand basis I have to delete and modify the rules as well. So is this type of scenario possible to achieve through command-line pfctl, or should I write the rules to a file and load it every time?
Please suggest!
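
SirDice's read-modify-write suggestion applied to the scenario just described (per-server rules added to one anchor and later removed), as an added example that is not code from this thread or from FreeBSD. The anchor name `goodguys` is the one used above; the lock path and the sample rules are constructed. Two points a practitioner should want here: `pfctl -a goodguys -f -` replaces the whole anchor, so the new list is syntax-checked with `-n` first so that one malformed rule from the policy engine cannot wipe the working set, and concurrent updates are serialised so that two read-modify-write cycles cannot overwrite each other.

```shell
#!/bin/sh
# Added example (not from the thread): keep an anchor's rule list in
# sync by reading it back, editing the list, and reloading the whole
# list. Anchor name "goodguys" is the one from the thread; the lock path
# and the sample rules are constructed.

ANCHOR=${ANCHOR:-goodguys}
LOCK=${LOCK:-${TMPDIR:-/tmp}/pf-anchor-$ANCHOR.lock}

# Rules currently loaded in the anchor, one per line, as pfctl prints
# them. pfctl prints its own normalised form (for example "block in ..."
# comes back as "block drop in ..."), so delete_rule must be given the
# text exactly as this function shows it.
current_rules() {
    pfctl -a "$ANCHOR" -sr
}

# Replace the anchor's rule set with the lines on stdin. The set is
# parsed first with -n (syntax check only, nothing loaded) so that a
# malformed rule never replaces the working set: -f replaces
# everything in the anchor, which is the behaviour the thread is about.
load_rules() {
    ruleset=$(sed '/^[[:space:]]*$/d')
    printf '%s\n' "$ruleset" | pfctl -n -a "$ANCHOR" -f - || return 1
    printf '%s\n' "$ruleset" | pfctl -a "$ANCHOR" -f -
}

edit_rules() {
    case "$1" in
        add)    { current_rules; printf '%s\n' "$2"; } | load_rules ;;
        delete) current_rules | grep -Fxv -- "$2" | load_rules ;;
    esac
}

# Serialise read-modify-write cycles: two policy updates arriving at
# once would otherwise both read the old list and one of them would be
# lost. mkdir is atomic, so it doubles as a portable lock.
with_lock() {
    until mkdir "$LOCK" 2>/dev/null; do sleep 1; done
    if "$@"; then rc=0; else rc=$?; fi
    rmdir "$LOCK"
    return $rc
}

add_rule()    { with_lock edit_rules add "$1"; }
delete_rule() { with_lock edit_rules delete "$1"; }

# Command-line dispatch; with no arguments the functions are only defined.
if [ $# -gt 0 ]; then
    case "$1" in
        add)    add_rule "$2" ;;
        delete) delete_rule "$2" ;;
        list)   current_rules ;;
        *) echo "usage: $0 add|delete 'RULE' | list" >&2; exit 64 ;;
    esac
fi
```

With the anchor declared in /etc/pf.conf as in the first post, `./pfanchor.sh add "block in proto icmp from 10.0.104.140 to any"` followed by `./pfanchor.sh list` shows the accumulated rules, and `delete` takes the rule text exactly as `list` prints it. Whatever component feeds this script is effectively writing firewall policy as root, so its input channel deserves the same protection as the ruleset itself.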


----------



## SirDice (Jun 28, 2018)

sagarsingha said:


> Actually I am going to implement Firewall On MAC Endpoint.


Do you mean MAC, MAC, MAC or MAC?


----------



## sagarsingha (Jun 28, 2018)

SirDice said:


> Do you mean MAC, MAC, MAC or MAC?


Sorry for the confusion. I mean to say macOS.


----------



## SirDice (Jun 28, 2018)

We only support FreeBSD. I suggest you seek help on a MacOS forum.

Rule #7: FreeBSD Forums Rules

Thread closed.


----------

