Setting up correctly Packet Filter (pf) firewall on any macOS (from Sierra to Big Sur)


The rules

# Network interfaces
# Don't filter on local loopback
set skip on lo0
# Table allow IPs
table <local> persist file "/etc/auth_ips"
# Block all traffic on LAN interface en0 by default
block drop on $ether all
# Allow all traffic in/out in the local subnet
pass on $ether from <local>
# Allow SSH, VNC and echoreq ICMP type from Uni's IPs
pass on $ether proto tcp from to port 22
pass on $ether proto tcp from to port 5900
pass inet proto icmp from icmp-type echoreq

The launch daemon

The five locations where you can store the property lists read by launchd.
<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE plist PUBLIC "-//Apple Computer/DTD PLIST 1.0//EN" "">
<plist version="1.0">

The firewall script

/bin/sleep 5
/usr/sbin/ipconfig waitall
/sbin/pfctl -E -f /etc/
anchor ""
load anchor "" from "/etc/pf.anchors/"

Time to try (and debug)

No ALTQ support in kernel 
ALTQ related functions disabled
Status: Enabled for 7 days 07:51:35 Debug: Urgent


  • /etc/pf.anchors/<rules>: our custom rules for pf.
  • /Library/LaunchDaemons/<custom pfcl>.plist: the property list file defining the global daemon.
  • /usr/local/bin/ the script actually enabling pf.
  • /etc/<custom anchor>.conf: the conf file defining and loading our rules.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store