Setting up the Packet Filter (pf) firewall correctly on any macOS (from Sierra to Big Sur)

Introduction

The rules

# Network interface to filter on
ether=en0
# Don't filter on the local loopback interface
set skip on lo0
# Table of allowed IPs, loaded from a file (one address or CIDR block per line)
table <local> persist file "/etc/auth_ips"
# Block all traffic on LAN interface en0 by default
block drop on $ether all
# Allow all traffic in/out for the addresses in the <local> table
pass on $ether from <local>
# Allow SSH, VNC and ICMP echo requests from the university's 134.60.0.0/16 range
pass on $ether proto tcp from 134.60.0.0/16 to port 22
pass on $ether proto tcp from 134.60.0.0/16 to port 5900
pass inet proto icmp from 134.60.0.0/16 icmp-type echoreq

The launch daemon

The five locations where you can store the property lists read by launchd.
Apple's own daemon, /System/Library/LaunchDaemons/com.apple.pfctl.plist, only loads /etc/pf.conf at boot (pfctl -f, with no -e or -E), so it never enables pf by itself:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>com.apple.pfctl</string>
<key>WorkingDirectory</key>
<string>/var/run</string>
<key>Program</key>
<string>/sbin/pfctl</string>
<key>ProgramArguments</key>
<array>
<string>pfctl</string>
<string>-f</string>
<string>/etc/pf.conf</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
The custom daemon, stored in /Library/LaunchDaemons, runs the firewall script once at boot and writes its output and errors to log files:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>de.uni-ulm.medizin.pfctl.plist</string>
<key>Program</key>
<string>/usr/local/bin/firewall.sh</string>
<key>RunAtLoad</key>
<true/>
<key>LaunchOnlyOnce</key>
<true/>
<key>StandardOutPath</key>
<string>/Users/localadmin/pfctl_log.log</string>
<key>StandardErrorPath</key>
<string>/Users/localadmin/pfctl_error.log</string>
</dict>
</plist>

The firewall script

#!/bin/bash
# Give the network stack a moment, then wait until every interface is configured,
# so the rules are loaded once en0 actually exists
/bin/sleep 5
/usr/sbin/ipconfig waitall
# -E enables pf (and increases its enable reference count); -f loads the ruleset
/sbin/pfctl -E -f /etc/pf.medizin.uni-ulm.de.conf

The conf file /etc/pf.medizin.uni-ulm.de.conf that the script loads declares the anchor and pulls the rules shown above in from /etc/pf.anchors/medizin.uni-ulm.de:

anchor "de.uni-ulm.medizin.pf"
load anchor "de.uni-ulm.medizin.pf" from "/etc/pf.anchors/medizin.uni-ulm.de"
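A stricter version of the firewall.sh above, added here as an example and not the article's own script: it refuses to enable pf when the /etc/auth_ips table file contains a malformed entry or when the ruleset does not parse (pfctl -n is a parse-only dry run), then prints the status and the loaded table. The paths are the article's; PFCTL, PF_CONF and TABLE_FILE are assumed overridable environment variables, and the --run argument is an assumption of this script.

```bash
#!/bin/bash
# Added example, not the article's own firewall.sh: checks the /etc/auth_ips table file
# and dry-runs the ruleset (pfctl -n) before enabling pf. Paths below are the
# article's; override them through the environment for testing.
PFCTL="${PFCTL:-/sbin/pfctl}"
PF_CONF="${PF_CONF:-/etc/pf.medizin.uni-ulm.de.conf}"
TABLE_FILE="${TABLE_FILE:-/etc/auth_ips}"

# Accept only IPv4 addresses or IPv4 CIDR blocks, one per line; blank lines and
# '#' comments are ignored. Returns 1 at the first bad line so the load is aborted.
validate_table_file() {
  file="$1"
  [ -r "$file" ] || { echo "table file $file is missing" >&2; return 1; }
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    entry="${line%%#*}"                                # drop trailing comment
    entry="$(printf '%s' "$entry" | tr -d ' \t')"      # and surrounding whitespace
    [ -z "$entry" ] && continue
    if ! printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
      echo "$file:$n: invalid entry '$entry'" >&2
      return 1
    fi
    for octet in $(printf '%s' "${entry%%/*}" | tr '.' ' '); do   # regex alone allows 999
      [ "$octet" -le 255 ] || { echo "$file:$n: octet $octet out of range" >&2; return 1; }
    done
  done < "$file"
  return 0
}

# Parse-only first (-n); enable and load for real only when that succeeds, so a
# typo in the rules never makes this script enable pf without the intended ruleset.
load_ruleset() {
  validate_table_file "$TABLE_FILE" || return 1
  "$PFCTL" -nf "$PF_CONF" || { echo "ruleset failed to parse, pf untouched" >&2; return 1; }
  "$PFCTL" -E -f "$PF_CONF" || return 1
  "$PFCTL" -s info             # should now report "Status: Enabled"
  "$PFCTL" -t local -T show    # confirm the <local> table was populated
}

main() {
  /bin/sleep 5
  /usr/sbin/ipconfig waitall
  load_ruleset
}

# Only act when started with --run (add that string to the plist's ProgramArguments);
# without it the functions can be sourced and checked on their own.
if [ "${1:-}" = "--run" ]; then main; fi
```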

Time to try (and debug)

Checking the status with sudo pfctl -s info (the two ALTQ lines are warnings that pfctl on macOS prints on every invocation and can be ignored):

No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 7 days 07:51:35 Debug: Urgent

Summary

  • /etc/pf.anchors/<rules>: our custom rules for pf.
  • /Library/LaunchDaemons/<custom pfctl>.plist: the property list file defining the global daemon.
  • /usr/local/bin/firewall.sh: the script actually enabling pf.
  • /etc/<custom anchor>.conf: the conf file defining and loading our rules.
