Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall. Apps included in OS X are signed by Apple and are allowed to receive incoming connections when this setting is enabled. If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose Allow, OS X signs the application and automatically adds it to the firewall list. If you choose Deny, OS X adds it to the list but denies incoming connections intended for this app.

If you want to deny a digitally signed application, you should first add it to the list and then explicitly deny it.

Some apps check their own integrity when they are opened without using code signing. If the firewall recognizes such an app, it doesn't sign it. Instead, the "Allow or Deny" dialog appears every time the app is opened. This can be avoided by upgrading to a version of the app that is signed by its developer.

This post is material that comes from a slightly earlier version but is very relevant nonetheless. However, you should be aware that an OS update will wipe out your existing pf.conf … very bad, because you won't notice. What you should do is copy your pf.conf into a file that won't be destroyed, for example your domain-name.pf.conf, and then, in your plist file, use that file name, not pf.conf. It IS running all the components of a server that I have either built myself or added with Homebrew. These include the following.

Apache 2.4, Postfix, Dovecot, Spamassassin, Amavis and numerous other small binaries needed to support them, and other things I'm doing. This set of configurations is valid for OS X though, up to at least the latest macOS High Sierra version 10.13.6. When the new release appears, I'll check and update this post.

That is, the sample pf.conf that follows this "tutorial", which in some cases is inaccurate… but mine works. It contains IPv6 settings as well as IPv4, and some settings that I'm working on as an experiment. Remember, pf won't work even if you load it, unless it's enabled. See below, and in the sample pf.conf.

Don't forget to read the onboard man pages.

Mac OS X 10.6 (and earlier) came with IPFW, a port of FreeBSD's stateful firewall. IPFW was deprecated in OS X 10.7 and was completely removed in OS X 10.10; it was replaced with PF.

PF (Packet Filter) is OpenBSD's system for filtering TCP/IP traffic and doing Network Address Translation. PF in OS X, however, appears to be based on the FreeBSD port of PF, but with some notable additions (see below). Like FreeBSD 9.X and later, OS X appears to use the same version of PF as OpenBSD 4.5. Note that the latest OpenBSD version is 5.6 (as of January 2015) and the configuration syntax for PF changed around 4.6/4.7.

Apple has enhanced PF so that various system components might choose to enable and disable PF, as indicated by the following snippet in /etc/pf.conf:

    # This file contains the main ruleset, which gets automatically loaded
    # at startup.  PF will not be automatically enabled, however.  Instead,
    # each component which utilizes PF is responsible for enabling and disabling
    # PF via -E and -X as documented in pfctl(8).  That will ensure that PF
    # is disabled only when the last enable reference is released.

Here's how they are documented in pfctl(8):

    -E      Enable the packet filter and increment the pf enable reference count.

    -X token
            Release the pf enable reference represented by the token passed.

    -s References
            Show pf enable reference statistics (pid/name of enabler, token, timestamp).

These two flags, -E and -X, are absent from pfctl on other BSDs.

The main PF configuration file is /etc/pf.conf, which defines the following main ruleset by default in OS X 10.9 & 10.10:

    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
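Putting the advice above into practice (a ruleset kept in a file that OS updates do not replace, the com.apple anchors carried over, and a launchd plist that enables PF with the reference-counted -E flag), as an added example that is neither the post author's sample pf.conf nor Apple's code: the file names /etc/example.com.pf.conf and com.example.pf.plist, the label com.example.pf and the 192.0.2.0/24 LAN range are placeholders.

```shell
# Added example, not from the original post. Keeps a custom PF ruleset in a file
# that OS updates leave alone and enables PF with it from launchd via -E.
set -eu

# Write the durable ruleset. Loading a file with -f replaces the main ruleset, so
# the com.apple anchors from the stock /etc/pf.conf are repeated here; the rest
# is a default-deny policy with a few explicit allows (IPv4 and IPv6).
write_ruleset() {   # $1 = output file, $2 = LAN prefix allowed to reach SSH
    cat > "$1" <<EOF
# $1 : custom ruleset; keep this file, /etc/pf.conf is replaced by OS updates
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

set skip on lo0
block in log all
pass out all keep state
pass in proto tcp from $2 to any port 22 flags S/SA keep state
pass in inet6 proto ipv6-icmp all icmp6-type { neighbrsol, neighbradv, routeradv }
EOF
}

# Write a LaunchDaemon that enables PF at boot with the custom ruleset (-E -f).
write_launchd_plist() {   # $1 = output plist, $2 = ruleset file to load
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.pf</string>
  <key>ProgramArguments</key>
  <array><string>/sbin/pfctl</string><string>-E</string><string>-f</string><string>$2</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

# Dry-run parse of the ruleset with pfctl -n; skipped where pfctl is absent (non-macOS).
check_ruleset() {
    if [ -x /sbin/pfctl ]; then /sbin/pfctl -n -f "$1"; else echo "pfctl not found, skipping parse check" >&2; fi
}

# Usage (as root on macOS): sh thisscript.sh install
if [ "${1:-}" = "install" ]; then
    write_ruleset /etc/example.com.pf.conf 192.0.2.0/24      # placeholder LAN range
    write_launchd_plist /Library/LaunchDaemons/com.example.pf.plist /etc/example.com.pf.conf
    check_ruleset /etc/example.com.pf.conf
fi
```

After `sudo launchctl load -w /Library/LaunchDaemons/com.example.pf.plist`, `sudo pfctl -s References` lists the enable reference the daemon took, and `sudo pfctl -X <token>` releases only that one.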