Enable packet filter firewall (pfctl -Ef) temporarily stops all network connection

firewallNetwork

I've noticed that when re-setting my firewall with a new set of rules, all network communication completely stops for a short time, until it regains with the new set of rules.

In fact, it also occurs when I start firewall after it was previously closed or when it switch from enable to disable state.

Why does PacketFiler temporarily halt connection every time it changes state (using pfctl -Ef or pfctl -d) ?

Best Answer

Pf is a stateful firewall. It means it strictly accounts current state of connections and if you temporarily turn it off and then on again its internal view could become outdated so that some affected connections would stall and never recover.

There's a workaround that man pf.conf describes "…

If stateless filtering of individual packets is desired, the no state keyword can be used to specify that state will not be created if this is the last matching rule. A number of parameters can also be set to affect how packet filter handles state tracking. See STATEFUL TRACKING OPTIONS below for further details.

…"

But new ruleset loading with pfctl -f should not cause any troubles unless you're flushing states specifically, for e. g..

Best Answer

Related Solutions

MacOS – How to set up a private virtual LAN for the laptop and its guest VMs

How to fix when connecting to any server results in “Connecting to ‘…’” window that will leave up all day

Related Question