Is the firewall really pfctl, or another instance of pfctl

firewallpfctl

I was mucking around with pfctl a while back, didn't get very far and forgot about it.

Yesterday, I couldn't ssh into a remote machine. I disabled the firewall in system preferences but still had the problem. When I couldn't ping anything I wondered… So, I disabled pfctl with sudo pfctl -d and lo and behold ping and ssh were working again.

If pfctl was still running my ruleset regardless of whether the firewall in sys prefs was enabled or not then either:

the sys prefs firewall is a separate firewall app, not pfctl given a simple gui (as I'd assumed).
the firewall in sys prefs is a separate instance of pfctl, both can run independent of the other.

or it's something else (I like to give myself leeway). I've checked running processes and can only find Firewall, no pf/pfctl etc, I'm puzzled.

Which option is the truth?

Best Answer

There's no second instance of pfctl running. Pretty much everything you have to do with pfctl requires root priviliges.

For example, just getting a listing of rules without using sudo gives a "permission denied"

$ pfctl -sr
pfctl: /dev/pf: Permission denied

Adding sudo allows you to view the current rule set:

$ sudo pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all

The issue you may be experiencing might be related to this post: Application Firewall is not enabling pfctl

Related Solutions

macOS – Fix Application Firewall Not Enabling pfctl

A workaround which worked for me:

System Preferences -> Security & Privacy -> Firewall -> Firewall options -> Check "Enable stealth mode"
Reboot

Check if pfctl is enabled now, in a Terminal:

sudo pfctl -s info | egrep -i --color=auto 'enabled|disabled'

pfctl – Adding, Activating and Loading an Anchor

In my understanding of pf your major anchor is missing. You may either use Apple's anchor(s) or a user defined anchor.

A user defined anchor is preferred:

Modify /private/etc/pf.conf:

Add two lines to pf.conf like this:

...
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

#
# usr.home anchor point
#
anchor "usr.home/*"
load anchor "usr.home" from "/etc/pf.anchors/usr.home"

Create a file usr.home. In the example below I create an anchor SSH blocking SSH access from a local network to some IPs of the host:

sudo nano /etc/pf.anchors/usr.home

and add

#
# usr.home ruleset, referred to by the modified /etc/pf.conf file.
# See notes in that file regarding the anchor point in the main ruleset.
#

#
# SSH anchor point.
#

anchor "SSH"
load anchor "SSH" from "/etc/pf.rules/pfssh.rule"

Now create a new directory

sudo mkdir /etc/pf.rules

and the referenced file with:

sudo nano /etc/pf.rules/pfssh.rule

and the following content:

block in quick inet proto { tcp, udp } from 10.0.0.0/8 to { 10.128.8.145, 10.129.8.145 } port 22

Parse and test your pf.conf and your anchor file to make sure that they are error-free:
```
sudo pfctl -vnf /etc/pf.conf
sudo pfctl -vnf /etc/pf.anchors/usr.home
```

Reload pf:

sudo pfctl -d
sudo pfctl -e -f /etc/pf.conf

You can add additional anchors to your major usr.home anchor as demontrated in the major com.apple anchor.

You can also add additional dynamic sub-anchors with the following command (here I add a temporary block HTTP rule similar to the SSH rule - check the creation of a transitory sub-anchor: usr.home/HTTP here!):

echo "block drop in quick proto tcp from 10.0.0.0/8 to any port 80" | sudo pfctl -a usr.home/HTTP -f -

The temporary anchor doesn't survive a reboot!

One possible command to remove the temporary rule immediately is:

echo "" | sudo pfctl -a usr.home/HTTP -f -

A handy script to check all loaded anchors and rules is pfdump:

pfdump.sh:

#!/bin/bash

function pfprint() {
  if [ -n "$1" ];then
    sudo pfctl -a "$2" -s"$1" 2>/dev/null
  else
    sudo pfctl -s"$1" 2>/dev/null
  fi
}

function print_all() {

  local p=$(printf "%-40s" $1)
  (
    pfprint r "$1" | sed "s,^,r     ,"
    pfprint n "$1" | sed "s,^,n     ,"
    pfprint A "$1" | sed "s,^,A     ,"
  ) | sed "s,^,$p,"

  for a in `pfprint A "$1"`; do
    print_all "$a"
  done
}

print_all

All files mentioned require an empty new line at the end!

Best Answer

Related Solutions

macOS – Fix Application Firewall Not Enabling pfctl

pfctl – Adding, Activating and Loading an Anchor

Related Question