MacOS – I need help getting the pf firewall to work

Tags: firewall, macos, Network

Okay, so I asked this question on security.stackexchange.com and superuser.com and no one on either of those forums answered. Hopefully someone here will know the answer.

I am running Mac OS X. I would like to be able to configure pf because it seems to be more sophisticated and flexible than the default Mac OS X firewall that you can access through the System Preferences. I tried using some pf commands and got some errors that I don't understand.

bash-3.2$ sudo pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all
bash-3.2$ sudo pfctl -s states
No ALTQ support in kernel
ALTQ related functions disabled

I looked up ALTQ on Wikipedia and it seems to be a queueing program that does statistical multiplexing of packets at the kernel level. It is the kernel module that BSD systems use for queueing of packets. And the Mac OS X kernel apparently doesn't support it.

Okay, so this doesn't really make sense. Why would Mac OS X include the BSD pf firewall but not include support for the queueing software necessary to make that firewall work? Isn't that kind of counter-productive? There must be some way to turn support for ALTQ on, but I have no idea what it is. I'm not even entirely sure what ALTQ is. Is it a loadable kernel module that I have to load using the kextload command? Or is the problem that it's already there but the kernel is just incompatible with it? I am utterly confused.

Best Answer

Let's clear up a few misconceptions here, and get your PF working for you. First, the ALTQ portion of PF handles QoS, or Quality of Service functionality, which might only be relevant to your needs if you were doing some sophisticated network routing through the machine and needed to prioritize the routing of certain types of latency-sensitive network traffic -- video streams, cell phone calls, etc. -- in order to reduce latency and assure such traffic of greater responsiveness.

I would not worry about the QoS portion not having been implemented in Apple's port of what appears to be the FreeBSD version of PF. Apple must have envisioned less of an enterprise-level network routing usage of their operating system and more of a home-user and office-user usage in opting to skip the ALTQ inclusion.

Next, I find the following command more useful for an overview of what PF is doing:

sudo pfctl -vvv -s all

Our next step is determining what you would like PF to do. The meat-and-potatoes configuration for PF is the file /etc/pf.conf. Is there something specific you would like PF to do, or would you like me to post a few example pf.conf files, in order to give you an idea of how it is used.

All in all, you make a wise choice in choosing to use PF. It is a shame that Apple, for one reason or another (hint -- think Edward Snowden...) has opted to deploy its operating system with its firewall onboard, but disabled by default, and without any packet filtering rules enabled by default...

Doors wide open, if you ask me...

Hope that this helps.
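Added example, not part of the original answer or of Apple's own configuration: a minimal default-deny host ruleset for Apple's pf, together with the pfctl steps to parse-check it, load and enable it, and inspect the result with the `pfctl -vvv -s all` command mentioned above. It also shows why the two ALTQ lines can be ignored: they are informational output from a kernel built without the QoS scheduler, not errors. The interface name en0, the file path /etc/pf.local.conf and the single allowed inbound service (TCP/22) are assumptions; adjust them for your machine.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal default-deny host
# ruleset for Apple's pf, with the pfctl steps to validate, load and inspect it.
# Assumptions (not in the original): the primary interface is en0, the ruleset
# is written to /etc/pf.local.conf, and inbound TCP/22 (ssh) is the only
# service exposed. Run as root: ./pf-example.sh apply | status

EXT_IF="${EXT_IF:-en0}"
RULES_FILE="${RULES_FILE:-/etc/pf.local.conf}"

# The two ALTQ lines are informational noise from a kernel built without the
# ALTQ packet scheduler; they are not errors and do not affect filtering.
altq_is_noise() {
    case "$1" in
        "No ALTQ support in kernel"|"ALTQ related functions disabled") return 0 ;;
        *) return 1 ;;
    esac
}

# Print a ruleset for the given interface. Apple's pf accepts the older
# OpenBSD-style syntax; 'keep state' is spelled out so the intent is explicit.
pf_rules() {
    printf 'ext_if = "%s"\n' "$1"
    cat <<'EOF'
tcp_services = "{ 22 }"

set block-policy drop
set skip on lo0

scrub in all fragment reassemble

# Default deny inbound, allow anything the host initiates (stateful).
block in all
pass out all keep state

# Inbound: only new TCP connections to the listed services, plus ping.
pass in quick on $ext_if proto tcp from any to any port $tcp_services flags S/SA keep state
pass in quick on $ext_if inet proto icmp icmp-type echoreq keep state
EOF
}

# Run pfctl, filter out the ALTQ noise, but keep pfctl's real exit status.
pfctl_quiet() {
    _out=$(pfctl "$@" 2>&1); _rc=$?
    [ -z "$_out" ] || printf '%s\n' "$_out" | while IFS= read -r line; do
        altq_is_noise "$line" || printf '%s\n' "$line"
    done
    return $_rc
}

# Write the ruleset, parse-check it without loading (-n), then load and
# enable pf (-ef). A syntax error stops before anything is loaded.
pf_apply() {
    pf_rules "$EXT_IF" > "$RULES_FILE"
    pfctl_quiet -nf "$RULES_FILE" || { echo "ruleset rejected, not loaded" >&2; return 1; }
    pfctl_quiet -ef "$RULES_FILE"
}

case "${1:-}" in
    apply)  pf_apply ;;
    status) pfctl_quiet -vvv -s all ;;
    *)      pf_rules "$EXT_IF" ;;
esac
```

Two caveats for anyone adapting this. Loading a file with `pfctl -f` replaces the entire active ruleset, so the `com.apple/*` anchors that the stock /etc/pf.conf sets up (and that the posted `pfctl -s rules` output shows) are dropped; if you want to keep Apple's anchors, reference your file from /etc/pf.conf with an `anchor` and `load anchor ... from` pair instead of loading it on its own, and keep in mind that an OS update can rewrite /etc/pf.conf. Second, test from a second terminal before relying on a ruleset on a remote machine: `pfctl -d` disables pf again if you lock yourself out of an interactive session.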