pfctl – Add Rules at Runtime Without Editing /etc/pf.conf

firewallmacospfctl

I have an app that (while it is running and only while it is running) needs to make changes to the packet filter (pf) so that it blocks or allows certain traffic. These rules should be in addition to the user's own rules in /etc/pf.conf – but i do not want to directly edit /etc/pf.conf as this is extremely intrusive.

I can do this trivially in linux using iptables and even in windows using wfp without altering any on-disk files, can i accomplish the same thing in osx with pf ?

Solution only has to work in yosemite (10.10) and above

Best Answer

I solved this myself.

cat /etc/pf.conf my_rules.conf | sudo /sbin/pfctl -Ef -

Where my_rules.conf contains our own rules, these get concatenated to the pf.conf rules but take precedence due to them being appended after pf.conf in the cat command.

Also note we use pfctl -Ef - the - forces pfctl to read from stdin

We can take this solution a step further and load our own rules from stdin by using this:

echo "block out all" | cat /etc/pf.conf - | sudo /sbin/pfctl -Ef -

Related Solutions

OS X Server – Remote HTTP Connections Ignored but Local Accepted

OS X actually has (at least) 3 firewalls. Since you've turned off the application firewall (in System Preferences -> Security & Privacy -> Firewall) and checked the Berkeley packet filter (pfctl -sa), I'm guessing it's the old ipfw that's doing the blocking. You can check with sudo ipfw show -- that'll list the active rules, along with counts of how many packets and bytes each one has applied to:

$ sudo ipfw show
01000 19228642 23229993542 allow ip from any to any via lo0
01010        0           0 deny ip from any to 127.0.0.0/8
[etc...]
65534    23505     3467352 deny ip from any to any
65535        0           0 allow ip from any to any

If your listing only shows rule #65535 (the allow rule at the end), my guess is wrong and you have to look elsewhere. If it does show other rules, you probably have a third-party firewall config program installed somewhere (I don't think the Apple-supplied ipfw config software is still there in 10.8); take a look in /Library/StartupItems and /Library/LaunchDaemons for things that might be relevant.

MacOS – Firewall: Add command-line tool to rules (mosh-server)

I knew I was being dumb: in the Finder dialog that pops up, press Shift+⌘+G and enter /usr. From there I can browse to the binary.

Turns out this is a completely ordinary Finder shortcut for "Go to folder".

Best Answer

Related Solutions

OS X Server – Remote HTTP Connections Ignored but Local Accepted

MacOS – Firewall: Add command-line tool to rules (mosh-server)

Related Question