I have an app that (while it is running and only while it is running) needs to make changes to the packet filter (`pf`) so that it blocks or allows certain traffic. These rules should be in addition to the user's own rules in `/etc/pf.conf` – but I do not want to directly edit `/etc/pf.conf`, as this is extremely intrusive.

I can do this trivially in Linux using `iptables` and even in Windows using WFP without altering any on-disk files; can I accomplish the same thing in OS X with `pf`?

The solution only has to work in Yosemite (10.10) and above.
Best Answer
I solved this myself.

Where `my_rules.conf` contains our own rules, these get concatenated to the `pf.conf` rules but take precedence due to them being appended after `pf.conf` in the `cat` command. Also note we use `pfctl -Ef -`; the `-` forces `pfctl` to read from stdin.

We can take this solution a step further and load our own rules from stdin by using this:
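The concatenate-and-pipe approach the answer describes, written out as a wrapper script. This is an added example, not the answer's own code; the file name `my_rules.conf`, the `pf-wrap.sh` script name and the `run` subcommand are assumptions, and the `has_quick_rule` check is added because pf's "last matching rule wins" ordering, which the answer relies on, is short-circuited by any rule using `quick`.

```shell
#!/bin/sh
# Added example, not the answer's own script. Assumes the app's extra rules
# live in ./my_rules.conf and that /etc/pf.conf is the user's untouched ruleset.
# Needs root on macOS for the pfctl calls; the helpers themselves run anywhere.
set -eu

BASE_CONF="${BASE_CONF:-/etc/pf.conf}"
APP_RULES="${APP_RULES:-./my_rules.conf}"

# build_ruleset: print the combined ruleset on stdout. The app's rules go
# last because pf applies the last matching rule, so appending is what gives
# them precedence over the user's rules. Nothing is written to disk.
build_ruleset() {
    base="$1"; extra="$2"
    cat "$base"
    printf '\n# --- rules added by the app, loaded via stdin ---\n'
    cat "$extra"
}

# has_quick_rule: exit 0 if a pass/block rule in the file uses 'quick'.
# 'quick' stops evaluation at that rule, so a quick rule in /etc/pf.conf can
# beat an appended app rule; check this before relying on append order.
has_quick_rule() {
    grep -Eq '^[[:space:]]*(pass|block)([[:space:]]+[^[:space:]]+)*[[:space:]]+quick([[:space:]]|$)' "$1"
}

# load_rules: pipe the combined ruleset into pfctl. -E enables pf and
# -f - reads the ruleset from stdin, so /etc/pf.conf is never edited.
load_rules() {
    build_ruleset "$BASE_CONF" "$APP_RULES" | pfctl -Ef -
}

# restore_rules: reload the user's own ruleset once the app is gone.
restore_rules() {
    pfctl -f "$BASE_CONF"
}

# main: load the rules, run the wrapped program, restore on any exit path.
main() {
    if has_quick_rule "$BASE_CONF"; then
        echo "warning: $BASE_CONF uses 'quick'; appended rules may not win" >&2
    fi
    trap restore_rules EXIT INT TERM
    load_rules
    # The extra rules are live exactly as long as this program runs.
    "$@"
}
# Usage: ./pf-wrap.sh run /path/to/app [args...]
if [ "${1:-}" = "run" ]; then shift; main "$@"; fi
```

If pf was disabled before the app started, `pfctl -f` on exit leaves it enabled; macOS's `pfctl -E` prints a reference token that `pfctl -X <token>` releases, which is the cleaner way to undo the enable.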