So I can add an anchor to the already enabled firewall by doing something like this:
$ pfctl -a anchor_name -f /etc/anchor_rules.txt
the file "anchor_rules.txt" might contain something like this:
table <some-hosts> persist file "/etc/someHostsToBlock.txt"
block quick from any to <some-hosts>
Now, I can see the rules inside the anchor by doing this:
$ pfctl -a anchor_name -sr
No ALTQ support in kernel
ALTQ related functions disabled
block drop quick from any to <some-hosts>
However, when I show the current active ruleset with:
$ pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all
I don't see the anchor called "anchor_name" which I just added. So the anchor is not actually active/loaded…
Why not, and how to load it?
Best Answer
In my understanding of pf your major anchor is missing. You may either use Apple's anchor(s) or a user defined anchor.
A user defined anchor is preferred:
Modify /private/etc/pf.conf:
Add two lines to pf.conf like this:
Create a file usr.home. In the example below I create an anchor SSH blocking SSH access from a local network to some IPs of the host:
and add
Now create a new directory
and the referenced file with:
and the following content:
Parse and test your pf.conf and your anchor file to make sure that they are error-free:
Reload pf:
You can add additional anchors to your major usr.home anchor as demonstrated in the major com.apple anchor.
You can also add additional dynamic sub-anchors with the following command (here I add a temporary block HTTP rule similar to the SSH rule - check the creation of a transitory sub-anchor: usr.home/HTTP here!):
The temporary anchor doesn't survive a reboot!
One possible command to remove the temporary rule immediately is:
A handy script to check all loaded anchors and rules is pfdump:
pfdump.sh:
All files mentioned require an empty new line at the end!
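The procedure in the answer, as an added shell example that is not part of the question or the accepted answer: it generates the two pf.conf lines (an `anchor` rule so pf evaluates the anchor, and a `load anchor` so its rules come from a file), writes the anchor file body, checks the trailing-newline requirement, wraps the parse-only check and reload, loads and flushes a transient sub-anchor, and walks all loaded anchors the way a pfdump script would. The anchor name `usr.home`, the path `/etc/pf.anchors/usr.home`, the table name `<blocked_hosts>` and the `PFCTL` override are illustrative assumptions, not values from the answer.

```shell
#!/bin/sh
# Added example, not code from the question or the accepted answer.
# Assumed (illustrative) names: anchor "usr.home", file
# /etc/pf.anchors/usr.home, table <blocked_hosts>.

# The two lines for /etc/pf.conf. The first declares the anchor in the
# main ruleset so pf evaluates it; the second loads the anchor's rules
# from a file. "pfctl -a name -f file" alone only does the second part,
# which is why the question's anchor never shows up in "pfctl -sr".
pf_conf_lines() {
    printf 'anchor "%s"\n' "$1"
    printf 'load anchor "%s" from "%s"\n' "$1" "$2"
}

# Body of the anchor file: a persistent table fed from a host list, and
# one rule referencing it (the angle brackets are mandatory for tables).
anchor_file_body() {
    printf 'table <%s> persist file "%s"\n' "$1" "$2"
    printf 'block drop quick from any to <%s>\n' "$1"
}

# pf's parser needs a trailing newline (the answer's last note);
# returns 0 when the file ends with one.
ends_with_newline() {
    [ -s "$1" ] && [ $(tail -c 1 "$1" | wc -l) -eq 1 ]
}

PFCTL=${PFCTL:-pfctl}   # overridable so the anchor walk can run offline

# Parse-only check (-n) of pf.conf and of the anchor file in its anchor
# context, then load the live ruleset. Needs root for the real pfctl.
pf_check_and_reload() {
    $PFCTL -vnf "$1" && $PFCTL -a "$2" -vnf "$3" && $PFCTL -f "$1"
}

# Load one rule into a transient sub-anchor (e.g. usr.home/HTTP) from
# stdin, and flush it again. The parent anchor must reference the
# sub-anchor (an anchor "HTTP" rule, or a wildcard anchor "*") for the
# rule to be evaluated, and as the answer notes it does not survive a
# reboot.
subanchor_add() { printf '%s\n' "$2" | $PFCTL -a "$1" -f -; }
subanchor_flush() { $PFCTL -a "$1" -F rules; }

# pfdump-style walk: print each anchor's rules, recursing into
# sub-anchors ("pfctl -a X -sA" lists the anchors directly below X).
# stderr is dropped to hide the "No ALTQ support" noise.
pfdump() {
    if [ -z "$1" ]; then $PFCTL -sA 2>/dev/null; else $PFCTL -a "$1" -sA 2>/dev/null; fi |
    sed 's/^[[:space:]]*//' | while read -r a; do
        [ -n "$a" ] || continue
        printf '=== %s ===\n' "$a"
        $PFCTL -a "$a" -sr 2>/dev/null
        pfdump "$a"
    done
}

# Offline demonstration: writes the generated snippets to a temp dir and
# checks the newline rule; no pfctl call is made here.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    pf_conf_lines usr.home /etc/pf.anchors/usr.home > "$tmp/pf.conf.add"
    anchor_file_body blocked_hosts /etc/pf.blocked_hosts > "$tmp/usr.home"
    cat "$tmp/pf.conf.add" "$tmp/usr.home"
    ends_with_newline "$tmp/usr.home" && echo "anchor file ends with a newline"
    rm -r "$tmp"
fi
```

Run with `sh script.sh demo` to see the generated snippets; on the Mac itself, `pf_check_and_reload /etc/pf.conf usr.home /etc/pf.anchors/usr.home` (as root) performs the check and reload the answer describes, and `pfdump` with the real `pfctl` prints every loaded anchor and its rules.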