> On 5 Mar 2016, at 15:38, Robert Chalmers <rob...@chalmers.com.au> wrote:
>
> > Also, I can see that pfctl -e turns it on - enables it, but I can’t see how
> > that is put in place automatically. On reboot, it’s once again disabled, and
> > pf is not working. Even though the plist is loading.

Did you tell the OS to switch on the firewall? This is one of the configuration options under Security & Privacy in System Preferences.

If the firewall is disabled, I think there’s a setting somewhere deep in MacOSX which means nothing happens whenever /etc/pf.conf gets loaded. Which seems counter-intuitive: why load pf rulesets into the kernel if it's not going to use them?

Note that the MacOSX firewall is more than just pf. It can block or permit incoming and outgoing traffic on a per-application basis. Or restrict that to apps that have Apple-approved certificates.

That extra granularity might be a lot of hassle, so a boot-time script which does a “pfctl -e” could be the path of least resistance.

hth
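
The boot-time approach suggested at the end of the message above, as an added example that is not part of the original thread: a shell helper that reads the `Status:` line of `pfctl -s info`, validates `/etc/pf.conf`, and enables pf only when it is disabled. It assumes it is run as root at boot (for instance from a launchd job); the function names and the `--apply` switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes root privileges at boot.
# Ruleset path taken from the message; override with PF_CONF if needed.
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Read `pfctl -s info` output on stdin and print one of:
#   enabled | disabled | unknown
pf_state_from_info() {
    awk '/^Status:/ { s = tolower($2); found = 1; exit }
         END {
             if (found && (s == "enabled" || s == "disabled")) print s
             else print "unknown"
         }'
}

# Enable pf with the configured ruleset, but only if it is currently off.
ensure_pf_enabled() {
    state=$(pfctl -s info 2>/dev/null | pf_state_from_info)
    case "$state" in
        enabled)
            echo "pf already enabled"
            return 0
            ;;
        disabled)
            # -n parses the ruleset without loading it, so a broken
            # pf.conf is reported instead of being half-applied.
            if ! pfctl -n -f "$PF_CONF"; then
                echo "refusing to enable pf: $PF_CONF does not parse" >&2
                return 1
            fi
            pfctl -e -f "$PF_CONF"
            ;;
        *)
            echo "cannot read pf status (not running as root?)" >&2
            return 2
            ;;
    esac
}

# Only touch the firewall when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    ensure_pf_enabled
fi
```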