Jim, yes. I went for the line of least resistance, a plist file to enable pf at boot time. The system has a pfctl.plist that loads pf.conf, but there is no automatic way to then enable pf - which seems very odd.

So you have pfctl -f /etc/pf.conf loaded at boot time, but the packet filter, pf, isn’t also enabled. So I rolled my own to enable it. Turning on the Firewall, which I have on by default on mine, makes no difference to the state of pf, which is disabled by default. Anyway, it’s running now, and I’ll try a reboot later to see if it ‘enables’ - I may have to time it so it enables after the pfctl loads the conf.

cheers

> On 5 Mar 2016, at 16:37, Jim Reid <j...@rfc1035.com> wrote:
>
>> On 5 Mar 2016, at 15:38, Robert Chalmers <rob...@chalmers.com.au> wrote:
>>
>> Also, I can see that pfctl -e turns it on - enables it, but I can’t see how
>> that is put in place automatically. On reboot, it’s once again disabled,
>> and pf is not working. Even though the plist is loading.
>
> Did you tell the OS to switch on the firewall? This is one of the
> configuration options under Security & Privacy in System Preferences.
>
> If the firewall is disabled, I think there’s a setting somewhere deep in
> MacOSX which means nothing happens whenever /etc/pf.conf gets loaded. Which
> seems counter-intuitive: why load pf rulesets into the kernel if it's not
> going to use them?
>
> Note that the MacOSX firewall is more than just pf. It can block or permit
> incoming and outgoing traffic on a per-application basis. Or restrict that to
> apps that have Apple-approved certificates. That extra granularity might be a
> lot of hassle, so a boot-time script which does a “pfctl -e” could be the
> path of least resistance.
>
> hth

Robert Chalmers rob...@chalmers.com.au
Quantum Radio: http://tinyurl.com/lwwddov
Mac mini 6.2 - 2012, Intel Core i7, 2.3 GHz, Memory: 16 GB. El-Capitan 10.11. XCode 7.2.1
2TB: Drive 0: HGST HTS721010A9E630. Upper bay. Drive 1: ST1000LM024 HN-M101MBB. Lower Bay
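Added example, not part of the thread above and not Robert's or Apple's own plist: a small POSIX shell script that (a) classifies the output of `pfctl -s info` so a boot script or monitoring check can tell whether pf is actually enabled rather than merely having rules loaded, and (b) prints a launchd job that loads /etc/pf.conf and enables pf in a single `pfctl -e -f` invocation, which sidesteps the timing problem of enabling before the system plist has loaded the rules. The label `local.pf.enable` and the sample `pfctl -s info` text in the test are constructed for this example; the `Status: Enabled` / `Status: Disabled` line format is what pfctl prints, but anything else in the output is ignored.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed/hypothetical names:
# the launchd label "local.pf.enable". Everything else is standard pfctl usage.

# pf_state: read `pfctl -s info` output on stdin and print one of
# "enabled", "disabled" or "unknown". pfctl prints a line such as
# "Status: Enabled for 0 days 00:01:02" or "Status: Disabled for ...".
pf_state() {
  state=unknown
  while IFS= read -r line; do
    case "$line" in
      "Status: Enabled"*)  state=enabled ;;
      "Status: Disabled"*) state=disabled ;;
    esac
  done
  printf '%s\n' "$state"
}

# pf_enable_plist: print a launchd daemon definition that, at boot, loads
# /etc/pf.conf and enables the filter in the same pfctl call (-e -f), so
# "rules loaded" and "filter enabled" cannot happen in the wrong order.
pf_enable_plist() {
  cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>local.pf.enable</string>
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/pfctl</string>
        <string>-e</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# ensure_pf_enabled: on a real macOS host (run as root), check the current
# state and load+enable only if pf is not already enabled. Returns 2 when
# pfctl is absent so the file can be sourced and tested on any system.
ensure_pf_enabled() {
  if ! command -v pfctl >/dev/null 2>&1; then
    echo "pfctl not found; nothing to do" >&2
    return 2
  fi
  case "$(pfctl -s info 2>/dev/null | pf_state)" in
    enabled) echo "pf already enabled" ;;
    *)       pfctl -e -f /etc/pf.conf ;;
  esac
}
```

To use it on the Mac, save the file, then `pf_enable_plist > /Library/LaunchDaemons/local.pf.enable.plist` as root and load it with launchctl; `ensure_pf_enabled` can be run from a login script or cron job as a belt-and-braces check that pf really is up after the system's own pfctl.plist has run.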