macOS Firewall Setup

macOS includes an application firewall, but it lacks the ability to filter traffic based on IP addresses. However, it's possible to manually add pf rules to the filter set.

Setup

  1. Untar osx-pf-enable.tar (found in smb://shared.math.ucsb.edu/System Admin/Software/Mac) in the root directory. This will install the launch daemon and script needed to load the custom rules.
  2. Edit /etc/pf.conf and add your rules at the bottom.
  3. Check for syntax errors with pfctl -n -f /etc/pf.conf.
  4. If the rules check out, run sudo launchctl load /Library/LaunchDaemons/org.scottlowe.pf.plist to load them.

pf rule notes

  • pf rules are examined in strict top-down order
  • A packet is checked against each rule; the last rule it matches "wins."
  • Adding the keyword quick causes rule processing to stop when the rule matches; following rules are ignored.
  • The application firewall, if enabled, gets first crack at packets, so services you want to allow must be enabled there too.

Here are two sample rules that limit bacula-fd (TCP port 9102) to the local subnet:

    pass in quick from 128.111.88.0/24
    block in proto tcp to port 9102

This is also a good example of how rule processing works. If we left out "quick" in the first line, packets from the 128.111.88.0/24 subnet to port 9102 would still be blocked: processing would continue to the second line, which also matches, and the last matching rule would win.
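As an added illustration (not part of the original page), here is a small Python model of pf's matching order, run over the two rules above both with and without "quick" on the pass line. It models only the fields those rules use (source network, protocol, destination port) and assumes pf's default of passing a packet that matches no rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    quick: bool = False                           # stop evaluation on match
    proto: Optional[str] = None                   # None matches any protocol
    src: Optional[ipaddress.IPv4Network] = None   # None matches any source
    dport: Optional[int] = None                   # None matches any dest port

    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src and ipaddress.IPv4Address(pkt["src"]) not in self.src:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True

def evaluate(rules, pkt, default="pass"):
    """Walk the ruleset top-down. The last matching rule wins, unless a
    matching rule carries 'quick', which ends evaluation immediately."""
    verdict = default
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# The two rules from the page, once with and once without 'quick'.
LOCAL = ipaddress.IPv4Network("128.111.88.0/24")
with_quick = [Rule("pass", quick=True, src=LOCAL),
              Rule("block", proto="tcp", dport=9102)]
without_quick = [Rule("pass", quick=False, src=LOCAL),
                 Rule("block", proto="tcp", dport=9102)]

# Constructed sample packets: one from the local subnet, one from outside it.
local_pkt = {"proto": "tcp", "src": "128.111.88.42", "dport": 9102}
remote_pkt = {"proto": "tcp", "src": "203.0.113.7", "dport": 9102}

if __name__ == "__main__":
    for name, rules in (("with quick", with_quick), ("without quick", without_quick)):
        print(f"{name}: local={evaluate(rules, local_pkt)} "
              f"remote={evaluate(rules, remote_pkt)}")
```

With "quick", the local packet passes and the remote one is blocked; without it, both are blocked because the block rule is the last match for the local packet too.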