How to enable pfctl at boot time on Mac OS
Every time the Mac is booted up, pfctl is disabled by default. I have to enable it manually on every boot with the "pfctl -e" command.
How can I make it persistent over boot?
And also, how do I apply rules through the command line with pfctl?
My Mac OS version: 10.13.5
Solution 1:[1]
How can I make it persistent over boot?
In System Preferences / Security & Privacy / Firewall Options..., check "Enable stealth mode" and turn on Firewall.
Somehow this enables PF. You can check by running sudo pfctl -s info.
Tested on High Sierra and Mojave.
Solution 2:[2]
You have to edit the launchctl plist file, found at /System/Library/LaunchDaemons/com.apple.pfctl.plist. Change the Disabled key from true to false.
Then do a restart with:
/usr/bin/sudo launchctl load /System/Library/LaunchDaemons/com.apple.pfctl.plist
Here is its enabled version:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>local.pfctl</string>
    <key>Program</key>
    <string>/sbin/pfctl</string>
    <key>ProgramArguments</key>
    <array>
        <string>pfctl</string>
        <string>-E</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>/tmp/local.pfctl.err</string>
    <key>StandardOutPath</key>
    <string>/tmp/local.pfctl.out</string>
    <key>WorkingDirectory</key>
    <string>/var/run</string>
</dict>
</plist>
```
Solution 3:[3]
Simply load the launchctl .plist file for pfctl, overriding the 'disabled' key and forcing it to be set to "false":
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.pfctl.plist
Be advised that this does not change the plist file contents, but adds an entry to the override database which survives reboots. If you change your mind later, you would have to remove that entry from the database while in recovery mode.
The main PF configuration file is /etc/pf.conf, which defines the main ruleset. By default, the main ruleset loads sub-rulesets defined in /etc/pf.anchors/com.apple, using an anchor.
If you want to add or edit rules, you could do that by editing the pf.conf file.
For example, add the following 3 lines to /etc/pf.conf (to block all incoming traffic except Bonjour but allow all outgoing traffic):
```
pass in quick proto udp to any port 5353
block in
pass out quick
```
Then reload pf.conf:
sudo pfctl -f /etc/pf.conf
You can check which rules are loaded with:
sudo pfctl -s rules
Also, things could get a bit more complicated if you enable the MacOS application firewall - especially with the "block all incoming connections" or "stealth mode" options enabled. The application firewall enables PF using pfctl -E. In addition to its own rules, the application firewall generates a set of dynamic rules (sub ruleset) for PF through the anchor point com.apple/250.ApplicationFirewall.
Each time a process enables PF, there is a reference to it. You can check all of the references to PF with:
sudo pfctl -s References
If you see a reference to "socketfilterfw", then the application firewall is on and it has invoked PF with its own rules which may interfere with your own. For simplicity, I disable the application firewall, but that is your choice.
For each packet or connection evaluated by PF, the last matching rule in the ruleset is the one which is applied.
If you would like to disable the application firewall, it is probably best to just use the GUI and lock the settings.
Hope that helps.
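As an added illustration (not part of any answer above), here is a small Python model of the matching semantics Solution 3 describes: the last matching rule wins, and a `quick` match is final. It handles only the subset of pf.conf syntax used in the three example rules; `parse_rules`, `evaluate` and the sample configs are names and inputs constructed for this example, not pfctl itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # True if the rule carries the 'quick' keyword
    proto: Optional[str]   # e.g. "udp"; None matches any protocol
    port: Optional[int]    # destination port; None matches any port

# Recognises only the rule shapes used on this page:
#   pass|block in|out [quick] [proto X] [to any port N]
RULE_RE = re.compile(
    r"^(pass|block)\s+(in|out)(\s+quick)?(?:\s+proto\s+(\w+))?"
    r"(?:\s+to\s+any\s+port\s+(\d+))?\s*$"
)

def parse_rules(conf: str) -> List[Rule]:
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        action, direction, quick, proto, port = m.groups()
        rules.append(Rule(action, direction, quick is not None,
                          proto, int(port) if port else None))
    return rules

def evaluate(rules: List[Rule], direction: str, proto: str, port: int) -> str:
    """Return 'pass' or 'block' for one packet. PF passes when nothing matches."""
    verdict = "pass"
    for r in rules:
        if r.direction != direction or \
           (r.proto is not None and r.proto != proto) or \
           (r.port is not None and r.port != port):
            continue
        verdict = r.action          # last matching rule wins ...
        if r.quick:
            break                   # ... unless a matching rule is 'quick'
    return verdict

# The three rules from the answer above (Bonjour in, block other inbound, pass out).
WITH_QUICK = parse_rules("pass in quick proto udp to any port 5353\nblock in\npass out quick")
# Same intent but without 'quick': the later 'block in' now overrides the Bonjour pass.
WITHOUT_QUICK = parse_rules("pass in proto udp to any port 5353\nblock in\npass out")
```

Running `evaluate(WITHOUT_QUICK, "in", "udp", 5353)` shows why the `quick` keyword matters: without it, the trailing `block in` is the last match and Bonjour is blocked.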
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | dan |
| Solution 3 | |
