- Pfctl man page (apple.com)
- Pf.conf man page (apple.com)
- How to secure your Mac when using it on wireless networks (sarfata.org)
- Pf on OS X 10.7 (zomo.co.uk)
- OpenBSD packet filter (PF): Real life example (daemon-notes.com)
- Firewalling with OpenBSD's PF packet filter (rlworkman.net)
- PF (OpenBSD) (readthedocs.org)
- PF rules (kernel-panic.it)
- Port Forwarding in Mac OS Yosemite (abetobing.com)
- Mac pfctl Port Forwarding (salferrarello.com)
- Port forwarding/redirecting (internally) on OS X Mavericks (chrisvanpatten.com)
- Transparent system-wide proxy (mblondel.org)
- OSX as Transparent Wifi MITM Proxy (pocoo.org)
- OSX (mitmproxy.org)
- Open a port in OSX Mavericks’ Firewall (rolfje.wordpress.com)
- Mac OS X pf firewall: Avoiding known bad guys (ikawnoclast.com)
- A Cheat Sheet For Using pf in OS X Lion and Up (krypted.com)
- Using pf on OS X Mountain Lion (scottlowe.org)
- PF on Mac OS X (pleiades.ucsc.edu)
- OS X 10.8: redirecting locally initiated ssh connections to localhost:22 (serverfault.com)
- iptables equivalent for mac os x (serverfault.com)
- How can I make sure all my Mac's TCP traffic goes through a SOCKS5 proxy? (superuser.com)
These are the flags used in the exampe commands below:
v
Verbose outputf
Load rules from a filen
Parse rules, don't applye
Enable the packet filterd
Disable the packet filter
Dry run:
pfctl -nvf /path/to/some.conf
Note: The f
flag has to be last in the list in the above example. It's taking the path the follows as its argument.
If there were no syntax errors, apply the rules:
pfctl -evf /path/to/some.conf
This, I think, just disables the firewall:
sudo pfctl -d
Flush all filter parameters and reload the default rules, /etc/pf.conf:
pfctl -F all -f /etc/pf.conf
You need to order your declaration in this order:
- Options -- tune the behaviour of the packet filtering engine
- Normalization -- protects internal machines against inconsistencies in Internet protocols and implementations
- Queueing -- provides rule-based bandwidth control
- Translation -- specify how addresses are to be mapped or redirected to other addresses
- Filtering -- provides rule-based blocking or passing of packets
I believe it's possible to disable the enforcement of ordering, but if you do that your rules probably won't work the way you want.
Macros can be defined that will later be expanded in context. Macro names must start with a letter, and may contain letters, digits and underscores. Macro names may not be reserved words (for example pass, in, out). Macros are not expanded inside quotes.
# Define an external interface to use in the following rules
ext_if = "en0"
pass in on $ext_if proto tcp from any to any port 25
Anchors are containers that can hold rules, address tables, and other anchors.
nat-anchor
- nat rulesrdr-anchor
- rdr rulesbinat-anchor
- binat rulesanchor
- filter rules
rdr-anchor "example"
load anchor "example" from "path/to/example.rule"
When you define a table you can specify:
persist
- keep the table after there are no rules usingconst
- table cannot be added to or have items removed
table <block> persist
Hey man just a heads up that first link in the resources leads to some pretty gnarly asian porn site