Some developers have run into pow no longer working once they connect to the enova VPN (for example when working from home). We usually connect to the enova VPN with the Cisco AnyConnect Secure Mobility Client, and it is this client that breaks pow.
The actual cause is the system firewall. When Cisco AnyConnect establishes a connection it also adds its own ruleset to the packet filter (pf). The firewall configuration lives in /etc/pf.conf, whose original content looks like this:
#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
Once AnyConnect has connected to the enova VPN, the file changes to:
#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "cisco.anyconnect.vpn"
load anchor "cisco.anyconnect.vpn" from "/opt/cisco/anyconnect/ac_pf.conf"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
As you can see, two lines were added:
...
anchor "cisco.anyconnect.vpn"
load anchor "cisco.anyconnect.vpn" from "/opt/cisco/anyconnect/ac_pf.conf"
...
So to make pow work again we just need to remove those two lines (editing the file with sudo). Keep in mind that this also drops whatever rules AnyConnect loaded from /opt/cisco/anyconnect/ac_pf.conf, and the client will add the anchor back the next time it connects.
Editing the file alone changes nothing in the kernel; afterwards reload the ruleset and make sure pf is enabled:
sudo pfctl -f /etc/pf.conf; sudo pfctl -e
Now you are all set: just go to any *.dev host.
A more automated way to fix pow is to write your own script that does everything above. Create a Ruby file anywhere on your machine, for example ~/cisco-pow-fix, with the following contents:
#!/usr/bin/env ruby
# Drop every line that mentions the AnyConnect anchor, newline included,
# so no blank lines are left behind in /etc/pf.conf.
cisco_matcher = /^.*cisco\.anyconnect\.vpn.*\n?/
pf_conf = '/etc/pf.conf'
content = File.read(pf_conf)
new_content = content.gsub(cisco_matcher, '')
File.write(pf_conf, new_content) # writing /etc/pf.conf needs root: run the script with sudo
# Reload the ruleset and make sure pf is enabled. The script already runs as
# root, so no extra sudo is needed here.
system('pfctl', '-f', pf_conf)
system('pfctl', '-e')
Make script executable:
chmod +x ~/cisco-pow-fix
And on every Cisco VPN connection run the script with sudo:
sudo ~/cisco-pow-fix
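Below is a more careful version of the same fix, added here as an example and not the script from the page above. It only removes the two anchor directives (a comment that merely mentions the anchor name is left alone), keeps a backup of what AnyConnect wrote, is safe to run twice, reloads pf only when the file actually changed, and can report whether the anchor is still active in the kernel. The check/apply verbs, the backup file name and the embedded sample are my own; the check assumes that anchors appear in `pfctl -sr` output as lines starting with anchor "name", as they do on macOS.

```ruby
#!/usr/bin/env ruby
# Added example (not the original page's script): remove the AnyConnect pf
# anchor from /etc/pf.conf without leaving blank lines, idempotently, and
# reload pf only if something changed. Assumed names: the check/apply verbs,
# the .pow-fix.bak backup suffix and SAMPLE_PF_CONF below.

ANCHOR  = 'cisco.anyconnect.vpn'
PF_CONF = '/etc/pf.conf'

# Constructed sample (an abbreviation of the post-VPN listing on the page),
# used for the offline demo when no verb is given.
SAMPLE_PF_CONF = <<~PF
  scrub-anchor "com.apple/*"
  nat-anchor "com.apple/*"
  rdr-anchor "com.apple/*"
  dummynet-anchor "com.apple/*"
  anchor "cisco.anyconnect.vpn"
  load anchor "cisco.anyconnect.vpn" from "/opt/cisco/anyconnect/ac_pf.conf"
  anchor "com.apple/*"
  load anchor "com.apple" from "/etc/pf.anchors/com.apple"
PF

# Match only the two directives AnyConnect inserts:
#   anchor "cisco.anyconnect.vpn"
#   load anchor "cisco.anyconnect.vpn" from "..."
# A plain substring match would also hit comments mentioning the name.
def anchor_line?(line, anchor = ANCHOR)
  line.match?(/\A\s*(load\s+)?anchor\s+"#{Regexp.escape(anchor)}"/)
end

# Return [text_without_anchor, removed_lines]. Everything else, comments and
# ordering included, is kept byte-for-byte, so running it again is a no-op.
def strip_anchor(text, anchor = ANCHOR)
  removed, kept = text.lines.partition { |l| anchor_line?(l, anchor) }
  [kept.join, removed.map(&:chomp)]
end

# True when `pfctl -sr` output still lists the anchor, i.e. the old ruleset
# is still loaded in the kernel even if the file has already been edited.
def anchor_active?(pfctl_rules, anchor = ANCHOR)
  pfctl_rules.lines.any? { |l| anchor_line?(l, anchor) }
end

# Rewrite the file (keeping a backup) and reload pf. Returns :unchanged when
# the anchor was not present, :fixed otherwise. Needs root.
def fix_pf_conf(path = PF_CONF)
  original = File.read(path)
  updated, removed = strip_anchor(original)
  return :unchanged if removed.empty?
  File.write("#{path}.pow-fix.bak", original) # what AnyConnect wrote, for reference
  File.write(path, updated)
  # Reload the ruleset, then make sure pf is enabled. `pfctl -e` exits
  # non-zero when pf is already enabled, so only the reload is checked.
  system('pfctl', '-f', path) or raise "pfctl -f #{path} failed"
  system('pfctl', '-e')
  :fixed
end

case ARGV.first
when 'check'
  rules = `pfctl -sr 2>/dev/null`
  puts(anchor_active?(rules) ? "#{ANCHOR} is active" : "#{ANCHOR} is not loaded")
when 'apply'
  puts fix_pf_conf
else
  _, removed = strip_anchor(SAMPLE_PF_CONF)
  puts 'Lines that would be removed from the sample pf.conf:', removed
  puts "usage: sudo #{$PROGRAM_NAME} check|apply"
end
```

Run it as sudo ~/cisco-pow-fix apply after connecting, and sudo ~/cisco-pow-fix check to confirm the anchor is really gone from the live ruleset, not just from the file. Without a verb it only prints what it would strip from the embedded sample, which is a safe way to try it on a machine without AnyConnect.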