
I have PF working but when I start/restart the system the postfix 'master' program asks me if I want to grant permission to it to accept connections from the internet. Now, permission is set in the SystemFirewall, that you set up through preferences. However, I also have my own ruleset in /etc/pf.anchors/local.rules that pf loads at startup.

#
# com.apple anchor point
#
# Macros: the interface and LAN the rules below could refer to.
int_if  = "en0"
lan_net = "192.168.0.0/24"

# Do not filter loopback traffic at all.
set skip on lo0
# Service lists (note: these two macros are defined but no rule in this
# file references them yet).
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"


# Hand scrub, nat, rdr, dummynet and filter processing to the com.apple
# anchor tree; the trailing /* includes every nested anchor, e.g.
# com.apple/250.ApplicationFirewall.
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
# Populate the com.apple anchor from Apple's own rule file.
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
#

So I start pfctl in the plist with pfctl -ef /etc/pf.anchors/local.rules

Everything is running fine with this, except for the postfix master, which tells me that pfctl is not reading the 250.ApplicationFirewall/* anchor, which should be the ... ApplicationFirewall rules.

This

sudo pfctl -a com.apple -sr

returns

No ALTQ support in kernel
ALTQ related functions disabled
anchor "200.AirDrop/*" all
anchor "250.ApplicationFirewall/*" all

Could it be that I shouldn't run the Application Firewall at the same time as the pf controller? Or, how do I tell pf rules to actually read the ApplicationFirewall rules?

1 Answer

2 Firewalls

On macOS you have two independent firewalls. The first one works at the protocol level and is Packet Filter (PF) from OpenBSD. It is activated with pfctl -e -f pf_configuration_file.

The second one is the Application Firewall, which works at the socket level but enables PF as a preliminary step. It is activated with the GUI System Preferences > Security & Privacy > Firewall > Firewall Options….

These two firewalls can work alone or together, but the macOS GUI brings the two up together.

The Application Firewall loads its own set of PF rules anchored at:

/com.apple/250.ApplicationFirewall

Unfortunately, the source of this set of rules is not accessible.

So these two firewalls should work perfectly well independently. Unfortunately, the GUI of the Application Firewall starts PF on its own, and this is not documented.

I think Apple's work on these two firewall layers is not finished. My best advice to get out of this undocumented GUI is to make a complete local copy of the tree:

/com.apple/250.ApplicationFirewall

1 Missing tool

It is very difficult to get a correct view of the whole set of rules applied at a given time with PF and a tree of anchors.

There is no standard tool other than pfctl to analyse security problems.

Here is a tool you can use to help you in this process:

pfdump

To analyze your problem I advise you to use nmap (see Brew or Macports) to check that your master is locally reachable on 25/tcp.

athena
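The answer's "Missing tool" point is that pfctl only shows one anchor at a time, so the rules that actually apply are scattered over com.apple, com.apple/200.AirDrop, com.apple/250.ApplicationFirewall and so on. The following script is an added example, not code from the answer, from Apple or from the pfdump tool mentioned above. It walks the anchor tree the same way the question does by hand (pfctl -a <anchor> -sr, then following each anchor "child/*" line) and prints every filter rule prefixed with the anchor it lives in. The only assumptions are the macOS pfctl invocation (pfctl [-a anchor] -sr) and the PFCTL override variable, which is mine and exists so the walker can be exercised against canned pfctl output instead of the live kernel.

```shell
#!/bin/sh
# pfanchors.sh: recursively dump every filter rule under a pf anchor tree.
# Added example (not the original post's code). Assumes macOS pfctl syntax:
#   pfctl -sr              show filter rules of the main ruleset
#   pfctl -a <anchor> -sr  show filter rules inside <anchor>
# PFCTL is an assumption of this script: override it to point the walker at
# something other than the real pfctl (e.g. a fake that replays saved output).

PFCTL="${PFCTL:-pfctl}"

# Print the filter rules of one anchor ("" = main ruleset).
# pfctl's "No ALTQ support in kernel" chatter goes to stderr, so drop it.
pf_rules() {
    if [ -n "$1" ]; then
        "$PFCTL" -a "$1" -sr
    else
        "$PFCTL" -sr
    fi 2>/dev/null
}

# Turn lines like   anchor "250.ApplicationFirewall/*" all
# into child anchor names (250.ApplicationFirewall). The trailing /*
# means "this anchor and everything nested below it", so strip it.
child_anchors() {
    sed -n 's/^anchor "\([^"]*\)".*/\1/p' | sed 's#/\*$##'
}

# Recursively print the rules of $1 and of all its descendants.
# Every rule line is prefixed with the anchor path it belongs to;
# anchor/scrub-anchor/nat-anchor/... delegation lines are not rules
# and are skipped, since we descend into them instead.
dump_anchor() {
    printf '=== %s ===\n' "${1:-<main ruleset>}"
    pf_rules "$1" | grep -Ev '^([a-z]+-)?anchor ' | sed "s|^|[${1:-main}] |"
    pf_rules "$1" | child_anchors | while IFS= read -r child; do
        # "$1" is the enclosing function's argument, so the child path is
        # correct even though this loop body runs in a subshell.
        dump_anchor "${1:+$1/}$child"
    done
}

# When run directly: dump the whole tree, or the subtree named on the
# command line, e.g.  sudo ./pfanchors.sh com.apple
if [ "${0##*/}" = "pfanchors.sh" ]; then
    dump_anchor "${1:-}"
fi
```

Run it as root while the GUI firewall is on and again while it is off; the lines tagged [com.apple/250.ApplicationFirewall] are exactly the rules the Application Firewall loads behind your back, and their absence or presence should line up with whether postfix's master is reachable on 25/tcp when you probe it with nmap as the answer suggests. The walker only follows -sr (filter) rules; if you also need the nat/rdr side of the com.apple tree, repeat the same walk with -sn.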