A stateful firewall program, common on BSD systems and also available on others.
Questions tagged [pf]
61 questions
28
votes
2 answers
pf error - "No ALTQ support in the kernel"... What does this mean?
I am running Mac OS X. I would like to be able to configure pf because it seems to be more sophisticated and flexible than the default Mac OS X firewall that you can access through the System Preferences. I tried using some pf commands and got…
Zen Hacker
- 483
14
votes
1 answer
How to convert “ipfw” to “pfctl” commands to forward port 80 and 443 in OS X?
I found a way to forward ports 80 and 443 to other arbitrary ports (3000 and 3001 in my case) using ipfw. But ipfw is deprecated and replaced by pfctl. Here are my ipfw declarations:
sudo ipfw flush
sudo ipfw add 100 fwd 127.0.0.1,3000 tcp from any…
Robert Audi
- 375
7
votes
1 answer
How to use new keyword dummynet-anchor in pf.conf of Mac OS X
Mac OS X introduced a new keyword “dummynet-anchor” in the pf.conf file, which is not used in FreeBSD and OpenBSD. ipfw was removed in Mac OS X 10.10. How do I use “dummynet-anchor”?
UPDATE:
What portion of the ruleset will be executed by "dummynet-anchor"?
Yaocl
- 73
6
votes
1 answer
OSX 10.11 (El Capitan beta) pf.conf behaviour changed?
I kind of expected things to break, but ...
My pf forwarding rules, which worked previously on Yosemite, no longer work on 10.11.
My forwarding rule is as follows: rdr pass on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 8080
I can…
Tyler Sebastian
- 182
5
votes
1 answer
limiting upload bandwidth in Mac OS X Yosemite (10.10)
I have ADSL internet, and when there is an application uploading to the Internet at full speed (e.g. Skype or Chrome during file uploads), the download bandwidth becomes very very slow. Meaning I cannot practically browse webpages during uploads and…
psmith
- 535
4
votes
1 answer
Hints on diagnosing performance issue in OpenBSD firewall
My OpenBSD 4.6 pf firewall has started having really bad performance in the past few weeks. I've isolated the firewall (as opposed to the WAN connection, switch, cable, etc.) as the problem, but need a hint on how to further diagnose or fix the…
Tom
- 41
4
votes
1 answer
How to do IP masquerading on MacOS 10.14+?
I am looking for the equivalent macOS command to the Linux:
sudo iptables -t nat -A POSTROUTING -o en0 -j MASQUERADE
The reason I want to do this is I have a VPN that has the default route, but I would like certain apps to go over the physical…
horseyguy
- 269
4
votes
1 answer
PF on macOS Sierra doesn't seem to be reading ApplicationFirewall
I have PF working but when I start/restart the system the postfix 'master' program asks me if I want to grant permission to it to accept connections from the internet.
Now, permission is set in the SystemFirewall, that you set up through…
Harry McGovern
- 163
4
votes
2 answers
In pf, why can IPv6 be specified as a 'protocol' as well as an address family?
In the pf firewall, the pf.conf man page 'parameters' section states that "protocol" is anything from /etc/protocols, and that it's distinct from "address family" ("") which is inet or inet6. /etc/protocols in turn includes "IPv6" as a…
Stilez
- 1,825
4
votes
2 answers
How to make a VPN kill-switch for mac OS X
What I wanna do is to have the internet connection disabled completely when the VPN connection goes down. I am connecting to my VPN (privatevpn.com) through Viscosity.
I have tried everything in the book. I have tried to have a disconnect scripts in…
John Schlong
- 41
3
votes
0 answers
How to block a port from all traffic on all interfaces in Mac OS X 10.10.5 (Yosemite)
I need to block port 27017 to do some testing but I can’t seem to figure out how to do it in Mac OS X 10.10.5 (Yosemite). I know that sometime ago they moved from iptables to pf tables, but the information I can find specifically for blocking a port…
Jack Slingerland
- 131
3
votes
1 answer
Port forwarding outgoing request with PF
I'm trying to redirect all outgoing traffic from my local machine on port 843, to go to my local service on port 1234.
So, when I make a request to e.g. 1.2.3.4:843, I want it to connect to 127.0.0.1:1234 instead (transparently to the requesting…
Alexander Olsson
- 131
3
votes
0 answers
Packet Filter (pf) firewall in macOS Catalina: How to restrict www access to a specific IP address on local network?
I am trying to use the pf firewall on macOS Catalina 10.15.3 to allow www (80,443) access for a specific local IP address on my home network. This local IP address will request web pages from an nginx instance. If I turn off the macOS firewall in…
dcs3spp
- 131
2
votes
1 answer
PF rule using return-rst on Mac OS X does not reply with TCP reset
I'm trying to add a simple PF rule:
block return-rst out proto tcp from any to any port 33128
to filter all outgoing traffic to TCP port 33128, and I'd like it to respond with a reset. However, when I test it with nc, it times out, instead of…
ldx
- 121
2
votes
1 answer
How to open a server port outside of an OpenVPN tunnel with a pf firewall on OSX (BSD)
I have a Mac mini that I use as a media server running XBMC and serves media from my NAS to my stereo and TV (which has been color calibrated with a Spyder3Express, happy). The Mac runs OSX 10.8.2 and the internet connection is tunneled for general…
Timbo
- 21