Apple - How to launch pf at startup?
By default pf is silenced at startup; a launch daemon com.apple.pfctl.plist exists though in /System/Library/LaunchDaemons/. To enable pf while booting you would have to add an -e switch to the plist.
Since all files in /System/Library/LaunchDaemons/ are protected by SIP in macOS 10.11 and later you have to disable it first.
Then, after booting to the main system, edit the launch daemon plist:
sudo nano /System/Library/LaunchDaemons/com.apple.pfctl.plist
and replace
...
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/pfctl</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
...
with
...
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/pfctl</string>
        <string>-e</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
...
Reboot to Recovery Mode and enable SIP again.
It is possible to launch processes at startup using daemons. You can create a daemon - or even edit an already existing one - by adding or modifying a .plist file inside /System/Library/LaunchDaemons or /Library/LaunchDaemons.
In my case, running macOS Sierra, a daemon for pfctl was already located inside one of those folders, but it was set up without the -e option; consequently, at startup the daemon was launched without any effect.
The issue has been solved by adding the mentioned option, plus something more, although it is not strictly necessary:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>Label</key>
    <string>com.apple.pfctl</string>
    <key>WorkingDirectory</key>
    <string>/var/run</string>
    <key>Program</key>
    <string>/sbin/pfctl</string>
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/pfctl</string>
        <string>-e</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>/var/log/pfctl.err</string>
    <key>StandardOutPath</key>
    <string>/var/log/pfctl.out</string>
</dict>
</plist>
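Both answers above come down to the same check: does the com.apple.pfctl daemon's ProgramArguments actually pass -e to pfctl, so that the ruleset loaded with -f is also enabled? The following is an added example, not code from either answer or from Apple, that audits a plist for that condition and produces a corrected copy using Python's standard plistlib, which keeps the XML well-formed instead of hand-editing it. The sample plist embedded below is constructed to mirror the stock daemon as the answers describe it (-f without -e); the pfctl status line it parses is likewise a constructed sample. Writing the corrected file back to /System/Library/LaunchDaemons still requires SIP to be disabled, as the first answer notes.

```python
"""Audit a com.apple.pfctl launchd plist and produce a copy that enables pf at boot."""
import plistlib
import sys

# Constructed sample: the stock daemon as described on the page, which loads
# /etc/pf.conf with -f but never passes -e, so pf stays disabled after boot.
STOCK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.pfctl</string>
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/pfctl</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample of the first line `pfctl -s info` prints; the real tool
# reports "Status: Enabled ..." or "Status: Disabled ..." in that position.
SAMPLE_PFCTL_INFO = "Status: Enabled for 0 days 00:12:34           Debug: Urgent\n"


def pf_enabled_at_boot(plist_bytes: bytes) -> bool:
    """True only if the daemon will run at load, is not disabled, and passes -e."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments", [])
    return (
        "-e" in args
        and bool(data.get("RunAtLoad", False))
        and not data.get("Disabled", False)
    )


def add_enable_flag(plist_bytes: bytes) -> bytes:
    """Return the plist with -e inserted right after /sbin/pfctl (idempotent).

    Also forces RunAtLoad and drops any Disabled key, matching the second
    answer's working plist. Raises if the daemon does not invoke pfctl.
    """
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments", []))
    if not args or not args[0].endswith("pfctl"):
        raise ValueError("not a pfctl launch daemon: %r" % (args,))
    if "-e" not in args:
        args.insert(1, "-e")  # yields: /sbin/pfctl -e -f /etc/pf.conf
    data["ProgramArguments"] = args
    data["RunAtLoad"] = True
    data.pop("Disabled", None)
    return plistlib.dumps(data)


def pf_status_enabled(pfctl_info_output: str) -> bool:
    """Parse the `pfctl -s info` status line and report whether pf is running."""
    for line in pfctl_info_output.splitlines():
        if line.startswith("Status:"):
            return line.split()[1] == "Enabled"
    return False


if __name__ == "__main__":
    # Usage: python pf_daemon_check.py <input.plist> [<output.plist>]
    # With no arguments, the constructed sample above is audited instead.
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else STOCK_PLIST
    print("enables pf at boot:", pf_enabled_at_boot(src))
    fixed = add_enable_flag(src)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as fh:
            fh.write(fixed)
    else:
        sys.stdout.write(fixed.decode())
```

Running the script without arguments audits the built-in sample and prints the corrected plist; pointing it at a real file writes the corrected copy to the second path so the original can be diffed before it is installed. After a reboot, feeding the output of `sudo pfctl -s info` to `pf_status_enabled` confirms the daemon had the intended effect.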
Are there alternative solutions to this issue?
Yes*, in System Preferences / Security & Privacy / Firewall Options..., check "Enable stealth mode" and turn on Firewall.
Somehow this enables PF. You can check by running sudo pfctl -s info.
*Tested on High Sierra and Mojave