Simmons Consulting, the Website of Toby Simmons

Enable pf at startup on Apple macOS, SIP enabled


After searching for a way to enable the built-in pf firewall at startup in High Sierra (I didn’t want to additionally enable the Application Firewall, just the packet filter piece), I found many posts that all mentioned disabling System Integrity Protection (SIP) and directly editing the default launchd file:

    /System/Library/LaunchDaemons/

Instead of disabling SIP, you can create your own launchd file with a few minor edits and put it in /Library/LaunchDaemons to have the same effect. Mine is stored in:

    /Library/LaunchDaemons/com.simmonsconsulting.pfctl-enable.plist

This is the file I’m using, taking the original Apple-supplied version and editing the label string and adding the -e parameter:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
<plist version="1.0">

After creating your plist file, you can make it launch at startup using the following command:

    sudo launchctl load -w /Library/LaunchDaemons/com.simmonsconsulting.pfctl-enable.plist

Now you can reboot and verify that pf is enabled:

    sudo pfctl -s info | egrep -i --color=auto 'enabled|disabled'
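
As an added example (not the author's file, which is cut off above, and not Apple's code), this script writes a LaunchDaemon plist of the kind the post describes, sets the ownership and mode launchd expects, lints it, and loads it. The key layout (`Program`, `WorkingDirectory`, `-f /etc/pf.conf`, `RunAtLoad`) and the function names are assumptions; only the label, the `-e` flag and the `launchctl load -w` command come from the post.

```shell
#!/bin/sh
# Added example: generate, check and load a custom pf LaunchDaemon.
# The key layout is an assumption (a stock-style pfctl job plus -e),
# not the author's original file.
LABEL="com.simmonsconsulting.pfctl-enable"   # label taken from the post's file name
PLIST="/Library/LaunchDaemons/${LABEL}.plist"

# Write the plist to the path given as $1.
write_pf_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${LABEL}</string>
    <key>WorkingDirectory</key>
    <string>/var/run</string>
    <key>Program</key>
    <string>/sbin/pfctl</string>
    <key>ProgramArguments</key>
    <array>
        <string>pfctl</string>
        <string>-e</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Install on the Mac (run as root). launchd refuses to load a daemon plist
# that is not owned by root or that is writable by group/other.
install_pf_daemon() {
    write_pf_plist "$PLIST" &&
    chown root:wheel "$PLIST" &&
    chmod 644 "$PLIST" &&
    plutil -lint "$PLIST" &&
    launchctl load -w "$PLIST"
}

# Only install when asked explicitly, e.g.: sudo sh pf-daemon.sh install
if [ "${1:-}" = "install" ]; then
    install_pf_daemon
fi
```

The script name `pf-daemon.sh` is hypothetical; after a reboot, the `pfctl -s info` check above confirms the result.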
