After searching for a way to enable the built-in pf firewall at startup in High Sierra (I didn't want to additionally enable the Application Firewall, just the packet filter piece), I found many posts that all mentioned disabling System Integrity Protection (SIP) and directly editing the default launchd file:
Instead of disabling SIP, you can also create your own launchd file with a few minor edits and put it in /Library/LaunchDaemons to get the same effect. Mine is stored in:
This is the file I'm using: the original Apple-supplied version with the label string changed and the -e parameter added:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.simmonsconsulting.pfctl-enable</string>
    <key>WorkingDirectory</key>
    <string>/var/run</string>
    <key>Program</key>
    <string>/sbin/pfctl</string>
    <key>ProgramArguments</key>
    <array>
        <string>pfctl</string>
        <string>-e</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
After creating your plist file, you can make it launch at startup using the following command:
sudo launchctl load -w /Library/LaunchDaemons/com.simmonsconsulting.pfctl-enable.plist
Now you can reboot and verify that pf is enabled:
sudo pfctl -s info | egrep -i --color=auto 'enabled|disabled'
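The whole procedure above (write the plist, install it, load it, confirm the state) as one script. This is an added example and not part of the original post; it uses the post's label and path, generates the same plist content, and checks the "Status:" line of `pfctl -s info` rather than any line that happens to contain "enabled". The `install_pf_plist` function needs root on macOS; the sample `pfctl -s info` output is constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): generate the pf launchd plist,
# install it with the ownership launchd requires, load it, and parse
# `pfctl -s info` to confirm the resulting state.
set -eu

PF_LABEL="com.simmonsconsulting.pfctl-enable"
PF_PLIST="/Library/LaunchDaemons/${PF_LABEL}.plist"

# Print the plist for the given label to stdout (same content as the post's file).
write_pf_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$1</string>
    <key>WorkingDirectory</key>
    <string>/var/run</string>
    <key>Program</key>
    <string>/sbin/pfctl</string>
    <key>ProgramArguments</key>
    <array>
        <string>pfctl</string>
        <string>-e</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Read `pfctl -s info` on stdin and print "enabled" or "disabled" taken from
# its "Status:" line; exit 2 if no such line is present.
pf_state_from_info() {
    awk '
        tolower($0) ~ /^status:[ \t]*enabled/  { print "enabled";  found = 1; exit }
        tolower($0) ~ /^status:[ \t]*disabled/ { print "disabled"; found = 1; exit }
        END { if (!found) exit 2 }
    '
}

# Install and load the daemon. Must run as root on macOS; not exercised offline.
install_pf_plist() {
    write_pf_plist "$PF_LABEL" > "$PF_PLIST"
    # launchd rejects LaunchDaemons plists that are not root-owned or are
    # group/world writable, so fix ownership and mode before loading.
    chown root:wheel "$PF_PLIST"
    chmod 644 "$PF_PLIST"
    plutil -lint "$PF_PLIST"          # syntax check before handing it to launchd
    launchctl load -w "$PF_PLIST"
    pfctl -s info | pf_state_from_info
}

# Constructed samples of the first lines of `pfctl -s info` output, for offline use.
SAMPLE_PF_INFO_ENABLED='Status: Enabled for 0 days 00:00:05           Debug: Urgent

State Table                          Total             Rate
  current entries                        3'
SAMPLE_PF_INFO_DISABLED='Status: Disabled                              Debug: Urgent'
```

Run `install_pf_plist` as root to perform the install; the two sample variables let you check `pf_state_from_info` on a machine without pf. Checking the "Status:" line specifically avoids a false "enabled" from rule names or counters elsewhere in the output.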