Simmons Consulting, the Website of Toby Simmons

Enable pf at startup on Apple macOS, SIP enabled

07 Jul

After searching for a way to enable the built in pf firewall at startup in High Sierra (I didn’t want to additionally enable the Application Firewall, just the packet filter piece) I found many posts that all mentioned disabling System Integrity Protection (SIP) and directly editing the default launchd file:

/System/Library/LaunchDaemons/com.apple.pfctl.plist

Instead of disabling SIP, you can also create your own launchd file and put it in /Library/LaunchDaemons to have the same effect, making a few minor edits.

NOPE, NOPE, NOPE. Turns out my notes below are wrong. See this Stack Exchange post for more information. You must disable SIP in order to get pf to load at startup, which really sucks if you are running a headless Mac as a server.

Mine is stored in:

/Library/LaunchDaemons/com.simmonsconsulting.pfctl-enable.plist

This is the file I’m using, taking the original Apple-supplied version and editing the label string and adding the -e parameter:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
    "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.simmonsconsulting.pfctl-enable</string>
        <key>WorkingDirectory</key>
        <string>/var/run</string>
        <key>Program</key>
        <string>/sbin/pfctl</string>
        <key>ProgramArguments</key>
        <array>
            <string>pfctl</string>
            <string>-e</string>
            <string>-f</string>
            <string>/etc/pf.conf</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
    </dict>
</plist>

After creating your plist file, you can make it launch at startup using the following command:

sudo launchctl load -w /Library/LaunchDaemons/com.simmonsconsulting.pfctl-enable.plist

Now, you can reboot and verify if pf is enabled:

sudo pfctl -s info | egrep -i --color=auto 'enabled|disabled'

Comments (2)

  1. You appear to have misunderstood the guidance from the Stack Exchange discussion (which is admittedly vague on the matter), when you write: “You must disable SIP in order to get pf to load at startup, which really sucks if you are running a headless Mac as a server.”

    SIP is just preventing you from editing the system configuration file in question. If you must edit it, you disable SIP, edit the file, then re-enable SIP. The pf firewall will start on reboot with SIP enabled.

  2. Oh, and it’s generally better to avoid editing the system startup file. Make a copy of the file, change the key, and invoke pf with the -E (rather than -e) option. Details here:

    setting up pf packet filter firewall on macOS
