Enable pf at startup on Apple macOS, SIP enabled
After searching for a way to enable the built in pf firewall at startup in High Sierra (I didn’t want to additionally enable the Application Firewall, just the packet filter piece) I found many posts that all mentioned disabling System Integrity Protection (SIP) and directly editing the default launchd file:
-
/System/Library/LaunchDaemons/com.apple.pfctl.plist
Instead of disabling SIP, you can also create your own launchd file and put it in /Library/LaunchDaemons to have the same affect, making a few minor edits.
NOPE, NOPE, NOPE. Turns out my notes below are wrong. See this Stack Exchange post for more information. You must disable SIP in order to get pf to load at startup, which really sucks if you are running a headless Mac as a server.
Mine is stored in:
-
/Library/LaunchDaemons/com.simmonsconsulting.pfctl-enable.plist
This is the file I’m using, taking the original Apple-supplied version and editing the label string and adding the -e parameter:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.simmonsconsulting.pfctl-enable</string> <key>WorkingDirectory</key> <string>/var/run</string> <key>Program</key> <string>/sbin/pfctl</string> <key>ProgramArguments</key> <array> <string>pfctl</string> <string>-e</string> <string>-f</string> <string>/etc/pf.conf</string> </array> <key>RunAtLoad</key> <true></true> </dict> </plist>
After creating your plist file, you can make it launch at startup using the following command:
-
sudo launchctl load -w /Library/LaunchDaemons/com.simmonsconsulting.pfctl-enable.plist
Now, you can reboot and verify if pf is enabled:
-
sudo pfctl -s info | egrep -i --color=auto 'enabled|disabled'
