HT200259: Turn on the adaptive firewall in macOS Server

hgd

Q: How are we supposed to enable the adaptive firewall under El Capitán?

Regarding the technote OS X Server: How to enable the adaptive firewall - Apple Support

The command

sudo defaults write /System/Library/LaunchDaemons/com.apple.pfctl ProgramArguments '(pfctl, -f, /etc/pf.conf, -e)'

fails under El Capitán because of System Integrity Protection:

2015-10-27 09:46:54.324 defaults[41513:1379013] Could not write domain /System/Library/LaunchDaemons/com.apple.pfctl; exiting

What are we supposed to use instead?

Posted on Oct 27, 2015 1:55 AM

  • by Linc Davis, Solved answer

    Nov 12, 2015 8:24 AM in response to hgd

    The default configuration of the adaptive firewall doesn't actually work, though the documentation doesn't bother to mention that fact. Besides following those instructions, you have to edit the file /etc/af.plist. Change the value of the key "firewall_address" from the default "127.0.0.1" to the IP address of the interface on which the server listens.

    The linked instructions can't be carried out in El Capitan because of system integrity protection (SIP). You can't edit the file

    /System/Library/LaunchDaemons/com.apple.pfctl.plist

    while the server is running. Either you have to disable SIP temporarily, boot from another volume, or (my preferred way) copy the file to

    /Library/LaunchDaemons

    and edit the copy. The new launchd job will supersede the built-in one. Change the filename and the job label to something like "com.myco.pfctl" to avoid confusion.
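
The steps in the answer above (copy the job to /Library/LaunchDaemons under a new file name and label, then change firewall_address in /etc/af.plist), as an added Python 3 example that is not code from the post or from Apple. The recursive search for the key, the 0644 file mode and the rejection of loopback addresses are assumptions of this example, since the page does not show the layout of either file.

```python
import ipaddress
import os
import plistlib
import sys

# ProgramArguments taken from the command quoted in the question.
PF_ARGS = ["pfctl", "-f", "/etc/pf.conf", "-e"]


def make_override_job(src, dest_dir, label="com.myco.pfctl"):
    """Write a renamed, relabelled copy of the job at src into dest_dir."""
    with open(src, "rb") as fh:
        job = plistlib.load(fh)
    job["Label"] = label
    job["ProgramArguments"] = list(PF_ARGS)
    dest = os.path.join(dest_dir, label + ".plist")
    with open(dest, "wb") as fh:
        plistlib.dump(job, fh)
    os.chmod(dest, 0o644)  # assumption: launchd refuses group/world-writable jobs
    return dest


def set_firewall_address(path, address):
    """Set every "firewall_address" key in the plist at path; return the count."""
    ip = ipaddress.ip_address(address)  # ValueError if not an IP literal
    if ip.is_loopback:
        raise ValueError("loopback is the default the answer says to replace")
    def walk(node):
        if isinstance(node, dict):
            hits = 0
            for key in node:
                if key == "firewall_address":
                    node[key], hits = str(ip), hits + 1
                else:
                    hits += walk(node[key])
            return hits
        return sum(map(walk, node)) if isinstance(node, list) else 0
    with open(path, "rb") as fh:
        conf = plistlib.load(fh)
    hits = walk(conf)
    if hits:  # rewrite the file only when a key was actually changed
        with open(path, "wb") as fh:
            plistlib.dump(conf, fh)
    return hits


if __name__ == "__main__":  # usage: SRC_PLIST DEST_DIR AF_PLIST SERVER_IP
    src, dest_dir, af, addr = sys.argv[1:5]
    print(make_override_job(src, dest_dir), set_firewall_address(af, addr))
```

Writing into /Library/LaunchDaemons and /etc requires root, and the job file should end up owned by root.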

  • by nick101

    Oct 28, 2015 3:09 AM in response to hgd

    There might be info at this link to help:

    http://krypted.com/?s=firewall

    I haven't tried it myself, so apologies in advance if it doesn't help.