Q: How are we supposed to enable the adaptive firewall under El Capitán?
Regarding the technote OS X Server: How to enable the adaptive firewall - Apple Support
The command
sudo defaults write /System/Library/LaunchDaemons/com.apple.pfctl ProgramArguments '(pfctl, -f, /etc/pf.conf, -e)'
fails under El Capitán because of System Integrity Protection:
2015-10-27 09:46:54.324 defaults[41513:1379013] Could not write domain /System/Library/LaunchDaemons/com.apple.pfctl; exiting
What are we supposed to use instead?
Posted on Oct 27, 2015 1:55 AM
The default configuration of the adaptive firewall doesn't actually work, though the documentation doesn't bother to mention that fact. Besides following those instructions, you have to edit the file /etc/af.plist. Change the value of the key "firewall_address" from the default "127.0.0.1" to the IP address of the interface on which the server listens.
The linked instructions can't be carried out in El Capitan because of system integrity protection (SIP). You can't edit the file
/System/Library/LaunchDaemons/com.apple.pfctl.plist
while the server is running. Either you have to disable SIP temporarily, boot from another volume, or (my preferred way) copy the file to
/Library/LaunchDaemons
and edit the copy. The new launchd job will supersede the built-in one. Change the filename and the job label to something like "com.myco.pfctl" to avoid confusion.
Posted on Nov 12, 2015 8:24 AM
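The procedure described in the answer above, collected into a script. This is an added example, not code from the thread or from Apple's documentation: it copies the built-in job to /Library/LaunchDaemons under the label com.myco.pfctl, applies the tech note's `defaults write` to that copy (a path SIP does not protect), sets `firewall_address` in /etc/af.plist with /usr/libexec/PlistBuddy, and loads the job with `launchctl`. The address check (rejecting 127.0.0.0/8 and malformed IPv4 addresses) and the function names are my own additions; the script must be run as root on the server itself.

```shell
#!/bin/sh
# Added example (not from the thread): replace the SIP-protected pf launchd job
# with an editable copy and point the adaptive firewall at the server's address.
# Assumptions: the built-in job lives at SRC_PLIST as the question states;
# /etc/af.plist carries a top-level string key "firewall_address"; PlistBuddy
# and launchctl are the stock macOS tools.
set -u

SRC_PLIST="/System/Library/LaunchDaemons/com.apple.pfctl.plist"
LAUNCHD_DIR="/Library/LaunchDaemons"
AF_PLIST="/etc/af.plist"

# The label launchd uses is the plist's basename without the extension.
job_label_from_path() {
  basename "$1" .plist
}

# Returns 0 only for a dotted-quad IPv4 address outside 127/8: the 127.0.0.1
# default is exactly the value the answer says makes the adaptive firewall a no-op,
# and no loopback address can be the interface a server listens on.
valid_firewall_address() {
  case "$1" in
    127.*) return 1 ;;
  esac
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# 1. copy the job out of /System under a new name (SIP only protects /System)
# 2. set Label and ProgramArguments on the copy with the tech note's own command
# 3. set firewall_address in af.plist
# 4. load the new job so it takes effect without a reboot
install_adaptive_firewall() {
  addr="$1"
  label="${2:-com.myco.pfctl}"
  if ! valid_firewall_address "$addr"; then
    echo "firewall_address must be the server's IPv4 address, not '$addr'" >&2
    return 1
  fi
  dest="$LAUNCHD_DIR/$label.plist"
  domain="${dest%.plist}"            # defaults(1) takes the path without .plist
  cp "$SRC_PLIST" "$dest" || return 1
  chown root:wheel "$dest" && chmod 644 "$dest"   # launchd rejects loosely-owned jobs
  defaults write "$domain" Label "$label"
  defaults write "$domain" ProgramArguments '(pfctl, -f, /etc/pf.conf, -e)'
  /usr/libexec/PlistBuddy -c "Set :firewall_address $addr" "$AF_PLIST"
  launchctl load -w "$dest"
  echo "loaded $(job_label_from_path "$dest") with firewall_address=$addr"
}

# usage: sudo ./adaptive-firewall.sh install <server-ip> [label]
case "${1:-}" in
  install) install_adaptive_firewall "${2:-}" "${3:-com.myco.pfctl}" ;;
esac
```

Run it as `sudo ./adaptive-firewall.sh install 192.0.2.10` (a documentation address used here as a placeholder; substitute the interface the server listens on). The validation step is deliberately strict: leaving the default 127.0.0.1 in place produces a configuration that loads cleanly and silently protects nothing, which is the failure mode the answer describes.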