where to put pfctl rules to make them persistent

Lingon is a GUI that allows access to the launchd data; there's an older free version of the app around, and there's a version of Lingon in the App Store. There are launchd examples around the 'net, as well.

For finding your way 'round the Unix layers of the file system and related, see the File System Programming Guide (PDF) (HTML); that has an intro to the Mac app directories, to sandboxing on OS X, and to the Unix directories.

I had the same problem.

It turned out that the ProgramArguments are not correct in the original plist file.

Changing

<string>pfctl</string>

into

<string>/sbin/pfctl</string>

and adding

<string>-e</string>

solved my issue.

My complete plist file is:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Disabled</key>

<false/>

<key>GroupName</key>

<string>wheel</string>

<key>Label</key>

<string>com.apple.pfctl</string>

<key>Program</key>

<string>/sbin/pfctl</string>

<key>ProgramArguments</key>

<array>

<string>/sbin/pfctl</string>

<string>-e</string>

<string>-f</string>

<string>/etc/pf.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>UserName</key>

<string>root</string>

<key>WorkingDirectory</key>

<string>/var/run</string>

</dict>

</plist>

To minimise the disruption to the system (there are several services that muck with pf)

add your rules in an anchor file (in a file under /usr/local) and add the anchor to the

system anchors file in:

/etc/pf.anchors/com.apple

pf can be set to start at boot via launchd

sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.pfctl.plist

launchd is the Mac OS X "replacement" for init & init scripts.

HTH

- Leland

no that will just make sure the rules are loaded correctly.

you can edit the plist file to add a -e to the pfctl command though.

<key>ProgramArguments</key>

<array>

<string>pfctl</string>

<string>-e</string> <<<<< add this line

<string>-f</string>

<string>/etc/pf.conf</string>

</array>

And it will start pf at boot, though not as early in the boot process as one would hope.

HTH

- Leland

Credit where it's due: Keith Stattenfeld confirmed my hunch independently, and Scott Lowe actually had the problem solved, though I didn't realize it until later.

When you use

pfctl

-f

-f

/etc/pf.conf

-f /etc/pf.conf

pfctl

This all works fine when you're doing it from the command line. But when you ask

launchd

stdout

stderr

pfctl

launchd

You could probably add a "quiet" flag to

pfctl

/var/run

You can just drop this in a new

launchd

pfctl

launchd

pfctl

The way we are handling pftcl is a bit of cheat, i.e. the best way 🙂

We have used IceFloor to edit the rules. See http://www.hanynet.com/icefloor/

IceFloor installs its own launchdaemon and a shell script and creates its own pf config files. (So that it does not get upset with any Apple changes to the standard pf files.)

Rather than installing IceFloor on every Mac we have copied the launchdaemon, shellscript and config files to every client Mac and when they are rebooted the launchdaemon runs the shell script which starts pf with the config files we built with IceFloor. I have even written an installer package using Apple's PackageMaker to copy all the files in to the right places which gets installed by DeployStudio during imaging.

In a directory under /usr/local would be one spot. That's the local area of the Unix layer.