Yosemite firewall: IPFW is gone, Moving to PF

Question

Level 1

53 points

Yosemite firewall: IPFW is gone, Moving to PF

Since Yosemite no longer includes IPFW, I'm having to convert my firewall rules to PF.

What version of PF does Yosemite use? As I understand it, OpenBSD keeps changing the syntax as they change their OS version.

If you have a working Yosemite pf.conf file, please post your (sanitized) ruleset, so I can see how to setup things such as port forwarding, nat, etc.

Also, I understand that its wise to create your own pf configuration that uses an include to Apple's default /etc/pf.conf for two reasons. One, because Apple rewrites the /etc/pf.conf file with OS updates, and two, because Apple uses the /etc/pf.conf file to enable OS features. So my question is, should I make a call to include apple's /etc/pf.conf at the beginning of my ruleset, the middle, or the end?

Thank you!

Mac mini (Late 2012), OS X Yosemite (10.10), -

Posted on Nov 1, 2014 6:08 PM

Reply

Answer 1

Nov 1, 2014 7:54 PM in response to TigerKR

From man pf.conf

HISTORY

The pf.conf file format first appeared in OpenBSD 3.0.

So I'd guess just standard 3.0.

And you get full pf.conf syntax from man pf.conf.

This post seems to be a reasonable primer for including your own rules.

Reply

Answer 2

TigerKR Author

Level 1

53 points

Nov 4, 2014 8:50 PM in response to Michael Newbery

Yeah, I read the entire man page, but for instance: the man pf.conf file uses the term "egress" in an example but doesn't define it. From what I can gather it refers to the external interface, but if there are several interfaces in the computer, how does it know which one is the external (WAN) interface?

Also, that krypted site is unreachable for me in the last few days. 😟

I seriously doubt that apple is using OpenBSD 3.0's pf files, as the current release of OpenBSD is 5.6. And it gets confusing as one online tutorial <http://www.bsdnow.tv/tutorials/pf> states:

-----begin quote-----

match out on egress inet from !(egress:network) to any nat-to (egress:0)

This line performs network address translation. For a router, this is a very vital role. All the attached LAN clients (with internal IPs) will be able to access the internet, and pf will keep track of who made what connection and to where. There's a state table kept in memory of which IPs wanted to talk to which other IPs, and on what ports. This line will be significantly different on older rulesets. An older version would look something like this:

nat on $ext_if from $int_if:network to any -> ($ext_if)

I strongly recommend using OpenBSD for routers/gateways instead of the other BSDs, at least until they can get their pf updated.

-----end quote-----

Not only do I not know what egress refers to in Yosemite, but I don't know which line will work in the firewall configuration.

Reply

Answer 3

Nov 5, 2014 2:22 AM in response to TigerKR

Hmm, I can't reach the krypton site at the moment either 😟

It looks like the older nat on $ext_if syntax is the one being supported, not the match out on, since I can't find "match" in the man page.

Sorry, I was not as much use to you as I'd hoped. While I use pf as my firewall, it's on an elderly PC running FreeBSD.

The ruleset on that is as follows, which might be a help.

# # pf ruleset # # # Network: # [ Computer 1, 2, ... ] # | Cable Modem # ---------------------[NAT firewall] --- bfe0 [ this fw ] rl0 ------------- Internet # # Objectives # All computers through the NAT FW have unrestricted access to the Internet # Default deny to all incoming # Allow the following # * Auth/ident (TCP port 113) used by some services such as SMTP and IRC # * ICMP # Log filter stats on the external interface # # ext_if = "rl0" int_if = "bfe0" # Let web traffic to surfboard go direct surfboard = "192.168.100.1" tcp_services = "{ 113 }" table <priv_nets> const { 127/8, 192.168/16, 172.16/12, 10/8, 169.254/16 } # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # options # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # set loginterface $ext_if set skip on lo0 # Just ignore lo0 entirely # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # scrub # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # scrub in all # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # NAT # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # nat on $ext_if from $int_if:network to any -> ($ext_if) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # filter rules # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # block all pass in on $ext_if from $surfboard to any pass out on $ext_if from any to $surfboard block drop in on $ext_if from { <priv_nets> } to any block drop out on $ext_if from any to { <priv_nets> } # # Allow access to tcp services, and all outgoing # pass in on $ext_if inet proto tcp from any to { ($ext_if) } port $tcp_services flags S/SA keep state pass in on $int_if from any to any keep state pass out on $int_if from any to any keep state # End of Ruleset

Reply

Answer 4

TigerKR Author

Level 1

53 points

Nov 5, 2014 3:06 AM in response to Michael Newbery

Thanks for showing me your ruleset. Here's the one I've worked up so far. I haven't put it into use yet. Please let me know if you see any problems with it:

----------

# Version 2014-11-05-01

# "all" is equivalent to "from any to any"

##########

# Macros - User-defined variables may be defined and used later, simplifying the configuration file.

# Macros must be defined before they are referenced in pf.conf.

##########

# external interface (WAN)

ext_if = "en4"

# internal interface (LAN)

int_if = "en0"

# unfiltered interfaces

unfiltered_ifs = "{" $int_if, lo0 "}"

# all interfaces

all_ifs = "{" $ext_if, $int_if, lo0 "}"

# alt ip address

alt_ip = "xxx.xxx.xxx.xxx"

# static IP address for ISP

ext_ip = "(" $ext_if:0 ")"

# IP Address Range for LAN

int_net = "(" $int_if:network ")"

# LAN IP Address for myintserv Server (Web, Email, alt_serv2)

myintserv_ip = "xx.xx.xx.xx"

# TCP alt-serv1 redirect port to be forwarded to local port 12345

alt_serv1= " { 54321 } "

# TCP and UDP port to be opened in firewall for DNS

firewall_services= " { 53 } "

# TCP alt-serv2 redirect port to be forwarded to myintserv port 12345

alt_serv2= " { 43210 } "

# TCP ports used for myintserv Server (to be port forwarded from firewall)

myintserv_services= " { 25, 80, 587, 995 } "

# TCP ports to be opened on firewall

tcp_services= "{ $alt_serv1, $firewall_services, $alt_serv2, $myintserv_services "}"

# ICMP packet types to be allowed through firewall

icmp_types= " { 0, 3, 4, 8, 11 } "

##########

# Tables - Tables provide a mechanism for increasing the performance and

# flexibility of rules with large numbers of source or destination addresses.

##########

# Sun Microsystems cluster interconnect (should not be coming in over the internet)

# table <sunmicro> const { 204.152.64.0/23 }

# Special Use Addresses (should not be coming in over the internet)

# table <rfc5735> const { 0.0.0.0/8, 10.0.0.0/8, \

# 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, \

# 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, \

# 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, \

# 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }

# Do not block 192.88.99.0/24 RFC3068

# blocked network addresses

table <blocked_net_addr> const { 0.0.0.0/8, 10.0.0.0/8, \

127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, \

192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, \

198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, \

224.0.0.0/4, 240.0.0.0/4, 204.152.64.0/23 }

# for when the ban-hammer is needed for bads

table <bad_hosts> persist

##########

# Options - Options tune the behavior of the packet filtering engine.

##########

# Enable collection of packet and byte count statistics for the given interface.

set loginterface $ext_if

# Enable basic ruleset optimization. This is the default behaviour.

# Basic ruleset optimization does four things to improve the performance of ruleset evaluations:

# 1. remove duplicate rules

# 2. remove rules that are a subset of another rule

# 3. combine multiple rules into a table when advantageous

# 4. re-order the rules to improve evaluation performance

set ruleset-optimization basic

# Optimize state timeouts for a normal network environment.

set optimization normal

# A TCP RST is returned for blocked TCP packets,

# an ICMP UNREACHABLE is returned for blocked UDP packets,

# and all other packets are silently dropped.

set block-policy return

# Load fingerprints of known operating systems from the given filename.

set fingerprints "/etc/pf.os"

# list interfaces for which packets should not be filtered.

set skip on lo0

##########

# Traffic Normalization (e.g. scrub) - Traffic normalization protects internal machines against inconsistencies in Internet protocols and implementations.

##########

# normalize all incoming traffic

scrub in on $ext_if all no-df fragment reassemble

# Replace IP identification fields with random values. Makes it more difficult to count costs hidden behind a NAT box.

scrub out on $ext_if all random-id

##########

# Queueing - Queueing provides rule-based bandwidth control.

##########

# Translation (Various forms of NAT) - Translation rules specify how addresses are to be mapped or redirected to other addresses.

##########

# No need to apply NAT or redirect ports on the LAN or lo0

no nat on $unfiltered_ifs all

no rdr on $unfiltered_ifs all

# general nat rule

nat on $ext_if from $int_net to any -> $ext_ip

# redirect alt-serv1 from firewall to local port 12345

rdr on $ext_if inet proto tcp from any to $ext_ip port $alt_serv1 -> 127.0.0.1 port 12345

# redirect alt-serv2 from firewall to myintserv port 12345

rdr on $ext_if inet proto tcp from any to $ext_ip port $alt_serv2 -> $myintserv_ip port 12345

# redirect myintserv services from firewall to myintserv

rdr on $ext_if inet proto tcp from any to $ext_ip port $myintserv_services -> $myintserv_ip

##########

# Packet Filtering - Packet filtering provides rule-based blocking or passing of packets.

##########

# block and log everything by default

block return log on $ext_if all

# block anything coming from source we have no back routes for

block in from no-route to any

# block packets whose ingress interface does not match the one in

# the route back to their source address

block in from urpf-failed to any

# block and log outgoing packets that do not have our address as source,

# they are either spoofed or something is misconfigured (NAT disabled,

# for instance), we want to be nice and do not send out garbage.

block out log quick on $ext_if from ! $ext_ip to any

# silently drop broadcasts (cable modem noise)

block in quick on $ext_if from any to 255.255.255.255

# block and log incoming packets from reserved address space and invalid

# addresses, they are either spoofed or misconfigured, we cannot reply to

# them anyway (hence, no return-rst). Also block bad hosts.

block in log quick on $ext_if from { <blocked_net_addr>, <bad_hosts>, $ext_ip } to any

# spoofed address protection

antispoof log quick for $int_if

# once the traffic is permitted into an interface, we won't try to obstruct it leaving

pass out quick modulate state

# allow local traffic

pass in quick on $int_if

# allow ICMP traffic

pass in on $ext_if inet proto icmp all icmp-type $icmp_types

# open the udp ports used by those network services that will be available to the Internet

pass in on $ext_if inet proto udp from any to $ext_ip port $firewall_services

# open the tcp ports used by those network services that will be available to the Internet

pass in on $ext_if inet proto tcp from any to $ext_ip port $tcp_services

# Do not allow Windows 9x SMTP connections since they are typically

# a viral worm. Alternately we could limit these OSes to 1 connection each.

block in on $ext_if inet proto tcp from any os {"Windows 95", "Windows 98"} to any port smtp

##########

# Includes - Additional configuration files can be included with the include keyword.

##########

# include Apple's conf file which may be rewritten by OS updates, so don't modify the file, just load it

include "/etc/pf.conf"

Reply

Answer 5

Nov 5, 2014 3:42 AM in response to TigerKR

You have an extra quote in the following, before the final }

# TCP ports to be opened on firewall

tcp_services= "{ $alt_serv1, $firewall_services, $alt_serv2, $myintserv_services "}"

You probably want to add " keep state" to your "pass in" rules.

# allow local traffic

pass in quick on $int_if keep state

# allow ICMP traffic

pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# open the udp ports used by those network services that will be available to the Internet

pass in on $ext_if inet proto udp from any to $ext_ip port $firewall_services keep state

# open the tcp ports used by those network services that will be available to the Internet

pass in on $ext_if inet proto tcp from any to $ext_ip port $tcp_services keep state

Apart from that, it looks OK.

From bitter experience, be directly connected to the machine when debugging firewall rules, not via an interface subject to the firewall rules 😟

Reply

Answer 6

TigerKR Author

Level 1

53 points

Nov 5, 2014 4:16 AM in response to Michael Newbery

Your advice to be seated at the machine when editing the firewall is spot on. I've been there too, back in the early days of IPFW.

Heh, I think I'm actually missing a quote, on that line:

tcp_services= "{" $alt_serv1, $firewall_services, $alt_serv2, $myintserv_services "}"

I thought that keep state was implied with "pass"… I may have misunderstood... From man pf.conf:

pass The packet is passed; state is created unless the no state option is specified. By default packet filter filters packets statefully; the first time a packet matches a pass rule, a state entry is created; for subsequent packets the filter checks whether the packet matches any state. If it does, the packet is passed without evaluation of any rules. After the connection is closed or times out, the state entry is automatically removed. This has several advantages. For TCP connections, comparing a packet to a state involves checking its sequence numbers, as well as TCP timestamps if a scrub reassemble tcp rule applies to the connection. If these values are outside the narrow windows of expected values, the packet is dropped. This pre-vents prevents vents spoofing attacks, such as when an attacker sends packets with a fake source address/port but does not know the connection's sequence numbers. Similarly, packet filter knows how to match ICMP replies to states. For example, pass out inet proto icmp all icmp-type echoreq allows echo requests (such as those created by ping(8)) out statefully, and matches incoming echo replies correctly to states. Also, looking up states is usually faster than evaluating rules. If there are 50 rules, all of them are evaluated sequentially in O(n). Even with 50000 states, only 16 comparisons are needed to match a state, since states are stored in a binary search tree that allows searches in O(log2 n). Furthermore, correct handling of ICMP error messages is critical to many protocols, particularly TCP. Packet filter matches ICMP error messages to the correct connection, checks them against connection parameters, and passes them if appropriate. For example if an ICMP source quench message referring to a stateful TCP connection arrives, it will be matched to the state and get passed. Finally, state tracking is required for nat, binat and rdr rules, in order to track address and port translations and reverse the translation on returning packets. Packet filter will also create state for other protocols which are effectively stateless by nature. UDP packets are matched to states using only host addresses and ports, and other protocols are matched to states using only the host addresses. If stateless filtering of individual packets is desired, the no state keyword can be used to specify that state will not be created if this is the last matching rule. A number of parameters can also be set to affect how packet filter handles state tracking. See STATEFUL TRACKING OPTIONS below for fur-ther further ther details.

Reply

Answer 7

Nov 5, 2014 10:25 AM in response to TigerKR

Probably the pf.conf I've got on my firewall machine is older than current Yosemite. At the time, keep state was explicitly required, and despite multiple upgrades, I've never removed the flags. It's probably best to omit it then, in the interests of conciseness.

One of the things I like about pf is that the configuration files are (or can generally be made to be) small—and hence more humanly understandable.

I left out from my configuration file some stuff about IPv6 tunnels and VPNs that's specific to my setup. Bear in mind that if you want IPv6 as well you'll need to add some lines to do that.

Reply

Answer 8

ndsvfx

Level 1

15 points

Nov 6, 2014 7:34 PM in response to Michael Newbery

You can always use

http://www.murusfirewall.com

Access also seems to enable pf

Reply

Answer 9

TigerKR Author

Level 1

53 points

Nov 8, 2014 10:29 AM in response to TigerKR

Ok, so here's my working final ruleset. Unfortunately, I wasn't able to get port redirection working (port forwarding is working fine). As a benefit, pf seems to be much more efficient, I get double the LAN <-> LAN and WAN <-> LAN traffic throughput/bandwidth vs old IPFW and NATd - its actually pretty amazing. So here's the sanitized ruleset:

# /etc/pf.anchors/org.example.my.pf.conf

# Version 2014-11-07

##########

# Macros - User-defined variables may be defined and used later, simplifying the configuration file.

# Macros must be defined before they are referenced in pf.conf.

##########

# don't nest macros as it can lead to invalid ruleset

# external interface (WAN)

ext_if = "en4"

# internal interface (LAN)

int_if = "en0"

# static IP for external interface, from ISP

ext_ip = "xxx.xxx.xxx.xxx"

# LAN IP address for email and web server

email_web_server_ip = "xxx.xxx.xxx.xxx"

# tcp ports to open for dns and alt ssh for firewall_dns_server

firewall_dns_server_services = "{ 53, xxxxx }"

# tcp ports to open for email and web traffic for email_web_server

email_web_server_services = "{ 25, 80, 587, 995, xxxxx }"

# udp ports to open for dns traffic on firewall_dns_server (dns server)

udp_services = "{ 53 }"

# icmp types to allow echo reply, destination unreachable, echo, time exceeded

icmp_types= "{ 0, 3, 8, 11 }"

##########

# Tables - Tables provide a mechanism for increasing the performance and

# flexibility of rules with large numbers of source or destination addresses.

##########

# emerging threats, ips for the firewall to block

table <emerging_block_ips> persist file "/etc/pf.anchors/emerging-Block-IPs.txt"

# table to conatin automatic entries for IPs which try to brute force (to be implemented later)

# table <bruteforce> persist

# table to list hosts that I want to ban manually

table <bad_hosts> persist

# Sun Microsystems cluster interconnect (should not be coming in over the internet)

# table <sunmicro> const { 204.152.64.0/23 }

# Special Use Addresses (should not be coming in over the internet)

# table <rfc5735> const { 0.0.0.0/8, 10.0.0.0/8, \

# 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, \

# 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, \

# 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, \

# 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32 }

# Do not block 192.88.99.0/24 RFC3068

# Special Use Addresses (should not be coming in over the internet)

table <blocked_net_addr> const { 0.0.0.0/8, 10.0.0.0/8, \

127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, \

192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, \

198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, \

224.0.0.0/4, 240.0.0.0/4, 204.152.64.0/23 }

##########

# Options - Options tune the behavior of the packet filtering engine.

##########

# urgent -debug messages generated for serious errors

# misc - debug messages generated for various errors

# (e.g., to see status from the packet normalizer/scrubber and for state creation failures)

# loud - debug messages generated for common conditions

# (e.g., to see status from the passive OS fingerprinter)

set debug urgent

# Enable collection of packet and byte count statistics for the given interface.

set loginterface $ext_if

# A TCP RST is returned for blocked TCP packets,

# an ICMP UNREACHABLE is returned for blocked UDP packets,

# and all other packets are silently dropped.

set block-policy return

# list interfaces for which packets should not be filtered.

set skip on lo0

# Enable basic ruleset optimization. This is the default behaviour.

# Basic ruleset optimization does four things to improve the performance of ruleset evaluations:

# 1. remove duplicate rules

# 2. remove rules that are a subset of another rule

# 3. combine multiple rules into a table when advantageous

# 4. re-order the rules to improve evaluation performance

set ruleset-optimization basic

# Load fingerprints of known operating systems from the given filename.

set fingerprints "/etc/pf.os"

# Optimize state timeouts for a normal network environment.

set optimization normal

# if-bound - states are bound to the interface they're created on.

# If traffic matches a state table entry but is not crossing

# the interface recorded in that state entry, the match is rejected.

# The packet must then match a filter rule or will be dropped/rejected altogether.

# floating - states can match packets on any interface. As long as the packet matches

# a state entry and is passing in the same direction as it was on the interface

# when the state was created, it does not matter what interface it's crossing, it will pass

set state-policy floating

##########

# Traffic Normalization (e.g. scrub) - Traffic normalization protects internal machines against inconsistencies in Internet protocols and implementations.

##########

# normalize all incoming traffic

scrub in on $ext_if all no-df

# Replace IP identification fields with random values.

# Makes it more difficult to count costs hidden behind a NAT box.

scrub out on $ext_if all random-id

##########

# Queueing - Queueing provides rule-based bandwidth control.

##########

# Translation (Various forms of NAT) - Translation rules specify how addresses are to be mapped or redirected to other addresses.

##########

# general nat rule

nat on $ext_if from $int_if:network to any -> ($ext_if)

# redirect email_web_server services to email_web_server

rdr on $ext_if proto tcp to any port $email_web_server_services -> $email_web_server_ip

# DENY rouge redirection

no rdr

##########

# Packet Filtering - Packet filtering provides rule-based blocking or passing of packets.

##########

# block and log everything by default

block log all

# spoofed address protection for external interface

antispoof for $ext_if

# spoofed address protection for internal interface

antispoof for $int_if

# block anything coming from source we have no back routes for

block quick from no-route

# block packets whose ingress interface does not match the one in

# the route back to their source address

block quick from urpf-failed

# silently drop broadcasts (ISP noise)

block in log quick on $ext_if to 255.255.255.255

# silently drop IGMP (ISP noise)

block in quick on $ext_if proto IGMP from xxx.xxx.xxx.xxx to 224.0.0.1

# block and log incoming packets from emerging threats

block in log quick from <emerging_block_ips>

# block and log incoming packets from spoofed or misconfigured addresses

block in log quick on $ext_if from <blocked_net_addr>

# block and log incoming packets from hosts trying to brute force attack - not yet implemented

# block in log quick from <bruteforce>

# Do not allow Windows 9x SMTP connections since they are typically

# a viral worm. Alternately we could limit these OSes to 1 connection each.

block in log quick inet proto tcp from any os {"Windows 95", "Windows 98"} to any port smtp

# block and log outgoing packets that do not have our address as source,

# they are either spoofed or something is misconfigured (NAT disabled,

# for instance), we want to be nice and do not send out garbage.

block out log quick on $ext_if from ! $ext_ip

# once the traffic is permitted into an interface, we won't try to obstruct it leaving

# don't use modulate state, it messes up the firewall_dns_server's ability to connect to the internet

pass out quick on $ext_if

# allow local traffic

pass quick on $int_if

# open the tcp ports used by those network services that will be available to the Internet

pass in proto tcp to any port $firewall_dns_server_services

# open the tcp ports used by those network services that will be available to the Internet

pass in proto tcp to any port $email_web_server_services

# open the udp ports used by those network services that will be available to the Internet

pass in proto udp to any port $udp_services

# allow ICMP traffic

pass in inet proto icmp to any icmp-type $icmp_types

Reply

Answer 10

TigerKR Author

Level 1

53 points

Nov 8, 2014 10:33 AM in response to TigerKR

Here's the LaunchDaemon:

/Library/LaunchDaemons/org.example.my.startup.plist

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Disabled</key>

<key>Label</key>

<string>org.example.my.startup</string>

<key>ProgramArguments</key>

<array>

<string>/usr/local/bin/org.example.my.startup.sh</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>ThrottleInterval</key>

</dict>

</plist>

Reply

Answer 11

TigerKR Author

Level 1

53 points

Nov 8, 2014 10:37 AM in response to TigerKR

Here's the startup script:

#!/bin/sh

# /usr/local/bin/org.example.my.startup.sh

# version 2014-11-06-01

/usr/bin/syslog -s -l 1 Starting org.example.my.startup script...

# sleep for 15 seconds because network interfaces aren't yet up

/usr/bin/syslog -s -l 1 Initiating sleep period...

/bin/sleep 15

/usr/bin/syslog -s -l 1 Sleep period has completed, moving on...

# Use the "ipconfig waitall" command to wait for all the

# interfaces to come up:

/usr/sbin/ipconfig waitall

# interface forwarding

/usr/sbin/sysctl -w net.inet.ip.forwarding=1

# load pf firewall rules with nat

/sbin/pfctl -e

/sbin/pfctl -f /etc/pf.anchors/org.example.my.pf.conf

# log message

/usr/bin/syslog -s -l 1 corg.example.my.startup script finshed...

# Exit with a clean status

exit 0

Reply