How are we supposed to enable the adaptive firewall under El Capitán?

Regarding the technote OS X Server: How to enable the adaptive firewall - Apple Support


The command


sudo defaults write /System/Library/LaunchDaemons/com.apple.pfctl ProgramArguments '(pfctl, -f, /etc/pf.conf, -e)'


fails under El Capitán because of System Integrity Protection:


2015-10-27 09:46:54.324 defaults[41513:1379013] Could not write domain /System/Library/LaunchDaemons/com.apple.pfctl; exiting


What are we supposed to use instead?

Posted on Oct 27, 2015 1:51 AM

Question marked as Best reply

Posted on Nov 12, 2015 8:24 AM

The default configuration of the adaptive firewall doesn't actually work, though the documentation doesn't bother to mention that fact. Besides following those instructions, you have to edit the file /etc/af.plist. Change the value of the key "firewall_address" from the default "127.0.0.1" to the IP address of the interface on which the server listens.

The linked instructions can't be carried out in El Capitan because of system integrity protection (SIP). You can't edit the file

/System/Library/LaunchDaemons/com.apple.pfctl.plist

while the server is running. Either you have to disable SIP temporarily, boot from another volume, or (my preferred way) copy the file to

/Library/LaunchDaemons

and edit the copy. The new launchd job will supersede the built-in one. Change the filename and the job label to something like "com.myco.pfctl" to avoid confusion.
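The two file edits this answer describes, as an added Python example that is not part of the original post. The function names are hypothetical, `firewall_address` is assumed to be a top-level key of /etc/af.plist, the sample plists are constructed, and 192.0.2.10 is a placeholder address.

```python
import ipaddress
import os
import plistlib
import tempfile

PF_ARGS = ["pfctl", "-f", "/etc/pf.conf", "-e"]  # arguments from the question


def _load(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def _save(obj, path):
    with open(path, "wb") as fh:
        plistlib.dump(obj, fh)


def make_override_job(src_plist, dest_dir, label="com.myco.pfctl"):
    """Write a relabelled copy of the pfctl job (source is only read) to dest_dir."""
    job = _load(src_plist)
    job["Label"] = label  # new job label, so it is not confused with com.apple.pfctl
    job["ProgramArguments"] = list(PF_ARGS)
    dest = os.path.join(dest_dir, label + ".plist")  # filename follows the label
    _save(job, dest)
    os.chmod(dest, 0o644)  # launchd rejects group/world-writable job files
    return dest


def set_firewall_address(af_plist, address):
    """Replace firewall_address (assumed top-level key); return the old value."""
    if ipaddress.ip_address(address).is_loopback:
        raise ValueError("use the listening interface address, not loopback")
    conf = _load(af_plist)
    old, conf["firewall_address"] = conf.get("firewall_address"), address
    _save(conf, af_plist)
    return old


def demo():
    """Run both steps on constructed sample files in a temporary directory."""
    tmp = tempfile.mkdtemp()
    src, af = os.path.join(tmp, "com.apple.pfctl.plist"), os.path.join(tmp, "af.plist")
    _save({"Label": "com.apple.pfctl", "RunAtLoad": True,
           "ProgramArguments": ["pfctl", "-f", "/etc/pf.conf"]}, src)  # constructed
    _save({"firewall_address": "127.0.0.1"}, af)  # constructed
    dest = make_override_job(src, tmp)
    old = set_firewall_address(af, "192.0.2.10")  # placeholder address
    return _load(dest), old, _load(af)
```

On the server itself the functions would be run as root against /System/Library/LaunchDaemons/com.apple.pfctl.plist, /Library/LaunchDaemons and /etc/af.plist, and the new job file must be owned by root before launchd will load it.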


Nov 12, 2015 8:24 AM in response to hgd

