HT200259: Turn on the adaptive firewall in macOS Server

techfips

Q: Adaptive firewall on Server 5 with LaunchDaemons

Step 2 of the instructions at "OS X Server: How to enable the adaptive firewall" results in an error on Server 5(.0.15, El Capitan 10.11.1): "defaults[99364:35929732] Could not write domain /System/Library/LaunchDaemons/com.apple.pfctl; exiting". Does anybody know how to circumvent this issue?


Question has been posed before by Nick101 and is already answered. Never mind...


Message was edited by: techfips

OS X Server, OS X El Capitan (10.11.1), null

Posted on Nov 16, 2015 7:58 PM


  • by Linc Davis, Level 10 (207,990 points), Nov 17, 2015 3:50 PM in response to techfips

    The default configuration of the adaptive firewall doesn't actually work, though the documentation doesn't bother to mention that fact. Besides following those instructions, you have to edit the file /etc/af.plist. Change the value of the key "firewall_address" from the default "127.0.0.1" to the IP address of the interface on which the server listens.

    The linked instructions can't be carried out in El Capitan because of system integrity protection (SIP). You can't edit the file

    /System/Library/LaunchDaemons/com.apple.pfctl.plist

    while the server is running. Either you have to disable SIP temporarily, boot from another volume, or (my preferred way) copy the file to

    /Library/LaunchDaemons

    and edit the copy. The new launchd job will supersede the built-in one. Change the filename and the job label to something like "com.myco.pfctl" to avoid confusion.
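    The workaround above (copy the SIP-protected launchd plist to /Library/LaunchDaemons, give the copy a new filename and Label, and point firewall_address in /etc/af.plist at the listening interface) as a script. This is an added example, not code posted by Linc Davis or shipped by Apple. The label com.myco.pfctl is the one suggested in the reply; the plist contents in make_fixture are constructed stand-ins so the script can be exercised in a throwaway directory without touching the real system, and the address 192.0.2.10 is a placeholder for the server's interface IP.

    ```shell
    #!/bin/sh
    # Added example: rebuild the adaptive-firewall workaround on a scratch tree.
    # set_plist_string/get_plist_string handle plist keys whose value is a single
    # <string> on the line after the <key> (Label, firewall_address); they are not
    # a general plist parser and do not understand arrays or dicts.

    # set_plist_string FILE KEY VALUE: rewrite the <string> that follows <key>KEY</key>.
    # VALUE must not contain '&' (special in awk's sub replacement); IPs and labels never do.
    set_plist_string() {
      sps_file=$1 sps_key=$2 sps_val=$3
      awk -v key="$sps_key" -v val="$sps_val" '
        hit && /<string>/ { sub(/<string>.*<\/string>/, "<string>" val "</string>"); hit = 0 }
        $0 ~ ("<key>" key "</key>") { hit = 1 }
        { print }
      ' "$sps_file" > "$sps_file.tmp" && mv "$sps_file.tmp" "$sps_file"
    }

    # get_plist_string FILE KEY: print the <string> value that follows <key>KEY</key>.
    get_plist_string() {
      awk -v key="$2" '
        hit && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
        $0 ~ ("<key>" key "</key>") { hit = 1 }
      ' "$1"
    }

    # install_pfctl_override SRC_PLIST DEST_DIR LABEL
    # Copy the read-only job definition, relabel the copy so it does not collide with
    # the built-in label, and print the path of the new file. Any change the Apple
    # instructions prescribe for the job is then made on this copy, never on the original.
    install_pfctl_override() {
      ipo_src=$1 ipo_dest_dir=$2 ipo_label=$3
      ipo_dest="$ipo_dest_dir/$ipo_label.plist"
      cp "$ipo_src" "$ipo_dest"
      set_plist_string "$ipo_dest" Label "$ipo_label"
      printf '%s\n' "$ipo_dest"
    }

    # make_fixture: build a constructed miniature of the relevant paths under a temp
    # directory and print its root. The plist bodies are illustrative, not Apple's.
    make_fixture() {
      mf_root=$(mktemp -d)
      mkdir -p "$mf_root/System/Library/LaunchDaemons" "$mf_root/Library/LaunchDaemons" "$mf_root/etc"
      cat > "$mf_root/System/Library/LaunchDaemons/com.apple.pfctl.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.pfctl</string>
    <key>ProgramArguments</key>
    <array>
        <string>pfctl</string>
    </array>
</dict>
</plist>
EOF
      cat > "$mf_root/etc/af.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>firewall_address</key>
    <string>127.0.0.1</string>
</dict>
</plist>
EOF
      printf '%s\n' "$mf_root"
    }

    # demo: run the whole procedure against the fixture and show the results.
    demo() {
      d_root=$(make_fixture)
      d_new=$(install_pfctl_override "$d_root/System/Library/LaunchDaemons/com.apple.pfctl.plist" \
                                     "$d_root/Library/LaunchDaemons" com.myco.pfctl)
      set_plist_string "$d_root/etc/af.plist" firewall_address 192.0.2.10
      echo "override job:     $d_new (Label=$(get_plist_string "$d_new" Label))"
      echo "firewall_address: $(get_plist_string "$d_root/etc/af.plist" firewall_address)"
      rm -rf "$d_root"
    }

    if [ "${1-}" = --demo ]; then demo; fi
    ```

    Against a real El Capitan server the same functions would be pointed at / instead of the fixture root and run with sudo, after which the new job is loaded with `sudo launchctl load -w /Library/LaunchDaemons/com.myco.pfctl.plist` (my addition; the reply does not spell out the load step). Note that the original under /System is never modified, which is exactly why this sidesteps SIP.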