@bruienne
Created April 4, 2016 18:40
Sample script to chain-load a custom ruleset into PF without editing Apple's standard config (/etc/pf.conf stays untouched; the org rules are appended at load time)
#!/bin/bash -x
# Wait for networking to be up, just in case
/usr/sbin/ipconfig waitall
# Loop on the presence of the standard Apple ruleset before proceeding.
# This way we don't accidentally get overruled (SWIDT) if com.apple.pfctl
# happens to be loaded after myorg.pf.
count=0
while [[ $(/sbin/pfctl -sr 2>&1 | grep -c "apple") -eq 0 && $count -lt 12 ]]; do
    logger -t myorg.pfstart "Apple anchors not loaded yet, waiting..."
    count=$((count+1))
    sleep 10
done
# Re-check the ruleset itself rather than the counter, so rules that showed
# up during the final sleep are not mistaken for a timeout.
if ! /sbin/pfctl -sr 2>&1 | grep -q "apple"; then
    logger -t myorg.pfstart "Apple's rules failed to load, we're bailing here"
    exit 1
fi
# Check for our org's ruleset before attempting to chain-load it
if [ -e /etc/pf.anchors/myorg.pf.conf ]; then
    logger -t myorg.pfstart "Chain-loading myorg.pf.conf with Apple rules"
    # Feed Apple's stock /etc/pf.conf followed by our file to pfctl, so the
    # com.apple anchors stay intact and ours are appended after them.
    # stdout is discarded; stderr is left alone so launchd still captures
    # parse errors. Note that pfctl -e exits non-zero ("pf already enabled")
    # on a host where pf is already running, so its exit status is not a
    # reliable success signal; we look for our anchor in the loaded
    # ruleset instead.
    cat /etc/pf.conf /etc/pf.anchors/myorg.pf.conf | /sbin/pfctl -e -f - > /dev/null
    # Verify that our ruleset loaded, if not, try again.
    if /sbin/pfctl -sr 2>&1 | grep -q "myorg.pf"; then
        logger -t myorg.pfstart "Successfully chain-loaded myorg.pf.conf"
        exit 0
    else
        logger -t myorg.pfstart "Ruleset myorg.pf.conf did not load, retrying"
        cat /etc/pf.conf /etc/pf.anchors/myorg.pf.conf | /sbin/pfctl -e -f - > /dev/null
        # Verify the retry the same way instead of trusting pfctl's exit status
        if /sbin/pfctl -sr 2>&1 | grep -q "myorg.pf"; then
            logger -t myorg.pfstart "Successfully chain-loaded myorg.pf.conf on retry"
            exit 0
        fi
        logger -t myorg.pfstart "Ruleset myorg.pf.conf still not loaded after retry"
        exit 1
    fi
else
    logger -t myorg.pfstart "Unable to chain-load myorg.pf.conf, file not found"
    exit 1
fi
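What the chain-loaded file can look like, as an added example that is not part of this gist: the script appends /etc/pf.anchors/myorg.pf.conf to Apple's stock /etc/pf.conf, whose com.apple anchor and load anchor lines already sit in the filter section. pf requires rules to appear in section order (options, normalization, queueing, translation, filter), so anything appended after Apple's lines has to be filter-section material: macros, pass/block rules and anchors, not set options, scrub, nat or rdr. The anchor name myorg.pf, the 10.10.0.0/16 management network and the port list below are assumptions; the anchor name is chosen so that the script's pfctl -sr | grep myorg.pf check matches.

```pf
# /etc/pf.anchors/myorg.pf.conf -- constructed example, not from the gist.
# Appended after Apple's /etc/pf.conf by the chain-load script, so it may
# only contain filter-section content (macros, pass/block rules, anchors).
# A "set" option or a scrub/nat/rdr rule here would be rejected by pfctl
# as out of order.

# Hypothetical management network and admin ports; replace with your own.
mgmt_nets = "{ 10.10.0.0/16 }"
admin_ports = "{ 22, 5900 }"

# Named "myorg.pf" so that `pfctl -sr | grep myorg.pf` finds it once loaded.
anchor "myorg.pf" {
    # Management hosts may reach ssh and Apple Remote Desktop
    pass in quick proto tcp from $mgmt_nets to any port $admin_ports
    # Everyone else is dropped ("log" only produces output once a pflog
    # interface exists to capture it)
    block in log quick proto tcp from any to any port $admin_ports
}
```

Before handing this to the LaunchDaemon, parse the combined ruleset without installing it: cat /etc/pf.conf /etc/pf.anchors/myorg.pf.conf | /sbin/pfctl -n -f -. That catches ordering and syntax errors that the script's retry would otherwise just repeat. Once loaded, pfctl -sr lists only the anchor "myorg.pf" line at the top level, which is what the script greps for; the rules inside it are shown with pfctl -a myorg.pf -sr.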