Skip to content

Instantly share code, notes, and snippets.

@wknapik

wknapik/README.md

Created March 1, 2022 14:18
Show Gist options
  • Save wknapik/f68262bea6a8dda3d595cec830a7191f to your computer and use it in GitHub Desktop.
Save wknapik/f68262bea6a8dda3d595cec830a7191f to your computer and use it in GitHub Desktop.
Download ZIP
Enable packet filter on macOS
Raw
README.md

Run

launchctl load -w /Library/LaunchDaemons/local.pfctl.plist

Explanation

macOS 10.11 introduced System Integrity Protection, which makes /System (and consequently /System/Library/LaunchDaemons/com.apple.pfctl.plist) immutable, even to root. This means the plist can't be modified to enable packet filter (by adding the -E switch to pfctl). The solution is to create a custom launchd daemon, which only calls pfctl -E (calling pfctl -E -f /etc/pf.conf conflicts with com.apple.pfctl.plist, which may cause failure and pf not being enabled).

Raw
local.pfctl.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>local.pfctl</string>
<key>WorkingDirectory</key>
<string>/var/run</string>
<key>Program</key>
<string>/sbin/pfctl</string>
<key>ProgramArguments</key>
<array>
<string>pfctl</string>
<string>-E</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StandardErrorPath</key>
<string>/var/log/local.pfctl.err</string>
<key>StandardOutPath</key>
<string>/var/log/local.pfctl.out</string>
</dict>
</plist>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment