
Ask Different (Apple)

Q&A for power users of Apple hardware and software

Latest Questions

3 votes
2 answers
1657 views
pf: Dynamically add rule to nat-anchor
I connect to a Cisco VPN Server and want to share that connection via wifi. Using the macOS Internet Sharing feature, I can only select one interface to share - either my LAN adapter, or the VPN connection. Clients on the wifi can then only connect to either the iNet, or the VPN. The VPN Server is only creating a split-tunnel connection - and switching to full tunnel is unfortunately not an option. Setting my nat rules directly in /etc/pf.conf/ works fine and solves my problem to a degree. I want to script and dynamically add them using a nat-anchor. Setting the anchor with load for an external config works, however when I define my anchor in pf.conf and try to populate my rules using pfctl like so:
echo "
nat on en8 from bridge100:network to any -> (en8)
nat on utun1 from bridge100:network to any -> (utun1)" | pfctl -a my.anchor -f -
or as a one-liner:
echo -e "nat on en8 from bridge100:network to any -> (en8)\nnat on utun1 from bridge100:network to any -> (utun1)\n" | pfctl -a my.anchor -f -
(w/ or w/o the trailing \n) I can confirm that the rules are set on my anchor using pfctl -sn -a my.anchor but the actual routing remains unchanged. What am I doing wrong here?
CygnusOlor (31 rep)
Mar 30, 2020, 03:04 AM • Last activity: Jul 15, 2025, 01:05 PM
0 votes
0 answers
15 views
Enabling NAT to a bridge using pf.conf?
Does anyone know how to configure NAT for use with a bridge on macOS? I tried a configuration, which I thought worked in the past, however it no longer works. I have my public internet on en1 192.168.0.10 and bridge for QEMU guests on bridge100 192.168.57.1.
sudo sysctl net.int.ip.forwarding=1
(I note, omitting the previous line causes NAT to work! Still asking if this is the correct configuration.) Here it's not set when NAT works:
sudo sysctl -a|grep fowar
''
I'm trying the following in pf.conf:
nat on en1 from bridge100:network to any -> (en1)
My routes look like:
Host: default 192.168.0.1
VM: default via 192.168.57.1
I try traceroute from the VM, and it's going through the right route, but pings time out:
$ traceroute www.google.com
traceroute to www.google.com (142.250.80.36), 30 hops max, 60 byte packets
 1  _gateway (192.168.57.1)  0.990 ms  0.644 ms  0.527 ms
^C
atod (77 rep)
Jun 29, 2025, 11:37 PM • Last activity: Jun 29, 2025, 11:57 PM
3 votes
2 answers
5618 views
pfctl to add rules at runtime WITHOUT editing /etc/pf.conf?
I have an app that (while it is running and only while it is running) needs to make changes to the packet filter (pf) so that it blocks or allows certain traffic. These rules should be in addition to the user's own rules in /etc/pf.conf - but I do not want to directly edit /etc/pf.conf as this is extremely intrusive. I can do this trivially in Linux using iptables and even in Windows using WFP without altering any on-disk files. Can I accomplish the same thing in OS X with pf? The solution only has to work in Yosemite (10.10) and above.
horseyguy (203 rep)
Jun 5, 2018, 11:51 PM • Last activity: May 29, 2025, 04:19 PM
2 votes
3 answers
2748 views
Port Forwarding on macOS Monterey
I've switched to macOS Monterey and am not able to get port forwarding working for localhost (http and https) using the loopback interface lo0. I'm using pf and doing exactly what I was doing before the OS upgrade but without success: Basically, I create a pf anchors file: /etc/pf.anchors/myorganization
rdr pass log (all) on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3000
rdr pass log (all) on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 7000
Add a reference to it in /etc/pf.conf:
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
rdr-anchor "myorganization/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
load anchor "myorganization" from "/etc/pf.anchors/myorganization"
I test the anchors:
sudo pfctl -vnf /etc/pf.anchors/myorganization
and the result looks good:
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.

rdr pass log (all) on lo0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 3000
rdr pass log (all) on lo0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 7000
I've enabled them:
sudo pfctl -evf /etc/pf.conf
sudo pfctl -e
I've added localhost to my /etc/hosts
127.0.0.1   localhost
But when I browse to https://localhost I get ERR_CONNECTION_REFUSED. If I browse to https://localhost:7000 the site is working fine. Looking at the tcp traffic using tcpdump, I was expecting to see > 127.0.0.1.7000 but it shows > 127.0.0.1.443:
23:48:04.130611 IP6 (flowlabel 0xb0300, hlim 64, next-header TCP (6) payload length: 44) ::1.50441 > ::1.443: Flags [S], seq 3067776972, win 65535, options [mss 16324,nop,wscale 6,nop,nop,TS val 964644834 ecr 0,sackOK,eol], length 0
23:48:04.130738 IP6 (flowlabel 0xa0500, hlim 64, next-header TCP (6) payload length: 44) ::1.50442 > ::1.443: Flags [S], seq 3324498656, win 65535, options [mss 16324,nop,wscale 6,nop,nop,TS val 99035196 ecr 0,sackOK,eol], length 0
23:48:04.130869 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    127.0.0.1.50443 > 127.0.0.1.443: Flags [S], seq 3800502092, win 65535, options [mss 16344,nop,wscale 6,nop,nop,TS val 2889641981 ecr 0,sackOK,eol], length 0
23:48:04.131018 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    127.0.0.1.50444 > 127.0.0.1.443: Flags [S], seq 2687597757, win 65535, options [mss 16344,nop,wscale 6,nop,nop,TS val 3887445210 ecr 0,sackOK,eol], length 0
23:48:04.133055 IP6 (flowlabel 0xf0f00, hlim 64, next-header TCP (6) payload length: 44) ::1.50445 > ::1.443: Flags [S], seq 3046833283, win 65535, options [mss 16324,nop,wscale 6,nop,nop,TS val 2977518404 ecr 0,sackOK,eol], length 0
23:48:04.133214 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    127.0.0.1.50446 > 127.0.0.1.443: Flags [S], seq 3143600809, win 65535, options [mss 16344,nop,wscale 6,nop,nop,TS val 4289031031 ecr 0,sackOK,eol], length 0
Daniel Flippance (193 rep)
Jan 20, 2022, 07:51 AM • Last activity: May 19, 2025, 07:12 PM
0 votes
0 answers
76 views
Prevent using other DNS from Android emulator
I'm on a 2021 MacBook Pro with Sequoia 15.3.2 and some of my settings (DNS, Firewall) are set with a profile by the company I work for. Sometimes I share this MacBook with a user for whom I've created a standard (non-admin) account, which has Android Studio with the Android emulator. I noticed that it is possible to start the Android emulator from the command line and set another DNS by adding the -dns-server parameter. I would like to prevent the use of another DNS in the Android emulator and possibly in other apps. I can't uninstall Android Studio as it is needed. How could I do that, independently of the network the user is connected to (I can force something on the Wifi network but not with a 4G/5G hotspot)? I first thought of the hosts file, but I think it only allows blocking by host name and not by IP. I don't have access to Firewall and DNS settings as they are handled by the company. Then I thought of pfctl but I don't know exactly how to configure it. I made a quick try but didn't succeed: I added those lines in the pfctl conf and restarted it:
block drop proto tcp from any to 8.8.8.8 port 53
block drop proto udp from any to 8.8.8.8 port 53
Then I launched the Android emulator with the -dns-server 8.8.8.8 option, but this DNS server was still accessible. Maybe I should add port 853 in my conf too? Can you please advise me on how I could do that?
Ydelo (1 rep)
May 2, 2025, 03:26 PM • Last activity: May 4, 2025, 09:24 PM
1 vote
1 answer
2480 views
Port forwarding on macOS Sonoma 14.1.1 (23B81)
I would like to set up port forwarding on my MacBook, but I don't get it working, even after studying a lot of questions here and other blog posts. I have some SSH tunnels opened from another machine to my MacBook to be able to access other services via these tunnels. The tunnels are working fine. I checked this with nc -z 127.0.0.1 and even with cURL. To be able to use these tunnels transparently, I assigned each system a custom IP address via /etc/hosts.
gitlab.acme.com    100.0.100.100
To forward all traffic from 100.0.100.100:443 to 127.0.0.1:30030 I wrote the following rule:
rdr pass proto tcp from any to 10.0.100.100 port 443 -> 127.0.0.1 port 30030
But I am unable to apply this rule. My last attempt was to put this rule in /etc/pf.conf:
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"

rdr pass proto tcp from any to 10.0.100.100 port 443 -> 127.0.0.1 port 30030

dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
Any idea why this doesn't work?
Oliver F. (19 rep)
Nov 29, 2023, 11:30 PM • Last activity: Apr 29, 2025, 08:05 AM
6 votes
1 answer
914 views
Source of PF 'anchor "com.apple.internet-sharing" all'?
I see someone had/has the same issue I'm seeing [here](https://developer.apple.com/forums/thread/656877), but I can't find an answer to it.
**What I'm trying to do**: create a packet filter that is applied to any device that's sharing internet. My use case has devices plugged into a Mac Mini via USB that shares the ethernet connection.
**What I've done so far**:
- Created a /etc/pf.anchors/tethering file with my desired rulesets
- Modified the /etc/pf.config file so it looks like this:
#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

# Custom anchor loadings
anchor "tethering"
load anchor "tethering" from "/etc/pf.anchors/tethering"
- Run command pfctl -E -f /etc/pf.conf to load modified config
- Run command pfctl -sr and get the following:
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all
anchor "tethering" all
- Finally, I test a device that's already connected and everything behaves as expected.
**What goes wrong**: Every time I connect a new device, my anchor appears to have no effect. I run the command pfctl -sr and get a different result (below). OSX automatically appends an anchor *com.apple.internet-sharing* that overrides my desired *tethering*.
scrub-anchor "com.apple/*" all fragment reassemble
scrub-anchor "com.apple.internet-sharing" all fragment reassemble
anchor "com.apple/*" all
anchor "tethering" all
anchor "com.apple.internet-sharing" all
**Finally - the question:** How can I find - and therefore modify - the .apple.internet-sharing anchor? Or, how can I prevent this anchor from being automatically added? Thanks in advance for any and all assistance.
firefever (61 rep)
Nov 7, 2021, 07:55 PM • Last activity: Apr 11, 2025, 08:05 PM
1 vote
1 answer
250 views
Why is the pf firewall (pfctl) enabled after power on on my Mac?
I'm using macOS 15.3.2, and I haven't changed /System/Library/LaunchDaemons/com.apple.pfctl.plist on my Mac. Its content is:
Disabled
	
	Label
	com.apple.pfctl
	WorkingDirectory
	/var/run
	Program
	/sbin/pfctl
	ProgramArguments
	
		pfctl
		-f
		/etc/pf.conf
	
	RunAtLoad
But when I typed sudo pfctl -s info in the terminal, it shows the status is enabled. There's no option like -e in this file, so why is pfctl enabled after power on?
Fujin (39 rep)
Mar 20, 2025, 01:16 AM • Last activity: Mar 20, 2025, 03:27 AM
2 votes
1 answer
2727 views
How to diagnose firewall issues when I open a port locally on MacOS Big Sur?
I have a specific port (8000) open on my Mac (macOS 11.6) for local web development testing. The networking isn't set up for all machines on my subnet to see this port so I need help with networking setup. Let's say my computer's NAT IP is 192.168.1.10. If I go to 192.168.1.10:8000, I get nothing. nmap also tells me the port is closed. I can access the port on 127.0.0.1:8000, though. I'm not doing anything with my router to give WLAN access; this is just so other computers and mobile devices on my local Wi-Fi network can access the server. I have turned off the application firewall, and also have tried adjusting the packet filter (PF) settings, and it kept saying that there was a syntax error in the PF list. I even tried disabling pfctl, which I did, but macOS is still blocking port 8000 and generally still seemed to be running a firewall. Is there another/different firewall system I need to configure to have my networking stack set up to allow any machine on my subnet to see the locally opened port as open?
Jason (1146 rep)
Feb 14, 2022, 01:46 PM • Last activity: Dec 30, 2024, 03:56 PM
0 votes
0 answers
20 views
pf on macos: Tried to make pf drop packets between local processes but couldn't
On macOS Sonoma 14.6.1 (with the kernel Darwin 23.6.0), I am starting five Hazelcast 3.12 nodes on localhost to emulate a split-brain scenario. Each of these nodes listens on a specific port for communication from other nodes, and communicates to other nodes from the configured ports:
| listens on |  5701 |  5702 |  5703 |  5704 |  5705 |
|------------|-------|-------|-------|-------|-------|
| sends from | 33712 | 33721 | 33731 | 33741 | 33751 |
|            | 33713 | 33723 | 33732 | 33742 | 33752 |
|            | 33714 | 33724 | 33734 | 33743 | 33753 |
|            | 33715 | 33725 | 33735 | 33745 | 33754 |
I wanted to emulate a split-brain scenario by dropping all TCP packets between nodes 1, 2, 3 and nodes 4, 5. For this purpose, I created pf (Packet Filter) rules in /etc/pf.anchors/hazelcast:
block out quick on lo0 proto tcp from 127.0.0.1 port 33711:33715 to 127.0.0.1 port 5704
block out quick on lo0 proto tcp from 127.0.0.1 port 33721:33725 to 127.0.0.1 port 5704
block out quick on lo0 proto tcp from 127.0.0.1 port 33731:33735 to 127.0.0.1 port 5704

block in  quick on lo0 proto tcp from 127.0.0.1 port 33711:33715 to 127.0.0.1 port 5704
block in  quick on lo0 proto tcp from 127.0.0.1 port 33721:33725 to 127.0.0.1 port 5704
block in  quick on lo0 proto tcp from 127.0.0.1 port 33731:33735 to 127.0.0.1 port 5704

block out quick on lo0 proto tcp from 127.0.0.1 port 33711:33715 to 127.0.0.1 port 5705
block out quick on lo0 proto tcp from 127.0.0.1 port 33721:33725 to 127.0.0.1 port 5705
block out quick on lo0 proto tcp from 127.0.0.1 port 33731:33735 to 127.0.0.1 port 5705

block in  quick on lo0 proto tcp from 127.0.0.1 port 33711:33715 to 127.0.0.1 port 5705
block in  quick on lo0 proto tcp from 127.0.0.1 port 33721:33725 to 127.0.0.1 port 5705
block in  quick on lo0 proto tcp from 127.0.0.1 port 33731:33735 to 127.0.0.1 port 5705

block out quick on lo0 proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port 5701
block out quick on lo0 proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port 5702
block out quick on lo0 proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port 5703

block in  quick on lo0 proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port 5701
block in  quick on lo0 proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port 5702
block in  quick on lo0 proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port 5703

block out quick on lo0 proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port 5701
block out quick on lo0 proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port 5702
block out quick on lo0 proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port 5703

block in  quick on lo0 proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port 5701
block in  quick on lo0 proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port 5702
block in  quick on lo0 proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port 5703
At the end of /etc/pf.conf, I added:
anchor "hazelcast/*"
load anchor "hazelcast" from "/etc/pf.anchors/hazelcast"
Then I ran the command:
sudo pfctl -Evf /etc/pf.conf
It printed:
...
Loading anchor hazelcast from /etc/pf.anchors/hazelcast
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port = 5701
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port = 5702
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port = 5703
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port = 5701
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port = 5702
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port = 5703
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33711:33715 to 127.0.0.1 port = 5704
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33721:33725 to 127.0.0.1 port = 5704
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33731:33735 to 127.0.0.1 port = 5704
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33711:33715 to 127.0.0.1 port = 5705
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33721:33725 to 127.0.0.1 port = 5705
block drop out quick on lo0 inet proto tcp from 127.0.0.1 port 33731:33735 to 127.0.0.1 port = 5705
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port = 5701
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port = 5702
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33741:33745 to 127.0.0.1 port = 5703
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port = 5701
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port = 5702
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33751:33755 to 127.0.0.1 port = 5703
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33711:33715 to 127.0.0.1 port = 5704
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33721:33725 to 127.0.0.1 port = 5704
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33731:33735 to 127.0.0.1 port = 5704
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33711:33715 to 127.0.0.1 port = 5705
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33721:33725 to 127.0.0.1 port = 5705
block drop in quick on lo0 inet proto tcp from 127.0.0.1 port 33731:33735 to 127.0.0.1 port = 5705
pf enabled
Token : 14399845021355597821
Then I started the nodes 1 and 4. In the log of the node-1, I saw:
Initialized new cluster connection between /127.0.0.1:33715 and /127.0.0.1:5704
What am I doing wrong?
danissimo (101 rep)
Nov 12, 2024, 05:45 PM
4 votes
2 answers
626 views
Starting `pf` Firewall at System Startup
I have a particular machine that I keep buttoned down very tight. Only a few specific ports/protocols are allowed. I have a pretty basic set of rules that work very well. While working on a different problem, I realized I could add a few more rules and button things down even tighter by specifying specific ports on specific network interfaces. So for example, on one network interface, only access to 80 & 443 are allowed, no mail or vpn access to that interface. So here is what one of the old rules looked like:
pass in quick proto tcp from any to any port { 80 443 } keep state
And this is what one of the new rules looks like:
pass in quick proto tcp from any to en1 port { 80 443 } keep state
The difference is subtle but I'm specifying a specific network interface, not just in to 'any'. This particular server has three connections to the internet.
**The problem is...** **pf** will no longer start up right at boot with these new rules. When I specify the interface, my **pf** startup script fails to start **pf**. And I have to do it manually through the terminal. At first glance, the problem seems like my script is probably just trying to use network interfaces that aren't up yet. But I'm already waiting for them to come up. Here is my **pf** startup script, it has been working perfectly for years, until this rule change.
#!/bin/bash
ipconfig waitall
/sbin/pfctl -e -f /etc/pf.conf
With the new rules, nothing gets loaded at system startup when this runs. But if I run the same **pfctl** command once the system is up, it loads the rules and starts the firewall just fine. I modified my script to save multiple copies of ifconfig so I could see how the status of the two interfaces en0 and en1 progress. Before the ipconfig waitall command, they are there with no IPs. After the command, they still have no IPs and they show up as 'inactive'. Over the next few seconds, the various IPs start to load up. But the two interfaces show up the whole time.
So the easy patch solution would be to just run ipconfig waitall followed by sleep 6 and call it a day. But I'd rather learn exactly what is causing the hangup so I can wait for that exact 'thing' to be ready, instead of leaving the firewall completely open for 6 seconds. It is a high traffic server and gets lots of hack/ddos attempts so every second may count.
l008com (1835 rep)
Nov 8, 2020, 11:53 AM • Last activity: Aug 9, 2024, 01:11 PM
0 votes
0 answers
311 views
MacOS Ventura: How to permanently disable pftctl
I'm on macOS Ventura on M1 Apple Silicon. Something keeps re-enabling pfctl that blocks my internet access roughly every 10 minutes. I'm no expert in macOS or pfctl but after a bit of googling, I tried deleting all anchor files I could find to no avail. To counter, I have a small loop running that keeps disabling pfctl every 10 seconds. But even then when it gets re-enabled it momentarily blocks all communication. Does anyone know how to figure out what's triggering this? How do I permanently kill pfctl so it doesn't start again? PS: This is my laptop that I used as a BYOD at my workplace. After I switched jobs, I got IT to remove all their crap but maybe something got left behind?
CybaTronX (1 rep)
Oct 5, 2023, 05:44 PM
2 votes
1 answer
1119 views
Port forwarding
I would like to intercept the TCP traffic from a device on my network. I cannot change the destination but I set the router IP to the IP of my M1 Mac Mini. I used to do this with ipfw on a virtual machine running Ubuntu. I used these commands to accomplish the interception:
sudo iptables -A PREROUTING -t nat -p tcp -d 176.58.117.69 --dport 10004 -j DNAT --to-destination 192.168.245.32
sudo iptables -A OUTPUT -t nat -p tcp -d 176.58.117.69 -j DNAT --to-destination 192.168.245.32
I want to obtain the same result with pf on macOS Monterey. I added a new anchor file under /private/etc/pf.anchors containing:
rdr pass proto tcp from any to 176.58.117.69 -> self
Sending a packet to that address on port 10004 from another computer with the IP of the Mac Mini as router IP and running nc -l 10004 on the Mac Mini does not return anything. I checked that the rules do not contain an error with:
sudo pfctl -vnf /private/etc/pf.conf
The rules were loaded with:
pfctl -ef /private/etc/pf.conf
What am I missing?
PatrickB (31 rep)
Jun 4, 2022, 02:16 PM • Last activity: Jul 8, 2023, 01:04 AM
1 vote
1 answer
1343 views
iptables like forwarding of packets with pfctl on mac os
I would like to build a bridge between two interfaces with pf, like with iptables:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
This snippet just forwards all packets from wifi to an ethernet interface. How to accomplish the same with pf? I see very often something like this in pf.conf:
rdr on en0 inet proto tcp from 192.168.1.0/24 to 192.168.1.186 port 1234 -> 192.168.1.198 port 80
nat on en0 inet proto tcp from 192.168.1.0/24 to 192.168.1.198 port 80 -> 192.168.1.186
But isn't it just a forward for a specific port and not a range of ports?
ptiza_v_nebe (13 rep)
Mar 29, 2023, 09:50 AM • Last activity: Mar 29, 2023, 11:58 PM
0 votes
1 answer
244 views
Internet connection is disabled after updating the pf.conf file
I am trying to redirect traffic on all ports to my local server by editing the pf.conf file on my MacBook. pf.conf file content:
#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#

#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
rdr pass inet proto tcp from any to any -> 127.0.0.1 port 12345
rdr pass inet proto udp from any to any -> 127.0.0.1 port 12345
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
Then ran:
sudo pfctl -f /private/etc/pf.conf
sudo pfctl -e
What could cause this issue? How to fix it?
1n4ho12 (3 rep)
Nov 29, 2022, 08:53 PM • Last activity: Nov 30, 2022, 10:30 PM
-1 votes
1 answer
917 views
Why is PF not working on M1?
I don't understand why PF does not work on M1. This problem is only on M1. I tried turning the firewall on/off. PF successfully enabled without my code.
/etc/pf.conf
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
block drop all
pass on lo0
pass on utun0
pass out proto udp from any to 169.38.69.24 port 1194
Terminal output:
sudo pfctl -e -f /etc/pf.conf
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:11: syntax error
pfctl: Syntax error in config file: pf rules not loaded
And I tried with pf.anchors:
/etc/pf.conf
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
anchor "org.vpnonly.pf"
load anchor "org.vpnonly.pf" from "/etc/pf.anchors/org.vpnonly.pf.rules"
Terminal output:
sudo pfctl -e -f /etc/pf.conf
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:9: syntax error
pfctl: Syntax error in config file: pf rules not loaded
/etc/pf.anchors/org.vpnonly.pf.rules
# Options
#set block-policy drop
set block-policy return
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0
wifi=en0
ether=en1
# Interfaces
vpn_intf = "{utun0 utun1 utun2 utun3}"
# Ports
allowed_vpn_ports = "{1194 1195 54563 50000}"
# Table with allowed IPs
table persist file "/etc/pf.anchors/vpn.list"
# Block all outgoing packets
block out all
# Antispoof protection
antispoof for $vpn_intf
# Allow DHCP.
pass quick on { $wifi $ether } proto udp from any port 67:68
# Allow outgoing packets to specified IPs only
pass out proto icmp from any to
pass out proto {tcp udp} from any to port $allowed_vpn_ports
# Allow traffic for VPN interfaces
pass out on $vpn_intf all
/etc/pf.anchors/vpn.list:
169.38.69.24
yepev97979 (15 rep)
Oct 17, 2022, 10:59 PM • Last activity: Oct 18, 2022, 07:13 AM
1 votes
0 answers
115 views
How to prevent customized pfctl's rule is overridden by system?
I add a rule in /etc/pf.conf:

```
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
nat on utun4 from en5:network to 132.128/9 -> (utun4) (utun4) round-robin
rdr-anchor "com.apple/*"
```

all but after a while, the added rule is missing. With "sudo pfctl -sn", the result is:

```
No ALTQ support in kernel
ALTQ related functions disabled
rdr on lo0 inet proto udp from any port != 49978 to 172.16.14.2 port = 53 -> 127.0.0.1 port 5373
```

The rule is overridden by some automatic system operation. How could I keep this rule all the time, not overridden? macOS version is Big Sur 11.3.1. Thanks.
neo (11 rep)
Sep 26, 2022, 05:10 AM • Last activity: Sep 26, 2022, 05:12 AM
3 votes
1 answers
798 views
Forward foo:8080 to localhost:8081 while keeping localhost:8080 available
To emulate the CI integration testing environment for the application that I’m working with, I want to be able to have the following mapping of requests happen:

* foo:8080 ⟶ localhost:8081
* bar:8080 ⟶ localhost:8080

Without the port change, I can do this easily enough by editing /etc/hosts¹ to define foo and bar to be 127.0.0.1, but the port forwarding has me stumped. Is this possible with pf and if so, how? I’ve found recipes that would map *all* requests to port 8080 to a different port, but I only want it remapped if it’s a specific hostname.

---

1. I have a vague recollection that Network Utility used to provide this capability but it is now deprecated.
Donald Hosek (230 rep)
Jul 26, 2022, 01:34 AM • Last activity: Jul 30, 2022, 07:18 PM
1 votes
3 answers
5429 views
PF Firewall : Every time I use `pfctl`, I get errors about ALTQ support
I have a slightly elaborate firewall setup where my server usually has between 400 and 800 IP addresses firewalled. It switches back and forth between two different pf tables. Every day it rebuilds the firewall list in the new table and flushes the old one. It does this all via script and it works very well. But the problem is this ALTQ error. Every time you use pfctl for anything, the first thing it does is output two error lines:

```
No ALTQ support in kernel
ALTQ related functions disabled
```

Problem is my script runs pfctl hundreds of times per day. The error log for my script is growing WAY too fast. Is there any way to suppress these error messages? pfctl does have a -q flag but that's only for ignoring non-error output. Is there a way I can more fully disable ALTQ in the config file so it won't even try to use it? Note that I don't know what ALTQ is, but I know I don't need it. My firewall works perfectly aside from the log flood.
l008com (1835 rep)
May 4, 2019, 11:52 AM • Last activity: May 30, 2022, 10:10 AM
2 votes
1 answers
1968 views
MacOS pf equivalent to iptables rule
I am looking to implement a rule like the following iptables rule on my Mac.

```
sudo iptables -t nat -A OUTPUT -d 10.244.1.8 -p tcp --dport 4369 -j DNAT --to-destination 127.0.0.1:4369
```

Context: In my current setup I am port forwarding a container in k8s through `kubectl port-forward`, and I am trying to, when I ping the IP of the running erlang node on the container, be able to translate this IP into the localhost to carry the processing (the setup can be found on this post https://www.mendrugory.com/post/remote-elixir-node-kubernetes/). Thanks in advance!
Diogo Ferreira (41 rep)
Aug 11, 2020, 01:53 PM • Last activity: May 4, 2022, 02:06 PM