
I’ve done plenty of writing on the Application Layer Firewall (ALF) and the IP FireWall (IPFW) in OS X over the years. There will be more on ALF coming in “July” but in the meantime, there’s something I hadn’t written much about in Lion and that’s the pf implementation.

To get started, let’s look at the /etc/pf.conf configuration file that comprises pf:

load anchor "com.apple" from "/etc/pf.anchors/com.apple"

Here, you can see that pf is configured with a number of anchors. An anchor is a collection of rules and tables. Basically, the anchor file being loaded is /etc/pf.anchors/com.apple. In here, we see some rules (without comments):

scrub-anchor "300.NetworkLinkConditioner/*"
dummynet-anchor "300.NetworkLinkConditioner/*"
load anchor "400.AdaptiveFirewall" from "/Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall"

These are mostly just allowing the Apple services to work with the services enabled in the Sharing system preference pane, etc. The scrub options are pretty cool, as they clean up (normalize) dirty packets before passing them on to their destination.

To see how the rules are interpreted, let’s run pfctl with the -sa option, which shows all information and stats:

Here we see information like stats on timeouts, limits on rules, etc.

Now let’s load a line below the previously called anchors in the first file:

This is going to always allow local traffic, which we need for a few internal processes. Then let’s block some stuff (after all, if we’re not filtering, why use a packet filter). First add the following to the pf.conf file to block all otherwise allowed incoming sockets:

Then to do something pretty straightforward, like allow incoming icmp traffic on en0:

Or to knock the two above lines out with one:

One more rule, to show how we’re going to pass and log data coming into en0 for both tcp and udp from anyone to the IP on that interface, 192.168.210.10, on port 548:

pass in log quick on en0 proto { tcp, udp } from any to 192.168.210.10 port 548 keep state

Of the above, tables allow you to define ranges and basically alias IPs. Anything in this section of pf.conf in angled brackets (<>) is a table that has been defined. You can also build a list, which allows multiple criteria to be defined for a given rule, and macros, which are essentially arrays of IPs, ports, etc., designed to reduce the amount of typing you have to do if you’re building out a big configuration file.

Once we’ve edited our configuration file, let’s run a quick sanity check on it:

Now, provided we don’t get any crazy errors, let’s load pf with our rules (which also loads the anchors):

Then let’s set pf to be verbose while we’re testing (we’ll turn it off later):
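The whole procedure above (write a ruleset with a macro, a table and a list; parse it without loading; load it; look at the stats) as one added shell example. This is not code from the original post: the interface (en0) and host (192.168.210.10, port 548) are the post’s, while the table name trusted_nets and its address ranges, the extra port 22 rule that uses the table, and the file path passed in are constructed for illustration. pfctl -n -v -f (parse only, verbose), pfctl -f (load), pfctl -e (enable), pfctl -s info and pfctl -sa are standard pfctl options; the parse check is skipped rather than faked on a system without pfctl.

```shell
#!/bin/sh
# Added example, not from the original post: build a small pf ruleset that
# uses a macro, a table and a list, then check and load it the way the post
# describes. Nothing here touches /etc unless you pass such a path yourself.

# write_ruleset FILE IFACE ADDR
# Writes the ruleset to FILE. pf is last-match-wins unless a rule says
# "quick", so the catch-all block goes first and the specific passes follow.
write_ruleset() {
    file=$1 iface=$2 addr=$3
    cat > "$file" <<EOF
# --- macros: stand-ins for interface names, hosts and ports ---
ext_if = "$iface"
afp_port = "548"

# --- table: a named set of addresses, referenced as <name> in rules ---
# (address ranges are constructed for this example)
table <trusted_nets> { 192.168.210.0/24, 10.0.0.0/8 }

# --- normalization: scrub inbound packets before the filter rules see them ---
scrub in on \$ext_if all

# Block everything inbound that is not explicitly passed below.
block in all

# Always allow loopback traffic; local services depend on it.
pass on lo0 all

# Allow inbound ICMP (ping, path MTU discovery) on the external interface.
pass in quick on \$ext_if proto icmp

# Only hosts in the table may reach ssh on the interface's own address;
# (\$ext_if) in parentheses means "the address(es) of that interface".
pass in quick on \$ext_if proto tcp from <trusted_nets> to (\$ext_if) port 22

# Pass and log TCP and UDP to the AFP port, keeping state so replies return.
# "{ tcp, udp }" is a list: pfctl expands it into one rule per member.
pass in log quick on \$ext_if proto { tcp, udp } from any to $addr port \$afp_port keep state
EOF
}

# rule_count FILE: number of active (non-blank, non-comment) lines, so a
# caller can confirm the file it wrote holds the ruleset it expects.
rule_count() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# check_ruleset FILE: parse the file without loading it (-n), verbosely (-v)
# so every expanded rule is printed. Returns pfctl's status, or 2 when pfctl
# is not present (for example on Linux) instead of pretending the check passed.
check_ruleset() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not available; parse check skipped" >&2
        return 2
    fi
    pfctl -n -v -f "$1"
}

# load_ruleset FILE: load the rules (which also loads any anchors they
# reference) and enable pf if it is not already running. Needs root.
load_ruleset() {
    pfctl -f "$1" || return 1
    pfctl -s info 2>/dev/null | grep -q '^Status: Enabled' || pfctl -e
}

# show_state: dump all rules and statistics (timeouts, limits, counters).
show_state() {
    pfctl -sa
}

# Demo run against a temporary file so the system configuration is untouched.
demo_file=$(mktemp "${TMPDIR:-/tmp}/pf_example.XXXXXX")
write_ruleset "$demo_file" en0 192.168.210.10
echo "wrote $(rule_count "$demo_file") active lines to $demo_file"
check_ruleset "$demo_file" || echo "parse check exited with status $?"
rm -f "$demo_file"
```

To put this on a Lion machine you would write it to its own anchor file, reference that anchor from /etc/pf.conf below the Apple anchors, run check_ruleset on /etc/pf.conf first, and only then load_ruleset; load_ruleset guards pfctl -e with pfctl -s info because pfctl -e exits non-zero when pf is already enabled.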
