OS X firewall configuration (pf)

I need to configure IP access restrictions on a couple of OS X clients. I’m familiar with iptables on Linux, and once upon a time knew how to do it with ipfw. However, recent OS X releases switched to BSD’s packet filter (pf).

Has anyone spun up BigFix tasks for configuring the packet filter (pf) firewall in OS X Lion and later?

If anyone does have this we can also add this to BES Support as I notice that the Firewall fixlets for OSX end at 10.6

1 Like

All,

I’ve configured PF firewalls on OS X clients recently. I’ve published the analysis we use here: http://bigfix.me/analysis/details/2994651

I’ve just uploaded the tasks we use to turn pf on and off…
Enable PF Firewall:
http://bigfix.me/fixlet/details/4016
Disable PF Firewall:
http://bigfix.me/fixlet/details/4017

Our tasks to configure the pf files are pretty specific to our area. Your changes are likely to be different, but here’s the general changes we made:

  1. backup /etc/pf.conf: "cp /etc/pf.conf /etc/pf.conf.orig"
  2. add line for our new pf file: "echo 'anchor edu.school' >> /etc/pf.conf"
  3. add line to load it: "echo 'load anchor edu.school from "/etc/pf.anchors/edu.school"' >> /etc/pf.conf"
    You can repeat steps 2 & 3 if you want to load multiple anchor files
  4. create custom anchor file. /etc/pf.anchors/edu.school is a plain text file that contains the following (specific to our needs). This configures clients to block port 22 on any subnet except the custom 10.0.1.0/26 range:
    # <ssh_allowed> is the table name assumed here (the original name was lost in extraction)
    table <ssh_allowed> {
    10.0.1.0/26
    }
    block in on en0 proto tcp from any to any port 22
    pass in on en0 proto tcp from <ssh_allowed> to any port 22
  5. Once the custom rules file is in place, and added to the pf.conf, you can use the task to start the firewall.

Our relevance for these tasks includes lines like:
not exists file "/etc/pf.anchors/edu.school" whose (concatenation of lines of it contains "10.0.1.0/26")

We then run the “chown 0:0” and “chmod 755” commands against the /etc/pf.anchors/edu.school file to prevent modifications.

Hope that helps!

2 Likes
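The five steps from the reply above, written out as one re-runnable shell script. This is an added example, not the poster's BigFix tasks: it assumes the table name ssh_allowed (the original name did not survive extraction), the install_pf_rules entry point, and that it runs as root on the client; unlike the raw echo commands it checks pf.conf before appending, so a repeated action does not duplicate the anchor lines, and it syntax-checks the ruleset with pfctl -nf before loading it.

```shell
#!/bin/sh
# Added example, not the forum poster's tasks. Installs a pf anchor on macOS that
# blocks inbound TCP/22 on en0 except from ALLOWED_NET and wires it into pf.conf.
# Assumed: table name ssh_allowed, the paths/names below, the install_pf_rules entry point.
ANCHOR_NAME="edu.school"
ANCHOR_FILE="/etc/pf.anchors/$ANCHOR_NAME"
PF_CONF="/etc/pf.conf"
ALLOWED_NET="10.0.1.0/26"

# Write the anchor file. pf uses last-match semantics, so the trailing "pass"
# overrides the "block" only for sources listed in the table.
write_anchor() {  # $1=anchor file, $2=allowed CIDR
  cat > "$1" <<EOF
table <ssh_allowed> { $2 }
block in on en0 proto tcp from any to any port 22
pass in on en0 proto tcp from <ssh_allowed> to any port 22
EOF
}

# Append the "anchor" and "load anchor" lines only if pf.conf lacks them,
# so re-running the BigFix action does not stack duplicate directives.
add_anchor_to_pfconf() {  # $1=pf.conf, $2=anchor name, $3=anchor file
  grep -qxF "anchor $2" "$1" || printf 'anchor %s\n' "$2" >> "$1"
  grep -qF "load anchor $2 from" "$1" \
    || printf 'load anchor %s from "%s"\n' "$2" "$3" >> "$1"
}

install_pf_rules() {
  [ -f "$PF_CONF.orig" ] || cp "$PF_CONF" "$PF_CONF.orig"        # step 1, one-time backup
  mkdir -p "$(dirname "$ANCHOR_FILE")"
  write_anchor "$ANCHOR_FILE" "$ALLOWED_NET"                    # step 4
  chown 0:0 "$ANCHOR_FILE" && chmod 644 "$ANCHOR_FILE"           # root-owned, read-only for others
  add_anchor_to_pfconf "$PF_CONF" "$ANCHOR_NAME" "$ANCHOR_FILE"  # steps 2 and 3
  pfctl -nf "$PF_CONF" || return 1                               # parse only; stop on a syntax error
  pfctl -f "$PF_CONF"                                            # load ruleset (and the anchor file)
  pfctl -s info | grep -q 'Status: Enabled' || pfctl -e          # step 5: enable pf if not already on
  pfctl -a "$ANCHOR_NAME" -sr                                    # show what actually landed in the anchor
}

if [ "${1:-}" = install ]; then install_pf_rules; fi
```

Run it as `sh script.sh install` on the client; the final `pfctl -a edu.school -sr` line is the quickest way to confirm the block/pass pair loaded as intended.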