PF on macOS Sierra doesn't seem to be reading ApplicationFirewall


I have PF working, but when I start/restart the system the postfix 'master' program asks me if I want to grant it permission to accept connections from the internet. Now, permission is set in the System Firewall, which you set up through Preferences. However, I also have my own ruleset in /etc/pf.anchors/local.rules that pf loads at startup.

#
# com.apple anchor point
#
# Macros: defined here but not referenced by any rule in this file.
int_if  = "en0"
lan_net = "192.168.0.0/24"

set skip on lo0
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"

# Attach Apple's nested anchors at every stage (scrub, nat, rdr, dummynet,
# filter); the load line reads their definitions from /etc/pf.anchors/com.apple.
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
#

So I start pfctl in the plist with pfctl -ef /etc/pf.anchors/local.rules

Everything is running fine with this, except for the postfix master, which tells me that pfctl is not reading the 250.ApplicationFirewall/* anchor - which should be the ... ApplicationFirewall rules.

This

sudo pfctl -a com.apple -sr

returns

No ALTQ support in kernel
ALTQ related functions disabled
anchor "200.AirDrop/*" all
anchor "250.ApplicationFirewall/*" all

Could it be that I shouldn't run the Application Firewall at the same time as the pf controller? Or, how do I tell pf rules to actually read the ApplicationFirewall rules?

Harry McGovern

Posted 2017-01-07T21:25:34.103

Reputation: 141
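As an added diagnostic (not from the original post), this POSIX shell script walks the com.apple anchor tree with pfctl and reports how many rules each nested anchor actually holds, which is the check that tells an empty 250.ApplicationFirewall anchor apart from one that pf never loaded. It assumes macOS pfctl run as root for the live walk; the parsing functions run anywhere on the sample output quoted in the question.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: walk a pf anchor tree and
# report how many rules each nested anchor holds. Assumes pfctl (macOS)
# and root privileges when walk_anchors runs.

# Read `pfctl -a <parent> -sr` output on stdin and print the full path of
# every nested anchor it declares, e.g. `anchor "250.ApplicationFirewall/*" all`
# under com.apple becomes com.apple/250.ApplicationFirewall.
child_anchors() {
    parent=$1
    sed -n -e 's|/\*"|"|' -e 's/^anchor "\([^"]*\)".*/\1/p' |
    while IFS= read -r name; do
        printf '%s/%s\n' "$parent" "$name"
    done
}

# Count the rules in `pfctl -sr` output on stdin, ignoring nested-anchor
# declarations, blank lines and the ALTQ notices pfctl prints on stderr.
count_rules() {
    awk '!/^anchor / && !/^(No )?ALTQ/ && NF { n++ } END { print n + 0 }'
}

# Recursively print each anchor with its own rule count, children indented.
walk_anchors() {
    anchor=$1
    indent=${2:-}
    out=$(pfctl -a "$anchor" -sr 2>&1)
    printf '%s%s: %s rule(s)\n' "$indent" "$anchor" \
        "$(printf '%s\n' "$out" | count_rules)"
    printf '%s\n' "$out" | child_anchors "$anchor" | while IFS= read -r child; do
        walk_anchors "$child" "  $indent"
    done
}

# Constructed sample: the output quoted in the question for
# `sudo pfctl -a com.apple -sr` (the ALTQ lines come from stderr).
SAMPLE='No ALTQ support in kernel
ALTQ related functions disabled
anchor "200.AirDrop/*" all
anchor "250.ApplicationFirewall/*" all'

# Show the children the sample declares; walk the live tree only where pfctl exists.
printf '%s\n' "$SAMPLE" | child_anchors com.apple
if command -v pfctl >/dev/null 2>&1; then
    walk_anchors com.apple
fi
```

Run it with sudo on the affected Mac: an anchor reported with 0 rule(s) and no children is attached but empty, which is a different problem from pf failing to read the file.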

No answers