I have PF working, but when I start/restart the system the postfix 'master' program asks me if I want to grant it permission to accept connections from the internet. Now, permission is set in the System Firewall that you set up through Preferences. However, I also have my own ruleset in /etc/pf.anchors/local.rules that pf loads at startup:
#
# com.apple anchor point
#
int_if = "en0"
lan_net = "192.168.0.0/24"
set skip on lo0
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
#
So I start pfctl in the plist with pfctl -ef /etc/pf.anchors/local.rules
Everything is running fine with this, except for the postfix master, which tells me that pfctl is not reading the 250.ApplicationFirewall/* anchor, which should hold the ... ApplicationFirewall rules.
This
sudo pfctl -a com.apple -sr
returns
No ALTQ support in kernel
ALTQ related functions disabled
anchor "200.AirDrop/*" all
anchor "250.ApplicationFirewall/*" all
Could it be that I shouldn't run the Application Firewall at the same time as the pf controller? Or, how do I tell pf rules to actually read the ApplicationFirewall rules?
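As an added example (not part of the question or of any answer, and not Apple's or pf's own tooling), here is a small Python linter for a pf.conf-style ruleset like the one above. It reports macros that are defined but never expanded, anchors that are declared but that no `load anchor` line fills (their rules have to be installed at runtime, for instance by a daemon calling pfctl), and whether the file contains any explicit pass/block rule at all. That last check matters because pf's default action when no rule matches is to pass, so a file that only declares anchors filters nothing by itself. The regexes cover the simple macro/anchor/rule syntax subset shown on the page, not the full pf grammar; the question's ruleset is embedded as constructed input, and the second ruleset is a constructed contrast written for this example.

```python
"""Lint a pf.conf-style ruleset (macro, anchor and filter-rule syntax subset)."""
import re
from dataclasses import dataclass, field

# Constructed input: the local.rules file from the question, reproduced as posted.
PAGE_RULESET = """\
#
# com.apple anchor point
#
int_if = "en0"
lan_net = "192.168.0.0/24"
set skip on lo0
tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
#
"""

# Constructed contrast (hypothetical): macros are actually expanded by explicit
# filter rules, and an extra anchor "custom" is declared but never loaded from a file.
HARDENED_RULESET = """\
ext_if = "en0"
tcp_services = "{ ssh, www }"
set skip on lo0
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
anchor "custom/*"
block in on $ext_if
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services
"""

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"?(.*?)"?\s*$')
LOAD_ANCHOR = re.compile(r'^load\s+anchor\s+"?([^"\s]+)"?\s+from\s+"?([^"\s]+)"?')
ANCHOR_DECL = re.compile(r'^(?:(?:scrub|nat|rdr|binat|dummynet)-)?anchor\s+"?([^"\s]+)"?')
FILTER_RULE = re.compile(r'^(?:pass|block|match)\b')


@dataclass
class LintResult:
    macros: dict = field(default_factory=dict)          # name -> value
    unused_macros: list = field(default_factory=list)   # defined, never "$name"-expanded
    anchors: set = field(default_factory=set)           # anchor names (without "/*")
    loaded_anchors: dict = field(default_factory=dict)  # anchor -> file it is loaded from
    unloaded_anchors: list = field(default_factory=list)
    has_filter_rules: bool = False                      # any top-level pass/block/match


def _strip_comment(line):
    return line.split('#', 1)[0].strip()


def lint_ruleset(text):
    res = LintResult()
    lines = [l for l in (_strip_comment(l) for l in text.splitlines()) if l]
    for line in lines:
        m = LOAD_ANCHOR.match(line)           # check before ANCHOR_DECL: "load anchor ..."
        if m:
            res.loaded_anchors[m.group(1)] = m.group(2)
            continue
        m = ANCHOR_DECL.match(line)
        if m:
            name = m.group(1)
            res.anchors.add(name[:-2] if name.endswith('/*') else name)
            continue
        if FILTER_RULE.match(line):
            res.has_filter_rules = True
            continue
        m = MACRO_DEF.match(line)
        if m:
            res.macros[m.group(1)] = m.group(2)
    # A macro is "used" if any line expands it as $name (also inside other macros).
    for name in res.macros:
        pattern = re.compile(r'\$' + re.escape(name) + r'\b')
        if not any(pattern.search(l) for l in lines):
            res.unused_macros.append(name)
    res.unloaded_anchors = sorted(res.anchors - set(res.loaded_anchors))
    return res


def report(text):
    """Human-readable findings for one ruleset."""
    r = lint_ruleset(text)
    out = [f"macro '{n}' is defined but never expanded" for n in r.unused_macros]
    for n in r.unloaded_anchors:
        out.append(f"anchor '{n}' is declared but no 'load anchor' fills it; "
                   f"its rules must be installed at runtime (pfctl -a {n} -f <file>)")
    if not r.has_filter_rules:
        out.append("no pass/block rules outside anchors: pf's default action when "
                   "no rule matches is pass, so this file filters nothing by itself")
    return out


if __name__ == "__main__":
    for label, rules in (("page ruleset", PAGE_RULESET), ("contrast", HARDENED_RULESET)):
        print(f"== {label} ==")
        for finding in report(rules) or ["no findings"]:
            print(" -", finding)
```

Run against the question's file, the linter flags all four macros as unused and the absence of any pass/block rule; the com.apple anchor is fine because the `load anchor` line fills it from /etc/pf.anchors/com.apple. Whether a sub-anchor such as 250.ApplicationFirewall actually contains rules at runtime is not something a file lint can tell you; that has to be inspected on the live system with `pfctl -a <anchor> -sr`.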