macOS Sierra: reload firewall when network changes


I've been trying to reload pf rules whenever the network changes. Here is my plist file, /Library/LaunchAgents/com.wwk.networkchange.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.wwk.networkchange</string>
    <key>ProgramArguments</key>
    <array>
        <string>sudo /sbin/pfctl -f /Users/wwk/pf.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>WatchPaths</key>
    <array>
        <string>/private/var/run/resolv.conf</string>
    </array>
</dict>
</plist>

I can see that /private/var/run/resolv.conf is changed when network interfaces change, but the pf rules aren't reloaded at all. FYI, /Users/wwk/pf.conf is there and I've enabled /sbin/pfctl to be run without a password prompt via the /etc/sudoers file. Thanks in advance!

Pei

Posted 2017-08-26T08:00:39.367


Answers


Actually it was because my new daemon conflicted with Apple's default pfctl daemon. So I've had to update the default pfctl daemon plist to watch paths which are changed whenever the network changes. Add the following to /System/Library/LaunchDaemons/com.apple.pfctl.plist:

<key>WatchPaths</key>
<array>
    <string>/private/var/run/resolv.conf</string>
    <string>/etc/pf.conf</string>
    <string>/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist</string>
    <string>/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist</string>
</array>

Btw, we have to enable changes to system files with $ csrutil disable in macOS recovery mode to make changes in the above plist file. (We should do $ csrutil enable after making the necessary changes to system files.)

Pei

Posted 2017-08-26T08:00:39.367

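The answer above edits a SIP-protected plist. As an added example that is not part of the original thread, the following Python script builds the equivalent job as a separate LaunchDaemon (the install path /Library/LaunchDaemons, the label local.pf-reload and the /etc/pf.conf ruleset path are assumptions) using the answer's WatchPaths, and lints the argv mistake that also affects the question's plist: ProgramArguments is an argv list, so a single string holding sudo, the pfctl path and its flags is treated as one executable name and never runs.

```python
"""Added example, not code from the thread: build and check a launchd job
that reloads pf on network changes.  The label and the /etc/pf.conf path
are assumptions; a root LaunchDaemon needs no sudo and no NOPASSWD entry."""
import plistlib

# WatchPaths listed in the answer above.
NETWORK_WATCH_PATHS = [
    "/private/var/run/resolv.conf",
    "/etc/pf.conf",
    "/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist",
    "/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist",
]


def build_pf_reload_job(label="local.pf-reload", pf_conf="/etc/pf.conf"):
    """launchd job dict for /Library/LaunchDaemons/<label>.plist (assumed path).

    Keep the ruleset in a root-owned location such as /etc: a root daemon
    must not load a file that an unprivileged user can edit."""
    return {
        "Label": label,
        # ProgramArguments is argv: one <string> per argument, no sudo.
        "ProgramArguments": ["/sbin/pfctl", "-f", pf_conf],
        "RunAtLoad": True,
        "WatchPaths": list(NETWORK_WATCH_PATHS),
    }


def lint_launchd_job(job):
    """Return a list of mistakes that keep a launchd job from ever running."""
    problems = []
    args = job.get("ProgramArguments") or []
    if not args:
        return ["ProgramArguments is missing or empty"]
    if not args[0].startswith("/"):
        problems.append("ProgramArguments[0] must be an absolute path")
    if any(ch.isspace() for ch in args[0]):
        problems.append("ProgramArguments[0] contains whitespace: "
                        "split it into one <string> per argument")
    if not job.get("WatchPaths") and not job.get("RunAtLoad"):
        problems.append("job has no trigger (no WatchPaths, RunAtLoad false)")
    return problems


def to_plist_xml(job):
    """Serialize the job to the XML plist bytes that launchd reads."""
    return plistlib.dumps(job)
```

Write the bytes from to_plist_xml() to the daemon path as root, then load it with launchctl; plutil -lint on the file is the native syntax check.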