Adding Additional Rules to the Packet Firewall
If you need to add rules to the macOS Packet Firewall beyond those provided by the EPM installation, the installation sets up a folder whose contents are loaded automatically at startup. You only need to make sure the file containing your rules is placed in the /etc/pf.anchors/edu.utexas.shared.pf.d folder on the system.
Adding firewall rules via scripting
If you are writing a script to generate the custom rules file, model it on the following example:
ExampleScript.sh
#!/bin/bash
# set up the location of the custom rules file
file_location=/etc/pf.anchors/edu.utexas.shared.pf.d/customrules.file
# check for an existing copy of the file
if [ -e "$file_location" ]; then
    echo "That custom rules file already exists, nothing done!"
else
    # create the file if it does not already exist
    cat > "$file_location" <<EOF
# =====================================================
# Custom Rules to do stuff
# =====================================================
# Allow DHCP
#pass in log inet proto udp from any port 67 to any port 68
EOF
fi
# set proper ownership and permissions for the custom rules file
/bin/chmod 644 "$file_location"
/bin/chown root:wheel "$file_location"
# restart the packet firewall to ensure the changes are loaded
/usr/local/bin/pf-restart.sh
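Because everything in the anchor folder becomes a live firewall rule at the next start, it is worth checking a rules file before installing it. The following is an added example, not part of the EPM installation or the script above: it refuses files that are group- or world-writable, runs a pfctl dry-run parse when pfctl is available, and only then installs the file as root:wheel 0644 and calls the page's pf-restart.sh helper. The /usr/bin/install call and the check_rule_file/install_rule_file names are assumptions of this example.

```bash
#!/bin/bash
# Example helper (assumed names, not from the EPM installation).
ANCHOR_DIR=/etc/pf.anchors/edu.utexas.shared.pf.d

# check_rule_file FILE
# Returns 0 when FILE is a regular file that is not group/world writable
# and, when pfctl is present, parses cleanly; returns 1 otherwise.
check_rule_file() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    # Symbolic -perm tests work with both BSD (macOS) and GNU find.
    if [ -n "$(find "$f" -maxdepth 0 \( -perm -g+w -o -perm -o+w \))" ]; then
        echo "group/world writable, refusing: $f" >&2
        return 1
    fi
    # -n is a dry run: the rules are parsed but nothing is loaded into pf.
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$f" >/dev/null 2>&1 || { echo "syntax error: $f" >&2; return 1; }
    fi
    return 0
}

# install_rule_file SRC NAME
# Copies SRC into the anchor folder as NAME (root:wheel, 0644) only after it
# passes check_rule_file, then restarts pf with the page's helper script.
install_rule_file() {
    src=$1
    dest="$ANCHOR_DIR/$2"
    check_rule_file "$src" || return 1
    /usr/bin/install -o root -g wheel -m 644 "$src" "$dest" || return 1
    /usr/local/bin/pf-restart.sh
}
```

Run install_rule_file as root, for example install_rule_file ./customrules.file customrules.file, so the install and restart steps have the privileges they need.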
Adding firewall rules via package
A package can be constructed to deliver the custom rules file to the /etc/pf.anchors/edu.utexas.shared.pf.d folder on the system.
The included UTexas-PacketFirewall-ExtraRules.zip archive contains a package built with the Whitebox Packages application that delivers the rules file in this way.