PF firewall configuration for OS X 10.7 and later. This is a complete package with custom launchd item and control scripts. There's also a Makefile for creating the installer package with luggage.
Files and locations:
- Launchd item which starts the firewall on boot. Basically calls /usr/local/bin/pf-control.sh with restart argument.
- The main configuration file. We're not modifying the default /etc/pf.conf since Apple seems to modify it in their OS updates. Instead, in this file we call include /etc/pf.conf and add our own configuration.
- The macro file where we define trusted IP addresses and groups. This file is included by the default and custom rule files so anything you define here can be used when writing rules.
- The actual rule file.
- The custom rule file. Intended for client specific rules and local editing. The installer creates this in postflight script if it doesn't exist.
- This is a directory which can contain custom rules as files. Intended for the situation where some third-party application requires some special firewall rules. Create a file (programmatically) in this folder and it will be included in the final ruleset.
- Control script for the firewall. Usage: pf-control.sh start|stop|restart
- Helper script to quickly unload and load the launchd item.
Files used to create the installer:
- The Makefile for luggage. To create the installer package, run make pkg in this directory.
- Installer postflight script. Loads the firewall if installed on startup disk.
- Installer preflight script. Unloads the launchd item (if loaded) and takes a backup of the files about to be overwritten (to /var/backups/).