network – How to dynamically add anchors on startup for apple pfctl without editing system pf.conf

I am answering this with what i’ve done so far, cuz it took some digging and could be useful to someone. You could make something more complicated based on this, it’s just kind of a start. If someone posts something better i will accept that, i guess.

A more complicated solution would save tokens and use ‘-E’ and ‘-X’ to retain and release references to the packet filtering system, or allow unloading the service, but i don’t do that here. Note that launchd does not really support running a command when unloading a service. You could write a script to keep a process alive and handle the shutdown, or in most cases you would probably just handle flushing rules for the anchor when shutting down your process for your application.

Save all of the below files to their locations and do the following:

sudo launchctl load -w /Library/LaunchDaemons/org.myorg.mypf.plist 
# Note: the next step turns on ip forwarding for your system.
# You only need to do this if you are doing actual NAT
# and not just referencing this answer for something else like packet
# filtering
sudo sysctl -w net.inet.ip.forwarding=1

If you would like ip forwarding to persist across boots, create (if needed) /etc/sysctl.conf and set contents:



Again, this is only necessary to make NAT work, as we are in this specific example. If you are doing something else, you don’t need it.


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE plist PUBLIC "-//Apple Computer/DTD PLIST 1.0//EN" "">
<plist version="1.0">


#!/usr/bin/env zsh

/sbin/pfctl -f - <<EOF
scrub-anchor "org.myorg/*"
nat-anchor "org.myorg/*"
rdr-anchor "org.myorg/*"
dummynet-anchor "org.myorg/*"
anchor "org.myorg/*"

# Flush existing rules.
# Not that useful for our one-shot, but could be useful in more complicated setups
/sbin/pfctl -a org.myorg -F all
/sbin/pfctl -a org.myorg/system -F all

/sbin/pfctl -a org.myorg/system -f /usr/local/etc/pf.anchors/org.myorg/system


# Set to your "inside" network, or see `man pf.conf` and
# use something else (you could use someif0:network, for example)
nat on en0 inet from to any -> (en0)

launchd – pfctl: Duplicate signature for

launchd – pfctl: Duplicate signature for – Ask Different

Firewall – Why can not I create new network connections after enabling PF with a simple custom ruleset with `pfctl -f`?

Why can not I create new network connections after enabling PF with a simple custom ruleset using no new network connections? pfctl -f?

I read the official FAQ tutorial for the PF firewall of OpenBSD, which is also used on macOS.

I have a single network interface en0but after loading the custom ruleset (sudo pfctl -ef ~ / pf.conf) Can not create new connections:

# Block all traffic by default
block everything

# Allow outgoing traffic
Enter en0 inet proto {tcp, udp} from any to any keep state

The loaded rules:

$ sudo pfctl -s rules
No ALTQ support in the kernel
ALTQ-related features disabled
Delete all block
On en0 inet proto tcp, output all flags S / SA keep state
faint on en0 inet proto udp all keep state

I know that consist Imply rules keep the conditionThis allows the destination host to answer and complete the TCP handshake.

Why does not it work?

Network – How do I use pfctl to route traffic through a non-standard interface?

I have a VPN that has set up a default route that (of course) is different from my gateway. All traffic is therefore routed through the tunnel.

However, I want to exempt certain apps from going through the tunnel.

With pfctl I could do the following:

Distribute fast route-to (en0 group specialgrp flags

To send all traffic from apps that belong to the specialgrp (gid) through the default gateway, not the tunnel.

This works as long as the traffic is displayed on the default gateway when I use tcpdump. The source IP address is not correct. It is set to the address specified by the VPN (a (IP address) and not my local IP address. The app can not run because the source IP is incorrect.

How do I set the source IP of the outgoing packets correctly so that they are set to the IP address of my computer and not to the VPN?

Many Thanks

logs – PF Firewall: Every time I use `pfctl`, I receive error messages regarding ALTQ support

I have a somewhat sophisticated firewall configuration where my server normally has between 400 and 800 IP addresses. It switches between two different back and forth pf Tables. Every day, the firewall list in the new table is recreated and the old one is deleted. This is done by script and works very well.

But the problem is that ALTQ Error. With every use pfctl For all, the first thing it does is issue two error lines:

No ALTQ support in the kernel
ALTQ-related features disabled

Problem is my script is running pfctl Hundreds of times a day. The error log for my script is growing too fast.

Is there a way to suppress these error messages? pfctl has a -q Flag, but that's only for ignoring the output without error. Is there a way to more completely disable ALTQ in the configuration file so it will not even try to use it?

Note that I do not know what ALTQ is, but I know I do not need it. Apart from the flood of logs, my firewall works perfectly.

DreamProxies - Cheapest USA Elite Private Proxies 100 Cheapest USA Private Proxies Buy 200 Cheap USA Private Proxies 400 Best Private Proxies Cheap 1000 USA Private Proxies 2000 USA Private Proxies 5000 Cheap USA Private Proxies - Buy Cheap Private Proxies Buy 50 Private Proxies Buy 100 Private Proxies Buy 200 Private Proxies Buy 500 Private Proxies Buy 1000 Private Proxies Buy 2000 Private Proxies New Proxy Lists Every Day Buy Quality Private Proxies