Digitally Diverse

Various tech tips and ephemera from the Core Solution Group

pf & logging in Mac OS X 10.8 and 10.9

The pf firewall (see http://www.openbsd.org/faq/pf ) is an excellent tool, and there are many reasons I prefer it to ipfw (which was the native/built-in option supplied in versions of Mac OS X prior to 10.7). Not to be confused with the Application Firewall (see http://support.apple.com/en-us/HT201642).

The problem with pf in OS X is that logging is problematic, to the point of being pretty much broken.

In an effort to remedy this situation, I went searching and found Charles Edge’s post here to be particularly helpful:

http://krypted.com/mac-os-x/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/

and just as much, the following post that he refers to:

http://ikawnoclast.com/security/mac-os-x-pf-firewall-avoiding-known-bad-guys/

The Emerging Threats ETOpen ruleset is a great discovery.

Now then: In order to achieve reliable logging for pf, I suggest using launchd with a LaunchDaemon plist as shown:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>csg.pflog</string>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/local/bin/pflog.sh</string>
        </array>
        <key>KeepAlive</key>
        <dict>
                <key>NetworkState</key>
                <true/>
        </dict>
</dict>
</plist>

The script that is called (by the above plist) is simply:

#!/bin/sh
# Create the pflog0 pseudo-interface that pf writes its log records to
/sbin/ifconfig pflog0 create
# Read the log records with tcpdump and hand each line to syslog via logger
# (-l line-buffered, -n no name lookups, -e print the pf rule/action header, -ttt delta timestamps, -i interface)
/usr/sbin/tcpdump -lnettti pflog0 | /usr/bin/logger -t pf -p local2.info

The flags/options chosen for tcpdump are the ones I found to result in the most useful information being logged, for my needs. Read the manpage and adjust as desired.
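Once the pipeline above is running, the pf records end up in syslog as ordinary text lines. As an added example that is not part of the original post, the following Python script parses constructed sample lines in the format tcpdump -e prints for pflog0 (the "rule N/M(reason): action dir on iface: src.port > dst.port" layout is assumed here from tcpdump's pflog output, IPv4 only) and summarises blocked inbound packets per source address, which is the first thing one usually wants from this log:

```python
import re
from collections import Counter

# Constructed sample of what the pflog.sh pipeline would leave in syslog
# (assumed format: syslog prefix + tcpdump -e pflog output, IPv4 only).
SAMPLE_LOG = """\
Jan 12 09:15:01 mymac pf[412]: 00:00:00.000000 rule 3/0(match): block in on en0: 192.0.2.10.51234 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
Jan 12 09:15:01 mymac pf[412]: 00:00:00.412310 rule 3/0(match): block in on en0: 192.0.2.10.51235 > 198.51.100.5.23: Flags [S], seq 1, win 65535, length 0
Jan 12 09:15:02 mymac pf[412]: 00:00:00.003100 rule 0/0(match): pass out on en0: 198.51.100.5.49152 > 203.0.113.7.443: Flags [S], seq 9, win 65535, length 0
Jan 12 09:15:03 mymac pf[412]: 00:00:01.000002 rule 3/0(match): block in on en0: 192.0.2.77.40000 > 198.51.100.5.445: Flags [S], seq 2, win 1024, length 0
Jan 12 09:15:04 mymac pf[412]: 00:00:00.500000 rule 3/0(match): block in on en0: 192.0.2.10.51236 > 198.51.100.5.3389: Flags [S], seq 1, win 65535, length 0
Jan 12 09:15:05 mymac pf[412]: tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
"""

PFLOG_RE = re.compile(
    r"pf\[\d+\]: (?:\S+ )?rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

def parse_pflog_line(line):
    """Return the pf fields of one syslog line, or None for lines that carry no pf record."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("rule", "subrule", "sport", "dport"):
        d[k] = int(d[k])
    return d

def parse_pflog(text):
    """Parse every line of a syslog extract, skipping tcpdump chatter and unrelated lines."""
    return [e for e in (parse_pflog_line(l) for l in text.splitlines()) if e]

def blocked_by_source(events):
    """Map each source address of a blocked inbound packet to (count, sorted destination ports)."""
    counts = Counter()
    ports = {}
    for e in events:
        if e["action"] == "block" and e["dir"] == "in":
            counts[e["src"]] += 1
            ports.setdefault(e["src"], set()).add(e["dport"])
    return {src: (n, sorted(ports[src])) for src, n in counts.items()}

if __name__ == "__main__":
    events = parse_pflog(SAMPLE_LOG)
    for src, (n, dports) in sorted(blocked_by_source(events).items(), key=lambda kv: -kv[1][0]):
        print(f"{src:15} blocked={n:3} dst_ports={dports}")
```

Feed it the output of a syslog query for the local2 facility (or the file you point syslogd at) instead of SAMPLE_LOG to get the same summary for real traffic.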

Also note that adding a firewall entry for pf directly via pfctl doesn't appear to work. I suggest creating your own tables, configuring /etc/pf.conf appropriately (so that it refers to your custom tables; please DO leave any and all existing entries untouched), then manually editing your custom table(s) with due caution, and then using

sudo pfctl -f /etc/pf.conf

to load your changes.

Originally published January 12, 2015 by David Haines,

coresolutiongroup.com

(413) 584-5115