Being a Mac OS X user (too, not solely) for a while, I know of Apple developers’ attempts to bring some packet firewall into OS X (I guess they already had a “socket (level) firewall”). They’ve tried FreeBSD’s ipfw and threw it out later, although you can see its remains are still in the system, even in El Capitan:
and they’re trying PF now. PF itself has a rather harsh way of evolving. First of all, the term “forking” would be very appropriate here: PF for FreeBSD and OpenBSD’s PF are pretty much forks. FreeBSD 10.2 uses PF from OpenBSD 4.5. Their ways have greatly diverged. If asked which one I’d prefer, I’d rather go with OpenBSD’s, buuut, I admit it became more complex than anybody would have expected in the beginning. NAT/routing syntax, e.g., is pretty different between them.
Well, back again to Mac OS X. I don’t know which OpenBSD version they have chosen (this is a very interesting question), but I can assure you that both in Yosemite and El Capitan it’s rather “outdated, broken, rotten”.
You should realize that it contains bugs that were fixed a long time ago upstream, and it lacks some features too, even ones that are not that modern. A few things to mention:
- TCP modulate state isn’t working, don’t waste your time trying:
- Logging worked really strangely. I’d say it worked rather stickily, without the ability to unset logging for specific rules sometimes (circumstances are unclear), although I don’t have any confirmation at hand now. I’ll update this if I run into it again eventually.
- nat (together) won’t give you the result you expect. It works as expected in FreeBSD 10.2 (and maybe 10.1), although it takes you down a quiz-like path. ;) It works in OpenBSD too, although as I said earlier the syntax there has changed significantly.
- (self) and co. – the manual page says: “Surrounding the interface name (and optional modifiers) in parentheses changes this behaviour.” It simply doesn’t work. You’d have to reload the ruleset yourself with pfctl -f and your ruleset file.
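As an added check (not code from the post), this POSIX shell script lints a pf ruleset for the two constructs the post reports as unreliable on OS X PF: "modulate state" and a parenthesized (interface) or (self) address that is supposed to track address changes on its own. The sample ruleset it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Write a constructed sample pf.conf (not from the post) to the given path.
make_sample_ruleset() {
  cat > "$1" <<'EOF'
# sample pf.conf (constructed)
ext_if = "en0"
set skip on lo0
block in all
pass in on $ext_if proto tcp to ($ext_if) port 22 modulate state
pass out on $ext_if from (self) to any keep state
pass in on $ext_if proto tcp from any to $ext_if port 80 keep state
EOF
}

# Print every rule line that uses "modulate state" or a parenthesized
# interface/self address, with its line number and the reason. Comment and
# blank lines are skipped. Returns 1 if anything was flagged, else 0.
pf_osx_lint() {
  ruleset="$1"
  flagged=0
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      '#'*|'') continue ;;
    esac
    reason=""
    case "$line" in
      *"modulate state"*) reason="modulate state" ;;
    esac
    # ERE: a literal "(" then a macro/interface/self name then ")"
    if printf '%s\n' "$line" | grep -Eq '\([A-Za-z0-9_$]+\)'; then
      reason="${reason:+$reason, }parenthesized (interface) address"
    fi
    if [ -n "$reason" ]; then
      printf 'line %d: %s: %s\n' "$n" "$reason" "$line"
      flagged=1
    fi
  done < "$ruleset"
  return "$flagged"
}

# Usage: f=$(mktemp); make_sample_ruleset "$f"; pf_osx_lint "$f"
```

Rules it flags are the ones to re-check after an address change, and the ones you have to reload with pfctl -f rather than trust to update themselves.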
So, what about the rest? – Don’t expect much from PF on Mac OS X. It works generally. Buuuut…
Oh, and I was able to crash El Capitan at least 2 or 3 times when experimenting with “nat route-to”.