IRCNow

On a workstation where you are the only user, you can use a very simple /etc/pf.conf:

set skip on lo0 # don't filter localhost packets
ext_if = "em0" # replace em0 with your external interface

set block-policy drop # by default, drop packets silently. You can also set block-policy return to send TCP RST / ICMP unreachable instead
set loginterface $ext_if # log that interface

block all  # block all traffic by default
pass out all # pass all outgoing traffic

As a general rule, the last matching rule determines the action; the only exception is a rule with the quick keyword, which stops evaluation as soon as it matches. A packet that matches no rule at all is passed, which is why block all comes first.

I generally don't whitelist by IP addresses because I've had times where I needed to access a system from a different IP. I also avoid OS fingerprinting because, although it is available, it's not 100% accurate.

To load the ruleset once you've edited it, run:

$ doas pfctl -f /etc/pf.conf

To disable the firewall (useful for diagnosing the network), run:

$ doas pfctl -d

To enable it again:

$ doas pfctl -e

For a server, you will want to, at a minimum, allow incoming ssh packets:

set skip on lo0 # don't filter localhost packets
ext_if = "em0" # my external interface is em0

set block-policy drop # by default, drop packets silently. You can also set block-policy return to send TCP RST / ICMP unreachable instead
set loginterface $ext_if # log that interface

block all  # block all traffic by default

pass in proto tcp from 192.168.1.1 to port ssh # allow ssh only from this address

pass out all # pass all outgoing traffic

Replace 192.168.1.1 with the IP address you will be connecting from.
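To make the evaluation order concrete, here is an added Python model of how pf picks a verdict, written for this page and not taken from OpenBSD or from the page itself. It understands only the keywords used in the rulesets above (block, pass, in, out, quick, proto, from, to, port, on) and applies the last-matching-rule semantics, including the quick short-circuit and the pass-by-default behaviour for packets that match nothing. It runs four rulesets: the workstation one, the server one with block all in front of the ssh rule, the same server ruleset with block all left out, and a small one using quick. Interfaces, set options and destination hosts are parsed but not modelled, and the probe packets and the address 203.0.113.9 are constructed for illustration.

```python
"""Toy model of pf filter evaluation for the rulesets on this page (added example)."""
from dataclasses import dataclass
from typing import List, Optional

SERVICES = {"ssh": 22, "http": 80, "https": 443}  # the /etc/services names pf resolves


@dataclass
class Packet:
    direction: str  # "in" or "out"
    proto: str      # "tcp", "udp", ...
    src: str        # source address
    dport: int      # destination port


@dataclass
class Rule:
    action: str                       # "block" or "pass"
    direction: Optional[str] = None   # None matches both directions
    proto: Optional[str] = None       # None matches any protocol
    src: Optional[str] = None         # None or "any" matches every source
    dport: Optional[int] = None       # None matches any destination port
    quick: bool = False
    text: str = ""


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one filter rule; comments, macros, 'set' options and blanks yield None."""
    line = line.split("#", 1)[0].strip()
    if not line.startswith(("pass", "block")):
        return None
    toks = line.split()
    rule = Rule(action=toks[0], text=line)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t == "all":
            pass                       # 'all' means 'from any to any'
        elif t in ("on", "proto", "from", "to"):
            arg = toks[i + 1]
            if arg != "port":          # 'to port ssh' has no host token to consume
                if t == "proto":
                    rule.proto = arg
                elif t == "from":
                    rule.src = arg
                # 'on <iface>' and 'to <host>' are accepted but not modelled here
                i += 1
        elif t == "port":
            arg = toks[i + 1]
            rule.dport = SERVICES[arg] if arg in SERVICES else int(arg)
            i += 1
        else:
            raise ValueError(f"unsupported keyword {t!r} in rule: {line}")
        i += 1
    return rule


def load(conf: str) -> List[Rule]:
    """Return the filter rules of a pf.conf text, in file order."""
    return [r for r in (parse_rule(l) for l in conf.splitlines()) if r is not None]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.proto in (None, pkt.proto)
            and rule.src in (None, "any", pkt.src)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """pf's verdict: the last matching rule wins, a matching 'quick' rule ends
    evaluation at once, and a packet matching no rule at all is passed."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# The page's rulesets, comments dropped.
WORKSTATION = """
set skip on lo0
ext_if = "em0"
set block-policy drop
set loginterface $ext_if
block all
pass out all
"""

SERVER = """
set skip on lo0
ext_if = "em0"
set block-policy drop
set loginterface $ext_if
block all
pass in proto tcp from 192.168.1.1 to port ssh
pass out all
"""

# Without 'block all' nothing matches other inbound packets, so they pass.
SERVER_NO_BLOCK = SERVER.replace("block all\n", "")

# 'quick' ends evaluation, so the later 'pass' never gets a say.
QUICK_DEMO = """
block all
block quick in proto tcp to port ssh
pass in proto tcp to port ssh
"""


def verdicts(conf: str) -> dict:
    """Run a fixed set of constructed probe packets through a ruleset."""
    rules = load(conf)
    probes = {
        "ssh from 192.168.1.1":  Packet("in", "tcp", "192.168.1.1", 22),
        "ssh from 203.0.113.9":  Packet("in", "tcp", "203.0.113.9", 22),   # constructed stranger
        "http from 192.168.1.1": Packet("in", "tcp", "192.168.1.1", 80),
        "outbound https":        Packet("out", "tcp", "192.168.1.50", 443),
    }
    return {name: evaluate(rules, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, conf in [("workstation", WORKSTATION), ("server", SERVER),
                       ("server without block all", SERVER_NO_BLOCK)]:
        print(name, verdicts(conf))
    print("quick demo:", evaluate(load(QUICK_DEMO), Packet("in", "tcp", "192.168.1.1", 22)))
```

The third ruleset is the one to look at: with block all removed, ssh from any address and even HTTP to a port no rule mentions are passed, because pf's answer for an unmatched packet is pass, not block. On a real system the syntax check before loading is doas pfctl -nf /etc/pf.conf, which parses the file without installing it.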