Is the firewall really pfctl, or another instance of pfctl?

I was mucking around with pfctl a while back, didn't get very far and forgot about it.

Yesterday, I couldn't ssh into a remote machine. I disabled the firewall in system preferences but still had the problem. When I couldn't ping anything I wondered… So, I disabled pfctl with sudo pfctl -d and lo and behold ping and ssh were working again.

If pfctl was still running my ruleset regardless of whether the firewall in sys prefs was enabled or not then either:

  • the sys prefs firewall is a separate firewall app, not pfctl given a simple gui (as I'd assumed).
  • the firewall in sys prefs is a separate instance of pfctl, both can run independent of the other.

or it's something else (I like to give myself leeway). I've checked running processes and can only find Firewall, no pf/pfctl etc.; I'm puzzled.

Which option is the truth?


Solution 1:

There's no second instance of pfctl running. Pretty much everything you have to do with pfctl requires root privileges.

For example, just getting a listing of rules without using sudo gives a "permission denied" error:

$ pfctl -sr
pfctl: /dev/pf: Permission denied

Adding sudo allows you to view the current rule set:

$ sudo pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all

The issue you may be experiencing might be related to this post: Application Firewall is not enabling pfctl
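The two things the question conflates, pf (driven by pfctl, the packet filter) and the Application Firewall (the System Preferences switch, driven by socketfilterfw), can be told apart from a shell. The script below is an added example and is not code from the question or the answer; it assumes the standard macOS paths /sbin/pfctl and /usr/libexec/ApplicationFirewall/socketfilterfw, and the constructed sample strings reproduce the output formats shown in the answer so the parsing functions can be exercised without root or without being on a Mac.

```sh
#!/bin/sh
# Added example: report the state of both macOS firewalls separately.
# pf is controlled by pfctl and needs root (/dev/pf: Permission denied
# otherwise); the System Preferences firewall is the Application Firewall,
# queried via socketfilterfw. Toggling one does not touch the other.

# Parse the "Status:" line of `pfctl -s info` output.
# Prints "enabled", "disabled" or "unknown" (e.g. empty input when not root).
pf_status_from_info() {
    case "$1" in
        *"Status: Enabled"*)  echo enabled ;;
        *"Status: Disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# Count rules in `pfctl -sr` output that are not Apple's default anchors
# (and not the ALTQ notices). A non-zero count means a custom ruleset,
# like the one the asker loaded earlier, is still in the kernel.
custom_rule_count() {
    printf '%s\n' "$1" \
        | grep -v -e '^[[:space:]]*$' -e 'ALTQ' -e 'anchor "com.apple' \
        | wc -l | tr -d ' '
}

# Constructed samples (formats as printed by pfctl on macOS); the rule
# listing is the one shown in the answer above, i.e. Apple anchors only.
SAMPLE_INFO='Status: Enabled for 0 days 01:02:03           Debug: Urgent'
SAMPLE_RULES='scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all'

# Query the live system. Must run as root; paths are the usual macOS ones
# (an assumption, so check them on your machine).
live_report() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run with sudo: pfctl needs root" >&2
        return 1
    fi
    info=$(/sbin/pfctl -s info 2>/dev/null)
    rules=$(/sbin/pfctl -sr 2>/dev/null)
    echo "pf:  $(pf_status_from_info "$info"), $(custom_rule_count "$rules") non-Apple rule(s)"
    echo "ALF: $(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)"
}

if [ "${1:-}" = "--live" ]; then
    live_report
fi
```

Run it as `sudo sh pfcheck.sh --live`. If pf reports "enabled" with a non-zero custom rule count while socketfilterfw says the firewall is disabled, that is exactly the situation in the question: the System Preferences switch only governs the Application Firewall, and the pf ruleset stays loaded until you run `sudo pfctl -d` (disable pf) or flush it with `sudo pfctl -F rules`.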