Why can't I create new network connections after enabling PF with a simple custom ruleset using `pfctl -f`?

Solution 1:

Debugging basics

To help you progress with PF, I advise you to create the special interface pflog with:

/usr/bin/sudo ifconfig pflog0 create

improve, for a short debugging time, your pf.conf with:

block log all

and then start spying on what is blocked with:

/usr/bin/sudo tcpdump -i pflog0

Choice of IP protocols

Before trying to write your own rule set, decide if you want to use IPv4, IPv6 or both and configure your network interface (en0) accordingly. I wouldn't recommend starting with the last configuration, which is already a nightmare when troubleshooting network problems (DNS, routing…). (Concerning this "choice of IP protocols", beware of the cursed Automatic network configuration, which does turn everything possible on so as to be sure the dummies will always find a path to the Internet.)

As soon as you switch from IPv4 to IPv6, remember to change all your pass...inet rules into pass...inet6 rules. Otherwise you will be in a perfect cul-de-sac.

Debugging pfctl

Use the pfdump.sh from this top level answer on pfctl - howto add an anchor and make it active / load it

Always keep a recovery path

Two more pieces of advice:

  1. Always keep a backup of /etc/pf.conf so as to be able to restore a working state with:

    pfctl -f /etc/pf.conf

  2. Always start your tests on a machine you have physical access to (I mean not through ssh or ARD).
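The two checks the answer above implies (a ruleset that still contains only `inet` pass rules after moving to IPv6, and a `block log all` rule so that pflog0 sees every drop) can be run against a pf.conf before it is ever loaded. The following POSIX shell helpers are an added example, not code from the answer or from PF itself; the sample ruleset, the `en0` interface and the file paths are constructed for illustration, and nothing here calls `pfctl` or `tcpdump`.

```shell
#!/bin/sh
# Offline lint for a pf.conf, as described in the answer above (added example).
# Constructed sample ruleset: IPv4-only pass rules on en0, i.e. the situation that
# turns into a "cul-de-sac" once the interface is switched to IPv6.
SAMPLE_PF_CONF='set skip on lo0
block log all
pass out on en0 inet proto tcp from any to any port { 53 80 443 } keep state
pass out on en0 inet proto udp from any to any port 53 keep state
pass in on en0 inet proto icmp all'

# Print every pass rule that matches only inet (IPv4) and has no inet6 twin,
# i.e. the same rule with " inet " replaced by " inet6 " present in the file.
# Argument: path to a pf.conf.
inet_only_pass_rules() {
    grep -E '^[[:space:]]*pass.*[[:space:]]inet[[:space:]]' "$1" |
    while IFS= read -r rule; do
        twin=$(printf '%s\n' "$rule" | sed 's/[[:space:]]inet[[:space:]]/ inet6 /')
        grep -qxF "$twin" "$1" || printf '%s\n' "$rule"
    done
}

# Number of inet-only pass rules (0 means the ruleset is IPv6-ready).
count_inet_only() {
    inet_only_pass_rules "$1" | wc -l | tr -d ' '
}

# Emit the ruleset with a 'block log all' debugging rule in first position
# unless it already contains one; later pass rules still win, so only real
# drops end up on pflog0.
with_block_log() {
    if grep -qE '^[[:space:]]*block[[:space:]]+log[[:space:]]+all' "$1"; then
        cat "$1"
    else
        printf 'block log all\n'
        cat "$1"
    fi
}

# Stand-alone usage on the constructed sample.
main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PF_CONF" > "$tmp"
    echo "inet-only pass rules: $(count_inet_only "$tmp")"
    inet_only_pass_rules "$tmp"
    rm -f "$tmp"
}
[ "${PF_LINT_NO_MAIN:-}" = "1" ] || main
```

Once the lint is clean, `pfctl -nf <file>` parses the ruleset without loading it, which fits the "keep a recovery path" advice before the real `pfctl -f`.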