junxian diao

Reputation: 693

How set PF on macOS Mojave rules and restrict ip access

Information

Docker for Mac: version: 2.0.0.3 (31259)

macOS: version 10.14.4 Mojave

PF rules

Refer to the link https://blog.neilsabol.site/post/quickly-easily-adding-pf-packet-filter-firewall-rules-macos-osx/

Trouble

My trouble is:

In the /etc/pf.conf add the rules:

block return in proto tcp from any to any port 443
pass in inet proto tcp from 10.2.0.0/24 to any port 443 no state

then run the command sudo pfctl -evf /etc/pf.conf.

Then in the browser (Chrome/Safari) I cannot access the IP address. Is pf not working in Mojave?

Upvotes: 2

Views: 5994

Answers (1)

justneilnottheseal

Reputation: 106

Thank you for reading my blog and sorry for the delay.

I did some testing with a setup similar to yours and pf seems to work in Mojave (10.14.x) and Catalina (10.15.x - beta) in the same way it did in High Sierra (10.13.x).

Are you attempting to access the site via https://localhost or https://127.0.0.1 from the Mac running Docker? If yes, you may need to add a second rule (last line below):

block return in proto tcp from any to any port 443
pass in inet proto tcp from 10.2.0.0/24 to any port 443 no state
pass in inet proto tcp from 127.0.0.1 to any port 443 no state

To test on Mojave and Catalina, I did the following.

  1. Spun up an Apache test container

     docker run -dit --name apache24-test -p 80:80 httpd:2.4

  2. Confirmed access via http://localhost and http://ipaddress

  3. Added these rules to /etc/pf.conf

     block return in proto tcp from any to any port 443
     pass in inet proto tcp from 10.2.0.0/24 to any port 443 no state
     pass in inet proto tcp from 127.0.0.1 to any port 443 no state

  4. Loaded the rules and enabled pf

     sudo pfctl -f /etc/pf.conf
     sudo pfctl -E

Once done, the Apache test site "It Works" was accessible on port 80 from the Mac running Docker and other PCs in the 10.2.0.0/24 subnet. It was not accessible from other networks.

Let me know if that helps or makes any difference. If not, there may be a Docker level networking configuration to address.

Thank you, -Neil

Upvotes: 4
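An added example (not code from the question, the answer, or the linked blog): a small evaluator for the exact rules quoted in this thread, modelling pf's "last matching rule wins" behaviour for rules that do not use the `quick` keyword and its default-pass when nothing matches. It only understands the rule shapes used above; the source addresses it checks are constructed, and it shows why the two-rule set blocks a browser on the Mac itself (source 127.0.0.1) while the third rule lets it through.

```python
# Added example: models how pf evaluates the thread's rules. It is not pf itself,
# and it only parses the subset of pf.conf syntax that appears in this thread:
#   (block [return] | pass) in [inet] proto tcp from <src> to any port <n> [no state]
# pf semantics modelled: rules are evaluated top to bottom, the LAST rule that
# matches decides (no "quick" keyword), and a packet matching no rule passes.
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<action>block(?: return)?|pass)\s+in(?:\s+inet)?\s+proto\s+tcp"
    r"\s+from\s+(?P<src>\S+)\s+to\s+any\s+port\s+(?P<port>\d+)"
)

def parse_rules(text):
    """Parse the thread's pf rules into (action, source network or None for 'any', port)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line}")
        src = m.group("src")
        net = None if src == "any" else ipaddress.ip_network(src, strict=False)
        rules.append((m.group("action").split()[0], net, int(m.group("port"))))
    return rules

def evaluate(rules, src_ip, dport):
    """Return 'pass' or 'block' for an inbound TCP packet from src_ip to port dport."""
    decision = "pass"  # pf default when no rule matches
    ip = ipaddress.ip_address(src_ip)
    for action, net, port in rules:
        if port == dport and (net is None or ip in net):
            decision = action  # later matching rules override earlier ones
    return decision

# Rulesets copied from the thread: the asker's two rules, then the answer's three.
ORIGINAL = """
block return in proto tcp from any to any port 443
pass in inet proto tcp from 10.2.0.0/24 to any port 443 no state
"""
WITH_LOOPBACK = ORIGINAL + "pass in inet proto tcp from 127.0.0.1 to any port 443 no state\n"

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("with loopback rule", WITH_LOOPBACK)):
        rules = parse_rules(text)
        for src in ("10.2.0.15", "127.0.0.1", "203.0.113.9"):  # constructed sources
            print(f"{name:20} {src:12} -> {evaluate(rules, src, 443)}")
```

On the Mac itself, `sudo pfctl -nf /etc/pf.conf` parses the real file without loading it, and `sudo pfctl -sr` prints the rules currently loaded, which is the quickest way to confirm that the edited file is what pf is actually enforcing.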
