OS X Server: Packet filter rules do not load

On OS X Mountain Lion systems configured as a server using OS X Server, the pfctl utility may not load rules into the packet filter. Rules added automatically by the Adaptive Firewall service and rules added manually by the system administrator will not be enforced by the packet filter.

This article has been archived and is no longer updated by Apple.

To resolve this issue, use a text editor as the root user to edit the /etc/pf.anchors/com.apple file. Locate the following line near the end of the file:

load anchor "400.AdaptiveFirewall/" from "/Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall"

Edit the line to remove the forward slash character "/" after the first "400.AdaptiveFirewall". After editing the line, it should appear like this:

load anchor "400.AdaptiveFirewall" from "/Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall"

Save changes to the file, then use the pfctl command to reload rules and enable the packet filter:

sudo pfctl -f /etc/pf.conf
sudo pfctl -e


Alternative non-interactive procedure

As an alternative to the procedure described above, system administrators may use the following command to edit the file non-interactively:

sudo ruby -an -i.bak -e 'puts $_ =~ /^(load anchor "400.AdaptiveFirewall)\/(".*)/ ? $1<<$2 : $_' /etc/pf.anchors/com.apple
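
The same edit as a re-runnable shell check, given here as an added example and not Apple's code: it changes only the faulty line, keeps a .bak copy, and then asks pfctl to parse the ruleset without loading it (-n). The function names and the sample file contents are constructed for illustration; the paths are the ones given in this article.

```shell
#!/bin/sh
# Added example (not Apple's code). Function names are hypothetical.

# Exit 0 if FILE still contains the faulty 'load anchor "400.AdaptiveFirewall/"' line.
has_bad_anchor() {
    grep -q '^load anchor "400\.AdaptiveFirewall/" ' "$1"
}

# Remove the slash from the anchor name only; keeps FILE.bak. Safe to re-run.
fix_anchor() {
    has_bad_anchor "$1" || return 0
    cp -p "$1" "$1.bak" || return 1
    fa_tmp=$(mktemp "${TMPDIR:-/tmp}/pfanchor.XXXXXX") || return 1
    sed 's|^\(load anchor "400\.AdaptiveFirewall\)/\(" \)|\1\2|' "$1" > "$fa_tmp" &&
        cat "$fa_tmp" > "$1"        # cat preserves the owner and mode of FILE
    fa_rc=$?
    rm -f "$fa_tmp"
    return "$fa_rc"
}

# Parse-check the ruleset (-n loads nothing), then print the pf status line.
check_pf() {
    pfctl -n -f /etc/pf.conf || return 1
    pfctl -s info 2>/dev/null | grep '^Status:'
}

# Constructed sample of the affected file, used when no path is given.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a copy of the shipped file
anchor "400.AdaptiveFirewall/*"
load anchor "400.AdaptiveFirewall/" from "/Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall"
EOF
}

if [ "$#" -gt 0 ]; then             # real run: sudo sh fix.sh /etc/pf.anchors/com.apple
    fix_anchor "$1" && check_pf
else                                # offline demo on the constructed sample
    demo=$(mktemp "${TMPDIR:-/tmp}/pfanchor.XXXXXX") && write_sample "$demo" &&
        fix_anchor "$demo" && cat "$demo"
    rm -f "$demo" "$demo.bak"
fi
```

After a real run, reload and enable the packet filter with the two pfctl commands shown earlier in this article.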