[Ansible Galaxy] Use the Ansible role bjoernalbers.macos_pf to manage the Packet Filter (pf) firewall on macOS

Ansible Role: macos_pf

An Ansible Role to manage the Packet Filter (pf) Firewall of macOS.

Installation

First, install Ansible on the control machine (here via Homebrew on macOS) and confirm it runs:

# macOS
$ brew install ansible

$ ansible --version

Then install the role from Ansible Galaxy:

$ ansible-galaxy install bjoernalbers.macos_pf

Requirements

The target host(s) must meet these requirements:

  • It must be a Mac, ideally with a recent version of macOS (Snow Leopard won't work).

  • System Integrity Protection (SIP) must be disabled temporarily while the role runs. Otherwise the Packet Filter can't be enabled permanently across reboots. Re-enable SIP once the role has been applied, since a Mac with SIP off is weaker than the firewall makes it stronger.

  • You need access as an admin user and must become "root" via become: yes, as in the example playbook below.

Role Variables

Define your firewall rules with macos_pf_rules. The value is a pf ruleset in the syntax of pf.conf, passed through as-is.

Use IP addresses instead of FQDNs in your firewall rules. The Mac might not be able to resolve hostnames while the ruleset is loaded during boot; a rule with an unresolvable name makes the whole ruleset fail to load, so the packet filter does not start and the machine comes up without the rules you expected. Addresses change, so keep the hostname in a comment next to the IP and review the rules when you rotate them.

Dependencies

None.

Example Playbook

---
- name: Manage Packet Filter (pf) Firewall on macOS
  hosts: all
  # You have to become root to deploy the firewall rules!
  become: yes
  roles:
    # Reference the role by the name "ansible-galaxy install" created for it
    - role: bjoernalbers.macos_pf
      macos_pf_rules: |
        # Block access to facebook.com for increased productivity :-)
        block drop out inet proto tcp from any to 157.240.27.35 port 443
        block drop out inet proto tcp from any to 157.240.27.35 port 80
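The playbook below is an added example, not code from the role or its README. It puts the Role Variables advice and the example playbook above together: it refuses to run while SIP is still enabled (csrutil status), refuses a ruleset whose from/to operands are not IP literals, CIDRs or "any", deploys a deny-inbound-by-default ruleset through macos_pf_rules, and checks with pfctl afterwards that pf is enabled. It assumes the role was installed under its Galaxy name bjoernalbers.macos_pf, an inventory group named macs, and constructed addresses: 10.0.1.0/24 as the management network and 10.0.1.5 as the admin workstation.

```yaml
---
# Added example (not from the role's README). Assumptions: the role is installed
# as bjoernalbers.macos_pf, an inventory group "macs" exists, 10.0.1.0/24 is the
# management network and 10.0.1.5 the admin workstation (constructed values).
- name: Deploy a deny-inbound-by-default pf ruleset on managed Macs
  hosts: macs
  become: yes

  vars:
    macos_pf_rules_draft: |
      # Only IP literals below: hostnames may not resolve while pf loads at boot.
      # Deny all inbound, allow all outbound; keep state so replies get back in.
      block in all
      pass out all keep state

      # SSH and Screen Sharing only from the management network / admin host
      pass in quick proto tcp from 10.0.1.0/24 to any port 22 keep state
      pass in quick proto tcp from 10.0.1.5 to any port 5900 keep state

      # The page's own example, folded into one rule with a pf port list
      block drop out inet proto tcp from any to 157.240.27.35 port { 80, 443 }

  pre_tasks:
    - name: Stop unless SIP is disabled (the role cannot persist pf otherwise)
      command: csrutil status
      register: sip
      changed_when: false
      failed_when: "'disabled' not in sip.stdout"

    - name: Stop if any from/to operand is not an IPv4 literal, a CIDR or "any"
      vars:
        # every word following "from" or "to" in the ruleset
        operands: '{{ macos_pf_rules_draft | regex_findall("(?:from|to)\\s+(\\S+)") }}'
        # whatever is left after dropping "any" and dotted-quad / CIDR literals
        bad: '{{ operands | reject("match", "^(any|\\d{1,3}(\\.\\d{1,3}){3}(/\\d{1,2})?)$") | list }}'
      assert:
        that: bad | length == 0
        fail_msg: "macos_pf_rules contains non-IP operands: {{ bad }}"

  roles:
    - role: bjoernalbers.macos_pf
      macos_pf_rules: "{{ macos_pf_rules_draft }}"

  post_tasks:
    - name: Verify pf is enabled after the role ran
      command: pfctl -s info
      register: pf_info
      changed_when: false
      failed_when: "'Status: Enabled' not in pf_info.stdout"
```

The operand check is deliberately narrow: it understands IPv4 addresses, CIDR prefixes and the keyword any, so a ruleset that uses pf macros, tables or IPv6 literals needs the pattern extended before it will pass. The post-check only confirms pf is running; inspect pfctl -sr (and the anchors it lists) on the host to see the rules that were actually loaded.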
