Mac OSX `pfctl` rule for Cyphal/UDP

If you have pfctl running on Mac OSX (like in a corporate environment), you’ll need to add some rules to get pfctl to allow all multicast traffic. ChatGPT helped in ironing out some details but missed some important items.

You’ll need to be sudo to do this. It requires a few layers of indirection but it’s not too hard.
This link was most helpful: firewall - pfctl - howto add an anchor and make it active / load it - Ask Different

First add an anchor to the bottom of the /etc/pf.conf file:

```
# at the end add a user pass filter for Cyphal/UDP
anchor "org.cyphal/*"
load anchor "org.cyphal" from "/etc/pf.anchors/org.cyphal"
```

I left an extra newline.
In /etc/pf.anchors/org.cyphal I added this:

```
anchor "org.cyphal"
load anchor "org.cyphal" from "/etc/pf.rules/cyphal-udp.rule"
```

Then in /etc/pf.rules/cyphal-udp.rule:

```
rdr pass on en8 proto udp from any to 239.0.0.0/8 port 9382 -> 0.0.0.0 port 9382
pass in on en8 proto udp from any to 239.0.0.0/8 port 9382
```

This allows receiving multicast on the en8 interface (which is just one of MY interfaces, you’ll have to put yours in there!).

Then you’ll have to give it a restart:

```sh
sudo pfctl -d
sudo pfctl -e -f /etc/pf.conf
```
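Since the interface name has to be swapped for your own, here is a small POSIX shell helper, added as an example and not part of the original post, that generates the two-line rule file for a given interface and port, refuses malformed input, and then asks pfctl to parse (not load) the config before the restart above. The interface `en8`, port 9382 and the file paths come from the post; the function names, the validation and the use of `pfctl -n` as a dry run are this example's own.

```shell
#!/bin/sh
# Added example: build /etc/pf.rules/cyphal-udp.rule for an interface of your
# choosing and dry-run the full pf config. Not the original post's code.

# Print the two pf rules for interface $1 and UDP port $2 (default 9382).
# Returns 1 on an interface name or port that could not be a valid pf token.
gen_cyphal_rules() {
    iface=$1
    port=${2:-9382}
    case $iface in
        ''|*[!a-z0-9]*) echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # 239.0.0.0/8 is the administratively scoped multicast range Cyphal/UDP uses;
    # the rdr line mirrors the post's rule so the multicast destination is accepted
    # locally, and the pass line lets the datagrams in on that interface.
    printf 'rdr pass on %s proto udp from any to 239.0.0.0/8 port %s -> 0.0.0.0 port %s\n' \
        "$iface" "$port" "$port"
    printf 'pass in on %s proto udp from any to 239.0.0.0/8 port %s\n' "$iface" "$port"
}

# Write the rule file ($1, default the path from the post) for interface $2 and
# port $3, then parse the whole config with `pfctl -n` (syntax check only, no
# load) when pfctl exists, i.e. on macOS. Elsewhere the parse step is skipped.
dry_run_pf() {
    rulefile=${1:-/etc/pf.rules/cyphal-udp.rule}
    gen_cyphal_rules "$2" "$3" > "$rulefile" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        sudo pfctl -n -f /etc/pf.conf
    fi
}

# Show what pf actually loaded under the anchor, useful after the restart.
show_cyphal_anchor() {
    command -v pfctl >/dev/null 2>&1 || return 0
    sudo pfctl -a org.cyphal -s rules
}
```

Run `dry_run_pf /etc/pf.rules/cyphal-udp.rule en8 9382` (with your own interface in place of `en8`) before `pfctl -e -f /etc/pf.conf`; a syntax error in any of the three files shows up in the `-n` pass instead of leaving pf disabled after the `-d`. `show_cyphal_anchor` lists the rules pf holds under the anchor, which is the quickest way to confirm the nested anchor files were actually picked up.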

This also had some helpful debugging information but is a bit dated, so I don’t know if everything is still the same → PF on Mac OS X – Thus Spake Manjusri