Two root-required utilities for macOS security hardening:
- pfFW.sh – Installs and manages a hardened Packet Filter (PF) firewall baseline using a dedicated PF anchor and a LaunchDaemon.
- macSrvOff.sh – Disables common macOS sharing services and network advertising features with automatic backups, logs, and rollback support.
These tools are intended for administrators and power users who want deterministic, scriptable macOS hardening without relying on third-party software.
PF (Packet Filter) is the native BSD firewall built into macOS. It filters network traffic using rules defined in /etc/pf.conf and optional anchors (separate rule files).
Key concepts:
- Rules are evaluated top-to-bottom; the last matching rule wins unless a rule is marked `quick`.
- PF is stateful by default (`keep state`).
- Anchors allow clean separation of custom rules from system configuration.
- PF is controlled using `pfctl`.
macOS ships with PF available but usually disabled unless explicitly configured.
- `pfFW.sh` – Hardened PF firewall installer/uninstaller.
- `macSrvOff.sh` – macOS services and sharing hardening tool (internally named `mac_harden_services.sh`).
Requirements:
- macOS 14 (Sonoma) or newer (15 supported)
- Administrator privileges (`sudo` access)
- Local Terminal access
Quick start:

```sh
chmod +x pfFW.sh macSrvOff.sh

# Install hardened PF firewall
sudo ./pfFW.sh install

# Preview service hardening (dry-run)
sudo ./macSrvOff.sh plan --verify

# Apply service hardening
sudo ./macSrvOff.sh apply --verify
```

Rollback service changes:

```sh
sudo ./macSrvOff.sh rollback
```

Uninstall PF hardening:

```sh
sudo ./pfFW.sh uninstall
```

On install, `pfFW.sh`:
- Creates a hardened PF anchor: `/etc/pf.anchors/com.local.harden_pf`
- Inserts a managed anchor block into `/etc/pf.conf`.
- Validates all PF rules before loading.
- Enables PF.
- Installs a LaunchDaemon to ensure PF loads on boot: `/Library/LaunchDaemons/com.local.harden_pf.plist`
- Creates timestamped backups of `/etc/pf.conf`.
On uninstall, it cleanly removes all of the above and restores PF to its prior state.
The anchor enforces the following default policy:
- Default deny inbound traffic
- Stateful outbound traffic allowed
- Loopback traffic skipped
- DHCP allowed
- ICMP / ICMPv6 allowed (required for networking)
- QUIC (UDP/443) blocked to force TCP fallback
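As an added example (not code from pfFW.sh itself), a POSIX shell sketch of two of the install steps above: an anchor rule file for the listed policy, and the managed block spliced into a copy of `/etc/pf.conf` so that rerunning the install never duplicates it. The marker comments and the exact rule wording are assumptions; the anchor name and paths are the ones this README documents.

```sh
# Added example, not pfFW.sh itself: emit a PF anchor implementing the policy
# listed above and splice a marker-delimited managed block into a pf.conf copy.
# Marker text and rule wording are assumptions; anchor name and paths are the
# ones this README documents.
ANCHOR_NAME="com.local.harden_pf"
ANCHOR_FILE="/etc/pf.anchors/${ANCHOR_NAME}"
BEGIN_MARK="# BEGIN ${ANCHOR_NAME} (managed)"
END_MARK="# END ${ANCHOR_NAME} (managed)"

# Rules for the anchor file. PF is last-match-wins unless "quick" is used, so
# the broad block comes first and the narrow pass rules follow it.
anchor_rules() {
    cat <<'EOF'
pass quick on lo0 all
block drop in all
block drop out quick proto udp from any to any port 443
pass out all keep state
pass in proto udp from any port 67 to any port 68
pass in proto udp from any port 547 to any port 546
pass in inet proto icmp all
pass in inet6 proto icmp6 all
EOF
}

# Insert the managed block into the given pf.conf, replacing any earlier copy
# so repeated installs never duplicate it. Lines outside the markers are kept.
install_managed_block() {
    conf="$1"
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" -v n="$ANCHOR_NAME" -v f="$ANCHOR_FILE" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
        END {
            print b
            print "anchor \"" n "\""
            print "load anchor \"" n "\" from \"" f "\""
            print e
        }' "$conf" > "${conf}.tmp" && mv "${conf}.tmp" "$conf"
}

# Number of managed blocks present; exactly 1 is expected after installation.
managed_block_count() {
    grep -c -F -x "$BEGIN_MARK" "$1"
}
```

Before loading a generated anchor for real, parse it with `sudo pfctl -n -f <file>` as described below; on a machine without PF the functions above can still be exercised against a scratch copy of `pf.conf`.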
Usage:

```sh
sudo ./pfFW.sh install
sudo ./pfFW.sh uninstall
```

Inspect PF status and loaded rules:

```sh
sudo pfctl -s info
sudo pfctl -sr
sudo pfctl -sa
```

Recommended reset:

```sh
sudo ./pfFW.sh uninstall
sudo pfctl -d
```

Restore from backup:

```sh
ls /etc/pf.conf.bak.*
sudo cp /etc/pf.conf.bak.TIMESTAMP /etc/pf.conf
sudo pfctl -f /etc/pf.conf
```

Edit the anchor directly:

```sh
sudo nano /etc/pf.anchors/com.local.harden_pf
sudo pfctl -n -f /etc/pf.anchors/com.local.harden_pf
sudo pfctl -f /etc/pf.conf
```

Do not edit the managed block in `/etc/pf.conf`.
Disables or reduces exposure of:
- AirDrop UI
- Handoff / Continuity advertising
- Printer sharing (CUPS)
- Remote Login (SSH)
- Remote Management (ARD)
- SMB, AFP, NetBIOS
- Internet Sharing
- Bluetooth PAN services
- AirPlay Receiver
- Multicast advertisements (mDNS)
All changes are logged and reversible.
```sh
sudo ./macSrvOff.sh plan
sudo ./macSrvOff.sh apply
sudo ./macSrvOff.sh rollback
```

Options:
- `--verify` – Reads settings back and reports PASS/FAIL
- `--dry-run` – Log only, no changes
- `--no-sharing` – Skip service shutdowns
- `--id <backup_id>` – Roll back a specific run
- `--strict-os` – Fail if macOS version is unsupported
- State: `/var/db/mac_harden_services/`
- Logs: `/var/log/mac_harden_services/mac_harden_services.log`
- Each run creates: `CHANGELOG.txt`, `UNDO.sh`, `compatibility_report.tsv`

```sh
sudo ./macSrvOff.sh rollback
```

Rollback is best-effort and restores the settings recorded at the time of the run.
- Always review `CHANGELOG.txt` before and after applying changes.
- Test on non-production machines first.
- These scripts are suitable for local admin use or integration into MDM workflows.
These scripts modify system configuration and services. Use only on systems you own or administer. No warranty is provided.

