Created
January 2, 2017 15:51
-
-
Save pronebird/e75547295171415a01175eb510dde62d to your computer and use it in GitHub Desktop.
OS X Firewall Packet Filter (pfctl): Killswitch + Protection
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Put this file in /etc/pf.anchors/ | |
| # Options | |
| set block-policy drop | |
| set fingerprints "/etc/pf.os" | |
| set ruleset-optimization basic | |
| set skip on lo0 | |
| # Interfaces | |
| inet_define = "en0" | |
| ivpn_define = "utun0" | |
| # Block everything | |
| block out all | |
| block in all | |
| # Protection: Antispoof | |
| antispoof for $inet_define inet | |
| antispoof for $ivpn_define inet | |
| # Incoming: DHCP | |
| # I do not recommend to enable this rule if you never leave your home network (by adding your computer as a static ip on your router) | |
| pass in on $inet_define proto udp from any port 67 to any port 68 | |
| # Outbound: Allow only VPN | |
| pass out on $inet_define proto [CAN_BE_TCP_OR_UDP] from any to [REPLACE_BY_VPN_IP_HERE] | |
| # Example: pass out on $inet_define proto {tcp, udp} from any to 62.201.110.70 | |
| # Example: pass out on $inet_define proto udp from any to {92.201.40.1, 81.29.75.123} | |
| # Allow traffic for VPN | |
| pass out on $ivpn_define all |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Put this at the end of /etc/pf.conf | |
| anchor "org.dgse.pf" | |
| load anchor "org.dgse.pf" from "/etc/pf.anchors/org.nsa.pf.rules" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Enable persistence | |
| # https://support.apple.com/en-us/HT200259 | |
| # Use /Library/... instead of /System/Library/... because of Rootless | |
| sudo defaults write /Library/LaunchDaemons/com.apple.pfctl ProgramArguments '(pfctl, -f, /etc/pf.conf, -e)' | |
| sudo chmod 644 /Library/LaunchDaemons/com.apple.pfctl.plist | |
| sudo plutil -convert xml1 /Library/LaunchDaemons/com.apple.pfctl.plist | |
| # Start the firewall | |
| sudo pfctl -f -e /etc/pf.conf |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment