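#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition
# to the anchors loaded by this file, some system services dynamically
# insert anchors into the main ruleset. These anchors are added only when
# the system service is used and are removed on termination of the service.
#
# See pf.conf(5) for syntax. Check any edit with "sudo pfctl -nf /etc/pf.conf"
# before loading it; a single parse error leaves the whole ruleset unloaded.
#
# Macros
#
# vpn_net: the OpenVPN server's client subnet (10.8.0.0/24 is OpenVPN's
# default). It is referenced by the NAT rules and by the
# "pass in quick on utunN reply-to utunN from $vpn_net ..." rules below.
# pfctl refuses to load a ruleset that uses an undefined macro, so this
# line must stay active as long as those rules are; the earlier note that
# utun0 does not exist at boot presumably referred to deriving the subnet
# from the interface -- a literal subnet has no such dependency.
# Set it to your server's subnet, or comment out every rule that uses
# $vpn_net if OpenVPN is not in use.
vpn_net = "10.8.0/24"
# References for modifications:
# The Book of PF by Peter N.M. Hansteen, p. 21
# http://ikawnoclast.com/security/mac-os-x-pf-firewall-avoiding-known-bad-guys/
# http://support.apple.com/kb/HT5519?viewlocale=en_US&locale=en_US
# http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/
# http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/
# Options
# block-policy return: a blocked TCP segment is answered with RST and a
# blocked UDP datagram with ICMP unreachable, so rejected clients fail fast
# instead of timing out. Rules below that want silent discard say
# "block drop" explicitly.
set block-policy return
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
# Loopback traffic is never filtered. Where rules below list lo0 in an
# address position they use it as an address (127.0.0.1 / ::1), not as a
# filtered interface.
set skip on lo0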
# Normalization
# Scrub incoming packets: reassemble IP fragments and normalise headers
# before any filter rule sees them. "no-df" clears the don't-fragment bit
# so that reassembled packets can still be forwarded (e.g. to VPN clients).
scrub in all no-df
#
# com.apple anchor point
#
# Anchor under which system services insert their own scrub rules at
# runtime (see the header). The "/*" wildcard evaluates every sub-anchor.
scrub-anchor "com.apple/*"
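# Queueing
# Translation
# OpenVPN Server NAT
#
# The Book of PF, p. 21
# Allow VPN connections to the VPN host:
# http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work
# int_if: the interface that carries this host's LAN/Internet traffic and
# whose address VPN clients are masqueraded behind.
int_if = "en0"
#tun_if = "utun0"
# Earlier single-tunnel form (translate on every interface but the tunnel):
#no nat on ! $tun_if from $vpn_net to ($int_if)
#nat on ! $tun_if from $vpn_net to ! ($int_if) -> ($int_if)
#
# The previous version replaced "! $tun_if" with a list of negated
# interfaces, { !utun0, !utun1, ..., !utun9 }, because Tunnelblick may
# create several utun interfaces. pf expands a braced list into one rule
# per element, so that produced "nat on !utun0 ...", "nat on !utun1 ...",
# and so on -- and a packet leaving on utun0 still matched the "!utun1"
# rule. VPN-sourced traffic routed back out a tunnel (client-to-client)
# was therefore translated to en0's address. Translating only on $int_if
# states what is actually wanted -- masquerade VPN clients as this host
# when their traffic leaves towards the LAN/Internet -- and does not
# depend on how many utun interfaces exist. Traffic addressed to the host
# itself is never translated.
no nat on $int_if from $vpn_net to ($int_if)
nat on $int_if from $vpn_net to ! ($int_if) -> ($int_if)
# The matching filter rules ("pass in quick on utunN reply-to utunN from
# $vpn_net to $int_if") are in the Filtering section and must stay ahead
# of the other pass rules there.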
# Anchor points for translation, redirection, dummynet and filter rules that
# macOS services attach at runtime; the wildcard evaluates every sub-anchor.
# NOTE(review): these anchors are evaluated here, BEFORE the non-quick
# "block all" below. For pf the last matching rule wins, so a non-quick
# pass inside one of these anchors is overridden by "block all"; only
# "quick" rules inside them take effect for filtering. Confirm this is the
# intended interaction with whatever the system inserts here.
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
# macOS Server Adaptive Firewall
# Comment out for non-macOS Server instances
# NOTE(review): "load anchor ... from" aborts loading of the entire ruleset
# if the file does not exist. On a machine without macOS Server (which
# Apple discontinued in 2022) these two lines must be commented out, or
# none of the rules in this file are installed. Verify with
# "sudo pfctl -nf /etc/pf.conf".
anchor "com.apple.server-firewall/*"
load anchor "com.apple.server-firewall" from "/etc/pf.anchors/com.apple.server-firewall"
# Filtering
# Block by default
# Default deny in both directions; everything that follows is an exception.
# Non-quick, so any later matching pass rule overrides it (last match wins),
# while "quick" rules end evaluation at once.
block all
# debugging rules
# $ sudo ifconfig pflog0 create
# $ sudo tcpdump -n -e -ttt -i pflog0
# $ sudo ifconfig pflog0 destroy
# block log (all, to pflog0) all
# Allow VPN connections to the VPN host:
# http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work
#pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if
# Rule for a lot of utun interfaces in case Tunnelblick creates extras
# "reply-to utunN" sends the replies back out the tunnel the packet came
# in on, so the VPN host answers on the tunnel rather than via en0.
# NOTE(review): these rules pass ANY protocol and port from the VPN subnet
# to this host, are "quick", and precede the <bruteforce>, blockips,
# no-route and urpf-failed blocks below -- a VPN client is fully trusted.
# If VPN users are not administrators, restrict them to the ports they
# need (e.g. "proto tcp ... port ssh").
# $vpn_net must be defined near the top of this file: pfctl rejects a
# ruleset that references an undefined macro.
pass in quick on utun0 reply-to utun0 from $vpn_net to $int_if
pass in quick on utun1 reply-to utun1 from $vpn_net to $int_if
pass in quick on utun2 reply-to utun2 from $vpn_net to $int_if
pass in quick on utun3 reply-to utun3 from $vpn_net to $int_if
pass in quick on utun4 reply-to utun4 from $vpn_net to $int_if
pass in quick on utun5 reply-to utun5 from $vpn_net to $int_if
pass in quick on utun6 reply-to utun6 from $vpn_net to $int_if
pass in quick on utun7 reply-to utun7 from $vpn_net to $int_if
pass in quick on utun8 reply-to utun8 from $vpn_net to $int_if
pass in quick on utun9 reply-to utun9 from $vpn_net to $int_if
# Local net
# <lan_inet> is ALL of RFC 1918, not just $int_if:network; lo0 contributes
# its addresses (the interface itself is already exempt via "set skip").
# <lan_inet6> is loopback plus link-local only -- no ULA (fc00::/7).
table <lan_inet> const { lo0, 10/8, 172.16/12, 192.168/16 }
table <lan_inet6> const { ::1, fe80::/10 }
# NOTE(review): "pass quick ... from <lan_inet> to any" matches in BOTH
# directions and sits ahead of the no-route/urpf-failed, <bruteforce> and
# blockips blocks, so (a) every peer with a private source address -- all
# of a hotel or coffee-shop Wi-Fi -- bypasses those blocks and the
# LAN-services restrictions below, and (b) an Internet packet with a
# spoofed RFC 1918 source is passed before the urpf-failed check can see
# it. On untrusted networks consider narrowing the table to
# $int_if:network, or moving the two "block drop in log quick" rules and
# the <bruteforce> block above these two lines.
# NOTE(review): as far as this file shows, no "pass out" covers inet6 from
# a non-link-local source, so a host with a global IPv6 address has its
# outbound IPv6 blocked by "block all". Confirm that is intended.
pass quick inet from <lan_inet> to any keep state
pass quick inet6 from <lan_inet6> to any keep state
# Antispoof
# This breaks ping, DNS on macOS Server
#antispoof log quick for { lo0 $int_if ($tun_if) } inet
# Block to/from illegal destinations or sources
# no-route: source address has no entry in the routing table.
# urpf-failed: source would be routed out a different interface than the
# one it arrived on (reverse-path check). Both are logged to pflog0.
block drop in log quick from no-route to any
block drop in log quick from urpf-failed to any
# This is observed on macOS
#block drop in log quick on $int_if from any to 255.255.255.255
# Whitelist
# Hardcoded IPs
# Template for always-allowed management addresses; "quick" so it wins
# over every block that follows.
#mydomainname_com = "xxx.xxx.xxx.xxx"
#table <whitelist> const { $mydomainname_com }
#pass in quick from <whitelist>
# Block brute force attacks
# Populated by the "overload <bruteforce>" clauses of the ssh/web/mail
# rules at the end of this file. "persist" keeps the table alive even when
# no rule refers to it. Nothing here ever expires entries: an address
# stays blocked until the table is cleared by hand or a periodic
#   pfctl -t bruteforce -T expire 86400
# is scheduled. Because this block comes after "pass quick from <lan_inet>"
# above, LAN sources that trip the overload limits are not actually blocked.
table <bruteforce> persist
block drop log quick from <bruteforce>
# quick pass of Tor relay ports to avoid blocks below
#tor_relay = "{ 9001, 9030 }"
#pass in quick proto tcp from any to { lo0 $int_if } port $tor_relay
#pass out quick proto tcp from { lo0 $int_if } to any port $tor_relay
# Open Source IP blocks
# Refresh with pfctl -a blockips -T load -f /usr/local/etc/blockips.conf
# NOTE(review): pfctl reads this file as root, and a "quick" rule inside an
# anchor ends evaluation of the WHOLE ruleset, so anyone who can write
# /usr/local/etc/blockips.conf can add pass rules that override everything
# in this file. Keep it owned by root and not group/world-writable
# (Homebrew prefixes are commonly owned by the admin user). A missing file
# also aborts the load of this entire ruleset.
anchor 'blockips' label "Open Source IP Blocks"
load anchor 'blockips' from '/usr/local/etc/blockips.conf'
# ICMP
# Only echo requests are admitted: outbound pings from the local network
# (and this host) to anywhere, and inbound pings to this host from
# anywhere. Other ICMP types fall through to "block all" unless pf relates
# them to an existing state (ICMP errors for tracked connections).
icmp_types = "echoreq"
pass inet proto icmp from $int_if:network to any icmp-type $icmp_types
pass inet proto icmp from any to $int_if icmp-type $icmp_types
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
# "><" excludes both endpoints, i.e. ports 33434 through 33625.
pass out on $int_if inet proto udp from any to any port 33433 >< 33626
# Allow critical system traffic
# DHCP: server (bootps) -> client (bootpc) inbound, client requests
# outbound. Matched on ports only because the client has no address yet.
pass in quick inet proto udp from port bootps to port bootpc
pass out quick inet proto udp from port bootpc to port bootps
# LAN services: block access, except from localnet
# Service names are resolved through /etc/services when the ruleset loads;
# the numeric ports are presumably local proxy/database/Tor listeners --
# confirm each is still in use before exposing it to the LAN.
lan_udp_services = "{ domain, 5001, postgresql }"
lan_tcp_services = "{ domain, auth, nntp, www, \
311, 3128, 5001, 5900:5909, privoxy, postgresql, \
8123, 8180, 8181, 9150, 9151 }"
# Non-quick block followed by a non-quick pass: the LAST matching rule
# wins, so the pass overrides the block only for sources in
# $int_if:network (and lo0). The explicit block adds nothing beyond
# "block all" -- both are non-quick and any later pass still overrides
# them -- but documents intent. Note that "pass quick from <lan_inet>"
# earlier already admits every RFC 1918 source, so these rules only
# matter for public-address sources.
block in proto tcp from any to { lo0 $int_if } port $lan_tcp_services
block in proto udp from any to { lo0 $int_if } port $lan_udp_services
# Add vpn_net if running OpenVPN
#pass in proto udp from { lo0 $vpn_net $int_if:network } to { lo0 $int_if } port $lan_udp_services
#pass in proto tcp from { lo0 $vpn_net $int_if:network } to { lo0 $int_if } port $lan_tcp_services
# $int_if:network is resolved once, at load time.
pass in proto udp from { lo0 $int_if:network } to { lo0 $int_if } port $lan_udp_services
pass in proto tcp from { lo0 $int_if:network } to { lo0 $int_if } port $lan_tcp_services
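# Internet services
# Ports deliberately reachable from anywhere. These passes are not "quick",
# so the earlier quick blocks (<bruteforce>, blockips, no-route,
# urpf-failed) still win for the sources they match. Service names are
# resolved through /etc/services at load time; the numeric ports are not
# annotated here -- confirm each is still needed before keeping it open.
internet_udp_services = "{ https, 500, openvpn, \
1701, 4500, 5060, 5190, 5297, 5298, 5678, 16384 }"
internet_tcp_services = "{ 995, 1640, 1723, 2195, \
2196, 4190, 5218, 5223, 5190, 5220, 5222, 5298, \
8008, 8443, 8800, 8843, 9001, 9030 }"
pass in proto udp from any to { lo0 $int_if } port $internet_udp_services
pass in proto tcp from any to { lo0 $int_if } port $internet_tcp_services
# Apple Push Notification service gateway/feedback ports. This host
# connects OUT to them; the replies are matched by the state the outbound
# rule creates, so no inbound rule is required.
# The rule this replaces,
#   pass in proto tcp from any port $apns_services to <lan_inet>
# matched on the SOURCE port only. Any Internet host could reach every TCP
# port on this machine just by sending from port 2195 or 2196, because a
# later non-quick pass overrides the earlier non-quick "block all" and
# "block in ... port $lan_tcp_services" rules. Never allow traffic by
# source port alone; let state handle replies.
apns_services = "{ 2195, 2196 }"
pass out inet proto tcp from $int_if to any port $apns_services keep state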
# ssh really restrictive
# Per-source limits: at most 5 established connections and 5 new
# connections per 2 seconds. An offender is added to <bruteforce> and
# "flush global" tears down ALL of its existing states, not just ssh.
# Remember the <bruteforce> block above is placed after the <lan_inet>
# pass, so LAN offenders are recorded but not blocked.
pass in inet proto tcp from any to { lo0 $int_if } port ssh \
keep state (max-src-conn 5, max-src-conn-rate 5/2, \
overload <bruteforce> flush global)
# web, mail more restrictive
# NOTE: max-src-nodes 50 caps the number of distinct client addresses this
# rule will track at once; additional clients are refused until states
# expire. Raise it if these services face more than a handful of clients.
# eyetv resolves through /etc/services.
pass in inet proto tcp from any to { lo0 $int_if } \
port { smtp, https, imap, submission, imaps, eyetv } \
keep state (max-src-nodes 50, max-src-conn 200, max-src-conn-rate 100/10, \
overload <bruteforce> flush global)
# Outbound from the IMAP server's own source ports. Replies to the inbound
# rule above are already covered by its states; this matches on source
# port only and is presumably a leftover -- harmless, but confirm before
# relying on it.
pass out inet proto tcp from $int_if port { imap4-ssl, imaps } to any