firewall
RR40, 2015-12-29 16:20:44

How to set up PF firewall in OS X?

Please help me figure out the PF firewall on OS X. The essence of the task I have set myself:
1. block traffic that bypasses the specified IP addresses (the VPN servers)
2. have it work after a reboot via LaunchDaemons
My configs
/Library/LaunchDaemons/com.pf.customized.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>pf.customized.rules</string>
        <key>Program</key>
        <string>/sbin/pfctl</string>
        <key>ProgramArguments</key>
        <array>
                <string>/sbin/pfctl</string>
                <string>-e</string>
                <string>-f</string>
                <string>/etc/pf/pf.customized.rules.conf</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>StandardErrorPath</key>
        <string>/var/log/pf.log</string>
        <key>StandardOutPath</key>
        <string>/var/log/pf.log</string>
</dict>
</plist>

PF config file
###############################
#         PF Options          #
###############################

# Don't alert the source about dropped packets
set block-policy drop

# Configuring OS fingerprints
set fingerprints '/etc/pf.os'

# Disable PF for the loopback interface
set skip on lo0


# Normalize and defragment
scrub in all

# Including TABLES
# include '/etc/pf/tables.conf'

table <vpn_servers> const {10.0.0.101,VPN IP 1,VPN IP 2,VPN IP 3}
table <vms> const {10.0.0.10,10.0.0.11,10.0.0.12}

###############################
#            Policy           #
###############################

# No default block: anything not matched by a rule below passes.
# Only traffic from the VMs on en4 to non-VPN destinations is dropped.
# pf is last-match-wins (unless "quick"), so the ICMP, DHCP and DNS pass
# rules further down also apply to the VMs.

pass quick on en4 from <vms> to <vpn_servers> keep state
block on en4 from <vms> to !<vpn_servers>

#ICMP (ping)
pass out proto icmp from any to any

#DHCP
pass inet proto udp from port 68 to port 67
pass inet proto udp from port 67 to port 68

#DNS
pass out inet proto {tcp udp} from any to any port 53

Problems
1. After a reboot the rules are, for some reason, not applied.
2. Is there a more elegant solution at the interface level? For example, passing traffic only through the VPN adapter?
3. What to do about the fact that I have a Yota modem that gets its address via DHCP each time, and if everything is blocked it cannot even obtain an address?

2 answers
progressman, 2016-01-12

The plist in /Library/LaunchDaemons doesn't work for me either, for some reason.
Enabling the firewall in the settings doesn't activate pf either :(
I think I'll try a bash script launched from /Library/LaunchDaemons; that is how Murus does it.
murusfirewall.com/Documentation/Murus%20Manual.pdf

Semen55338, 2017-02-26

Check the rules with: sudo pfctl -vnf /path/to/config
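The three problems in the question, the script-from-LaunchDaemons approach progressman mentions, and the `pfctl -nf` syntax check from the answer above fit together in one loader script. The following is an added example written for this thread; it is not code from the original poster, from Murus or from Apple. Names that are not in the thread and are assumed here: the uplink is en4 (the Yota modem), the VPN tunnel comes up as utun0, the ruleset is written to /etc/pf/pf.customized.rules.conf, and the script is installed as /usr/local/sbin/pf-load.sh. The generated ruleset is a kill switch at the interface level (problem 2): default deny, DHCP allowed on the uplink so the modem can get its lease (problem 3), only the VPN endpoints reachable on the uplink, everything else confined to the tunnel. It does not carry over the <vms> table from the posted rules.

```shell
#!/bin/sh
# Added example for this thread, not code from the original poster, Murus or Apple.
# Assumed (not from the thread): uplink en4, tunnel utun0, ruleset path below,
# script installed as /usr/local/sbin/pf-load.sh and run by launchd as root.
set -u

PFCTL=${PFCTL:-/sbin/pfctl}
RULES=${RULES:-/etc/pf/pf.customized.rules.conf}

# Emit a kill-switch ruleset: default deny, with only the exceptions needed to
# bring the tunnel up (DHCP on the uplink, the VPN endpoints) and free passage
# on the tunnel interface itself.
#   $1 = uplink interface, $2 = tunnel interface, $3 = space-separated VPN server IPs
gen_rules() {
  uplink=$1; tun=$2
  vpn_list=$(printf '%s' "$3" | tr ' ' ',')
  cat <<EOF
set block-policy drop
set skip on lo0
scrub in all

table <vpn_servers> const { ${vpn_list} }

# Default deny: anything not passed explicitly below is silently dropped.
block all

# DHCP must be allowed on the uplink or the modem never obtains an address.
pass on ${uplink} inet proto udp from port 68 to port 67
pass on ${uplink} inet proto udp from port 67 to port 68

# The only traffic allowed to leave via the uplink is the VPN handshake itself.
# The servers are listed by IP on purpose: passing DNS here would let lookups leak.
pass out quick on ${uplink} to <vpn_servers> keep state

# Everything else, including DNS, must go through the tunnel.
pass on ${tun} all keep state
EOF
}

# Syntax-check first (-n parses without loading), then load, then enable.
# A ruleset that fails to parse leaves the currently loaded rules untouched.
load_rules() {
  file=$1
  "$PFCTL" -nf "$file" || return 1
  "$PFCTL" -f "$file" || return 1
  # -e exits non-zero when pf is already enabled; that is fine here.
  "$PFCTL" -e 2>/dev/null || true
  return 0
}

# launchd starts daemons in parallel, so at boot the uplink may not have its
# lease yet. Wait up to $1 seconds for a default route before loading.
wait_for_network() {
  n=$1
  while [ "$n" -gt 0 ]; do
    route -n get default >/dev/null 2>&1 && return 0
    n=$((n - 1))
    sleep 1
  done
  return 1
}

main() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "pf-load: must run as root" >&2
    return 1
  fi
  # Write the ruleset once; edit the file afterwards rather than regenerating it.
  # 10.0.0.101 is the first entry of the <vpn_servers> table in the question.
  [ -f "$RULES" ] || gen_rules en4 utun0 "10.0.0.101" > "$RULES"
  wait_for_network 60 || echo "pf-load: no default route yet, loading anyway" >&2
  load_rules "$RULES"
}

# Only act when invoked as "pf-load.sh --load" on macOS; sourcing or running the
# file elsewhere just defines the functions above.
if [ "$(uname -s)" = Darwin ] && [ "${1:-}" = "--load" ]; then
  main
fi
```

To use it, point the plist's ProgramArguments at `/bin/sh /usr/local/sbin/pf-load.sh --load` (hypothetical path) instead of calling pfctl directly, and keep RunAtLoad. If the rules still vanish after a reboot, run `sudo pfctl -sr` after logging in to see which ruleset is actually loaded: Apple's own /System/Library/LaunchDaemons/com.apple.pfctl.plist loads /etc/pf.conf at boot, and launchd does not order it relative to a custom daemon, so if the custom one runs first its ruleset is replaced. The usual remedy is to have /etc/pf.conf pull the rule lines in through an anchor (`anchor "customized"` plus `load anchor "customized" from "/etc/pf.anchors/customized"`, with the `set` options staying in the main file), so the rules are present whichever daemon runs last.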
