Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
R
R
RR402015-12-29 16:20:44
firewall
RR40, 2015-12-29 16:20:44

How to set up PF firewall in OS X?

Please help me figure out the PF firewall on OS X, the essence of the task that I set myself
1. blocking traffic past the specified IP addresses (VPN servers)
2. work after reboot through LaunchDaemons
My configs
/Library/LaunchDaemons/com.pf.customized.plist

<?xml version="1.0" encoding="UTF-8"?>  
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0">  
<dict>  
        <key>Label</key>  
        <string>pf.customized.rules</string>  
        <key>Program</key>  
        <string>/sbin/pfctl</string>  
        <key>ProgramArguments</key>  
        <array>  
                <string>/sbin/pfctl</string>  
                <string>-e</string>  
                <string>-f</string>  
                <string>/etc/pf/pf.customized.rules.conf</string>  
        </array>  
        <key>RunAtLoad</key>  
        <true/>  
        <key>StandardErrorPath</key>  
        <string>/var/log/pf.log</string>  
        <key>StandardOutPath</key>  
        <string>/var/log/pf.log</string>  
</dict>  
</plist>

PF config file
###############################  
#         PF Options          #  
###############################  
  
# Don't alert source about dropped packets  
set block-policy drop  
  
# Configuring OS fingerprints  
set fingerprints '/etc/pf.os'  
  
# Disable PF for loopback interface  
set skip on lo0  
  
  
# Normalize and defragment  
scrub in all  
  
# Including TABLES  
# include '/etc/pf/tables.conf'  
  
table <vpn_servers> const {10.0.0.101,VPN IP 1,VPN IP 2,VPN IP 3}  
table <vms> const {10.0.0.10,10.0.0.11,10.0.0.12}  
  
###############################  
#            Policy           #  
###############################  
  
# pass all  
  
pass quick on en4 from <vms> to <vpn_servers> keep state  
block on en4 from <vms> to !<vpn_servers>  
  
#ICMP (ping)  
pass out proto icmp from any to any  
  
#DHCP  
pass inet proto udp from port 68 to port 67  
pass inet proto udp from port 67 to port 68  
  
#DNS  
pass out inet proto {tcp udp} from any to any port 53

Problems
1. After a reboot, for some reason, the rules are not applied
2. Is there a more elegant solution at the interface level? For example, to pass traffic only through the VPN adapter?
3. What to do with the fact that I have a Yota modem and it receives an address via DHCP every time, and if everything is blocked, then it cannot even receive an address

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
P
progressman, 2016-01-12
@progressman

plist in /Library/LaunchDaemons for some reason doesn't work for me either.
Enabling Firewall in the settings also does not activate pf :(
I think I'll try to start using a bash script that will be launched from /Library/LaunchDaemons, this is how Murus did it.
murusfirewall.com/Documentation/Murus%20Manual.pdf

Report
S
Semen55338, 2017-02-26
@Semen55338

Check rules sudo pfctl -vnf /path/to/config

Similar questions
2
2tele22018-12-28 12:57:38
How to block YouTube in mikrotik firewall? 4Reply
K
Konstantin2022-03-02 16:59:45
LOSS in the game how to determine what the problem is? 2Reply
B
by_EL2022-03-06 00:03:44
How to allow multiple ports with one rule on Pfsense firewall? 0Reply
V
Vladimir the Great2014-07-28 02:29:01
How to open a port in ispmanager 4 Lite? 2Reply
S
Sergey Ryzhkin2019-01-23 12:53:04
Why is Kerio VPN not connecting? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question