pf.conf for ovpn.to servers on osx
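#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
#
# Custom rules below: a VPN "kill switch". Outbound traffic from this host is
# dropped unless it is addressed to an ovpn.to server, travels over a tunnel
# interface, or stays on the local networks listed in <local_ips>.
# (The stray " | |" column that a rendered copy of this gist carries at the
# end of every line is a display artifact; pfctl rejects it, so it is not
# part of the file.)
#
#options
# Silently drop blocked packets instead of sending RST/ICMP unreachable.
set block-policy drop
# set ruleset-optimization basic
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
# ovpn.to servers (https://vcp.ovpn.to/index.php?site=server)
# The table is "const": when the provider adds or moves servers, regenerate
# the list and reload the ruleset (pfctl -f), otherwise the handshake to a
# server that is not listed is eaten by the default block rule below.
# javascript for extraction:
# var inputs = document.getElementsByTagName('input'), out = ''; for (i in inputs) { console.log(inputs[i]); if (inputs[i].value && inputs[i].getAttribute('size') == 13) { out += inputs[i].value; if (i < (inputs.length - 1)) { out += ', '; }; }; }; console.log(out);
table <vpn> const { 195.230.24.50, 179.43.151.228, 179.43.151.230, 179.43.134.202, 179.43.134.203, 179.43.134.204, 46.165.249.209, 178.162.195.12, 178.162.199.66, 195.154.136.40, 195.154.136.42, 79.172.193.26, 79.172.193.80, 82.221.111.210, 178.17.168.21, 178.17.168.22, 95.211.186.214, 37.48.118.8, 37.48.118.9, 37.48.80.94, 5.79.74.141, 5.79.74.142, 5.79.74.140, 37.48.80.201, 95.211.209.73, 93.115.83.37, 5.254.103.246, 46.174.191.25, 172.86.179.30 }
# Networks treated as "local": traffic between these never has to go through
# the tunnel. Adjust to the LANs this machine actually sits on.
table <local_ips> const { 192.168.0.0/24, 192.168.178.0/24 }
#table <en> const { en0, en1, en2 }
# drop anything that does not match any of the following rules
# NOTE: only *outbound* traffic is blocked by default. There is no "block in",
# so inbound packets not caught by the com.apple anchors fall through to pf's
# implicit pass. Logging goes to pflog1 - presumably that interface has to be
# created first (ifconfig pflog1 create); the drop applies either way.
block out log (all, to pflog1) all
# pass packets
# lan
# Direct traffic to the VPN endpoints (any proto/port): this is the path the
# tunnel itself is established over.
pass out quick to <vpn> flags S/SA keep state
# wifi
#pass out quick on <en> proto { tcp, udp, icmp } to <vpn> flags S/SA keep state
# allow local packets
pass out quick from 127.0.0.1 to any
pass out quick from <local_ips> to <vpn>
# pass out quick from me to <local_ips>
#genymotion
pass quick from 192.168.56.0/24 to 192.168.56.0/24
# allow tunneled traffic
# No direction is given, so these pass both in and out on the tunnel interface.
pass quick on tun0 to any flags S/SA keep state
pass quick on tun1 to any flags S/SA keep state
# yosemite
pass quick on utun0 to any flags S/SA keep state
pass quick on utun1 to any flags S/SA keep state
# local traffic
# NOTE: this also lets DNS queries reach a resolver on the LAN (e.g. the
# router) while the tunnel is down, i.e. the kill switch does not by itself
# prevent DNS leaks. Point the system resolver at the VPN's DNS if that matters.
pass out quick from <local_ips> to <local_ips>
pass on p2p0 #allow AirDrop
pass on p2p1 #allow AirDrop
pass on p2p2 #allow AirDrop
# AirPrint (IPP): limited to the local networks. The previous rule used
# "to any", which allowed TCP/631 to leave the host outside the tunnel and so
# punched a hole in the kill switch for that port.
pass quick proto tcp to <local_ips> port 631 #allow AirPrint
set skip on lo0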