@ChristianSch
Last active February 6, 2017 18:26
  • Save ChristianSch/e04b8f4de5105e31afd1 to your computer and use it in GitHub Desktop.
pf.conf for ovpn.to servers on osx
#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services dynamically
# insert anchors into the main ruleset. These anchors are added only when
# the system service is used and are removed when the service terminates.
#
# See pf.conf(5) for syntax.
#
#
# options
set block-policy drop
# never filter loopback; this is an option, so it has to sit here before the
# rules (pfctl rejects a ruleset that places "set" after filter rules)
set skip on lo0
# set ruleset-optimization basic
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
# ovpn.to servers (https://vcp.ovpn.to/index.php?site=server)
# javascript for extraction (run in the browser console on that page):
# var inputs = document.getElementsByTagName('input'), out = []; for (var i = 0; i < inputs.length; i++) { if (inputs[i].value && inputs[i].getAttribute('size') == 13) { out.push(inputs[i].value); } } console.log(out.join(', '));
table <vpn> const { 195.230.24.50, 179.43.151.228, 179.43.151.230, 179.43.134.202, 179.43.134.203, 179.43.134.204, 46.165.249.209, 178.162.195.12, 178.162.199.66, 195.154.136.40, 195.154.136.42, 79.172.193.26, 79.172.193.80, 82.221.111.210, 178.17.168.21, 178.17.168.22, 95.211.186.214, 37.48.118.8, 37.48.118.9, 37.48.80.94, 5.79.74.141, 5.79.74.142, 5.79.74.140, 37.48.80.201, 95.211.209.73, 93.115.83.37, 5.254.103.246, 46.174.191.25, 172.86.179.30 }
table <local_ips> const { 192.168.0.0/24, 192.168.178.0/24 }
#table <en> const { en0, en1, en2 }
# drop any outbound packet that does not match one of the following rules
# (only outbound traffic is filtered here; there is no "block in" rule)
block out log (all, to pflog1) all
# pass packets
# lan: only the VPN endpoints may be reached directly
pass out quick to <vpn> flags S/SA keep state
# wifi
#pass out quick on <en> proto { tcp, udp, icmp } to <vpn> flags S/SA keep state
# allow local packets
pass out quick from 127.0.0.1 to any
pass out quick from <local_ips> to <vpn>
# pass out quick from me to <local_ips>
# genymotion
pass quick from 192.168.56.0/24 to 192.168.56.0/24
# allow tunneled traffic
pass quick on tun0 to any flags S/SA keep state
pass quick on tun1 to any flags S/SA keep state
# yosemite
pass quick on utun0 to any flags S/SA keep state
pass quick on utun1 to any flags S/SA keep state
# local traffic
pass out quick from <local_ips> to <local_ips>
pass on p2p0 #allow AirDrop
pass on p2p1 #allow AirDrop
pass on p2p2 #allow AirDrop
# allow AirPrint; note this passes TCP/631 to any host, not only the LAN, so
# it is a hole in the kill switch; "to <local_ips> port 631" would keep it local
pass quick proto tcp to any port 631
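A small linter for a pf kill-switch ruleset of this shape, added here as an example that is not part of the gist: it flags pass rules that could send traffic outside the tunnel (anything not bound to a tun/utun interface and not destined to the <vpn> or <local_ips> tables) and options placed after filter rules, which pfctl rejects. The sample ruleset is a constructed, trimmed copy of the one above.

```python
import re

# Constructed sample: trimmed copy of the ruleset above, with its two weak spots kept.
SAMPLE_PF_CONF = """\
set block-policy drop
table <vpn> const { 195.230.24.50, 179.43.151.228 }
table <local_ips> const { 192.168.0.0/24, 192.168.178.0/24 }
block out log (all, to pflog1) all
pass out quick to <vpn> flags S/SA keep state
pass out quick from 127.0.0.1 to any
pass quick on tun0 to any flags S/SA keep state
pass quick on utun0 to any flags S/SA keep state
pass out quick from <local_ips> to <local_ips>
pass quick proto tcp to any port 631 #allow AirPrint
set skip on lo0
"""

TUNNEL_IF = re.compile(r"\bon\s+u?tun\d+\b")      # rule bound to a VPN interface
TO_CLAUSE = re.compile(r"\bto\s+(<\w+>|\S+)")     # destination of a rule
SAFE_DESTS = {"<vpn>", "<local_ips>"}             # may be reached outside the tunnel


def lint(conf):
    """Return (lineno, message) findings for a pf kill-switch ruleset."""
    findings = []
    seen_rule = False
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] == "set":
            if seen_rule:                         # pfctl: options must precede rules
                findings.append((n, "option after filter rules; pfctl rejects this"))
            continue
        if words[0] in ("pass", "block"):
            seen_rule = True
        if words[0] != "pass" or "in" in words[1:2]:
            continue                              # only non-inbound pass rules can leak
        if TUNNEL_IF.search(line) or "127.0.0.1" in words:
            continue                              # inside the tunnel or loopback only
        m = TO_CLAUSE.search(line)
        dest = m.group(1) if m else "any"         # pf defaults to "to any"
        if dest not in SAFE_DESTS:
            findings.append((n, f"pass rule can leak outside the VPN: to {dest}"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_PF_CONF):
        print(f"line {lineno}: {msg}")
```

Running it on a full copy of /etc/pf.conf is a quick way to confirm that every outbound path either goes through the tunnel or to an allowed table before enabling pf.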