Created
February 14, 2013 22:04
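# Host firewall (pf) for a dual-homed laptop: en1 = Wi-Fi, en0 = wired.
wifi="en1"
lan="en0"
localnet="{ en0 en1 }"

# Global state/fragment limits and behaviour.
set limit { frags 5000, states 2500 }
set block-policy drop
set skip on lo0
set fingerprints '/etc/pf.os'
set ruleset-optimization basic
set optimization normal
set loginterface pflog0

scrub in all

# Apple's own anchors (used by the system's sharing/NAT services).
# Can be commented out if you don't run any listening services; nothing
# appears to break.
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

# Default deny: anything not explicitly passed further down is dropped and logged.
block log all
antispoof log for $localnet
block in quick from urpf-failed
block in from no-route to any

# Reputation tables. pfctl refuses to load the whole ruleset if a table file
# is missing, so keep both files present (empty is fine) or comment these out.
# see http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
table <emerging_threats> persist file "/etc/emerging-Block-IPs.txt"
block log from <emerging_threats> to any
block log from any to <emerging_threats>
# see my other gist
table <china_ips> persist file "/etc/china-block-ips.txt"
block log from any to <china_ips>
block log from <china_ips> to any

# Martian source/destination addresses. 10/8 and 192.168/16 are deliberately
# absent so ordinary RFC1918 LANs keep working.
martians = "{ 127.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.0.2.0/24 0.0.0.0/8 240.0.0.0/4 }"
block drop in log on $localnet from $martians to any
block drop out log on $localnet to $martians

# OS-fingerprint blocks. These are not "quick", so the generic "pass out"
# below still wins for tcp/udp/icmp; they only bite for other protocols.
block out from any os "unknown"
block out from any os "NMAP"

# Drop TCP segments with nonsensical flag combinations (nmap-style probes).
block in quick on $localnet proto tcp flags FUP/WEUAPRSF
block in quick on $localnet proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $localnet proto tcp flags SRAFU/WEUAPRSF
block in quick on $localnet proto tcp flags /WEUAPRSF
block in quick on $localnet proto tcp flags SR/SR
block in quick on $localnet proto tcp flags SF/SF
block in log quick on $localnet proto tcp from any to any flags FUP/FUP

# Outbound: everything over tcp/udp/icmp (stateful, so replies come back).
pass out on $localnet proto { tcp udp icmp } all

# ICMPv4: answer pings.
pass in on $localnet inet proto icmp all icmp-type "echoreq"

# ICMPv6: "proto icmp" above is IPv4 only, so IPv6 needs its own pass rules.
# Neighbour discovery in both directions.
pass out on $localnet inet6 proto ipv6-icmp all icmp6-type {neighbradv, neighbrsol}
pass in on $localnet inet6 proto ipv6-icmp all icmp6-type {neighbradv, neighbrsol}
# SLAAC: a host SENDS router solicitations and RECEIVES router advertisements
# (the original had these two directions swapped, which silently broke IPv6
# autoconfiguration).
pass out on $localnet inet6 proto ipv6-icmp all icmp6-type routersol
pass in on $localnet inet6 proto ipv6-icmp all icmp6-type routeradv
# Pings over IPv6, both ways.
pass out on $localnet inet6 proto ipv6-icmp all icmp6-type echoreq
pass in on $localnet inet6 proto ipv6-icmp all icmp6-type echoreq

# Inbound services: DHCP offers, mDNS/Bonjour, ident.
pass in log on $localnet proto udp from port 67 to port 68
pass in log on $localnet proto udp from any to port 5353
pass in log on $localnet proto tcp to port 113

# Apple Push Notifications (see http://support.apple.com/kb/TS4264). The
# client CONNECTS OUT to 17.0.0.0/8 on these ports and replies return through
# state, so no inbound hole towards local ports 443/5223/2195/2196 is needed;
# an explicit, logged outbound rule documents the intent instead.
apns_ports = "{ 2195 2196 5223 443 }"
apn_cidr = "17.0.0.0/8"
pass out log on $localnet proto tcp to $apn_cidr port $apns_ports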
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
  launchd job that runs /usr/local/sbin/pfctl_run.sh (sysctl hardening plus
  the pf ruleset load) once at load time. The script needs root, so this is
  intended for /Library/LaunchDaemons.
  NOTE(review): launchd is strict about ownership/permissions of both the
  plist and the program it points at (root-owned, not group/world writable);
  confirm both when installing, otherwise the job is silently rejected.
-->
<plist version="1.0">
<dict>
<!-- Job identifier as shown by "launchctl list". -->
<key>Label</key><string>pfctl_run</string>
<!-- No arguments: the script hard-codes /etc/pf.conf. -->
<key>ProgramArguments</key><array><string>/usr/local/sbin/pfctl_run.sh</string></array>
<!-- Start as soon as the job is loaded (boot, or a manual "launchctl load"). -->
<key>RunAtLoad</key><true/>
<!-- Legacy key; the job runs a single time anyway because the script exits
     and no KeepAlive is configured. -->
<key>LaunchOnlyOnce</key><true/>
<!-- stdout and stderr share one file; the verbose rule dump from "pfctl -v"
     ends up here as well. -->
<key>StandardErrorPath</key><string>/var/log/pfctl_run.log</string>
<key>StandardOutPath</key><string>/var/log/pfctl_run.log</string>
</dict>
</plist>
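#!/bin/sh
# Harden the TCP/IP stack and load the pf ruleset from /etc/pf.conf.
# Runs as root from launchd (see pfctl_run.plist). Deliberately no "set -e":
# a sysctl OID that is absent on a given OS release must not abort the script
# before the firewall has been loaded.

PF_CONF=/etc/pf.conf

# --- IPv4 ------------------------------------------------------------------
# Do not emit or honour ICMP redirects. The OID lives under net.inet.ip.*,
# matching the other IPv4 knobs below; the original "net.ip.redirect" is not
# in that tree, so the setting was never actually applied.
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet.icmp.drop_redirect=1
# Smaller default MSS to reduce fragmentation on tunnelled/PPPoE links.
sysctl -w net.inet.tcp.mssdflt=1450
# Drop packets to closed ports silently (no RST / no port-unreachable).
sysctl -w net.inet.tcp.blackhole=1
sysctl -w net.inet.udp.blackhole=1
# Do not let ICMP errors reset established TCP connections.
sysctl -w net.inet.tcp.icmp_may_rst=0
sysctl -w net.inet.tcp.randomize_ports=1

# --- IPv6 ------------------------------------------------------------------
sysctl -w net.inet6.ip6.redirect=0
# Privacy (temporary) addresses for outbound connections.
sysctl -w net.inet6.ip6.use_tempaddr=1
# NOTE(review): this disables automatic link-local (fe80::) addresses, which
# neighbour discovery and the router solicitation/advertisement rules in
# pf.conf depend on - confirm IPv6 still works with this set, or drop the line.
sysctl -w net.inet6.ip6.auto_linklocal=0
sysctl -w net.inet6.icmp6.rediraccept=0

# --- pf --------------------------------------------------------------------
# pflog0 backs "set loginterface pflog0" and the "log" keyword in pf.conf.
# "create" fails harmlessly if the interface already exists.
ifconfig pflog0 create 2>/dev/null
#tcpdump -v -n -e -ttt -i pflog0 &

# Validate the ruleset BEFORE touching the running firewall. The previous
# sequence ("pfctl -d" then "pfctl -ef") disabled pf first, so a syntax error
# or a missing table file left the host with no firewall at all.
if ! pfctl -nf "$PF_CONF"; then
    echo "pfctl_run: $PF_CONF failed to parse; leaving current pf state untouched" >&2
    exit 1
fi

# Loading replaces the old ruleset in place; no need to disable pf first.
pfctl -v -f "$PF_CONF" || exit 1

# "pfctl -e" exits non-zero when pf is already enabled, so only enable if needed.
if ! pfctl -s info 2>/dev/null | grep -q '^Status: Enabled'; then
    pfctl -e
fi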