hydrajump/README.md Secret

## README.md

      
    Raw
  

              README.md
            
          
    Copy to /etc/

sudo cp pf.hydrajump.conf /etc/
sudo cp pf.anchors/com.hydrajump /etc/pf.anchors
Sanity check

sudo pfctl -v -n -f /etc/pf.hydrajump.conf
Load pf with our rules (which also loads the anchors):

sudo pfctl -f /etc/pf.hydrajump.conf
Load on reboot

sudo cp Library/LaunchDaemons/com.hydrajump.pfctl.plist /Library/LaunchDaemons/

  
## com.hydrajump
wifi=en0
ethernet=en1
vpn=tun0

# Default block policy is sending a RST. This allows applications to quickly
# notice that they are not allowed to connect.
set block-policy return

# Don't filter on local loopback or the VPN interface.
set skip on { lo0 $vpn }

# Scrub all incoming packets.
scrub in all

# Don't allow IPv6 at all.
block quick inet6

# By default, don't allow anything on the actual physical links.
block on { $wifi $ethernet }

# Allow ICMP.
pass quick proto icmp

# Allow DHCP.
pass quick on { $wifi $ethernet } proto udp from any port 67:68

# Allow DNS to OpenDNS.
pass out quick proto udp to { 208.67.222.222 208.67.220.220 } port 53

# Allow OpenVPN.
pass quick proto udp to xxxxxxx port 1194

## com.hydrajump.pfctl.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.hydrajump.pfctl</string>
  <key>WorkingDirectory</key>
  <string>/var/run</string>
  <key>UserName</key>
  <string>root</string>
  <key>GroupName</key>
  <string>wheel</string>
  <key>Program</key>
  <string>/sbin/pfctl</string>
  <key>ProgramArguments</key>
  <array>
    <string>pfctl</string>
    <string>-e</string>
    <string>-f</string>
    <string>/etc/pf.hydrajump.conf</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>StandardErrorPath</key>
  <string>/var/log/pf.log</string>
  <key>StandardOutPath</key>
  <string>/var/log/pf.log</string>
</dict>
</plist>

## pf.hydrajump.conf
# Start with the system default configuration file /etc/pf.conf
include "/etc/pf.conf"

# com.hydrajump anchor point
anchor "com.hydrajump"
load anchor "com.hydrajump" from "/etc/pf.anchors/com.hydrajump"
	wifi=en0
	ethernet=en1
	vpn=tun0

	# Default block policy is sending a RST. This allows applications to quickly
	# notice that they are not allowed to connect.
	set block-policy return

	# Don't filter on local loopback or the VPN interface.
	set skip on { lo0 $vpn }

	# Scrub all incoming packets.
	scrub in all

	# Don't allow IPv6 at all.
	block quick inet6

	# By default, don't allow anything on the actual physical links.
	block on { $wifi $ethernet }

	# Allow ICMP.
	pass quick proto icmp

	# Allow DHCP.
	pass quick on { $wifi $ethernet } proto udp from any port 67:68

	# Allow DNS to OpenDNS.
	pass out quick proto udp to { 208.67.222.222 208.67.220.220 } port 53

	# Allow OpenVPN.
	pass quick proto udp to xxxxxxx port 1194
	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
	<key>Label</key>
	<string>com.hydrajump.pfctl</string>
	<key>WorkingDirectory</key>
	<string>/var/run</string>
	<key>UserName</key>
	<string>root</string>
	<key>GroupName</key>
	<string>wheel</string>
	<key>Program</key>
	<string>/sbin/pfctl</string>
	<key>ProgramArguments</key>
	<array>
	<string>pfctl</string>
	<string>-e</string>
	<string>-f</string>
	<string>/etc/pf.hydrajump.conf</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>StandardErrorPath</key>
	<string>/var/log/pf.log</string>
	<key>StandardOutPath</key>
	<string>/var/log/pf.log</string>
	</dict>
	</plist>
	# Start with the system default configuration file /etc/pf.conf
	include "/etc/pf.conf"

	# com.hydrajump anchor point
	anchor "com.hydrajump"
	load anchor "com.hydrajump" from "/etc/pf.anchors/com.hydrajump"