ngerasimatos/org.nsa.pf.rules

## org.nsa.pf.rules
# Put this file in /etc/pf.anchors/

# Options
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0

# Interfaces
inet_define = "en0"
ivpn_define = "utun0"

# Block everything
block out all
block in all

# Protection: Antispoof
antispoof for $inet_define inet
antispoof for $ivpn_define inet

# Incoming: DHCP
# I do not recommend to enable this rule if you never leave your home network (by adding your computer as a static ip on your router)
pass in on $inet_define proto udp from any port 67 to any port 68

# Outbound: Allow only VPN
pass out on $inet_define proto [CAN_BE_TCP_OR_UDP] from any to [REPLACE_BY_VPN_IP_HERE]
# Example: pass out on $inet_define proto {tcp, udp} from any to 62.201.110.70
# Example: pass out on $inet_define proto udp from any to {92.201.40.1, 81.29.75.123}

# Allow traffic for VPN
pass out on $ivpn_define all

## pf.conf
# Put this at the end of /etc/pf.conf
anchor "org.dgse.pf"
load anchor "org.dgse.pf" from "/etc/pf.anchors/org.nsa.pf.rules"

## pf.sh
# Enable persistence
# https://support.apple.com/en-us/HT200259
# Use /Library/... instead of /System/Library/... because of Rootless
sudo defaults write /Library/LaunchDaemons/com.apple.pfctl ProgramArguments '(pfctl, -f, /etc/pf.conf, -e)'
sudo chmod 644 /Library/LaunchDaemons/com.apple.pfctl.plist
sudo plutil -convert xml1 /Library/LaunchDaemons/com.apple.pfctl.plist

# Start the firewall
sudo pfctl -f -e /etc/pf.conf
	# Put this file in /etc/pf.anchors/

	# Options
	set block-policy drop
	set fingerprints "/etc/pf.os"
	set ruleset-optimization basic
	set skip on lo0

	# Interfaces
	inet_define = "en0"
	ivpn_define = "utun0"

	# Block everything
	block out all
	block in all

	# Protection: Antispoof
	antispoof for $inet_define inet
	antispoof for $ivpn_define inet

	# Incoming: DHCP
	# I do not recommend to enable this rule if you never leave your home network (by adding your computer as a static ip on your router)
	pass in on $inet_define proto udp from any port 67 to any port 68

	# Outbound: Allow only VPN
	pass out on $inet_define proto [CAN_BE_TCP_OR_UDP] from any to [REPLACE_BY_VPN_IP_HERE]
	# Example: pass out on $inet_define proto {tcp, udp} from any to 62.201.110.70
	# Example: pass out on $inet_define proto udp from any to {92.201.40.1, 81.29.75.123}

	# Allow traffic for VPN
	pass out on $ivpn_define all
	# Put this at the end of /etc/pf.conf
	anchor "org.dgse.pf"
	load anchor "org.dgse.pf" from "/etc/pf.anchors/org.nsa.pf.rules"
	# Enable persistence
	# https://support.apple.com/en-us/HT200259
	# Use /Library/... instead of /System/Library/... because of Rootless
	sudo defaults write /Library/LaunchDaemons/com.apple.pfctl ProgramArguments '(pfctl, -f, /etc/pf.conf, -e)'
	sudo chmod 644 /Library/LaunchDaemons/com.apple.pfctl.plist
	sudo plutil -convert xml1 /Library/LaunchDaemons/com.apple.pfctl.plist

	# Start the firewall
	sudo pfctl -f -e /etc/pf.conf