Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
OS X Firewall Packet Filter (pfctl): Killswitch + Protection
# Put this file in /etc/pf.anchors/
# Options
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0
# Interfaces
inet_define = "en0"
ivpn_define = "utun0"
# Block everything
block out all
block in all
# Protection: Antispoof
antispoof for $inet_define inet
antispoof for $ivpn_define inet
# Incoming: DHCP
# I do not recommend to enable this rule if you never leave your home network (by adding your computer as a static ip on your router)
pass in on $inet_define proto udp from any port 67 to any port 68
# Outbound: Allow only VPN
pass out on $inet_define proto [CAN_BE_TCP_OR_UDP] from any to [REPLACE_BY_VPN_IP_HERE]
# Example: pass out on $inet_define proto {tcp, udp} from any to 62.201.110.70
# Example: pass out on $inet_define proto udp from any to {92.201.40.1, 81.29.75.123}
# Allow traffic for VPN
pass out on $ivpn_define all
# Put this at the end of /etc/pf.conf
anchor "org.dgse.pf"
load anchor "org.dgse.pf" from "/etc/pf.anchors/org.nsa.pf.rules"
# Enable persistence
# https://support.apple.com/en-us/HT200259
# Use /Library/... instead of /System/Library/... because of Rootless
sudo defaults write /Library/LaunchDaemons/com.apple.pfctl ProgramArguments '(pfctl, -f, /etc/pf.conf, -e)'
sudo chmod 644 /Library/LaunchDaemons/com.apple.pfctl.plist
sudo plutil -convert xml1 /Library/LaunchDaemons/com.apple.pfctl.plist
# Start the firewall
sudo pfctl -f -e /etc/pf.conf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment