OS X Firewall Packet Filter (pfctl): Killswitch + Protection
# Put this file in /etc/pf.anchors/
# Options
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0
# Interfaces
inet_define = "en0"
ivpn_define = "utun0"
# Block everything
block out all
block in all
# Protection: Antispoof
antispoof for $inet_define inet
antispoof for $ivpn_define inet
# Incoming: DHCP
# I do not recommend enabling this rule if you never leave your home network (give your computer a static IP on your router instead)
pass in on $inet_define proto udp from any port 67 to any port 68
# Outbound: Allow only VPN
pass out on $inet_define proto [CAN_BE_TCP_OR_UDP] from any to [REPLACE_BY_VPN_IP_HERE]
# Example: pass out on $inet_define proto {tcp, udp} from any to
# Example: pass out on $inet_define proto udp from any to {,}
# Allow traffic for VPN
pass out on $ivpn_define all
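The anchor above only works as a killswitch if every `pass out` on the physical interface points at a VPN endpoint and nothing else. The following added example (not part of the gist) is a small checker for that invariant: it parses a ruleset in the gist's shape, expands the `$inet_define`/`$ivpn_define` macros, confirms the default `block` rules are present, and flags any outbound rule on the physical interface whose destination is `any` or not in the allowed endpoint set. The sample ruleset and the endpoint `203.0.113.10` are constructed for the example.

```python
import re

# Constructed sample in the shape of the gist's anchor file, with the placeholders
# filled in; 203.0.113.10 is a documentation address standing in for a VPN endpoint.
SAMPLE_RULES = """
set block-policy drop
set skip on lo0
inet_define = "en0"
ivpn_define = "utun0"
block out all
block in all
antispoof for $inet_define inet
pass in on $inet_define proto udp from any port 67 to any port 68
pass out on $inet_define proto {tcp, udp} from any to 203.0.113.10
pass out on $ivpn_define all
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
DEST_RE = re.compile(r'\bto\s+(\{[^}]*\}|\S+)')

def parse_rules(text):
    """Strip comments, expand $macros, and return the list of rule lines."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, value in macros.items():
            line = line.replace('$' + name, value)
        rules.append(line)
    return rules

def check_killswitch(text, physical_if, vpn_if, vpn_endpoints):
    """Return a list of findings; empty means every outbound path on the
    physical interface leads only to a known VPN endpoint."""
    rules = parse_rules(text)
    findings = [f'missing default rule "{d}"'
                for d in ('block out all', 'block in all') if d not in rules]
    for rule in rules:
        m = re.match(r'pass out on (\S+)', rule)
        if not m or m.group(1) == vpn_if:   # not outbound, or already inside the tunnel
            continue
        if m.group(1) != physical_if:
            findings.append(f'outbound rule on unexpected interface: {rule}')
            continue
        d = DEST_RE.search(rule)
        dests = [x.strip() for x in d.group(1).strip('{}').split(',')] if d else ['any']
        for dest in dests:
            if dest not in vpn_endpoints:
                findings.append(f'outbound path bypassing the VPN ({dest}): {rule}')
    return findings
```

Run it against your own anchor file before loading it; a DNS rule such as `pass out on $inet_define proto udp from any to any port 53` is reported as a bypass.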
# Put this at the end of /etc/pf.conf
anchor ""
load anchor "" from "/etc/pf.anchors/"
# Enable persistence
# Use /Library/... instead of /System/Library/... because of Rootless
sudo defaults write /Library/LaunchDaemons/ ProgramArguments '(pfctl, -f, /etc/pf.conf, -e)'
sudo chmod 644 /Library/LaunchDaemons/
sudo plutil -convert xml1 /Library/LaunchDaemons/
# Start the firewall (-f takes the ruleset path as its argument, so -e must come before it)
sudo pfctl -e -f /etc/pf.conf