lock down screen sharing (vnc) to tailscale
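#!/bin/zsh
# this script limits access to screen sharing on a macOS computer to only be accessible via Tailscale
#
# It appends (once each, so re-running is safe) three pf lines to $PFANCHOR:
# a macro naming the Tailscale interface, a rule passing TCP/5900 in on that
# interface, and a rule dropping TCP/5900 from everywhere else. The file is
# syntax-checked before it is loaded, and the script fails closed: if the
# Tailscale address or interface cannot be determined, or pf rejects the file,
# nothing is loaded.
#
# Requires: Tailscale.app running with an IPv4 address, and sudo rights.
set -u
set -o pipefail

# variables
PFANCHOR=/etc/pf.anchors/vnc-tailscale
TAILSCALE=/Applications/Tailscale.app/Contents/MacOS/Tailscale

# this machine's Tailscale IPv4 address; empty when Tailscale is not running
TS_IP=$("$TAILSCALE" ip --4 2>/dev/null)
if [[ -z "$TS_IP" ]]; then
  printf 'could not determine the Tailscale IPv4 address; is Tailscale running?\n' >&2
  exit 1
fi

# the interface carrying that address. ifconfig prints the interface name at
# column 0 ("utun3: flags=...") and its addresses indented below it, so track
# the current interface and print it when an "inet" line matches exactly.
# This replaces the earlier `netstat -i | grep -B1 <ip>` approach, which
# depended on line order and treated the dots in the address as regex
# wildcards.
TS_INT=$(ifconfig | awk -v ip="$TS_IP" '
  /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
  $1 == "inet" && $2 == ip { print iface; exit }
')
if [[ -z "$TS_INT" ]]; then
  printf 'could not find the interface that carries %s\n' "$TS_IP" >&2
  exit 1
fi

#######################################
# Append a line to the anchor file unless it is already present.
# Globals:   PFANCHOR (read), the file itself (written via sudo tee -a)
# Arguments: $1 - the exact line to ensure
#######################################
append_once() {
  local line=$1
  # -F -x: compare the whole line literally (the pf rules contain `$` and
  # `.`, which grep would otherwise read as regex). stderr is discarded so
  # the first run, before the file exists, does not print a grep error.
  grep -q -F -x -- "$line" "$PFANCHOR" 2>/dev/null \
    || printf '%s\n' "$line" | sudo tee -a "$PFANCHOR" >/dev/null
}

# set the pf anchor variable for the tailscale interface
# NOTE: utun numbering can change between Tailscale restarts; when it does, a
# second ts_int line is appended and the later definition should be the one
# pf uses — confirm in the `pfctl -n` output below rather than assuming it.
append_once "ts_int = \"$TS_INT\""
# set the pf anchor to allow vnc on the tailscale interface
# (quick: stop evaluating rules once this one matches)
append_once 'pass in quick on $ts_int proto tcp from any to any port 5900'
# set the pf anchor to deny all other traffic to vnc
append_once 'block drop in proto tcp from any to any port 5900'

printf 'the file is as such:\n'
sudo cat "$PFANCHOR"

# printf instead of echo: zsh's echo expands "\n" but other shells' do not
printf '\nchecking the file...\n'
# -n parses without loading; abort here instead of loading a broken ruleset
# (previously the load ran even when this check failed)
if ! sudo pfctl -n -f "$PFANCHOR"; then
  printf 'pf rejected %s; not enabling the rules\n' "$PFANCHOR" >&2
  exit 1
fi

printf 'enabling the rules...\n'
# NOTE: `pfctl -f` loads this file as the active ruleset, replacing whatever
# pf currently holds, and the change does not persist across a reboot. For a
# permanent setup, load this file as an anchor from the main pf configuration
# instead. On re-runs pfctl may report that pf is already enabled; that is
# harmless.
sudo pfctl -e -f "$PFANCHOR"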