scarnecchia / pf-setup

Mac OS X pf firewall: Avoiding known bad guys


pf-setup

Install.sh

Script is not yet tested

Initial setup

copy the file etc/pf.conf to /etc/pf.conf

copy the file etc/pf.anchors/emerging-threats to /etc/pf.anchors/emerging-threats

copy the file etc/pf.anchors/compromised-ips to /etc/pf.anchors/compromised-ips

copy opt/pf/update-et.sh to the home dir of the user who will run the script or to /opt/pf/update-et.sh

make the script executable:

$ chmod 540 /opt/pf/update-et.sh

run the update script to fetch the latest version of emerging-Block-IPs.txt:

$ sudo /opt/pf/update-et.sh

Alternatively, you could execute the following commands in sequence:

curl http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt -o /tmp/emerging-Block-IPs.txt
sudo cp /tmp/emerging-Block-IPs.txt /opt/pf
sudo chmod 644 /opt/pf/emerging-Block-IPs.txt
rm /tmp/emerging-Block-IPs.txt
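A more defensive version of the update step above, written as an added example rather than the repository's own update-et.sh. It validates the downloaded list before installing it, refuses to replace a populated table with a short or broken download, and swaps the table contents in place with pfctl -T replace instead of reloading the whole ruleset; the file paths and the anchor/table names are assumptions matching this README.

```shell
# Added example, not the repository's update-et.sh. Assumed paths/names:
ET_URL="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
ET_FILE="/opt/pf/emerging-Block-IPs.txt"
ANCHOR="emerging-threats"
TABLE="emerging_threats"

# Print only well-formed IPv4 addresses or CIDR prefixes from $1, deduplicated.
# An HTML error page or a truncated download yields zero lines here.
filter_blocklist() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' "$1" | sort -u
}

# Number of usable entries in $1 (0 if none).
count_entries() {
    filter_blocklist "$1" | wc -l | tr -d ' '
}

# Succeed only if $1 holds at least $2 usable entries, so a bad download
# never replaces a populated pf table with an empty one.
blocklist_ok() {
    [ "$(count_entries "$1")" -ge "$2" ]
}

# Write a constructed sample list (documentation addresses, not real threat
# data) to a temp file and print its path; used for offline testing.
write_sample_list() {
    f=$(mktemp /tmp/et-sample.XXXXXX) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not real threat data
192.0.2.1
198.51.100.0/24
192.0.2.1
<html>download error</html>
203.0.113.77
EOF
    echo "$f"
}

# Fetch, validate, install atomically, then replace the table contents.
# Must run as root; keeps the current list on any failure.
update_blocklist() {
    tmp=$(mktemp /tmp/et.XXXXXX) || return 1
    if ! curl -fsS "$ET_URL" -o "$tmp"; then
        echo "download failed; keeping current list" >&2; rm -f "$tmp"; return 1
    fi
    filter_blocklist "$tmp" > "$tmp.clean"
    if ! blocklist_ok "$tmp.clean" 100; then
        echo "too few valid entries; keeping current list" >&2
        rm -f "$tmp" "$tmp.clean"; return 1
    fi
    chmod 644 "$tmp.clean" && mv "$tmp.clean" "$ET_FILE" && rm -f "$tmp"
    pfctl -a "$ANCHOR" -t "$TABLE" -T replace -f "$ET_FILE"
}
```

Source the file and call update_blocklist from a root cron or launchd job; the 100-entry threshold is an arbitrary sanity floor, adjust it to the list you actually use.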

test the config prior to rebooting:

$ sudo pfctl -v -n -f /etc/pf.conf

load the config and enable the pf firewall:

$ sudo pfctl -e -f /etc/pf.conf

Auto-start pf firewall on boot up

Some paths and applications in El Capitan are protected by System Integrity Protection. Even root can't modify the files. You first have to disable SIP before editing or modifying them.

Reboot your Mac to Recovery Mode by restarting your computer and holding down Command R until the Apple logo appears on your screen.

Click Utilities -> Terminal.

In the Terminal window, type csrutil disable and press Enter.

Restart your Mac

Modify the file(s)

Update the launch configuration file /System/Library/LaunchDaemons/com.apple.pfctl.plist so that the startup command passes the -e flag to pfctl; see the example in com.apple.pfctl.plist

Reboot your Mac to Recovery Mode by restarting your computer and holding down Command R until the Apple logo appears on your screen.

Click Utilities -> Terminal.

In the Terminal window, type csrutil enable and press Enter.

Restart your Mac

Reboot

test that pf has picked up the new rule set:

$ sudo pfctl -sr

you should see the rules listed such as:

No ALTQ support in kernel
ALTQ related functions disabled
block drop log from any to <emerging_threats>

test that the table has been populated:

$ sudo pfctl -a 'emerging-threats' -t 'emerging_threats' -Tshow

Create the pflog0 interface

$ sudo ifconfig pflog0 create

Use a tool such as Wireshark to view the log entries written to pflog0.

reference/credits

https://discussions.apple.com/thread/3346500?tstart=0
https://ikawnoclast.com/security/mac-os-x-pf-firewall-avoiding-known-bad-guys/
