@webbj74
Created June 13, 2014 23:21
OSX Packet Filter Rules for using privateinternetaccess.com VPN
#
# OSX packet filter rules
# References:
# * https://gist.github.com/scy/8122924
#
# The purpose of this config is to make sure that my system uses the
# privateInternetAccess VPN connection for everything and not to communicate
# unencrypted when the VPN connection goes down. Therefore, I block
# everything on the physical interfaces except for ICMP, DHCP, DNS and the
# VPN connection.
# Define interfaces. I'm on a MacBook Air, so en0 is WiFi, tun0 is the VPN.
wifi=en0
bluetooth=en1
thunderbolt=bridge0
# Note: $virtualbox is defined but not referenced by any rule below, so p2p0 is
# not covered by the block rule.
virtualbox=p2p0
vpn=tun0
# Default block policy is sending a RST. This allows applications to quickly
# notice that they are not allowed to connect.
set block-policy return
# Don't filter on local loopback or the VPN interface.
set skip on { lo0 $vpn }
# Scrub all incoming packets.
scrub in all
# By default, don't allow anything on the actual physical links. No direction is
# given, so this covers inbound and outbound packets. Note that no rule below
# passes ICMP, so ping on these links is blocked as well.
block log on { $wifi $bluetooth $thunderbolt }
# Allow DHCP. "from any port 67:68" matches on the source port, so it covers
# both client (68) and server (67) packets.
# I could probably be more specific than "from any", but didn't find a way to
# specify the link's local network universally. "from $wifi:network" works, but
# "from $ether:network" for example doesn't as long as $ether does not exist.
pass quick on { $wifi $bluetooth $thunderbolt } proto udp from any port 67:68
# Allow DNS to Google, although on a rogue network they could still easily
# redirect you to another DNS server.
pass out quick proto udp to { 8.8.8.8 8.8.4.4 } port 53
# Allow the privateInternetAccess VPN connection over TCP port 110. No direction
# or interface is given, so this matches inbound and outbound TCP to port 110.
pass quick proto tcp to any port 110
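To check what this ruleset lets through when tun0 is down, here is a small Python model of pf's evaluation (an added example, not part of the gist and not pf itself): it implements only the semantics these rules rely on (set skip, last matching rule wins, quick short-circuits, directionless rules) and runs the page's four filter rules over constructed sample flows. The names Flow, evaluate, unencrypted_leaks and the sample addresses are this example's own.

```python
from dataclasses import dataclass
PHYSICAL = {"en0", "en1", "bridge0"}  # { $wifi $bluetooth $thunderbolt }
SKIP = {"lo0", "tun0"}                # set skip on { lo0 $vpn }
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}
@dataclass
class Flow:
    iface: str
    direction: str   # "in" or "out"
    proto: str       # "tcp", "udp" or "icmp"
    dst: str
    dport: int = 0
    sport: int = 0

# (action, quick, predicate) in the page's rule order; comments quote the rule.
RULES = [
    # block log on { $wifi $bluetooth $thunderbolt }
    ("block", False, lambda f: f.iface in PHYSICAL),
    # pass quick on { ... } proto udp from any port 67:68   (DHCP, by source port)
    ("pass", True, lambda f: f.iface in PHYSICAL and f.proto == "udp" and 67 <= f.sport <= 68),
    # pass out quick proto udp to { 8.8.8.8 8.8.4.4 } port 53
    ("pass", True, lambda f: f.direction == "out" and f.proto == "udp"
                             and f.dst in GOOGLE_DNS and f.dport == 53),
    # pass quick proto tcp to any port 110   (no direction given: matches in and out)
    ("pass", True, lambda f: f.proto == "tcp" and f.dport == 110),
]

def evaluate(flow: Flow) -> str:  # 'pass' or 'block' for one flow under the ruleset
    if flow.iface in SKIP:
        return "pass"         # set skip: pf does not filter these interfaces at all
    verdict = "pass"          # pf's implicit default when no rule matches
    for action, quick, matches in RULES:
        if matches(flow):
            verdict = action  # last matching rule wins ...
            if quick:
                break         # ... unless that rule is marked quick
    return verdict

def unencrypted_leaks(flows):  # flows that leave a non-VPN interface in the clear
    return [f for f in flows if f.iface not in SKIP and evaluate(f) == "pass"]

# Constructed sample flows, all while the VPN (tun0) is down.
SAMPLE = [
    Flow("en0", "out", "tcp", "203.0.113.10", 443),        # web traffic: blocked
    Flow("en0", "out", "udp", "255.255.255.255", 67, 68),  # DHCP discover: passes
    Flow("en0", "out", "udp", "8.8.8.8", 53),              # allowed resolver: passes
    Flow("en0", "out", "udp", "192.0.2.53", 53),           # other resolver: blocked
    Flow("en0", "out", "icmp", "203.0.113.10"),            # ping: blocked, no ICMP rule
    Flow("en0", "in", "tcp", "10.0.0.5", 110),             # inbound tcp/110: passes
    Flow("p2p0", "out", "tcp", "203.0.113.10", 443),       # p2p0 never blocked: passes
]
```

Running `unencrypted_leaks(SAMPLE)` shows that, besides DHCP and the two Google resolvers, TCP to port 110 passes in both directions and p2p0 is not filtered at all, since $virtualbox is defined but never used in a rule.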