pf-setup repository layout:

    ├── README.md
    ├── com.apple.pfctl.plist
    ├── etc
    │   ├── pf.anchors
    │   │   ├── compromised-ips
    │   │   └── emerging-threats
    │   └── pf.conf
    └── opt
        └── pf
            └── update-et.sh

/README.md:
--------------------------------------------------------------------------------
# pf-setup

## initial setup

copy the file /etc/[pf.conf](/etc/pf.conf) to `/etc/pf.conf`

copy the file /etc/pf.anchors/[emerging-threats](/etc/pf.anchors/emerging-threats) to `/etc/pf.anchors/emerging-threats`

copy /opt/pf/[update-et.sh](/opt/pf/update-et.sh) to the home dir of the user who will run the script or to `/opt/pf/update-et.sh`

make the script executable:

    $ chmod 540 /opt/pf/update-et.sh

run the update script to fetch the latest version of emerging-Block-IPs.txt:

    $ sudo /opt/pf/update-et.sh

alternatively you could execute the following commands in sequence:

    curl http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt -o /tmp/emerging-Block-IPs.txt
    sudo cp /tmp/emerging-Block-IPs.txt /opt/pf
    sudo chmod 644 /opt/pf/emerging-Block-IPs.txt
    rm /tmp/emerging-Block-IPs.txt

test the config prior to rebooting:

    $ sudo pfctl -v -n -f /etc/pf.conf

load the config and enable the pf firewall:

    $ sudo pfctl -e -f /etc/pf.conf

### auto-start pf firewall on boot up

Some paths and applications in El Capitan are protected by System Integrity Protection. Even root can't modify the files. You first have to disable SIP before editing or modifying them.

Reboot your Mac to Recovery Mode by restarting your computer and holding down `Command` `R` until the Apple logo appears on your screen.

Click Utilities -> Terminal.

In the Terminal window, enter `csrutil disable` and press Enter.
Restart your Mac

Modify the file(s)

Update the launch configuration file `/System/Library/LaunchDaemons/com.apple.pfctl.plist` so that pfctl is started with the `-e` flag; see the example in [com.apple.pfctl.plist](com.apple.pfctl.plist)

Reboot your Mac to Recovery Mode by restarting your computer and holding down `Command` `R` until the Apple logo appears on your screen.

Click Utilities -> Terminal.

In the Terminal window, enter `csrutil enable` and press Enter.

Restart your Mac

## reboot

test that pf has picked up the new rule set:

    $ sudo pfctl -sr

you should see the rules listed such as:

    No ALTQ support in kernel
    ALTQ related functions disabled
    scrub-anchor "com.apple/*" all fragment reassemble
    anchor "com.apple/*" all
    anchor "emerging-threats" all

test that the table has been populated:

    $ sudo pfctl -a 'emerging-threats' -t 'emerging_threats' -Tshow

## Create the pflog0 interface

    $ sudo ifconfig pflog0 create

Use a tool such as Wireshark to view the log entries written to pflog0

# reference/credits

https://discussions.apple.com/thread/3346500?tstart=0
https://ikawnoclast.com/security/mac-os-x-pf-firewall-avoiding-known-bad-guys/
--------------------------------------------------------------------------------
/com.apple.pfctl.plist:
--------------------------------------------------------------------------------
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Disabled</key>
        <true/> <!-- boolean value lost in extraction; <true/> assumed -->
        <key>Label</key>
        <string>com.apple.pfctl</string>
        <key>WorkingDirectory</key>
        <string>/var/run</string>
        <key>Program</key>
        <string>/sbin/pfctl</string>
        <key>ProgramArguments</key>
        <array>
            <string>pfctl</string>
            <string>-e</string>
            <string>-f</string>
            <string>/etc/pf.conf</string>
        </array>
        <key>RunAtLoad</key>
        <true/> <!-- boolean value lost in extraction; <true/> assumed -->
    </dict>
    </plist>
--------------------------------------------------------------------------------
/etc/pf.anchors/compromised-ips:
--------------------------------------------------------------------------------
    # The angle-bracketed table name was lost in extraction; <compromised_ips> is
    # an assumption that follows the naming used by the emerging-threats anchor.
    # pf.conf loads this anchor, so the file named here must exist (it may be
    # empty) or the whole ruleset fails to load.
    table <compromised_ips> persist file "/opt/pf/compromised-ips.txt"
    block out log quick to <compromised_ips>
--------------------------------------------------------------------------------
/etc/pf.anchors/emerging-threats:
--------------------------------------------------------------------------------
    # table name as used by the README's "pfctl -t 'emerging_threats' -Tshow" check
    table <emerging_threats> persist file "/opt/pf/emerging-Block-IPs.txt"
    block out log quick to <emerging_threats>
--------------------------------------------------------------------------------
/etc/pf.conf:
--------------------------------------------------------------------------------
    #
    # Default PF configuration file.
    #
    # This file contains the main ruleset, which gets automatically loaded
    # at startup. PF will not be automatically enabled, however. Instead,
    # each component which utilizes PF is responsible for enabling and disabling
    # PF via -E and -X as documented in pfctl(8). That will ensure that PF
    # is disabled only when the last enable reference is released.
    #
    # Care must be taken to ensure that the main ruleset does not get flushed,
    # as the nested anchors rely on the anchor point defined here. In addition
    # to the anchors loaded by this file, some system services would dynamically
    # insert anchors into the main ruleset. These anchors will be added only when
    # the system service is used and would be removed on termination of the service.
    #
    # See pf.conf(5) for syntax.
    #
    # skip lo0 local loopback interface
    set skip on lo0

    # default block all
    block in all
    block out log all

    # com.apple anchor point
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"

    # emerging-threats anchor point
    anchor "emerging-threats"
    load anchor "emerging-threats" from "/etc/pf.anchors/emerging-threats"

    # compromised-ips anchor point
    anchor "compromised-ips"
    load anchor "compromised-ips" from "/etc/pf.anchors/compromised-ips"

    # ICMP
    pass out log quick proto icmp all
    # WHOIS
    pass out log quick proto {tcp udp} to port whois
    # DHCP
    pass out log quick proto udp from port bootpc to port bootps
    pass in log quick proto udp from port bootps to port bootpc
    # Public DNS
    pass out log quick proto udp to {8.8.8.8 8.8.4.4} port domain
    # Public DNSoverTLS
    pass out log quick proto tcp to port 853
    # SSH outbound
    pass out log quick proto tcp to port ssh
    # rules for www
    pass out log quick proto tcp to port http
    pass out log quick proto tcp to port https
    # rules for Google QUIC
    pass out log quick proto udp to port http
    pass out log quick proto udp to port https
--------------------------------------------------------------------------------
/opt/pf/update-et.sh:
--------------------------------------------------------------------------------
    #!/bin/sh
    # abort on the first failing command so a failed download never replaces the list
    set -e
    # log the size of the list currently in use
    wc -l /opt/pf/emerging-Block-IPs.txt | logger -t pf -p 5
    # fetch the current list; -f makes curl fail on an HTTP error instead of saving the error page
    curl -f http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt -o /tmp/emerging-Block-IPs.txt
    cp /tmp/emerging-Block-IPs.txt /opt/pf
    chmod 444 /opt/pf/emerging-Block-IPs.txt
    # log the size of the new list
    wc -l /opt/pf/emerging-Block-IPs.txt | logger -t pf -p 5
    rm /tmp/emerging-Block-IPs.txt
    # reload the ruleset so the persist table is re-read from the new file
    pfctl -f /etc/pf.conf
--------------------------------------------------------------------------------
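The update script above (and the manual curl/cp sequence in the README) installs whatever the download returned and reloads the entire ruleset. The following is an added example, not the project's own update-et.sh: it validates the downloaded file as an IPv4 address list before installing it, swaps it into place atomically, replaces only the table's contents, and then checks that the anchor is loaded and the table is populated, using the same `pfctl -sr` and `-Tshow` output the README tells you to inspect by hand. It assumes the README's layout (/opt/pf/emerging-Block-IPs.txt, the "emerging-threats" anchor with table <emerging_threats>, the feed URL the README downloads); the function names are this example's own.

```shell
#!/bin/sh
# Hardened blocklist updater (added example, not the project's update-et.sh).
# Assumptions: the README's paths, anchor and table names, and feed URL.
set -eu

FEED_URL="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
DEST="/opt/pf/emerging-Block-IPs.txt"
ANCHOR="emerging-threats"
TABLE="emerging_threats"

# validate_blocklist FILE
# Succeeds only if FILE is non-empty and every non-blank, non-comment line is a
# dotted-quad IPv4 address, optionally with a /0-32 prefix. An HTTP error page,
# a captive-portal login page or a truncated transfer is rejected here instead
# of being loaded into pf, where a bad line would make the table load fail.
validate_blocklist() {
    [ -s "$1" ] || return 1
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t\r]+$/, ""); if ($0 == "") next
          n = split($0, p, "/")
          if (n > 2) { bad++; next }
          if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) { bad++; next }
          if (split(p[1], o, ".") != 4) { bad++; next }
          for (i = 1; i <= 4; i++)
              if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) { bad++; next }
          good++ }
        END { exit !(bad == 0 && good > 0) }' "$1"
}

# anchor_loaded RULES NAME
# RULES is the text printed by `pfctl -sr`; succeeds if the anchor line for NAME is present.
anchor_loaded() {
    printf '%s\n' "$1" | grep -q "^anchor \"$2\" all\$"
}

# table_entries TEXT
# TEXT is the output of `pfctl -a ANCHOR -t TABLE -Tshow`; prints the number of
# entries (non-blank lines), 0 for an empty table.
table_entries() {
    printf '%s\n' "$1" | grep -c '[^[:space:]]' || true
}

# update: download, validate, install atomically, swap the table, verify.
update() {
    dir=$(dirname "$DEST")
    tmp=$(mktemp "$dir/.et.XXXXXX")          # same directory as DEST so mv is a rename
    trap 'rm -f "$tmp"' EXIT
    # -f: an HTTP error aborts instead of saving the error page; -sS: quiet except for errors
    curl -fsS "$FEED_URL" -o "$tmp"
    if ! validate_blocklist "$tmp"; then
        logger -t pf -p 5 "rejected downloaded blocklist, keeping $DEST"
        return 1
    fi
    logger -t pf -p 5 "new blocklist has $(wc -l < "$tmp") lines"
    chmod 444 "$tmp"
    mv -f "$tmp" "$DEST"                     # atomic replace; pf never sees a partial file
    # replace the table's contents in place instead of reloading the whole ruleset
    pfctl -a "$ANCHOR" -t "$TABLE" -T replace -f "$DEST"
    anchor_loaded "$(pfctl -sr)" "$ANCHOR" || {
        logger -t pf -p 5 "anchor $ANCHOR is not loaded"
        return 1
    }
    logger -t pf -p 5 "table $TABLE now has $(table_entries "$(pfctl -a "$ANCHOR" -t "$TABLE" -Tshow)") entries"
}

# Only touch pf when explicitly asked to and pfctl exists; sourcing the file
# just defines the functions.
if [ "${1:-}" = "--run" ] && command -v pfctl >/dev/null 2>&1; then
    update
fi
```

Run it as root with `--run` from cron or launchd in place of update-et.sh. The validator deliberately accepts only IPv4 entries because that is what the feed the README uses contains; if a list with IPv6 or hostnames were ever substituted, the update is refused rather than partially applied, which is the failure mode you want for a firewall feed fetched over plain HTTP.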