Hi Y’all,
I rarely see the self keyword used in pf.conf and I wondered why? I
experimented with it and want to get some feedback on if what I’m thinking
works or doesn’t.
#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would
dynamically
# insert anchors into the main ruleset. These anchors will be added only
when
# the system service is used and would removed on termination of the
service.
#
# See pf.conf(5) for syntax.
#
#
#
# com.apple anchor point
#
int = "{en0, en1, en2, en3, en4}"
utu = "{utun0, utun1, utun2, utun3}"
table <bad_actors> persist file "/etc/bad_actors.txt"
table <abusers> const file "/etc/firehol_abusers_1d.netset"
table <level2> const file "/etc/firehol_level2.netset"
table <level3> const file "/etc/firehol_level3.netset"
table <webclient> const file "/etc/firehol_webclient.netset"
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set limit {tables 10000, table-entries 400000}
scrub in all no-df
scrub-anchor "cisco.anyconnect.vpn"
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "cisco.anyconnect.vpn"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
#default deny all in
block in all
#Allow DHCP
pass in quick inet proto udp from port 67 to port 68
pass in quick inet6 proto udp from port 547 to port 546
#block QUIC protocol
block log quick proto 253 from any to any
#block 6to4 tunneling
block log quick proto 41 from any to any
#pass in from Cisco Umbrella
pass in from {208.67.220.220, 208.67.222.222, 2620:119:35::35,
2620:119:53::53}
#Mobile Hotspot
#pass on $utu from any to any
#pass in log on $int proto 2 from any to any
#pass in log on $int proto 7 from any to any
#pass in log on $int proto 128 from any to any
pass in log quick inet6 proto ipv6-icmp icmp6-type 134
pass in log quick inet6 proto ipv6-icmp icmp6-type 135
pass in log quick inet6 proto ipv6-icmp icmp6-type 136
#pass in log on $int proto 17 from any to 224.0.0.0/24
#antispoof and non-routes
antispoof log for self
#antispoof log for $int
block in log from no-route to any
block in log from urpf-failed to any
block in log on self from any to 255.255.255.255
block in log on self from <bad_actors> to any
block in log quick on $int from <abusers> to any
block in log on self from <level2> to any
block in log on self from <level3> to any
block in log on self from <webclient> to any
block log proto { tcp, udp } from any port = 0
#pass in all packets from localhost
pass in from 127.0.0.1
pass in from ::1
#ignore unknown os
#block in from any os "unknown"
block out from any os "unknown"
#apple file service --port 548-- pf firewall rule
block in log proto tcp to any port { 548 }
#ftp --ports 20 21-- pf firewall rule
block in log proto { tcp udp } to any port { 20 21 }
#http --port 80-- pf firewall rule
block in log proto { tcp udp } to any port 80
#icmp pf firewall rule
block in log proto icmp
#imap --port 143-- pf firewall rule
block in log proto tcp to any port 143
#imaps --port 993-- pf firewall rule
block in log proto tcp to any port 993
#pop3 --port 110-- pf firewall rule
block in log proto tcp to any port 110
#pop3s --port 995-- pf firewall rule
block in log proto tcp to any port 995
#remote apple events --port 3031-- pf firewall rule
block in log proto tcp to any port 3031
#screen_sharing --port 5900-- pf firewall rule
block in log proto tcp to any port 5900
#smb --ports 139 445 137 138-- pf firewall rule
block in log proto tcp to any port { 139 445 }
block in log proto udp to any port { 137 138 }
#smtp --port 25-- pf firewall rule
block in log proto tcp to any port 25
#telnet --port 23-- pf firewall rule
block in log proto { tcp udp } to any port 23
#default pass out rule
pass out all keep state
#Umbrella UDP port 443 pass
pass out log quick from any to {208.67.220.220, 208.67.222.222,
2620:119:35::35, 2620:119:53::53}
#bonjour component SSDP --port 1900-- pf firewall rule
block log proto udp to any port 1900
#finger --port 79-- pf firewall rule
block log proto tcp to any port 79
#iTunes sharing --port 3689-- pf firewall rule
block log proto tcp to any port 3689
#mDNSResponder --port 5353-- pf firewall rule
block log proto udp to any port 5353
#nfs --port 2049-- pf firewall rule
block log proto tcp to any port 2049
#optical drive sharing --port 49152-- pf firewall rule
block log proto tcp to any port 49152
#tftp --port 69-- pf firewall rule
block log proto { tcp udp } to any port 69
#uucp --port 540-- pf firewall rule
block log proto tcp to any port 540
#block port = 0
block log proto { tcp, udp } from any to any port = 0
#outbound blocked tables
block out log from any to <bad_actors>
block out log from any to <abusers>
block out log from any to <level2>
block out log from any to <level3>
block out log from any to <webclient>
#block QUIC protocol
block out log quick proto 253 from any to any
#block 6to4 tunneling
block out log quick proto 41 from any to any
#udp port 443 block excluding umbrella
block out log proto udp from any to any port 443
Thank you!
-Vaughn
-----------------------------
Vaughn A. Hart
vahah...@gmail.com
646-284-4291
https://www.linkedin.com/in/vahart
https://github.com/vaughnhart
https://open.spotify.com/user/aojaa35704q6no3iqt4h6k8im?si=b8f2195781f64632
2Sam 14:14a We must all die; we are like water spilled on the ground, which
cannot be gathered up again.“
Jesus said to her, “I am the resurrection and the life. Whoever believes in
me, though he die, yet shall he live,” (John 11:25 ESV)
