Source of pf.conf - casa-mp-base

xxxxxxxxxx

# Default PF configuration file.

# This file contains the main ruleset, which gets automatically loaded

# at startup.  PF will not be automatically enabled, however.  Instead,

# each component which utilizes PF is responsible for enabling and disabling

# PF via -E and -X as documented in pfctl(8).  That will ensure that PF

# is disabled only when the last enable reference is released.

# Care must be taken to ensure that the main ruleset does not get flushed,

# as the nested anchors rely on the anchor point defined here. In addition,

# to the anchors loaded by this file, some system services would dynamically

# insert anchors into the main ruleset. These anchors will be added only when

# the system service is used and would removed on termination of the service.

# See pf.conf(5) for syntax.

# References for modifications:

# The Book of PF by Peter N.M. Hansteen, p. 21

# http://ikawnoclast.com/security/mac-os-x-pf-firewall-avoiding-known-bad-guys/

# http://support.apple.com/kb/HT5519?viewlocale=en_US&locale=en_US

# http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/

# http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/

# Internal interface; use the command `ifconfig -a` or:

# $ ifconfig | pcregrep -M -o '^[^\t:]+:([^\n]|\n\t)*status: active' | egrep -o -m 1 '^[^\t:]+'

int_if = "@INTERFACE@"

# VPN network (uncomment '#vpn#' comment lines)

# $vpn_net == utun0/24 when Tunnelblick creates utun0

#vpn# vpn_net = "10.8.0/24"   # utun0 interface doesn't exist at boot time

# Options

set block-policy return

set fingerprints "/etc/pf.os"

set ruleset-optimization basic

set skip on lo0

# Normalization

# Scrub incoming packets

scrub in all no-df

# com.apple anchor point

scrub-anchor "com.apple/*"

# Queueing

# Translation

# OpenVPN Server NAT

# The Book of PF, p. 21

# Allow VPN connections to the VPN host:

# http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work

#tun_if = "utun0"

#no nat on ! $tun_if from $vpn_net to ($int_if)

#nat on ! $tun_if from $vpn_net to ! ($int_if) -> ($int_if)

# Use a list in case Tunnelblick creates multiples utun interaces

#tun_if = "{ utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9 }"

#vpn# not_tun_if = "{ !utun0, !utun1, !utun2, !utun3, !utun4, !utun5, !utun6, !utun7, !utun8, !utun9 }"

#vpn# no nat on $not_tun_if from $vpn_net to ($int_if)

#vpn# nat on $not_tun_if from $vpn_net to ! ($int_if) -> ($int_if)

# This rule must be included below BEFORE these packets are passed by other rules:

# pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if

nat-anchor "com.apple/*"

rdr-anchor "com.apple/*"

dummynet-anchor "com.apple/*"

anchor "com.apple/*"

load anchor "com.apple" from "/etc/pf.anchors/com.apple"

# macOS Server Adaptive Firewall

# Comment out for non-macOS Server instances

# anchor "com.apple.server-firewall/*"

# load anchor "com.apple.server-firewall" from "/etc/pf.anchors/com.apple.server-firewall"

# Filtering

# Block by default

block all

# Debugging:

#pass quick log (all, to pflog0) all

casa-mp-base