casa-mp-base
Public
Source
## Default PF configuration file.## This file contains the main ruleset, which gets automatically loaded# at startup. PF will not be automatically enabled, however. Instead,# each component which utilizes PF is responsible for enabling and disabling# PF via -E and -X as documented in pfctl(8). That will ensure that PF# is disabled only when the last enable reference is released.## Care must be taken to ensure that the main ruleset does not get flushed,# as the nested anchors rely on the anchor point defined here. In addition,# to the anchors loaded by this file, some system services would dynamically # insert anchors into the main ruleset. These anchors will be added only when# the system service is used and would removed on termination of the service.## See pf.conf(5) for syntax.## References for modifications:# The Book of PF by Peter N.M. Hansteen, p. 21# http://ikawnoclast.com/security/mac-os-x-pf-firewall-avoiding-known-bad-guys/# http://support.apple.com/kb/HT5519?viewlocale=en_US&locale=en_US# http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/# http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/# Internal interface; use the command `ifconfig -a` or:# $ ifconfig | pcregrep -M -o '^[^\t:]+:([^\n]|\n\t)*status: active' | egrep -o -m 1 '^[^\t:]+'int_if = "@INTERFACE@"# VPN network (uncomment '#vpn#' comment lines)# $vpn_net == utun0/24 when Tunnelblick creates utun0#vpn# vpn_net = "10.8.0/24" # utun0 interface doesn't exist at boot time# Optionsset block-policy returnset fingerprints "/etc/pf.os"set ruleset-optimization basicset skip on lo0# Normalization# Scrub incoming packetsscrub in all no-df## com.apple anchor point#scrub-anchor "com.apple/*"# Queueing# Translation# OpenVPN Server NAT# # The Book of PF, p. 21# Allow VPN connections to the VPN host:# http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work#tun_if = "utun0"