You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

OS X Fortress: Firewall and Blackhole for Trackers, Attackers, Malware, Adware, and Spammers

After Apple deprecated the ipfw firewall in favor of PF, I decided to get serious about securing the server from the steady stream of attacks visible on snort and logs. I was also interested in blocking all the known spammers and botnets, and sending all the web trackers into a blackhole, both on the server and for all its clients.


I built a three layer fortress over the kernel, OS, and clients using the excellent BSD pf packet filter and firewall, a hosts file, and proxy.pac file. I use these features:


  • OS X adaptive firewall
  • Adaptive firewall to brute force attacks
  • IP blocks updated about twice a day from emergingthreats.net (IP blocks, compromised hosts, Malvertisers, RBNs) and dshield.org’s top-20
  • Host blocks updated about twice a day from hphosts.net
  • Special proxy.pac host blacklisting from hostsfile.org


snort and other detections have fallen to a fraction with a few simple blocking actions. There are no ads, all common web tracking technology is decapitated, and you have common sense blocks of Russian business networks, Chinese backbone attackers, and plenty more. PF cleans up and normalizes the network stream appearing on the OS, yielding a more efficient and reliable LAN. You can use the server as a web proxy, providing the same protection from trackers etc. to LAN and VPN clients on the server itself.


I’ve attached the necessary setup commands and plist files. You’ll also need a macports packages wget, gnupg, and p7zip. Here are the setup instructions and brief description of the contents for your own personal modifications. The setup is flexible enough to proxy through your own squid proxy or ratelimit access to specific sites. The updates all use wget -N, which saves everyone’s bandwidth because it only downloads files with newer timestamps.


Here’s a brief description of the ten files — modify for your own situation.


# PF


  • pf.conf — PF configuration written for en0 interface.
  • net.openbsd.pf.plist — Enables the PF firewall at boot.
  • net.openbsd.pf.brutexpire.plist — Flushes two week old bruteforce IP table blocks, every day.
  • net.emergingthreats.blockips.plist — Update check of emergingthreats.net IP blocks, once a day
  • net.dshield.block.plist — Update check of dshield.org’s top-20 bad IPs, every four hours


# /etc/hosts


  • net.hphosts.hosts.plist — Update check of hphost’s host lists, full and partial, once a day
  • whitelist.txt — Any hosts in here are deleted from the /etc/hosts blackhole. You need to specify FQDNs AND TLDs in /etc/hosts, i.e. no wildcards.
  • blacklist.txt — Hosts in here are prepended to the /etc/hosts blackhole. Entries are of the form “127.0.0.1 hostname.domain.net”.

    To whitelist or blacklist a site, add it the .txt file, then relaunch the hphost’s plist, which will regenerate /etc/hosts, flush the DNS cache, and reconfigure a squid proxy if running:
    sudo launchctl unload -w /Library/LaunchDaemons/net.hphosts.hosts.plist ; sudo launchctl load -w /Library/LaunchDaemons/net.hphosts.hosts.plist


# proxy.pac


  • net.securemecca.pac.plist — Update check of proxy.pac that blackholes bad hostnames, every two days. Creates a /Library/WebServer/Documents/proxy.pac file based on hostsfile.org’s “King of the PAC,” good hosts are passed through your own JS function FindProxyForURL(). Default use with Safari, OS X clients with System Preferences>Network>Advanced…>Proxies>Automatic Proxy Configuration>http://localhost/proxy.pac.
  • proxy.pac.orig — A “vanilla” proxy.pac file that sets FindProxyForURL() to return DIRECT.


# delete flash cookies


org.opensource.flashcookiedelete.plist — Delete all Flash Cookies every two hours, except for those created by Macromedia settings, https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_ma nager06.html


Finally, at the browser level, you can install these Safari add-ons from http://fixtracking.com: DoNotTrackMe, DuckDuckGo, Adblock, Safari Javascript Blocker.


To turn on OS X Server's adaptive firewall, do this:


sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serverctl enable service=com.apple.afctl

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f


And the setup instructions for OS X. For OS X Server, use DNS to create a private domain such as proxy.domainname.private, then put the proxy.pac.orig file in the directory /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac.orig


# setup

sudo port install wget gnupg p7zip

sudo /usr/bin/cpan install

/usr/bin/cpan Data::Validate::IP

su -

/opt/local/bin/gpg --recv-keys CC37BF7D 155DA479 C83946F0

exit

sudo cp /etc/hosts /etc/hosts.orig

sudo cp /Library/WebServer/Documents/proxy.pac /Library/WebServer/Documents/proxy.pac.orig


# install the files

sudo install -b -B orig pf.conf /etc

sudo install -m 644 net.openbsd.pf.plist /Library/LaunchDaemons

sudo install -m 644 net.openbsd.pf.brutexpire.plist /Library/LaunchDaemons

sudo install -m 644 net.emergingthreats.blockips.plist /Library/LaunchDaemons

sudo install -m 644 net.dshield.block.plist /Library/LaunchDaemons

sudo install -m 644 net.hphosts.hosts.plist /Library/LaunchDaemons

sudo install -m 644 net.securemecca.pac.plist /Library/LaunchDaemons

install -m 644 org.opensource.flashcookiedelete.plist ~/Library/LaunchAgents

sudo mkdir -p /usr/local/etc

sudo install -m 644 whitelist.txt /usr/local/etc

sudo install -m 644 blacklist.txt /usr/local/etc


# daemons

sudo launchctl load -w /Library/LaunchDaemons/net.openbsd.pf.plist

sudo launchctl load -w /Library/LaunchDaemons/net.openbsd.pf.brutexpire.plist

sudo launchctl load -w /Library/LaunchDaemons/net.emergingthreats.blockips.plist

sudo launchctl load -w /Library/LaunchDaemons/net.dshield.block.plist

sudo launchctl load -w /Library/LaunchDaemons/net.hphosts.hosts.plist

sudo launchctl load -w /Library/LaunchDaemons/net.securemecca.pac.plist


launchctl load ~/Library/LaunchAgents/org.opensource.flashcookiedelete.plist


# Launch the OS X web server for the proxy.pac file (OS X, not OS X Server)

sudo apachectl start


Here are the files. Use plutil -lint file.plist to find any cut-and-paste errors.


# PF


pf.conf


#

# Default PF configuration file.

#

# This file contains the main ruleset, which gets automatically loaded

# at startup. PF will not be automatically enabled, however. Instead,

# each component which utilizes PF is responsible for enabling and disabling

# PF via -E and -X as documented in pfctl(8). That will ensure that PF

# is disabled only when the last enable reference is released.

#

# Care must be taken to ensure that the main ruleset does not get flushed,

# as the nested anchors rely on the anchor point defined here. In addition,

# to the anchors loaded by this file, some system services would dynamically

# insert anchors into the main ruleset. These anchors will be added only when

# the system service is used and would removed on termination of the service.

#

# See pf.conf(5) for syntax.

#


# Hardcoded IPs

#mydomain_com = "x.x.x.x"

# $vpn_net == tun0/24 when Tunnelblick creates tun0

vpn_net = "10.8.0/24" # tun0 interface doesn't exist at boot time


# References for modifications:

# The Book of PF by Peter N.M. Hansteen, p. 21

# http://ikawnoclast.com/security/mac-os-x-pf-firewall-avoiding-known-bad-guys/

# http://support.apple.com/kb/HT5519?viewlocale=en_US&locale=en_US

# http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/

# http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/



# Options

set block-policy return

set fingerprints "/etc/pf.os"

set ruleset-optimization basic

set skip on lo0



# Normalization

# Scrub incoming packets

scrub in all no-df


#

# com.apple anchor point

#

scrub-anchor "com.apple/*"



# Queueing



# Translation


# OpenVPN Server NAT

#

# The Book of PF, p. 21

int_if = "en0"

# tun_if = "tun0" # tun0 doesn't exist at boot time

nat on $int_if inet from { $vpn_net $int_if:network } to any -> ($int_if)


nat-anchor "com.apple/*"

rdr-anchor "com.apple/*"

dummynet-anchor "com.apple/*"

anchor "com.apple/*"

load anchor "com.apple" from "/etc/pf.anchors/com.apple"



# Filtering


# Pass by default

pass all


# Antispoof

# This breaks ping, DNS on OS X Server

#antispoof log quick for { lo0 $int_if } inet


# Block to/from illegal destinations or sources

block drop in log quick from no-route to any

block drop in log quick from urpf-failed to any

# This is observed on OS X

#block drop in log quick on $int_if from any to 255.255.255.255


# Local net

pass quick from { lo0 $int_if } to any


# Whitelist

#table <whitelist> const { $mydomain_com }

#pass in quick from <whitelist>


# Block brute force attacks

table <bruteforce> persist

block drop log quick from <bruteforce>


# Emerging Threats Open Source, http://rules.emergingthreats.net/fwrules/


# http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

table <emerging_threats> persist file "/usr/local/etc/emerging-Block-IPs.txt"

block drop log quick from <emerging_threats> to any


# http://rules.emergingthreats.net/blockrules/compromised-ips.txt

table <compromised_ips> persist file "/usr/local/etc/compromised-ips.txt"

block drop log quick from <compromised_ips> to any


# http://rules.emergingthreats.net/blockrules/rbn-ips.txt

table <rbn_ips> persist file "/usr/local/etc/rbn-ips.txt"

block drop log quick from <rbn_ips> to any


# http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt

table <rbn_malvertisers_ips> persist file "/usr/local/etc/rbn-ips.txt"

block drop log quick from <rbn_malvertisers_ips> to any


# dshield.org block list

table <dshield_block_ip> persist file "/usr/local/etc/dshield_block_ip.txt"

block drop log quick from <dshield_block_ip> to any


# ICMP

icmp_types = "echoreq"

pass inet proto icmp from $int_if:network to any icmp-type $icmp_types

pass inet proto icmp from any to $int_if icmp-type $icmp_types


# allow out the default range for traceroute(8):

# "base+nhops*nqueries-1" (33434+64*3-1)

pass out on $int_if inet proto udp from any to any port 33433 >< 33626


# Allow critical system traffic

pass in quick inet proto udp from port bootps to port bootpc

pass out quick inet proto udp from port bootpc to port bootps


# LAN services: block access, except from localnet

lan_udp_services = "{ domain, 5001, postgresql }"

lan_tcp_services = "{ domain, auth, nntp, www, \

311, 3128, 5001, 5900:5909, privoxy, postgresql, \

8123 }"

block in proto tcp from any to { lo0 $int_if } port $lan_tcp_services

block in proto udp from any to { lo0 $int_if } port $lan_udp_services

pass in quick inet proto udp from { lo0 $vpn_net $int_if:network } to { lo0 $int_if } port $lan_udp_services

pass in quick inet proto tcp from { lo0 $vpn_net $int_if:network } to { lo0 $int_if } port $lan_tcp_services


# Internet services

internet_udp_services = "{ https, 500, openvpn, \

1701, 4500, 5060, 5190, 5297, 5298, 5678 }"

internet_tcp_services = "{ 995, 1640, 1723, 2195, \

2196, 4190, 5218, 5223, 5190, 5220, 5222, 5298, \

8008, 8443, 8800, 8843 }"

pass in proto udp from any to { lo0 $int_if } port $internet_udp_services

pass in proto tcp from any to { lo0 $int_if } port $internet_tcp_services

# ssh really restrictive

pass in inet proto tcp from any to { lo0 $int_if } port ssh \

keep state (max-src-conn 5, max-src-conn-rate 5/2, \

overload <bruteforce> flush global)

# web, mail more restrictive

pass in inet proto tcp from any to { lo0 $int_if } \

port { smtp, https, imap, submission, imaps, eyetv } \

keep state (max-src-nodes 50, max-src-conn 200, max-src-conn-rate 100/10, \

overload <bruteforce> flush global)



net.openbsd.pf.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.openbsd.pf.plist</string>

<key>Program</key>

<string>/sbin/pfctl</string>

<key>ProgramArguments</key>

<array>

<string>/sbin/pfctl</string>

<string>-e</string>

<string>-f</string>

<string>/etc/pf.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>ServiceDescription</key>

<string>OpenBSD Packet Filter (pf)</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>



net.openbsd.pf.brutexpire.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.openbsd.pf.brutexpire.plist</string>

<key>Program</key>

<string>/sbin/pfctl</string>

<key>ProgramArguments</key>

<array>

<string>/sbin/pfctl</string>

<string>-t</string>

<string>bruteforce</string>

<string>-T</string>

<string>expire</string>

<string>604800</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>86400</integer>

<key>ServiceDescription</key>

<string>OpenBSD Packet Filter bruteforce table expiration</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>



net.emergingthreats.blockips.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.emergingthreats.blockips.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/blockrules/compromised-ips.txt ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/blockrules/rbn-ips.txt ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt ; /sbin/pfctl -f /etc/pf.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>86400</integer>

<key>ServiceDescription</key>

<string>Emerging Threats PF Update</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>



net.dshield.block.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.dshield.block.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt.asc &amp;&amp; /opt/local/bin/gpg --verify /usr/local/etc/block.txt.asc /usr/local/etc/block.txt &amp;&amp; /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::IP; my $vip=Data::Validate::IP-&gt;new; if (/^\w*#/) { print; } elsif ($vip-&gt;is_ipv4($F[0]) &amp; $vip-&gt;is_ipv4($F[1]) &amp; isdigit($F[2]) &amp; (0&lt;= $F[2] &amp; $F[2]&lt;=32)) { print $F[0], &quot;/&quot;, $F[2], &quot;\n&quot;; }&apos; /usr/local/etc/block.txt &gt; /tmp/dshield_block_ip.txt &amp;&amp; /usr/bin/install -m 644 -g admin -S /tmp/dshield_block_ip.txt /usr/local/etc/dshield_block_ip.txt ; /bin/rm -f /tmp/dshield_block_ip.txt ; /sbin/pfctl -f /etc/pf.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>14400</integer>

<key>ServiceDescription</key>

<string>dshield.org top 20 block list</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>



# /etc/hosts


net.hphosts.hosts.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.hphosts.hosts.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; ( /bin/test -f /etc/hosts.orig || /usr/bin/install -m 644 -S /etc/hosts /etc/hosts.orig ) &amp;&amp; /bin/cp /etc/hosts.orig /tmp/hosts &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/download/hosts.zip &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/hphosts-partial.asp &amp;&amp; /usr/bin/unzip -o /usr/local/etc/hosts.zip -d /tmp/hphosts &amp;&amp; /opt/local/bin/gpg --verify /tmp/hphosts/hosts.txt.sig /tmp/hphosts/hosts.txt &amp;&amp; ( /bin/test -f /usr/local/etc/whitelist.txt || /usr/bin/printf &apos;\n# whitelisted hosts (FQDN and DN) will be deleted from hphost&apos;&quot;&apos;&quot;&apos;s host.zip\n#\n&apos; &gt; /usr/local/etc/whitelist.txt ) &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hosts.txt from http://hosts-file.net/download/hosts.zip:\n' &gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /tmp/hphosts/hosts.txt | tr -d &apos;\015&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hphosts-partial.asp from http://hosts-file.net/hphosts-partial.asp:\n' &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /usr/local/etc/hphosts-partial.asp | tr -d &apos;\015&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; ( /bin/test -f /usr/local/etc/blacklist.txt &amp;&amp; /bin/cat /usr/local/etc/blacklist.txt &gt;&gt; /tmp/hosts ) &amp;&amp; /usr/bin/grep -v -E &quot;`/usr/bin/perl -ane &apos;BEGIN{$s=qw#\\s+(#}; { if (!/^\w*#/&amp;length($F[0])&gt;0){$s = $s . $F[0] . qw(|);}} END{$s = substr($s,0,length($s)-1) . qw#)\\s*#; $s=~s/\\./\\\\./g; print $s;}&apos; /usr/local/etc/whitelist.txt`&quot; /tmp/hosts-block.txt &gt;&gt; /tmp/hosts &amp;&amp; /usr/bin/install -m 644 -S /tmp/hosts /etc/hosts ; /bin/rm -fr /tmp/hosts /tmp/hphosts /tmp/hosts-block.txt ; /usr/bin/dscacheutil -flushcache ; /opt/local/sbin/squid -k check &amp;&amp; /opt/local/sbin/squid -k reconfigure</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>86400</integer>

<key>ServiceDescription</key>

<string>hpHosts.org hosts file update</string>

<key>StandardErrorPath</key>

<string>/var/log/system.log</string>

<key>StandardOutPath</key>

<string>/var/log/system.log</string>

</dict>

</plist>



whitelist.txt



# whitelisted hosts (FQDN and DN) will be deleted from hphost's host.zip

www.drugstore.com

drugstore.com

www.evite.com

evite.com



blacklist.txt



# blacklisted hosts of the form "127.0.0.1 hostname.tld" appened to /etc/hosts

127.0.0.1 www.ahostnamethatyouwanttoblackholebutwillneveractuallyseeontheinternet.net

127.0.0.1 ahostnamethatyouwanttoblackholebutwillneveractuallyseeontheinternet.net



# proxy.pac


net.securemecca.pac.plist-for-osx


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.securemecca.pac.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; ( /bin/test -f /Library/WebServer/Documents/proxy.pac.orig || /usr/bin/install -m 644 -S /Library/WebServer/Documents/proxy.pac /Library/WebServer/Documents/proxy.pac.orig ) &amp;&amp; /bin/cp /Library/WebServer/Documents/proxy.pac.orig /tmp/proxy.pac.orig &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://securemecca.com/Downloads/AutoPac_EN.unx.7z &amp;&amp; /opt/local/bin/7za x -aoa -o/tmp /usr/local/etc/AutoPac_EN.unx.7z AutoPac_EN.unx &amp;&amp; /opt/local/bin/gpg --verify /tmp/AutoPac_EN.unx/proxy_en.sig /tmp/AutoPac_EN.unx/proxy_en &amp;&amp; /usr/bin/printf &apos;// *Modified for domainname.com*\n// King of the PAC from http://securemecca.com/pac.html:\n' &gt; /tmp/proxy.pac &amp;&amp; /usr/bin/sed -E &apos;s/return[ \t]+normal/return MyFindProxyForURL(url.toString(), host)/g&apos; /tmp/AutoPac_EN.unx/proxy_en &gt;&gt; /tmp/proxy.pac &amp;&amp; /usr/bin/sed -E &apos;s/function[ \t]+FindProxyForURL/function MyFindProxyForURL/&apos; /tmp/proxy.pac.orig &gt;&gt; /tmp/proxy.pac &amp;&amp; /usr/bin/install -m 644 -g admin -S /tmp/proxy.pac /Library/WebServer/Documents/proxy.pac ; /bin/rm -fr /tmp/proxy.pac /tmp/proxy.pac.orig /tmp/AutoPac_EN.unx</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>172800</integer>

<key>ServiceDescription</key>

<string>securemecca.com King of the PAC Modification</string>

<key>StandardErrorPath</key>

<string>/var/log/system.log</string>

<key>StandardOutPath</key>

<string>/var/log/system.log</string>

</dict>

</plist>


net.securemecca.pac.plist-for-osxserver


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.securemecca.pac.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; ( /bin/test -f /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac.orig || /usr/bin/install -m 644 -S /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac.orig ) &amp;&amp; /bin/cp /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac.orig /tmp/proxy.pac.orig &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://securemecca.com/Downloads/AutoPac_EN.unx.7z &amp;&amp; /opt/local/bin/7za x -aoa -o/tmp /usr/local/etc/AutoPac_EN.unx.7z AutoPac_EN.unx &amp;&amp; /opt/local/bin/gpg --verify /tmp/AutoPac_EN.unx/proxy_en.sig /tmp/AutoPac_EN.unx/proxy_en &amp;&amp; /usr/bin/printf &apos;// *Modified for mydomain.com*\n// King of the PAC from http://securemecca.com/pac.html:\n' &gt; /tmp/proxy.pac &amp;&amp; /usr/bin/sed -E &apos;s/return[ \t]+normal/return MyFindProxyForURL(url.toString(), host)/g&apos; /tmp/AutoPac_EN.unx/proxy_en &gt;&gt; /tmp/proxy.pac &amp;&amp; /usr/bin/sed -E &apos;s/function[ \t]+FindProxyForURL/function MyFindProxyForURL/&apos; /tmp/proxy.pac.orig &gt;&gt; /tmp/proxy.pac &amp;&amp; /usr/bin/install -m 644 -g admin -S /tmp/proxy.pac /Library/Server/Web/Data/Sites/CustomSitesDefault/proxy.pac ; /bin/rm -fr /tmp/proxy.pac /tmp/proxy.pac.orig /tmp/AutoPac_EN.unx</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>172800</integer>

<key>ServiceDescription</key>

<string>securemecca.com King of the PAC Modification</string>

<key>StandardErrorPath</key>

<string>/var/log/system.log</string>

<key>StandardOutPath</key>

<string>/var/log/system.log</string>

</dict>

</plist>



proxy.pac.orig


function FindProxyForURL(url, host)

{

return "DIRECT";

// return "PROXY localhost:3128";

}



# delete flash cookies


org.opensource.flashcookiedelete.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>org.opensource.flashcookiedelete.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/usr/bin/find ~/Library/Preferences/Macromedia/Flash\ Player ! -path ~/Library/Preferences/Macromedia/Flash\ Player/macromedia.com/support/flashplayer/sys/settings.sol -delete</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>1800</integer>

<key>ServiceDescription</key>

<string>Delete Flash Cookies</string>

</dict>

</plist>

OS X Mavericks (10.9), OS X Server, EyeTV HD, Turbo.264 HD

Posted on Dec 20, 2013 12:03 PM

Reply
12 replies

Dec 29, 2013 11:02 AM in response to essandess

Here's a modification to pfctl configuration and block table updates that creates an anchor for the block tables and avoids breaking existing connections. Rather than 'pfctl -f /etc/pf.conf', reload the tables using 'pfctl -a blockips -T load -f /usr/local/etc/blockips.conf'.


Replace the open source blocks in pf.conf with these commands:


# PF


# Open Source IP blocks

# Refresh with pfctl -a blockips -T load -f /usr/local/etc/blockips.conf

anchor 'blockips' label "Open Source IP Blocks"

load anchor 'blockips' from '/usr/local/etc/blockips.conf'


Create the new file /usr/local/etc/blockips.conf :


# Define tables and drop rules for open source IP blocks

# Reload with:

# pfctl -a blockips -T load -f /usr/local/etc/blockips.conf

# Emerging Threats Open Source, http://rules.emergingthreats.net/fwrules/

# http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

table <emerging_threats> persist file "/usr/local/etc/emerging-Block-IPs.txt"

block drop log quick from <emerging_threats> to any

# http://rules.emergingthreats.net/blockrules/compromised-ips.txt

table <compromised_ips> persist file "/usr/local/etc/compromised-ips.txt"

block drop log quick from <compromised_ips> to any

# http://rules.emergingthreats.net/blockrules/rbn-ips.txt

table <rbn_ips> persist file "/usr/local/etc/rbn-ips.txt"

block drop log quick from <rbn_ips> to any

# http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt

table <rbn_malvertisers_ips> persist file "/usr/local/etc/rbn-malvertisers-ips.txt"

block drop log quick from <rbn_malvertisers_ips> to any

# dshield.org block list

table <dshield_block_ip> persist file "/usr/local/etc/dshield_block_ip.txt"

block drop log quick from <dshield_block_ip> to any


Modify the two plists that update the block tables:


net.emergingthreats.blockips.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.emergingthreats.blockips.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etchttp://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt ; /opt/local/bin/wget -N -P /usr/local/etchttp://rules.emergingthreats.net/blockrules/compromised-ips.txt ; /opt/local/bin/wget -N -P /usr/local/etchttp://rules.emergingthreats.net/blockrules/rbn-ips.txt ; /opt/local/bin/wget -N -P /usr/local/etchttp://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt ; /sbin/pfctl -a blockips -T load -f /usr/local/etc/blockips.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>86400</integer>

<key>ServiceDescription</key>

<string>Emerging Threats PF Update</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>



net.dshield.block.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.dshield.block.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt&amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt.asc &amp;&amp; /opt/local/bin/gpg --verify /usr/local/etc/block.txt.asc /usr/local/etc/block.txt &amp;&amp; /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::IP; my $vip=Data::Validate::IP-&gt;new; if (/^\w*#/) { print; } elsif ($vip-&gt;is_ipv4($F[0]) &amp; $vip-&gt;is_ipv4($F[1]) &amp; isdigit($F[2]) &amp; (0&lt;= $F[2] &amp; $F[2]&lt;=32)) { print $F[0], &quot;/&quot;, $F[2], &quot;\n&quot;; }&apos; /usr/local/etc/block.txt &gt; /tmp/dshield_block_ip.txt &amp;&amp; /usr/bin/install -m 644 -g admin -S /tmp/dshield_block_ip.txt /usr/local/etc/dshield_block_ip.txt ; /bin/rm -f /tmp/dshield_block_ip.txt ; /sbin/pfctl -a blockips -T load -f /usr/local/etc/blockips.conf</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>14400</integer>

<key>ServiceDescription</key>

<string>dshield.org top 20 block list</string>

<key>StandardErrorPath</key>

<string>/var/log/pf.log</string>

<key>StandardOutPath</key>

<string>/var/log/pf.log</string>

</dict>

</plist>


Aug 1, 2014 9:02 AM in response to davidh

It's a one-liner:

/bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt && /opt/local/bin/wget -N -P /usr/local/etc http://www.dshield.org/block.txt.asc && /opt/local/bin/gpg --verify /usr/local/etc/block.txt.asc /usr/local/etc/block.txt && /usr/bin/perl -ane 'use POSIX; use Data::Validate::IP; my $vip=Data::Validate::IP->new; if (/^\w*#/) { print; } elsif ($vip->is_ipv4($F[0]) & $vip->is_ipv4($F[1]) & isdigit($F[2]) & (0<= $F[2] & $F[2]<=32)) { print $F[0], "/", $F[2], "\n"; }' /usr/local/etc/block.txt > /tmp/dshield_block_ip.txt && /usr/bin/install -m 644 -g admin -S /tmp/dshield_block_ip.txt /usr/local/etc/dshield_block_ip.txt ; /bin/rm -f /tmp/dshield_block_ip.txt ; /sbin/pfctl -a blockips -T load -f /usr/local/etc/blockips.conf

Aug 1, 2014 10:30 AM in response to essandess

Great, thanks ! I understood what the Perl was doing, but couldn't properly translate some/all of the characters you'd translate/accommodated for listing directly within the plist (arguments) itself.


Also note the RBN lists are now deprecated & no longer at the exact URL(s) you originally specified.
For example, see http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers.rules
which is empty of any actual rules/info, and states:


"

THIS RULESET HAS BEEN OBSOLETED!! This file is left to simply note this fact.

#

# More information available at doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

"


Cheers.

Sep 6, 2014 9:56 AM in response to essandess

Update and fix:


Use the new file net.hphosts.hosts.plist below to avoid this problem.


I was experiencing TLS authentication problems with many apps and servers. Mail.app would fail for all accounts, iCloud Keychain stopped working, as did Adobe Updater and EyeTV program updates and more. I was unable to fix the problem and was tentatively blaming some unidentified OS X TLS bug. Apple Enterprise support helped uncover a problem with the /etc/hosts file created by net.hphosts.hosts.plist -- the hosts list from hosts-file.net/download/hosts.zip contains numerous nonconforming domain names (specifically, names that begin with a hyphen).

By copying /etc/hosts.orig back to /etc/hosts, then shutdown then safe boot and login, then shutdown, then normal boot, all my TLS problems vanished and everything began working again. There are several known fragility issues with OS X and /etc/hosts, and this apparently is another one.


I updated the script in net.hphosts.hosts.plist to use the perl module Data::Validate::Domain to only add valid domain names to /etc/hosts. This has been working fine ever since. Here are the updates:


sudo /usr/bin/cpan Data::Validate::Domain



net.hphosts.hosts.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.hphosts.hosts.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; ( /bin/test -f /etc/hosts.orig || /usr/bin/install -m 644 -S /etc/hosts /etc/hosts.orig ) &amp;&amp; /bin/cp /etc/hosts.orig /tmp/hosts &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/download/hosts.zip &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/hphosts-partial.asp &amp;&amp; /usr/bin/unzip -o /usr/local/etc/hosts.zip -d /tmp/hphosts &amp;&amp; /opt/local/bin/gpg --verify /tmp/hphosts/hosts.txt.sig /tmp/hphosts/hosts.txt &amp;&amp; ( /bin/test -f /usr/local/etc/whitelist.txt || /usr/bin/printf &apos;\n# whitelisted hosts (FQDN and DN) will be deleted from hphost&apos;&quot;&apos;&quot;&apos;s host.zip\n#\n&apos; &gt; /usr/local/etc/whitelist.txt ) &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hosts.txt from http://hosts-file.net/download/hosts.zip:\n' &gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /tmp/hphosts/hosts.txt | tr -d &apos;\015&apos; | /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::Domain qw(is_domain); { if (/^127\.0\.0\.1\s*(.+)$/) { print qq#127.0.0.1\t$1\n# if is_domain($1); } else { print; } }&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hphosts-partial.asp from http://hosts-file.net/hphosts-partial.asp:\n' &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /usr/local/etc/hphosts-partial.asp | tr -d &apos;\015&apos; | /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::Domain qw(is_domain); { if (/^127\.0\.0\.1\s*(.+)$/) { print qq#127.0.0.1\t$1\n# if is_domain($1); } else { print; } }&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; ( /bin/test -f /usr/local/etc/blacklist.txt &amp;&amp; /bin/cat /usr/local/etc/blacklist.txt &gt;&gt; /tmp/hosts ) &amp;&amp; /usr/bin/grep -v -E &quot;`/usr/bin/perl -ane &apos;BEGIN{$s=qw#\\s+(#}; { if (!/^\w*#/&amp;length($F[0])&gt;0){$s = $s . $F[0] . qw(|);}} END{$s = substr($s,0,length($s)-1) . qw#)\\s*#; $s=~s/\\./\\\\./g; print $s;}&apos; /usr/local/etc/whitelist.txt`&quot; /tmp/hosts-block.txt &gt;&gt; /tmp/hosts &amp;&amp; /usr/bin/install -m 644 -S /tmp/hosts /etc/hosts ; /bin/rm -fr /tmp/hosts /tmp/hphosts /tmp/hosts-block.txt ; killall -HUP mDNSResponder ; /opt/local/sbin/squid -k reconfigure</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>86400</integer>

<key>ServiceDescription</key>

<string>hpHosts.org hosts file update</string>

<key>StandardErrorPath</key>

<string>/var/log/system.log</string>

<key>StandardOutPath</key>

<string>/var/log/system.log</string>

</dict>

</plist>

Sep 16, 2014 3:29 AM in response to essandess

Large /etc/hosts files do break mDNSResponder on OS X (bug report #18277328).


I recommend not replacing /etc/hosts with the large hosts file created by net.hphosts.hosts.plist.


Rather, edit this plist to create the file /etc/hosts-hphosts, then use the squid proxy to filter out bad/tracker domains. This will provide nearly the same level of security as using /etc/hosts directly, but without the OS X issues.


The squid directive you want in squid.conf for a large /etc/hosts file are:


hosts_file /etc/hosts-hphosts

ipcache_size 16384

fqdncache_size 131072


See the link above for privacy-enhancing squid directives.


Here's the modified net.hphosts.hosts.plist.


net.hphosts.hosts.plist


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>net.hphosts.hosts.plist</string>

<key>Program</key>

<string>/bin/bash</string>

<key>ProgramArguments</key>

<array>

<string>/bin/bash</string>

<string>-c</string>

<string>/bin/mkdir -p /usr/local/etc ; ( /bin/test -f /etc/hosts.orig || /usr/bin/install -m 644 -S /etc/hosts /etc/hosts.orig ) &amp;&amp; /bin/cp /etc/hosts.orig /tmp/hosts &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/download/hosts.zip &amp;&amp; /opt/local/bin/wget -N -P /usr/local/etchttp://hosts-file.net/hphosts-partial.asp &amp;&amp; /usr/bin/unzip -o /usr/local/etc/hosts.zip -d /tmp/hphosts &amp;&amp; /opt/local/bin/gpg --verify /tmp/hphosts/hosts.txt.sig /tmp/hphosts/hosts.txt &amp;&amp; ( /bin/test -f /usr/local/etc/whitelist.txt || /usr/bin/printf &apos;\n# whitelisted hosts (FQDN and DN) will be deleted from hphost&apos;&quot;&apos;&quot;&apos;s host.zip\n#\n&apos; &gt; /usr/local/etc/whitelist.txt ) &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hosts.txt from http://hosts-file.net/download/hosts.zip:\n' &gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /tmp/hphosts/hosts.txt | tr -d &apos;\015&apos; | /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::Domain qw(is_domain); { if (/^127\.0\.0\.1\s*(.+)$/) { print qq#127.0.0.1\t$1\n# if is_domain($1); } else { print; } }&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /usr/bin/printf &apos;\n# hpHosts hphosts-partial.asp from http://hosts-file.net/hphosts-partial.asp:\n' &gt;&gt; /tmp/hosts-block.txt &amp;&amp; /bin/cat /usr/local/etc/hphosts-partial.asp | tr -d &apos;\015&apos; | /usr/bin/perl -ane &apos;use POSIX; use Data::Validate::Domain qw(is_domain); { if (/^127\.0\.0\.1\s*(.+)$/) { print qq#127.0.0.1\t$1\n# if is_domain($1); } else { print; } }&apos; &gt;&gt; /tmp/hosts-block.txt &amp;&amp; ( /bin/test -f /usr/local/etc/blacklist.txt &amp;&amp; /bin/cat /usr/local/etc/blacklist.txt &gt;&gt; /tmp/hosts ) &amp;&amp; /usr/bin/grep -v -E &quot;`/usr/bin/perl -ane &apos;BEGIN{$s=qw#\\s+(#}; { if (!/^\w*#/&amp;length($F[0])&gt;0){$s = $s . $F[0] . qw(|);}} END{$s = substr($s,0,length($s)-1) . qw#)\\s*#; $s=~s/\\./\\\\./g; print $s;}&apos; /usr/local/etc/whitelist.txt`&quot; /tmp/hosts-block.txt &gt;&gt; /tmp/hosts &amp;&amp; /usr/bin/install -m 644 -S /tmp/hosts /etc/hosts-hphosts ; /bin/rm -fr /tmp/hosts /tmp/hphosts /tmp/hosts-block.txt ; /opt/local/sbin/squid -k reconfigure</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>86400</integer>

<key>ServiceDescription</key>

<string>hpHosts.org hosts file update</string>

<key>StandardErrorPath</key>

<string>/var/log/system.log</string>

<key>StandardOutPath</key>

<string>/var/log/system.log</string>

</dict>

</plist>

Oct 4, 2014 12:57 AM in response to essandess

For reference here are some pfctl commands that show statistics on (reasonably presumed) attacks on the network:


sudo pfctl -t bruteforce -Ts | wc -l

sudo pfctl -a blockips -t compromised_ips -Ts -v | egrep -e 'Packets: [^0]' | wc -l

sudo pfctl -a blockips -t dshield_block_ip -Ts -v | egrep -e 'Packets: [^0]' | wc -l

sudo pfctl -a blockips -t emerging_threats -Ts -v | egrep -e 'Packets: [^0]' | wc -l


My own counts on a server with an uptime of a couple weeks are 19, 78, 1, and 8—over a hundred attacks. This is consistent with greatly reduced alerts from snort running on OS X.

Dec 19, 2014 5:05 PM in response to essandess

I've created a git repo of this osxfortress package, all updated. To grab these files and install everything:


git clone https://github.com/essandess/osxfortress.git

sh ./osxfortress/readme-and-install.sh


The README file says:


osxfortress

===========


OS X Fortress: Firewall, Blackhole, and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers


Kernel-level, OS-level, and client-level security for OS X. Built to

address a steady stream of attacks visible on snort and server logs,

as well as blocks ads, malicious scripts, and conceal information used

to track you around the web. After this package was installed, snort

and other detections have fallen to a fraction with a few simple

blocking actions. This setup is a lot more capable and effective than

using a simple adblocking browser Add-On. There's a world of

difference between ad-filled web pages with and without a filtering

proxy server. It's also saved me from inadvertantly clicking on

phishing links.


This package uses these features:


* OS X adaptive firewall

* Adaptive firewall to brute force attacks

* IP blocks updated about twice a day from emergingthreats.net

(IP blocks, compromised hosts, Malvertisers) and

dshield.org’s top-20

* Host blocks updated about twice a day from hphosts.net

* Special proxy.pac host blacklisting from hostsfile.org

OS X Fortress: Firewall and Blackhole for Trackers, Attackers, Malware, Adware, and Spammers

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.