Patrick: Currently, I get:
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat-anchor "com.apple/*" all
rdr-anchor "com.apple/*" all
FILTER RULES:
scrub in all no-df fragment reassemble
scrub-anchor "cisco.anyconnect.vpn" all fragment reassemble
scrub-anchor "com.apple/*" all fragment reassemble
anchor "cisco.anyconnect.vpn" all
anchor "com.apple/*" all
block drop in log all
pass in quick inet proto udp from any port = 67 to any port = 68 keep state
pass in quick inet6 proto udp from any port = 547 to any port = 546 keep state
pass in log quick inet6 proto ipv6-icmp all icmp6-type routeradv keep state
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop in log on ! self inet from 127.0.0.0/8 to any
block drop in log on ! self inet6 from ::1 to any
block drop in log inet6 from ::1 to any
block drop in log on lo0 inet6 from fe80::1 to any
block drop in log inet from 127.0.0.1 to any
block drop in log from no-route to any
block drop in log from urpf-failed to any
block drop in log on self inet from any to 255.255.255.255
block drop in log on self from <bad_actors> to any
block drop in log on self from <abusers> to any
block drop in log on self from <level2> to any
block drop in log on self from <level3> to any
block drop in log on self from <webclient> to any
block drop log proto tcp from any port = 0 to any
block drop log proto udp from any port = 0 to any
pass in inet from 127.0.0.1 to any flags S/SA keep state
pass in inet6 from ::1 to any flags S/SA keep state
block drop out from any os "unknown" to any
block drop in log proto tcp from any to any port = 548
block drop in log proto tcp from any to any port = 20
block drop in log proto tcp from any to any port = 21
block drop in log proto tcp from any to any port = 80
block drop in log proto tcp from any to any port = 143
block drop in log proto tcp from any to any port = 993
block drop in log proto tcp from any to any port = 110
block drop in log proto tcp from any to any port = 995
block drop in log proto tcp from any to any port = 3031
block drop in log proto tcp from any to any port = 5900
block drop in log proto tcp from any to any port = 139
block drop in log proto tcp from any to any port = 445
block drop in log proto tcp from any to any port = 25
block drop in log proto tcp from any to any port = 23
block drop in log proto udp from any to any port = 20
block drop in log proto udp from any to any port = 21
block drop in log proto udp from any to any port = 80
block drop in log proto udp from any to any port = 137
block drop in log proto udp from any to any port = 138
block drop in log proto udp from any to any port = 23
block drop in log proto icmp all
pass out all flags S/SA keep state
pass out log quick inet from any to 208.67.220.220 flags S/SA keep state
pass out log quick inet from any to 208.67.222.222 flags S/SA keep state
pass out log quick inet6 from any to 2620:119:35::35 flags S/SA keep state
pass out log quick inet6 from any to 2620:119:53::53 flags S/SA keep state
block drop log proto tcp from any to any port = 79
block drop log proto tcp from any to any port = 3689
block drop log proto tcp from any to any port = 2049
block drop log proto tcp from any to any port = 49152
block drop log proto tcp from any to any port = 69
block drop log proto tcp from any to any port = 540
block drop log proto tcp from any to any port = 0
block drop log proto udp from any to any port = 1900
block drop log proto udp from any to any port = 5353
block drop log proto udp from any to any port = 69
block drop log proto udp from any to any port = 0
block drop log from any to <bad_actors>
block drop log from any to <abusers>
block drop log from any to <level2>
block drop log from any to <level3>
block drop log from any to <webclient>
block drop log quick proto 253 all
block drop log quick proto ipv6 all
block drop log proto udp from any to any port = 443
DUMMYNET RULES:
dummynet-anchor "com.apple/*" all

Is the command ifstated +1?

Mac OS and their networking topology may have modified PF. I notice that on some tables/rules for apple iCloud/apple-dns addresses, if there is no DNS resolution it will drop the entire ruleset... aka pf won't load it at all.

I tried making some of Stuart's changes but I ran into my Umbrella client not working. Persnickety beast... it makes tunnels from localhost to 127.0.0.1 without name resolution. My theory on hacking is that any connection is a connection and within tunnels there is a way to pass through the table. Hence all the block in rules.

I've made too many changes at once... all I'm keeping is the block in log and disabling the inbound Umbrella servers.

-Vaughn
-----------------------------
Vaughn A. Hart
[email protected]
646-284-4291
https://www.linkedin.com/in/vahart
https://github.com/vaughnhart
https://open.spotify.com/user/aojaa35704q6no3iqt4h6k8im?si=b8f2195781f64632
2Sam 14:14a "We must all die; we are like water spilled on the ground, which cannot be gathered up again."
Jesus said to her, "I am the resurrection and the life. Whoever believes in me, though he die, yet shall he live," (John 11:25 ESV)

On Wed, Mar 26, 2025 at 10:59 AM Patrick Lamaiziere <[email protected]> wrote:
> On Mon, 24 Mar 2025 12:31:29 -0400,
> "Vaughn A. Hart" <[email protected]> wrote:
>
> Hello,
>
> > Stuart,
> >
> > Thank you for the response. I see the antispoof for self rules expand
> > when I run pfctl -s all.
>
> It expands to what? I don't have an OpenBSD but imo "self" here is
> taken as an interface or an interface-group name, as others said.
>
> > Is there any way to have such a dynamic rule?
>
> +1 for ifstated. It works very well but I had in the past some
> surprises when an interface state change is not detected very very
> rarely (on FreeBSD).
>
> In my opinion don't mix "quick" and "non quick" rules, it is difficult
> to understand the rules set. I prefer to use only quick rules.
>
> Regards,
>
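A pre-flight check for the failure mode Vaughn describes (pfctl refusing the whole ruleset when a hostname in a table does not resolve), written as an added example that is not part of this thread. The sample ruleset and the hostnames resolver.example / dns.example.net are constructed; the resolver addresses are the ones from the output above, and the check assumes each table is declared on one line.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight check for a pf ruleset.
# pfctl refuses to load the whole ruleset when a hostname inside a
# "table <x> { ... }" line cannot be resolved, so listing such entries before
# "pfctl -f" avoids ending up with no ruleset loaded at all.
# Assumption: each table is declared on a single line, as in the sample below.

# Print every table member that is not an IPv4/IPv6 literal, a CIDR block, or an
# interface-derived entry (em0:network etc.). A bare interface name such as
# "em0" cannot be told apart from a hostname here, so it is listed as well.
pf_table_hostnames() {
    awk '
        /^[[:space:]]*table[[:space:]]*</ {
            s = index($0, "{"); t = index($0, "}")
            if (s == 0 || t <= s) next
            n = split(substr($0, s + 1, t - s - 1), m, /[[:space:],]+/)
            for (i = 1; i <= n; i++) {
                e = m[i]; sub(/^!/, "", e)                   # drop negation prefix
                if (e == "") continue
                if (e ~ /^[0-9.]+(\/[0-9]+)?$/) continue     # IPv4 or IPv4 CIDR
                if (e ~ /^[0-9A-Fa-f]*:[0-9A-Fa-f:]*(\/[0-9]+)?$/) continue  # IPv6
                if (e ~ /:(network|broadcast|peer)$/) continue  # interface-derived
                print e
            }
        }
    ' "$1"
}

# Constructed sample ruleset in the quick-only style Patrick recommends. The two
# hostnames are placeholders; the resolver addresses are the ones in the thread.
pf_sample_conf() {
    cat <<'EOF'
table <dns_servers> { 208.67.220.220, 208.67.222.222, 2620:119:35::35 }
table <blocked> persist { 192.0.2.0/24, resolver.example, !198.51.100.7 }
table <lan> { em0:network, dns.example.net }
set skip on lo0
block drop in log all
pass out quick inet from any to <dns_servers> flags S/SA keep state
block drop out quick from any to <blocked>
EOF
}

conf=$(mktemp)
pf_sample_conf > "$conf"
pf_table_hostnames "$conf"          # prints resolver.example and dns.example.net
# Where pfctl exists, also dry-run the parse (-n) without loading anything.
if command -v pfctl >/dev/null 2>&1; then pfctl -n -f "$conf"; fi
rm -f "$conf"
```

Entries it lists are the ones to move into a file-backed table fed with literal addresses, so a resolver outage cannot take the whole ruleset down with it.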
