Ok. I posted my latest on my GitHub. I changed my use of quick to only be
on block rules and one outbound exception.

Thank you!

-Vaughn


-----------------------------
Vaughn A. Hart
[email protected]
646-284-4291
https://www.linkedin.com/in/vahart
https://github.com/vaughnhart
https://open.spotify.com/user/aojaa35704q6no3iqt4h6k8im?si=b8f2195781f64632
2 Sam 14:14a "We must all die; we are like water spilled on the ground, which
cannot be gathered up again."
Jesus said to her, “I am the resurrection and the life. Whoever believes in
me, though he die, yet shall he live,” (John 11:25 ESV)


On Wed, Mar 26, 2025 at 11:14 AM Vaughn A. Hart <[email protected]> wrote:

> Patrick:
>
> Currently, I get:
>
> No ALTQ support in kernel
> ALTQ related functions disabled
>
> TRANSLATION RULES:
> nat-anchor "com.apple/*" all
> rdr-anchor "com.apple/*" all
>
> FILTER RULES:
> scrub in all no-df fragment reassemble
> scrub-anchor "cisco.anyconnect.vpn" all fragment reassemble
> scrub-anchor "com.apple/*" all fragment reassemble
> anchor "cisco.anyconnect.vpn" all
> anchor "com.apple/*" all
> block drop in log all
> pass in quick inet proto udp from any port = 67 to any port = 68 keep state
> pass in quick inet6 proto udp from any port = 547 to any port = 546 keep state
> pass in log quick inet6 proto ipv6-icmp all icmp6-type routeradv keep state
> pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
> pass in log quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
> block drop in log on ! self inet from 127.0.0.0/8 to any
> block drop in log on ! self inet6 from ::1 to any
> block drop in log inet6 from ::1 to any
> block drop in log on lo0 inet6 from fe80::1 to any
> block drop in log inet from 127.0.0.1 to any
> block drop in log from no-route to any
> block drop in log from urpf-failed to any
> block drop in log on self inet from any to 255.255.255.255
> block drop in log on self from <bad_actors> to any
> block drop in log on self from <abusers> to any
> block drop in log on self from <level2> to any
> block drop in log on self from <level3> to any
> block drop in log on self from <webclient> to any
> block drop log proto tcp from any port = 0 to any
> block drop log proto udp from any port = 0 to any
> pass in inet from 127.0.0.1 to any flags S/SA keep state
> pass in inet6 from ::1 to any flags S/SA keep state
> block drop out from any os "unknown" to any
> block drop in log proto tcp from any to any port = 548
> block drop in log proto tcp from any to any port = 20
> block drop in log proto tcp from any to any port = 21
> block drop in log proto tcp from any to any port = 80
> block drop in log proto tcp from any to any port = 143
> block drop in log proto tcp from any to any port = 993
> block drop in log proto tcp from any to any port = 110
> block drop in log proto tcp from any to any port = 995
> block drop in log proto tcp from any to any port = 3031
> block drop in log proto tcp from any to any port = 5900
> block drop in log proto tcp from any to any port = 139
> block drop in log proto tcp from any to any port = 445
> block drop in log proto tcp from any to any port = 25
> block drop in log proto tcp from any to any port = 23
> block drop in log proto udp from any to any port = 20
> block drop in log proto udp from any to any port = 21
> block drop in log proto udp from any to any port = 80
> block drop in log proto udp from any to any port = 137
> block drop in log proto udp from any to any port = 138
> block drop in log proto udp from any to any port = 23
> block drop in log proto icmp all
> pass out all flags S/SA keep state
> pass out log quick inet from any to 208.67.220.220 flags S/SA keep state
> pass out log quick inet from any to 208.67.222.222 flags S/SA keep state
> pass out log quick inet6 from any to 2620:119:35::35 flags S/SA keep state
> pass out log quick inet6 from any to 2620:119:53::53 flags S/SA keep state
> block drop log proto tcp from any to any port = 79
> block drop log proto tcp from any to any port = 3689
> block drop log proto tcp from any to any port = 2049
> block drop log proto tcp from any to any port = 49152
> block drop log proto tcp from any to any port = 69
> block drop log proto tcp from any to any port = 540
> block drop log proto tcp from any to any port = 0
> block drop log proto udp from any to any port = 1900
> block drop log proto udp from any to any port = 5353
> block drop log proto udp from any to any port = 69
> block drop log proto udp from any to any port = 0
> block drop log from any to <bad_actors>
> block drop log from any to <abusers>
> block drop log from any to <level2>
> block drop log from any to <level3>
> block drop log from any to <webclient>
> block drop log quick proto 253 all
> block drop log quick proto ipv6 all
> block drop log proto udp from any to any port = 443
>
> DUMMYNET RULES:
> dummynet-anchor "com.apple/*" all
>
> Is the command ifstated +1? macOS and its networking topology may have
> modified PF. I notice that on some tables/rules for Apple iCloud/apple-dns
> addresses, if there is no DNS resolution it will drop the entire ruleset.
