authorKali Kaneko <kali@leap.se>2016-01-29 13:18:36 -0800
committerKali Kaneko <kali@leap.se>2016-04-18 16:15:21 -0400
commite9e9abc4ec26be29b3a6b09e6a0b67786269183b (patch)
tree698ffd51104e6d391957ba25e31e88a2bbced38a /pkg/osx/bitmask.pf.conf
parent0bd65c1d3e6c5ee1d861122ec2cd617ad026de43 (diff)
[feature] privileged bitmask helper
This is still quite untested, and a bit hacky, but the main idea behind it is to let us have a daemonized bitmask helper that should be installed by the Bitmask installer. Its responsibilities are to launch the vpn process as a privileged user, and to start/stop the firewall.
Diffstat (limited to 'pkg/osx/bitmask.pf.conf')
-rw-r--r--pkg/osx/bitmask.pf.conf17
1 files changed, 17 insertions, 0 deletions
diff --git a/pkg/osx/bitmask.pf.conf b/pkg/osx/bitmask.pf.conf
new file mode 100644
index 00000000..eb0e858f
--- /dev/null
+++ b/pkg/osx/bitmask.pf.conf
@@ -0,0 +1,17 @@
+default_device = "en99"
+
+set block-policy drop
+set skip on lo0
+
+# block all traffic on default device
+block out on $default_device all
+
+# allow traffic to gateways
+pass out on $default_device to <bitmask_gateways>
+
+# allow traffic to local networks over the default device
+pass out on $default_device to $default_device:network
+
+# block all DNS, except to the gateways
+block out proto udp to any port 53
+pass out proto udp to <bitmask_gateways> port 53
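Review bot: The `<bitmask_gateways>` table used on the `pass` lines is never declared in the ruleset, so loading this file with `pfctl -f` before the helper has populated the table out-of-band is liable to be rejected; adding `table <bitmask_gateways> persist` near the top makes the file self-contained, and `persist` keeps the table (and the rules referencing it) valid while it is still empty. `default_device = "en99"` looks like a sentinel the helper is expected to rewrite with the real uplink interface; a comment such as `# placeholder; the helper substitutes the active uplink interface before loading` would make that contract explicit, since pf will otherwise happily load a ruleset bound to a non-existent interface and block nothing. The rule `pass out on $default_device to $default_device:network` exempts the whole directly attached subnet, so on a network that hands out a very broad netmask this exception can be far larger than intended; it is worth noting in a comment that this is a deliberate trade-off. Because pf uses last-match semantics, the late `block out proto udp to any port 53` also overrides the local-network pass for DNS, which is presumably intended but deserves a one-line comment so a later reorder does not silently reopen it.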