From e9e9abc4ec26be29b3a6b09e6a0b67786269183b Mon Sep 17 00:00:00 2001
From: Kali Kaneko
Date: Fri, 29 Jan 2016 13:18:36 -0800
Subject: [feature] privileged bitmask helper

This is still quite untested, and a bit hacky, but the main idea behind let us have a daemonized bitmask helper, that should be installed by the Bitmask installer. Its responsibilities are to launch the vpn process as a privileged user, and start/stop the firewall.
---
 pkg/osx/bitmask.pf.conf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 pkg/osx/bitmask.pf.conf
(limited to 'pkg/osx/bitmask.pf.conf')

diff --git a/pkg/osx/bitmask.pf.conf b/pkg/osx/bitmask.pf.conf
new file mode 100644
index 00000000..eb0e858f
--- /dev/null
+++ b/pkg/osx/bitmask.pf.conf
@@ -0,0 +1,17 @@
+default_device = "en99"
+
+set block-policy drop
+set skip on lo0
+
+# block all traffic on default device
+block out on $default_device all
+
+# allow traffic to gateways
+pass out on $default_device to
+
+# allow traffic to local networks over the default device
+pass out on $default_device to $default_device:network
+
+# block all DNS, except to the gateways
+block out proto udp to any port 53
+pass out proto udp to port 53
-- cgit v1.2.3
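Review bot: The DNS block in the last two rules matches only `proto udp`, so a TCP query to port 53 on a LAN resolver is still passed by the earlier `pass out on $default_device to $default_device:network` rule, because pf applies the last matching rule and nothing after it matches TCP. Consider `block out proto { tcp, udp } to any port 53` and widening the gateway DNS pass rule the same way. As shown here, both gateway rules (`pass out on $default_device to` and `pass out proto udp to port 53`) have no destination; presumably a table reference was lost in rendering, but it is worth confirming the committed file parses with `pfctl -nf`. A short comment stating that `en99` is a placeholder to be overridden at load time would also help, since only that one interface is covered by the block-all rule.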