MacOS WG/AWG killswitch

deploy/data/macos/pf/amn.000.allowLoopback.conf

@@ -0,0 +1,3 @@
+# Always allow at least loopback/localhost traffic
+set skip on lo0
+pass quick on lo0 flags any

deploy/data/macos/pf/amn.100.blockAll.conf

@@ -0,0 +1,3 @@
+# Block all traffic by default (can be overridden by later rules)
+block out all flags any no state
+

deploy/data/macos/pf/amn.110.allowNets.conf

@@ -0,0 +1,2 @@
+table <allownets> {}
+pass out to <allownets> flags any no state

deploy/data/macos/pf/amn.120.blockNets.conf

@@ -0,0 +1,2 @@
+table <blocknets> {}
+block out to <blocknets> flags any no state

deploy/data/macos/pf/amn.150.allowExcludedApps.conf

@@ -0,0 +1,2 @@
+# Rules are set at runtime
+

deploy/data/macos/pf/amn.200.allowVPN.conf

@@ -0,0 +1,9 @@
+# Exempt the tunnel interface(s) used by the VPN connection
+
+utunInterfaces = "{                                                                         \
+    utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9,   utun10,         \
+    utun11, utun12, utun13, utun14, utun15, utun16, utun17, utun18, utun19, utun20,         \
+    utun21, utun22, utun23, utun24, utun25, utun26, utun27, utun28, utun29, utun30          \
+}"
+
+pass out on $utunInterfaces flags any no state

deploy/data/macos/pf/amn.250.blockIPv6.conf

@@ -0,0 +1,2 @@
+# Block all outgoing IPv6 traffic (even over the VPN)
+block return out inet6 flags any no state

deploy/data/macos/pf/amn.290.allowDHCP.conf

@@ -0,0 +1,5 @@
+# Allow DHCP
+pass out inet proto udp from port 68 to 255.255.255.255 port 67 no state
+
+# Allow DHCPv6
+pass out inet6 proto udp from port 546 to ff00::/8 port 547 no state

deploy/data/macos/pf/amn.300.allowLAN.conf

@@ -0,0 +1,3 @@
+# Allow LAN IP ranges
+table <lanips> { 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 255.255.255.255/32, fc00::/7, fe80::/10, ff00::/8 }
+pass out to <lanips> flags any no state

deploy/data/macos/pf/amn.310.blockDNS.conf

@@ -0,0 +1,7 @@
+# Block all DNS traffic
+block return out proto { tcp, udp } to port 53 flags any no state
+
+# Allow our DNS servers
+table <dnsaddr> {}
+pass out proto { tcp, udp } to <dnsaddr> port 53 flags any no state
+

deploy/data/macos/pf/amn.350.allowHnsd.conf

@@ -0,0 +1,14 @@
+utunInterfaces = "{                                                                         \
+    utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9,   utun10,         \
+    utun11, utun12, utun13, utun14, utun15, utun16, utun17, utun18, utun19, utun20,         \
+    utun21, utun22, utun23, utun24, utun25, utun26, utun27, utun28, utun29, utun30          \
+}"
+
+hnsdGroup=amnhnsd
+
+# Block everything from handshake group
+# Without this initial block hnsd traffic could possibly travel outside the tunnel (we don't trust the routing table)
+block return out group $hnsdGroup flags any no state
+
+# Next, poke a hole in this block but only for traffic on the tunnel (port 13038 is the handshake control port)
+pass out on $utunInterfaces proto { tcp, udp } to port { 53, 13038 } group $hnsdGroup flags any no state

deploy/data/macos/pf/amn.400.allowPIA.conf

@@ -0,0 +1,2 @@
+# Allow traffic by privileged group (used by daemon)
+pass out proto { tcp, udp } group  { amnvpn } flags any no state

deploy/data/macos/pf/amn.conf

@@ -0,0 +1,16 @@
+# This root anchor file establishes multiple sub-anchors which can be
+# individually turned on or off; they have a numeric prefix in order to
+# produce a well-defined alphabetical order.
+
+anchor "000.allowLoopback"
+anchor "100.blockAll"
+anchor "110.allowNets"
+anchor "120.blockNets"
+anchor "150.allowExcludedApps"
+anchor "200.allowVPN"
+anchor "250.blockIPv6"
+anchor "290.allowDHCP"
+anchor "300.allowLAN"
+anchor "310.blockDNS"
+anchor "350.allowHnsd"
+anchor "400.allowPIA"