MacOS WG/AWG killswitch

2023-12-23 12:51:55 +02:00 · 2023-12-23 12:51:55 +02:00 · 3d2174d84e
commit 3d2174d84e
parent 1a17f2956a
23 changed files with 397 additions and 51 deletions
--- a/deploy/data/macos/pf/amn.350.allowHnsd.conf
+++ b/deploy/data/macos/pf/amn.350.allowHnsd.conf
@ -0,0 +1,14 @@
+utunInterfaces = "{                                                                         \
+    utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9,   utun10,         \
+    utun11, utun12, utun13, utun14, utun15, utun16, utun17, utun18, utun19, utun20,         \
+    utun21, utun22, utun23, utun24, utun25, utun26, utun27, utun28, utun29, utun30          \
+}"
+
+hnsdGroup=amnhnsd
+
+# Block everything from handshake group
+# Without this initial block hnsd traffic could possibly travel outside the tunnel (we don't trust the routing table)
+block return out group $hnsdGroup flags any no state
+
+# Next, poke a hole in this block but only for traffic on the tunnel (port 13038 is the handshake control port)
+pass out on $utunInterfaces proto { tcp, udp } to port { 53, 13038 } group $hnsdGroup flags any no state