Firewall and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers with Anti-Virus On-Demand and On-Access Scanning (PF, squid, privoxy, hphosts, dshield, emergingthreats, hostsfile, PAC file, clamav)
Kernel-level, OS-level, and client-level security for macOS. Built to address a steady stream of attacks visible in snort and server logs; it also blocks ads and malicious scripts, and conceals information used to track you around the web. After this package was installed, snort and other detections fell to a fraction with a few simple blocking actions. This setup is a lot more capable and effective than a simple ad-blocking browser add-on. There's a world of difference between ad-filled web pages with and without a filtering proxy server. It's also saved me from inadvertently clicking on phishing links.
… the `Downloads` and `Desktop` directories. See the port `clamav-server` for details: `port notes clamav-server`.

Install the port:

```sh
sudo port install macos-fortress
port notes macos-fortress
sudo port load macos-fortress
```
After initial installation, it is necessary to kickstart these launch daemons, which run on a schedule and do not run at load time:

```sh
sudo launchctl kickstart -k system/org.macports.macos-fortress-dshield
sudo launchctl kickstart -k system/org.macports.macos-fortress-emergingthreats
sudo launchctl kickstart -k system/org.macports.macos-fortress-hphosts
sudo launchctl kickstart -k system/org.macports.adblock2privoxy
sudo launchctl kickstart -k system/org.macports.macos-fortress-easylistpac
```
The default web server is native macOS Apache, which must be started with the command:

```sh
sudo apachectl start
```
Note that all files in this repo are superseded by the MacPorts port `macos-fortress`, including the deprecated installation script `readme-and-install.sh`.
The PF firewall and the proxy chain are also available as the separate ports `macos-fortress-pf` and `macos-fortress-proxy`:

```sh
sudo port install macos-fortress-pf
port notes macos-fortress-pf
sudo port load macos-fortress-pf
```

```sh
sudo port install macos-fortress-proxy
port notes macos-fortress-proxy
sudo port load macos-fortress-proxy
```
Check the installation with:

```sh
sudo sh macosfortress_setup_check.sh
```

Working output:

```
Checking macOS-Fortress installed items (run as sudo)…
Checking launchd.plist files…
[✅] /Library/LaunchDaemons/net.openbsd.pf.plist exists
[✅] /Library/LaunchDaemons/net.openbsd.pf.brutexpire.plist exists
[✅] /Library/LaunchDaemons/net.emergingthreats.blockips.plist exists
[✅] /Library/LaunchDaemons/net.dshield.block.plist exists
[✅] /Library/LaunchDaemons/net.hphosts.hosts.plist exists
[✅] /Library/LaunchDaemons/com.github.essandess.easylist-pac.plist exists
[✅] /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.plist exists
[✅] /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.nginx.plist exists
[✅] /Library/LaunchDaemons/org.squid-cache.squid-rotate.plist exists
[✅] /Library/LaunchDaemons/org.macports.Privoxy.plist exists
[✅] /Library/LaunchDaemons/org.macports.clamd.plist exists
[✅] /Library/LaunchDaemons/org.macports.freshclam.plist exists
[✅] /Library/LaunchDaemons/org.macports.ClamavScanSchedule.plist exists
[✅] /Library/LaunchDaemons/org.macports.ClamavScanOnAccess.plist exists
Checking launchd.plist's. These should all be installed with return
code 0 (2d column of `sudo launchctl list`)…
[✅] - 0 com.github.essandess.easylist-pac
[✅] - 0 net.dshield.block
[✅] 91695 0 org.macports.ClamdScanOnAccess
[✅] - 0 org.macports.freshclam
[✅] - 0 net.openbsd.pf
[✅] - 0 com.github.essandess.adblock2privoxy
[✅] 35403 0 org.macports.clamd
[✅] - 0 org.macports.ClamavScanSchedule
[✅] - 0 net.openbsd.pf.brutexpire
[✅] - 0 net.emergingthreats.blockips
[✅] 36183 0 org.macports.Privoxy
[✅] 5578 0 com.github.essandess.adblock2privoxy.nginx
[✅] - 0 net.hphosts.hosts
Checking PF files…
[✅] /etc/pf.conf exists
[✅] /usr/local/etc/blockips.conf exists
[✅] /usr/local/etc/emerging-Block-IPs.txt exists
[✅] /usr/local/etc/compromised-ips.txt exists
[✅] /usr/local/etc/dshield_block_ip.txt exists
[✅] /usr/local/etc/block.txt exists
[✅] /usr/local/etc/block.txt.asc exists
Checking PF…
[✅] PF is enabled and running
Checking hphosts files…
[✅] /etc/hosts-hphosts exists
[✅] /usr/local/etc/hosts.zip exists
[✅] /usr/local/etc/hphosts-partial.asp exists
[✅] /usr/local/etc/whitelist.txt exists
[✅] /usr/local/etc/blacklist.txt exists
Checking /etc/hosts-hphosts creation…
[✅] /etc/hosts-hphosts exists
Checking proxy PAC and proxy chain files…
[✅] /Library/WebServer/Documents/proxy.pac.orig exists
[✅] /Library/WebServer/Documents/proxy.pac exists
[✅] /usr/local/bin/easylist_pac.py exists
[✅] /usr/local/bin/adblock2privoxy exists
[✅] /usr/local/etc/proxy.pac exists
[✅] /usr/local/etc/adblock2privoxy/nginx.conf exists
[✅] /usr/local/etc/adblock2privoxy/css/default.html exists
[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.action exists
[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.filter exists
[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.system.action exists
[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.system.filter exists
[✅] /opt/local/etc/privoxy/config exists
[✅] /opt/local/var/log/privoxy/logfile exists
Checking proxy status…
[✅] Privoxy is running properly
[✅] Privoxy config http://p.p/ via http://localhost:3128 is running properly
[✅] nginx is running properly
[✅] PAC /Library/WebServer/Documents/proxy.pac.orig passes Javascript parsing
[✅] PAC /Library/WebServer/Documents/proxy.pac passes Javascript parsing
[✅] Web server for http://localhost/proxy.pac is running properly
[✅] Blackhole server for http://localhost:8119/ is running properly
```
To unload or uninstall:

```sh
sudo port unload macos-fortress
```

or

```sh
sudo port uninstall macos-fortress
```

This repo is superseded by the MacPorts port `macos-fortress`, including the deprecated disable/uninstall script `disable.sh`, which was originally used to unload all launch daemons, disable the pf firewall, and list all installed files without removing them.
There are three major, independent, and configurable components to the repo: the PF firewall, the proxy chain, and the AV scanner. Here are a few configuration pointers.
The file pf.conf controls the firewall ruleset and likely must be edited on a specific computer and network, or edited for a VPN server configuration.
Disable PF:

```sh
sudo pfctl -d
```

`int_if` for the internal interface is set to `en0`. This should be changed to the active interface on your computer, which can be determined with the command `ifconfig -a`, or more specifically:

```sh
ifconfig | pcregrep -M -o '^[^\t:]+:([^\n]|\n\t)*status: active' | egrep -o -m 1 '^[^\t:]+'
```

`<lan_inet>` is set to the standard reserved ranges `{ 10/8, 172.16/12, 192.168/16 }`. This must be changed to the CIDR ranges on the specific LAN.

… `/etc/services`.

Flush and reload the ruleset:

```sh
sudo pfctl -Fall && sudo pfctl -ef /etc/pf.conf
```

Use the `pfctl` commands in the script `pf_attacks` to determine IP addresses and counts for the various blocked IPs. E.g., the adaptive table `<bruteforce>` is shown using the command:

```sh
sudo pfctl -t bruteforce -Ts
```
Privoxy on port 8118 is configured in `config` to send web requests to the internet, with HTTPS inspection configured for blocking content within TLS encrypted tunnels (the great majority of web content). An auxiliary nginx web server for CSS-based element hiding is configured on port 8119. Privoxy `.action` and `.filter` files, and nginx `.css` files, are created from EasyList rules using the repo adblock2privoxy.
Browsing to the privoxy configuration page http://p.p/ through any of these proxy configurations is a check on whether the proxy is running and configured correctly.
To provide these services on a firewalled LAN, edit the privoxy and nginx configuration files config, and nginx.conf so that they're available for devices on the LAN, or connecting from a VPN tunnel.
Update MacPorts packages regularly. This command will update the MacPorts database, update all installed packages, and uninstall all older, inactive versions:

```sh
sudo bash -c 'port selfupdate ; port -puN upgrade outdated ; port uninstall inactive'
```
Though it's possible to build Privoxy with the configure `--enable-compression` option, compressed HTTP traffic within a VPN tunnel exposes your traffic to the CRIME/BEAST/VORACLE attacks and is generally not recommended.
The MacPorts port `macos-fortress` (`sudo port install macos-fortress`) installs and configures a macOS Firewall and Privatizing Proxy. It will:

Application :arrow_right: `proxy.pac` :arrow_right: port 8118 :arrow_right: Privoxy :arrow_right: Internet

An auxiliary nginx-based web server (nominally on `localhost:8119`) is used both as the `proxy.pac` ad and tracker blackhole and for the CSS element blocking rules in the Privoxy configuration generated by adblock2privoxy.
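The `proxy.pac` stage of that chain, as an added JavaScript example that is not the repo's generated `proxy.pac` (the real one is produced by `easylist_pac.py` from EasyList); the ports 8118 and 8119 come from the text, while the blocked-domain sample and the LAN bypass (using the same reserved ranges the `pf.conf` section lists) are assumptions made for illustration:

```javascript
// Added illustration of the proxy.pac decision: requests to tracker/ad hosts are
// sent to the nginx blackhole on 8119, LAN/loopback traffic goes DIRECT, and
// everything else is routed through Privoxy on 8118. Not the repo's own PAC file.
// PAC built-ins such as dnsDomainIs() and isInNet() only exist inside a browser,
// so plain-JavaScript equivalents are written out here so the file runs under Node.

const PRIVOXY   = "PROXY 127.0.0.1:8118"; // filtering proxy (port from the text)
const BLACKHOLE = "PROXY 127.0.0.1:8119"; // nginx ad/tracker blackhole (port from the text)

// Constructed sample; the generated proxy.pac carries thousands of EasyList domains.
const BLOCKED_DOMAINS = ["doubleclick.net", "adservice.example", "tracker.example"];

// True when host equals a blocked domain or is a subdomain of one (case-insensitive).
function isBlockedHost(host) {
  const h = host.toLowerCase();
  return BLOCKED_DOMAINS.some(d => h === d || h.endsWith("." + d));
}

// Loopback, RFC 1918 ranges { 10/8, 172.16/12, 192.168/16 }, plain hostnames and
// .local names bypass the proxy, mirroring PAC's isPlainHostName()/isInNet() checks.
function isLocalAddress(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return host.indexOf(".") === -1 || host.toLowerCase().endsWith(".local");
  const a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Entry point the browser calls for every request; returns a PAC proxy string.
function FindProxyForURL(url, host) {
  if (isLocalAddress(host)) return "DIRECT";
  if (isBlockedHost(host))  return BLACKHOLE;
  return PRIVOXY;
}
```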
This firewall is configured to block all known tracker and adware content—in the browser, in-app, wherever it finds them. Many websites now offer an additional way to block ads: subscribe to their content. Security and privacy will always necessitate ad blocking, but now that this software has become mainstream with mainstream effects, ad blocker users must consider the potential impact of ad blocking on the writers and publications that are important to them. Personally, two publications that I gladly pay for, especially for their important 2016 US Presidential election coverage, are the New York Times and The Atlantic. I encourage all users to subscribe to their own preferred publications and writers.
Lightbeam, the tracking tracker Firefox add-on, shows how ad- and tracker-blocking works to prevent third parties monitoring you or your children's online activities. My daughter enjoys the learning exercises at the children's website ABCya!. The Lightbeam graph below on the left shows all the third party trackers after less than a minute of browser activity, without using a privatizing proxy. The graph on the right shows all this tracker activity blocked when this privatizing proxy is used.
[Figures: Lightbeam graph without proxy (left) | Lightbeam graph with proxy (right)]
This problem is the subject of Gary Kovacs's TED talk, Tracking Our Online Trackers:
The snort intrusion detection system reports far fewer events when known attack sites are blackholed by the packet filter:
[Figures: snort+BASE Overview | snort+BASE Events]
… `/usr/local/etc/whitelist.txt` and `/usr/local/etc/blacklist.txt`. After editing these files, use `launchctl` to unload and load the plist `/Library/LaunchDaemons/net.hphosts.hosts.plist`, which recreates the hosts file `/etc/hosts-hphosts` and reconfigures the squid proxy to use the updates.

… `macosfortress_boot_check`, or individually using `pf_restart`, `privoxy_restart`, and `squid_restart`.

… And please post a solution if you find one.

… `wget -N` option to save everyone's bandwidth