# voodoo-pf.conf
# 
# Firewall rules. Use with voodoo-safe.sh
#
# http://www.sarfata.org/posts/secure-your-mac.md
#
# Copyright Thomas Sarlandie 2012
#
# This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 
# Unported License: http://creativecommons.org/licenses/by-sa/3.0/
#
# Attribution required: please include my name in any derivative and let me
# know how you have improved it! 

# The interface that you will use to connect to an unsecure network
ext_if = "en1"
# your VPN server (if you intend to use one)
ipsec_server = "42.42.42.42"

# drop everything by default
set block-policy drop
# we do not want to filter traffic on "internal" interfaces
set skip on lo0
set skip on vmnet1
set skip on vmnet8
set skip on vboxnet0

# Normalize all incoming traffic
scrub in on $ext_if all fragment reassemble

# Block and log everything by default - Use pf-lockdown.sh log to see the logs
block drop log all

# Block silently some traffic - otherwise the logs get very clogged up
# I have disabled those lines to let you see the logs and realize all the stuff your
# computer shares...
#block on $ext_if proto udp from any port 5353 to any port 5353
#block out inet6
#block out on $ext_if proto udp from any to port 137

# Allow ipsec traffic
pass out on $ext_if proto tcp from any to $ipsec_server port 500
pass out on $ext_if proto udp from any to $ipsec_server port 500
pass out on $ext_if proto udp from any to $ipsec_server port 4500
pass out on $ext_if proto tcp from any to $ipsec_server port 1701
pass out on $ext_if proto udp from any to $ipsec_server port 1701

# Allow dhcp traffic
pass in on $ext_if proto udp from port 68 to any port 67
pass in on $ext_if proto udp from port 67 to any port 68
pass out on $ext_if proto udp from port 67 to any port 68

# Allow ping to test connection
pass out on $ext_if inet proto icmp all icmp-type echoreq
# Allow ssh out
pass out on $ext_if inet proto tcp to port 22

# Allow all on vpn
pass out on ppp0