How do we set up the guest account so it restricts Internet access to all applications and scripts in all ports?
Using parental controls only restricts web access, and I'm looking for how to prevent any application from accessing the Internet.
I'm looking for a free solution that works even if the (guest) user runs malicious scripts. USB access is required for the guest account.
In Ubuntu we can restrict user access with a command like this:
sudo iptables -A OUTPUT -p all -m owner --uid-owner example_user -j DROP
Best Answer
Please read this carefully and have another device with internet access, in case you lock yourself out.
In OS X you will use the OpenBSD-based tool pf, which stands for "packet filter". Helpful man pages are man pfctl and man pf.conf.
You need sudo access.
Edit /etc/pf.conf to your needs. An example pf.conf would be as simple as this and look like this
Now activate pfctl with
sudo pfctl -e
and load your config with
sudo pfctl -f /etc/pf.conf
For checking the syntax of the config file you can use
pfctl -nf /etc/pf.conf
If you want to deactivate the firewall, pass the command
sudo pfctl -d
Testing the new configuration is as simple as
curl -I apple.stackexchange.com
The firewall should block this for you.
However, I'd be careful with restrictions. If you lose your Mac or it gets stolen, the guest account is (hopefully) the only account anyone will have access to, which in turn should have access to the internet to track it down (if "Find My Mac" is enabled).
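An added example, not part of the answer above: a filter rule that could be appended to /etc/pf.conf, after the lines already in the file, to do on OS X what the question's iptables command does on Ubuntu. It assumes the guest account has UID 201 (check with id -u Guest) and relies on pf's user match, which applies only to TCP and UDP.

```conf
# Added example (not from the original answer).
# Assumption: the OS X guest account has UID 201; confirm with `id -u Guest`
# and change the number below if it differs.

# Reject every outbound TCP and UDP packet sent from a socket owned by the
# guest UID, on all interfaces and all ports.
#   return : answer with a TCP RST / ICMP unreachable, so applications fail
#            immediately instead of hanging on a silent drop
#   quick  : stop rule evaluation here, so no later "pass" rule can
#            re-allow the traffic
#   user   : matches the owner of the socket; pf supports this match for
#            TCP and UDP only, so other protocols (for example ICMP) are
#            not covered by this rule
block return out quick proto { tcp, udp } all user 201
```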