MacOS – How to Use Terminal for “Little Snitch” Functionality without Little Snitch

Tags: firewall, macos, tcp, terminal

I'm a Terminal newb, and trying to wrap my head around manual "Little Snitch" functionality without using Little Snitch.

From the research I've been doing, I've landed on the fact that I need to utilize pf.conf, however I have no idea how to format my request for Terminal.

I need to block a connection to www.domain.com on port 443. How do I do this?

Best Answer

To permanently block outgoing traffic to specific domains you should create a new anchor file and add it to pf.conf.

  1. Create an anchor file org.user.block.out in /private/etc/pf.anchors

    sudo touch /private/etc/pf.anchors/org.user.block.out
    

    with the following content and a trailing empty line

    mybadhosts = "{ www.domain.com, domain.com, www.domain2.com, domain2.com }"
    mybadports = "{ 443, 80 }"
    
    block drop out proto tcp from any to $mybadhosts port $mybadports
    

    The additional domain names in mybadhosts are just an example of how to add additional domains. The same goes for port 80 in mybadports.

    A simple but less flexible solution is:

    block drop out proto tcp from any to domain.com port 443
    
  2. Modify the file /private/etc/pf.conf but keep a trailing empty line

    original file:

    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
    

    to

    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    anchor "org.user.block.out"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
    load anchor "org.user.block.out" from "/etc/pf.anchors/org.user.block.out"
    
  3. Parse and test your anchor file to make sure there are no errors:

    sudo pfctl -vnf /etc/pf.anchors/org.user.block.out
    
  4. Now modify /System/Library/LaunchDaemons/com.apple.pfctl.plist from

    <array>
        <string>pfctl</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
    

    to

    <array>
        <string>pfctl</string>
        <string>-e</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
    

    You have to disable System Integrity Protection to accomplish this. After editing the file, re-enable SIP. After rebooting your Mac, pf will be enabled (that's the -e option).

    Alternatively you may create your own launch daemon similar to the answer here: Using Server 5.0.15 to share internet WITHOUT internet sharing.

After a system update or upgrade some of the original files above may have been replaced and you have to reapply all changes.
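A small shell helper, added here as an example and not part of the answer above, that generates the anchor file in the answer's macro style, syntax-checks it with `pfctl -n` before anything is loaded, and copies it into place; the function names and the `install` argument are this example's own, and the anchor name and paths are the ones the answer uses.

```shell
#!/bin/bash
# Added example (not from the original answer): build, check and install
# the org.user.block.out anchor described above.
set -eu

# Emit anchor rules for comma-separated host and port lists, in the same
# macro style as the answer, ending with the trailing empty line pf expects.
build_block_anchor() {
    hosts="$1"   # e.g. "www.domain.com, domain.com"
    ports="$2"   # e.g. "443, 80"
    printf 'mybadhosts = "{ %s }"\n' "$hosts"
    printf 'mybadports = "{ %s }"\n' "$ports"
    printf '\n'
    printf 'block drop out proto tcp from any to $mybadhosts port $mybadports\n'
    printf '\n'
}

# Count the "block" rule lines in a generated anchor file (sanity check
# before handing the file to pfctl).
count_block_rules() {
    grep -c '^block' "$1"
}

# Parse the anchor without loading it (-n). Returns 1 when pfctl is not
# present (non-macOS hosts) so the caller can skip the live check.
validate_anchor() {
    command -v pfctl >/dev/null 2>&1 || return 1
    sudo pfctl -vnf "$1"
}

# Show the rules active in the anchor once pf.conf has loaded it (step 2).
show_anchor_rules() {
    sudo pfctl -a org.user.block.out -sr
}

main() {
    anchor=/private/etc/pf.anchors/org.user.block.out
    tmp=$(mktemp)
    build_block_anchor "www.domain.com, domain.com" "443" > "$tmp"
    echo "generated $(count_block_rules "$tmp") block rule(s):"
    cat "$tmp"
    if validate_anchor "$tmp"; then
        sudo cp "$tmp" "$anchor"
        echo "installed $anchor; reference it from pf.conf as in step 2"
    else
        echo "pfctl not available here; anchor not installed"
    fi
    rm -f "$tmp"
}

case "${1:-}" in install) main ;; esac
```

pf resolves the host names to IP addresses when the ruleset is loaded, so a host whose addresses change (round-robin DNS, CDNs) is only blocked on the addresses seen at load time until the ruleset is reloaded with `sudo pfctl -f /etc/pf.conf`.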