How to restrict Internet, not just web, access for the guest account?
How do we set up the guest account so it restricts Internet access to all applications and scripts in all ports?
Using parental controls only restricts web access, and I'm looking for a way to prevent any application from accessing the Internet.
I'm looking for a free solution that works even if the (guest) user runs malicious scripts. USB access is required for the guest account.
In Ubuntu we can restrict user access with a command like this:
sudo iptables -A OUTPUT -p all -m owner --uid-owner example_user -j DROP
Solution 1:
Please read this carefully and have another device with internet access, in case you lock yourself out.
In OS X you will use the OpenBSD-based tool pf, which stands for "packet filter".
Helpful man pages are man pfctl and man pf.conf
You need sudo access.
Edit /etc/pf.conf to suit your needs:
An example pf.conf would be as simple as this:
## blocking rule
block out user guest
Now activate pfctl with sudo pfctl -e and load your config with sudo pfctl -f /etc/pf.conf.
For checking the syntax of the config file you can use pfctl -nf /etc/pf.conf.
If you want to deactivate the firewall, pass the command pfctl -d.
Testing the new configuration is as simple as curl -I apple.stackexchange.com. The firewall should block this for you.
However, I'd be careful with restrictions. If you lose your Mac or it gets stolen, the guest account is (hopefully) the only account anyone will have access to, which in turn should have access to the internet to track it down (if "Find My Mac" is enabled).
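The steps from the answer above, combined into one script so that a rule with a syntax error never reaches the live /etc/pf.conf. This is an added example, not part of the original answer; it assumes the account is named guest as in the answer's rule, and the function names and the script name in the comment are hypothetical.

```shell
#!/bin/sh
# Added example: stage, syntax-check, then load a per-user pf block rule.
# Assumption: the account is named "guest", as in the answer's rule.
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Print the rule for one account; reject names that could inject pf syntax.
pf_rule_for() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    printf 'block out user %s\n' "$1"
}

# Write a candidate config: the current file plus the rule, added only once.
stage_conf() {   # stage_conf <current> <candidate> <user>
    rule=$(pf_rule_for "$3") || return 1
    cp "$1" "$2" || return 1
    # Make sure the rule starts on its own line if the file lacks a final newline.
    [ -n "$(tail -c1 "$2")" ] && echo >> "$2"
    grep -qxF "$rule" "$2" || printf '## blocking rule\n%s\n' "$rule" >> "$2"
}

# Validate the candidate with pfctl -nf before replacing the live file.
apply_conf() {   # apply_conf <user>   (needs root)
    cand=$(mktemp) || return 1
    stage_conf "$PF_CONF" "$cand" "$1" || { rm -f "$cand"; return 1; }
    if ! pfctl -nf "$cand"; then
        echo "syntax check failed; $PF_CONF left unchanged" >&2
        rm -f "$cand"; return 1
    fi
    cp "$PF_CONF" "$PF_CONF.bak" && cp "$cand" "$PF_CONF" || { rm -f "$cand"; return 1; }
    rm -f "$cand"
    pfctl -e 2>/dev/null   # may report that pf is already enabled; ignored
    pfctl -f "$PF_CONF"
}

# Act only when asked, e.g.: sudo sh pf-block-user.sh apply guest
if [ "${1:-}" = "apply" ]; then
    apply_conf "${2:-guest}"
fi
```

The previous configuration is kept as /etc/pf.conf.bak, so the earlier rule set can be restored from it and reloaded with sudo pfctl -f /etc/pf.conf.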