How to restrict Internet, not just web, access for the guest account?

How do we set up the guest account so it restricts Internet access to all applications and scripts on all ports?

Using parental controls only restricts web access, and I'm looking for a way to prevent any application from accessing the Internet.

I'm looking for a free solution that works even if the (guest) user runs malicious scripts. USB access is required for the guest account.

In Ubuntu we can restrict user access with a command like this:

sudo iptables -A OUTPUT -p all -m owner --uid-owner example_user -j DROP

Solution 1:

Please read this carefully and have another device with Internet access at hand, in case you lock yourself out.

In OS X you will use the OpenBSD-based tool pf, which stands for "packet filter".

  • Helpful man pages are man pfctl and man pf.conf

  • You need sudo access.

Edit /etc/pf.conf to suit your needs.
An example pf.conf can be as simple as this:

## blocking rule
block out user guest

Now activate pfctl with sudo pfctl -e and load your config with
sudo pfctl -f /etc/pf.conf.

For checking the syntax of the config file you can use pfctl -nf /etc/pf.conf.
If you want to deactivate the firewall, pass the command pfctl -d.

Testing the new configuration is as simple as curl -I apple.stackexchange.com. The firewall should block this for you.

However, I'd be careful with restrictions. If you lose your Mac or it gets stolen, the guest account is (hopefully) the only account which one will have access to, which in turn should have access to the Internet to track it down (if "Find My Mac" is enabled).
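
The syntax check, load, enable and verify steps from the answer above, combined into one shell function so that a config with a typo is never loaded. This is an added example, not part of the original answer; the function name apply_pf_conf, the PFCTL variable and the return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answer.
# PFCTL is an assumed override hook: set PFCTL="sudo pfctl" before calling
# apply_pf_conf when you are not already root.
PFCTL="${PFCTL:-pfctl}"

# apply_pf_conf FILE
# Return codes (assumptions of this example):
#   0  FILE parsed, was loaded, and a user-based block rule is active
#   1  FILE has a syntax error; nothing was loaded
#   2  loading FILE failed
#   3  FILE loaded, but no user-based block rule is in the active ruleset
apply_pf_conf() {
    conf="$1"

    # Dry run first: -n only parses the file, so a typo cannot replace
    # the ruleset that is currently running.
    $PFCTL -nf "$conf" >/dev/null 2>&1 || return 1

    # Load the ruleset for real.
    $PFCTL -f "$conf" >/dev/null 2>&1 || return 2

    # pfctl -e exits non-zero when pf is already enabled; that is fine here.
    $PFCTL -e >/dev/null 2>&1 || true

    # Confirm the rule is part of the active ruleset. Assumes pfctl prints
    # it as a line starting with "block" that mentions "user".
    $PFCTL -sr 2>/dev/null | grep -Eq '^block .*user' || return 3
    return 0
}
```

A return code of 0 only confirms that the rule is loaded; pf.conf(5) states that only TCP and UDP packets can be associated with users, so still run the curl test from the guest account itself.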