How to Use Terminal for "Little Snitch" Functionality without Little Snitch
I'm a Terminal newb, and trying to wrap my head around manual "Little Snitch" functionality without using Little Snitch.
From the research I've been doing, I've landed on the fact that I need to utilize pf.conf; however, I have no idea how to format my request for Terminal.
I need to block a connection to www.domain.com on port 443. How do I do this?
To permanently block outgoing traffic to specific domains, you should create a new anchor file and add it to pf.conf.
- Create an anchor file org.user.block.out in /private/etc/pf.anchors:

      sudo touch /private/etc/pf.anchors/org.user.block.out

  with the following content and a trailing empty line:

      mybadhosts = "{ www.domain.com, domain.com, www.domain2.com, domain2.com }"
      mybadports = "{ 443, 80 }"
      block drop out proto tcp from any to $mybadhosts port $mybadports

  The additional domain names in mybadhosts are just an example of how to add additional domains. The same goes for port 80 in mybadports.

  A simple but less flexible solution is:

      block drop out proto tcp from any to domain.com port 443
- Modify the file /private/etc/pf.conf but keep a trailing empty line.

  original file:

      scrub-anchor "com.apple/*"
      nat-anchor "com.apple/*"
      rdr-anchor "com.apple/*"
      dummynet-anchor "com.apple/*"
      anchor "com.apple/*"
      load anchor "com.apple" from "/etc/pf.anchors/com.apple"

  to:

      scrub-anchor "com.apple/*"
      nat-anchor "com.apple/*"
      rdr-anchor "com.apple/*"
      dummynet-anchor "com.apple/*"
      anchor "com.apple/*"
      anchor "org.user.block.out"
      load anchor "com.apple" from "/etc/pf.anchors/com.apple"
      load anchor "org.user.block.out" from "/etc/pf.anchors/org.user.block.out"
- Parse and test your anchor file to make sure there are no errors:

      sudo pfctl -vnf /etc/pf.anchors/org.user.block.out
- Now modify /System/Library/LaunchDaemons/com.apple.pfctl.plist from

      <array>
          <string>pfctl</string>
          <string>-f</string>
          <string>/etc/pf.conf</string>
      </array>

  to

      <array>
          <string>pfctl</string>
          <string>-e</string>
          <string>-f</string>
          <string>/etc/pf.conf</string>
      </array>

  You have to disable System Integrity Protection to accomplish this. After editing the file, re-enable SIP. After rebooting your Mac, pf will be enabled (that's the -e option).
Alternatively you may create your own launch daemon similar to the answer here: Using Server 5.0.15 to share internet WITHOUT internet sharing.
After a system update or upgrade, some of the original files above may have been replaced, and you have to reapply all changes.
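The steps in the answer above, as an added example that is not part of the original answer: a small POSIX shell script that generates the anchor file, applies the two pf.conf additions to a copy of the stock file, and runs the same parse-only `pfctl -vnf` check where pfctl is installed. Everything happens in a throwaway directory standing in for /private/etc, so it can be inspected before any system file is touched; the function names, the scratch paths and the sample pf.conf contents are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not part of the answer above): build the anchor file and the
# pf.conf additions described in the answer in a scratch directory, so the
# result can be inspected and, where pfctl exists, parse-checked before any
# file under /etc is touched. All paths below are assumptions for the demo.
set -u

ANCHOR_NAME="org.user.block.out"

# gen_anchor "HOST1, HOST2" "PORT1, PORT2"
# Prints the anchor content from the answer, including the trailing empty line.
gen_anchor() {
    printf 'mybadhosts = "{ %s }"\n' "$1"
    printf 'mybadports = "{ %s }"\n' "$2"
    printf 'block drop out proto tcp from any to $mybadhosts port $mybadports\n'
    printf '\n'
}

# write_sample_pf_conf FILE
# Constructed copy of the stock pf.conf lines quoted in the answer (comments
# omitted), used only so the patch step can be exercised on a scratch file.
write_sample_pf_conf() {
    cat > "$1" <<'EOF'
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

EOF
}

# patch_pf_conf FILE ANCHORS_DIR
# Inserts the 'anchor' line after the com.apple anchor line and the
# 'load anchor' line after the com.apple load line, as in the answer.
# Idempotent: a file that already references the anchor is left unchanged.
patch_pf_conf() {
    f="$1"; dir="$2"
    if grep -q "^anchor \"$ANCHOR_NAME\"" "$f"; then
        return 0
    fi
    awk -v name="$ANCHOR_NAME" -v dir="$dir" '
        { print }
        $0 == "anchor \"com.apple/*\"" { printf "anchor \"%s\"\n", name }
        $0 ~ /^load anchor "com.apple"/ {
            printf "load anchor \"%s\" from \"%s/%s\"\n", name, dir, name
        }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# check_anchor FILE
# Parse-only check (pfctl -n never loads rules). Skipped with a message when
# pfctl is not installed on this machine (e.g. a Linux test box).
check_anchor() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -vnf "$1"
    else
        echo "pfctl not found; skipping syntax check of $1"
    fi
}

# Demo in a throwaway directory standing in for /private/etc.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/pf.anchors"
gen_anchor "www.domain.com, domain.com" "443" > "$ROOT/pf.anchors/$ANCHOR_NAME"
write_sample_pf_conf "$ROOT/pf.conf"
patch_pf_conf "$ROOT/pf.conf" "/etc/pf.anchors"
check_anchor "$ROOT/pf.anchors/$ANCHOR_NAME" || echo "syntax check failed"
echo "--- $ROOT/pf.conf ---"
cat "$ROOT/pf.conf"
```

To apply the result for real, write the gen_anchor output to /private/etc/pf.anchors/org.user.block.out with `sudo tee`, run patch_pf_conf against /private/etc/pf.conf, and then run `sudo pfctl -vnf` on the anchor file as the answer describes. Two caveats worth keeping in mind: pf resolves host names to addresses when the ruleset is loaded, so a domain whose addresses change later (typical for CDN-hosted sites) is only covered again after a reload, and pf filters by address and port, not by the process that opened the connection, so this is a network-level block rather than the per-application prompting Little Snitch provides.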