How to Use Terminal for "Little Snitch" Functionality without Little Snitch

I'm a Terminal newb, and trying to wrap my head around manual "Little Snitch" functionality without using Little Snitch.

From the research I've been doing, I've landed on the fact that I need to utilize pf.conf, however I have no idea how to format my request for Terminal.

I need to block a connection to www.domain.com on port 443. How do I do this?


To permanently block outgoing traffic to specific domains you should create a new anchor file and add it to pf.conf.

  1. Create an anchor file org.user.block.out in /private/etc/pf.anchors

    sudo touch /private/etc/pf.anchors/org.user.block.out
    

    with the following content and a trailing empty line

    mybadhosts = "{ www.domain.com, domain.com, www.domain2.com, domain2.com }"
    mybadports = "{ 443, 80 }"
    
    block drop out proto tcp from any to $mybadhosts port $mybadports
    

    The additional domain names in mybadhosts are just an example how to add additional domains. The same goes for port 80 in mybadports.

    A simple but less flexible solution is:

    block drop out proto tcp from any to domain.com port 443
    
  2. Modify the file /private/etc/pf.conf but keep a trailing empty line

    original file:

    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
    

    to

    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    anchor "org.user.block.out"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
    load anchor "org.user.block.out" from "/etc/pf.anchors/org.user.block.out"
    
  3. Parse and test your anchor file to make sure there are no errors:

    sudo pfctl -vnf /etc/pf.anchors/org.user.block.out
    
  4. Now modify /System/Library/LaunchDaemons/com.apple.pfctl.plist from

    <array>
        <string>pfctl</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
    

    to

    <array>
        <string>pfctl</string>
        <string>-e</string>
        <string>-f</string>
        <string>/etc/pf.conf</string>
    </array>
    

    You have to disable System Integrity Protection to accomplish this. After editing the file reenable SIP. After rebooting your Mac pf will be enabled (that's the -e option).

    Alternatively you may create your own launch daemon similar to the answer here: Using Server 5.0.15 to share internet WITHOUT internet sharing.

After a system update or upgrade some of the original files above may have been replaced and you have to reapply all changes.