Black hole all IP addresses except for 192.168.1.1

Mac OS X, like other BSD systems, uses ipfw instead of iptables. Read the man page for the full reference.

One way would be to deny all TCP "establish connection" packets except those directed to gitserver, leaving all other traffic untouched:

ipfw add allow tcp from me to gitserver setup
ipfw add allow tcp from me to me setup # may not be needed
ipfw add deny tcp from any to any setup

The rules will be lost on reboot, so they must be set on every boot (e.g. from /etc/rc.common or crontab's @reboot).

If that seems too complicated, get a third party firewall. Little Snitch is a good one, but it costs another $30 :)
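An added example, not from the answer above: a small POSIX sh script that packages the three ipfw rules so they can be re-applied at every boot (from /etc/rc.common, a launchd job or crontab's @reboot). It assumes gitserver is 192.168.1.1 (the address from the question) and gives the rules fixed numbers of its own choosing (100, 110, 120) so they can be deleted and re-added without stacking duplicates. Passing `echo` instead of `ipfw` gives a dry run.

```shell
#!/bin/sh
# Added example: re-applies the ipfw "setup-only" rules from the answer above.
# GITSERVER defaults to 192.168.1.1 (the address in the question); override it
# with an environment variable if the git server lives elsewhere.
GITSERVER="${GITSERVER:-192.168.1.1}"

# Fixed rule numbers (assumed values) let us delete exactly our own rules later,
# so running this script twice does not leave duplicate copies in the chain.
RULE_NUMBERS="100 110 120"

# Emit the rule set, one rule per line, so it can be reviewed before applying.
# Order matters: ipfw evaluates rules by number, so the deny must come last.
build_rules() {
  printf '%s\n' \
    "add 100 allow tcp from me to $GITSERVER setup" \
    "add 110 allow tcp from me to me setup" \
    "add 120 deny tcp from any to any setup"
}

# Apply the rules with the given command (default: ipfw). Passing "echo"
# prints what would be run, which is handy for a dry run.
apply_rules() {
  cmd="${1:-ipfw}"
  # Remove any earlier copies of our rules; the error on first run is harmless.
  $cmd delete $RULE_NUMBERS 2>/dev/null || true
  build_rules | while IFS= read -r rule; do
    # $rule is intentionally unquoted so it splits into ipfw arguments.
    $cmd $rule
  done
}

# Usage:  sh gitonly.sh show          # print the rules
#         sudo sh gitonly.sh apply    # install them (e.g. from a boot script)
case "${1:-}" in
  show)  build_rules ;;
  apply) apply_rules ;;
esac
```

The deny rule only matches packets with the SYN flag set and ACK clear (`setup`), so connections that are already established, UDP, and ICMP keep working; `ipfw list` shows the three rules once they are in place.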


A little outside-the-box thought: Put a second network card into gitserver and connect the machine via that. Of course, routing should be disabled on gitserver.

Alternatively, assign your machine the IP 192.168.1.2, netmask 255.255.255.252 and leave the "router" field empty. This basically means your machine can communicate directly only with 192.168.1.1, and if there is no router configured, it doesn't know how to reach the outside world.

For both of these approaches, you need to be sure you don't need anything from "outside" - DNS, NTP, AppStore and application updates via network will not work with those setups.
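An added example, not part of the answer above, that works through the netmask arithmetic behind the second approach: given the host address and netmask from the answer, it reports which addresses are on the same link (reachable without a router) and checks whether a candidate address is one of them. It is plain POSIX sh and does not touch the system's network configuration.

```shell
#!/bin/sh
# Added example: on-link check for the "no router, /30 netmask" approach.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert the integer form back to dotted quad for display.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# directly_reachable HOST NETMASK CANDIDATE
# Succeeds when CANDIDATE shares HOST's network prefix. With no default
# router configured, anything that fails this check has no route at all.
directly_reachable() {
  h=$(ip_to_int "$1"); m=$(ip_to_int "$2"); c=$(ip_to_int "$3")
  [ $(( h & m )) -eq $(( c & m )) ]
}

# on_link_range HOST NETMASK -> "first-last" of the whole block, including the
# network and broadcast addresses, which no host can actually use.
on_link_range() {
  h=$(ip_to_int "$1"); m=$(ip_to_int "$2")
  net=$(( h & m ))
  bcast=$(( net | (~m & 4294967295) ))
  echo "$(int_to_ip $net)-$(int_to_ip $bcast)"
}

# Usage with the answer's values:
#   on_link_range 192.168.1.2 255.255.255.252   -> 192.168.1.0-192.168.1.3
#   directly_reachable 192.168.1.2 255.255.255.252 192.168.1.1 && echo reachable
#   directly_reachable 192.168.1.2 255.255.255.252 8.8.8.8 || echo "no route"
```

A 255.255.255.252 mask leaves a four-address block: 192.168.1.0 (network), .1 (the git server), .2 (this machine) and .3 (broadcast), which is why the answer says the machine can talk directly only to 192.168.1.1. Anything outside that block needs a router, and the empty "router" field guarantees there is none.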