macos-fortress: Update to version 2025.09.21

* Use default Python version
* Use port:squid
* Update to maintained hosts files in subport `macos-fortress-hosts`
* Update pf rules
This commit is contained in:
Steven Thomas Smith
2025-09-21 06:41:34 -04:00
committed by Renee Otten
parent 0fd2beb0b7
commit a4df9af0ab
3 changed files with 108 additions and 85 deletions
+69 -23
View File
@@ -4,7 +4,7 @@ PortSystem 1.0
PortGroup active_variants 1.1
name macos-fortress
version 2024.01.11
version 2025.09.21
revision 0
categories net security
@@ -25,7 +25,7 @@ build {}
# Use ${python.default_version}
# name consistency with ${prefix}/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/_resources/port1.0/group/python-1.0.tcl
set python_default_version 39
set python_default_version 313
set python_version ${python_default_version}
set python_branch [string index ${python_version} 0].[string range ${python_version} 1 end]
@@ -741,14 +741,12 @@ subport ${name}-proxy-squid {
conflicts ${name}-proxy
set squid_major_version 5
depends_lib-append \
port:${name}-easylistpac \
port:${name}-hosts \
port:adblock2privoxy \
port:privoxy \
port:squid${squid_major_version}
port:squid
# squid patch file creation
## export prefix=${prefix}
@@ -791,13 +789,13 @@ subport ${name}-proxy-squid {
startupitems \
name ${subport} \
start [list \
"\${prefix}/bin/port -p load ${name}-hosts squid${squid_major_version} privoxy adblock2privoxy ${name}-easylistpac" \
"\${prefix}/bin/port -p load ${name}-hosts squid privoxy adblock2privoxy ${name}-easylistpac" \
] \
stop [list \
"\${prefix}/bin/port -p unload ${name}-hosts squid${squid_major_version} privoxy adblock2privoxy ${name}-easylistpac" \
"\${prefix}/bin/port -p unload ${name}-hosts squid privoxy adblock2privoxy ${name}-easylistpac" \
] \
restart [list \
"\${prefix}/bin/port -p reload ${name}-hosts squid${squid_major_version} privoxy adblock2privoxy ${name}-easylistpac" \
"\${prefix}/bin/port -p reload ${name}-hosts squid privoxy adblock2privoxy ${name}-easylistpac" \
] \
pidfile none \
name ${subport}.squid-rotate \
@@ -903,12 +901,8 @@ subport ${name}-easylistpac {
efficient network-level blocks in a proxy.pac file \
for automatic proxy network configurations and \
Privoxy proxy servers. Easily incorporates \
multiple blocking rulesets into both PAC and \
Privoxy formats, including easyprivacy.txt, \
easylist.txt, fanboy-annoyance.txt, \
fanboy-social.txt, antiadblockfilters.txt, \
malwaredomains_full.txt, and the anti-spamware \
list adblock-list.txt.
multiple blocking rulesets into both Privoxy \
and PAC formats, including many default lists.
homepage https://github.com/essandess/easylist-pac-privoxy
@@ -1029,12 +1023,15 @@ subport ${name}-hosts {
port:p${perl5.major}-data-validate-domain \
port:wget
set hosts_maintained_subdir hosts-maintained
destroot {
xinstall -d \
${destroot}${prefix}/etc/${name} \
${destroot}${prefix}/var/log
destroot.keepdirs \
${destroot}${prefix}/etc/${name} \
${destroot}${prefix}/etc/${name}/${hosts_maintained_subdir} \
${destroot}${prefix}/var/log
# N.b. do *not* use filename "hosts.orig" because mprsyncup uses
# `rsync -aIC`. The -C flag causes .orig files to be excluded
@@ -1043,6 +1040,7 @@ subport ${name}-hosts {
${filespath}/${f} \
${destroot}${prefix}/etc/${name}/${f}.macports
}
xinstall -d ${destroot}${prefix}/etc/${name}/${hosts_maintained_subdir}
xinstall -d ${destroot}${prefix}/etc/${name}/hphosts
xinstall -m 0644 \
${filespath}/hphosts-hosts_20180316.txt.bz2 \
@@ -1079,31 +1077,78 @@ function hosts_block_wget_and_add () {
\t\t\t> \${prefix}/etc/${name}/whitelist.txt )
\t# empty hosts-block.txt
\t> \"/tmp/${subport}/hosts-block.txt\"
\t# get lists
\t# https://github.com/fabston/little-snitch-blocklist/blob/main/SOURCES.md
\thosts_block_wget_and_add \\
\t\thttps://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \\
\t\tStevenBlack \\
\t\t${hosts_maintained_subdir}/StevenBlack \\
\t\tcat \\
\t\t'^0\\.0\\.0\\.0\\s+(.+)$'
\thosts_block_wget_and_add \\
\t\thttps://mirror1.malwaredomains.com/files/justdomains \\
\t\tmalwaredomains \\
\t\tcat \\
\t\t'^\\s*(\[^#\\s\].*)\$'
\thosts_block_wget_and_add \\
\t\thttps://sysctl.org/cameleon/hosts \\
\t\tcameleon \\
\t\t${hosts_maintained_subdir}/cameleon \\
\t\tcat \\
\t\t'^127\\.0\\.0\\.1\\s+(.+)\$'
\thosts_block_wget_and_add \\
\t\thttps://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt \\
\t\tdisconnect \\
\t\t${hosts_maintained_subdir}/disconnect \\
\t\tcat \\
\t\t'^\\s*(\[^#\\s\].*)\$'
\thosts_block_wget_and_add \\
\t\thttps://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt \\
\t\tdisconnect \\
\t\t${hosts_maintained_subdir}/disconnect \\
\t\tcat \\
\t\t'^\\s*(\[^#\\s\].*)\$'
\thosts_block_wget_and_add \\
\t\thttps://adaway.org/hosts.txt \\
\t\t${hosts_maintained_subdir}/adaway \\
\t\tcat \\
\t\t'^127\\.0\\.0\\.1\\s+(.+)\$'
\thosts_block_wget_and_add \\
\t\thttps://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt \\
\t\t${hosts_maintained_subdir}/notracking \\
\t\tcat \\
\t\t'^0\\.0\\.0\\.0\\s+(.+)$'
\thosts_block_wget_and_add \\
\t\thttps://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&mimetype=plaintext \\
\t\t${hosts_maintained_subdir}/yoyo \\
\t\tcat \\
\t\t'^\\s*(\[^#\\s\].*)\$'
\thosts_block_wget_and_add \\
\t\thttps://phishing.army/download/phishing_army_blocklist.txt \\
\t\t${hosts_maintained_subdir}/phishing_army \\
\t\tcat \\
\t\t'^\\s*(\[^#\\s\].*)\$'
\thosts_block_wget_and_add \\
\t\thttps://someonewhocares.org/hosts/hosts \\
\t\t${hosts_maintained_subdir}/someonewhocares \\
\t\tcat \\
\t\t'^127\\.0\\.0\\.1\\s+(.+)\$'
\thosts_block_wget_and_add \\
\t\thttps://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt \\
\t\t${hosts_maintained_subdir}/Spam404 \\
\t\tcat \\
\t\t'^\\s*(\[^#\\s\].*)\$'
\thosts_block_wget_and_add \\
\t\thttps://gitlab.com/quidsup/notrack-blocklists/-/raw/master/notrack-malware.txt?inline=false \\
\t\t${hosts_maintained_subdir}/quidsup \\
\t\tcat \\
\t\t'^\\s*(\[^#\\s\].*)\$'
\thosts_block_wget_and_add \\
\t\thttps://gitlab.com/quidsup/notrack-blocklists/-/raw/master/notrack-blocklist.txt?inline=false \\
\t\t${hosts_maintained_subdir}/quidsup \\
\t\tcat \\
\t\t'^\\s*(\[^#\\s\].*)\$'
\thosts_block_wget_and_add \\
\t\thttps://badmojr.github.io/1Hosts/Pro/hosts.txt \\
\t\t${hosts_maintained_subdir}/badmojr \\
\t\tcat \\
\t\t'^0\\.0\\.0\\.0\\s+(.+)$'
\thosts_block_wget_and_add \\
\t\thttps://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt \\
\t\t${hosts_maintained_subdir}/anudeepND \\
\t\tcat \\
\t\t'^0\\.0\\.0\\.0\\s+(.+)$'
\thosts_block_add \\
\t\t'http://hosts-file.net/download/hosts.zip \[no longer maintained\]' \\
\t\thphosts/hphosts-hosts_20180316.txt.bz2 \\
@@ -1119,6 +1164,7 @@ function hosts_block_wget_and_add () {
\t\thphosts/hphosts-ad_servers_20170602.txt.bz2 \\
\t\tbzcat \\
\t\t'^127\\.0\\.0\\.1\\s+(.+)\$'
\t# process lists
\tegrep -v -e '^(127\\.0\\.0\\.1|::1)\\s+localhost\$' \"/tmp/${subport}/hosts-block.txt\" \\
\t\t> \"/tmp/${subport}/hosts-block-\$\$.txt\" \\
\t\t&& mv \"/tmp/${subport}/hosts-block-\$\$.txt\" \"/tmp/${subport}/hosts-block.txt\"
+3 -9
View File
@@ -7,20 +7,14 @@
# http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
table <emerging_threats> persist file "@PREFIX@/etc/@NAME@/emerging-Block-IPs.txt"
block drop log quick from <emerging_threats> to any
block drop log quick from any to <emerging_threats>
# http://rules.emergingthreats.net/blockrules/compromised-ips.txt
table <compromised_ips> persist file "@PREFIX@/etc/@NAME@/compromised-ips.txt"
block drop log quick from <compromised_ips> to any
# THIS RULESET HAS BEEN OBSOLETED!!
# http://rules.emergingthreats.net/blockrules/rbn-ips.txt
#table <rbn_ips> persist file "@PREFIX@/etc/@NAME@/rbn-ips.txt"
#block drop log quick from <rbn_ips> to any
# http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
#table <rbn_malvertisers_ips> persist file "@PREFIX@/etc/@NAME@/rbn-malvertisers-ips.txt"
#block drop log quick from <rbn_malvertisers_ips> to any
block drop log quick from any to <compromised_ips>
# dshield.org block list
table <dshield_block_ip> persist file "@PREFIX@/etc/@NAME@/dshield_block_ip.txt"
block drop log quick from <dshield_block_ip> to any
block drop log quick from any to <dshield_block_ip>
+36 -53
View File
@@ -60,16 +60,14 @@ scrub-anchor "com.apple/*"
# The Book of PF, p. 21
# Allow VPN connections to the VPN host:
# http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work
# $ sudo vi /etc/sysctl.conf
# net.inet.ip.forwarding=1
# # net.inet6.ip6.forwarding=1
#tun_if = "utun0"
#no nat on ! $tun_if from $vpn_net to ($int_if)
#nat on ! $tun_if from $vpn_net to ! ($int_if) -> ($int_if)
# Use a list in case Tunnelblick creates multiples utun interaces
#tun_if = "{ utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9 }"
#vpn# not_tun_if = "{ !utun0, !utun1, !utun2, !utun3, !utun4, !utun5, !utun6, !utun7, !utun8, !utun9 }"
#vpn# no nat on $not_tun_if from $vpn_net to ($int_if)
#vpn# nat on $not_tun_if from $vpn_net to ! ($int_if) -> ($int_if)
#vpn# no nat on ! $tun_if inet from $vpn_net to ($int_if)
#vpn# nat on ! $tun_if inet from $vpn_net to ! ($int_if) -> ($int_if)
# This rule must be included below BEFORE these packets are passed by other rules:
# pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if
# pass in quick on $tun_if reply-to $tun_if inet from $vpn_net to $int_if
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
@@ -88,8 +86,8 @@ load anchor "com.apple" from "/etc/pf.anchors/com.apple"
block all
# Debugging:
#pass quick log (all, to pflog0) all
#block log (all, to pflog0) all
# pass quick log (all, to pflog0) all
# block log (all, to pflog0) all
# debugging rules
# $ sudo ifconfig pflog0 create
@@ -97,20 +95,10 @@ block all
# $ sudo ifconfig pflog0 destroy
# block log (all, to pflog0) all
# Allow VPN connections to the VPN host:
# Allow VPN connections to the VPN host and clients:
# http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work
# pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if
# Rule for a lot of utun interfaces in case Tunnelblick creates extras
#vpn# pass in quick on utun0 reply-to utun0 from $vpn_net to $int_if
#vpn# pass in quick on utun1 reply-to utun1 from $vpn_net to $int_if
#vpn# pass in quick on utun2 reply-to utun2 from $vpn_net to $int_if
#vpn# pass in quick on utun3 reply-to utun3 from $vpn_net to $int_if
#vpn# pass in quick on utun4 reply-to utun4 from $vpn_net to $int_if
#vpn# pass in quick on utun5 reply-to utun5 from $vpn_net to $int_if
#vpn# pass in quick on utun6 reply-to utun6 from $vpn_net to $int_if
#vpn# pass in quick on utun7 reply-to utun7 from $vpn_net to $int_if
#vpn# pass in quick on utun8 reply-to utun8 from $vpn_net to $int_if
#vpn# pass in quick on utun9 reply-to utun9 from $vpn_net to $int_if
#vpn# pass in quick on $tun_if reply-to $tun_if inet from $vpn_net to $int_if
#vpn# pass quick on $tun_if inet from $int_if:network to $vpn_net
# Local net
table <lan_inet> const { 10/8, 172.16/12, 192.168/16 }
@@ -141,13 +129,13 @@ block drop log quick from <bruteforce>
# Allow application-specific traffic over these interfaces
# multicast DNS
pass on $int_if proto { udp, tcp } to { 224.0.0.2, 224.0.0.18, 224.0.0.251 } port mdns
pass on $int_if proto { tcp, udp } to { 224.0.0.2, 224.0.0.18, 224.0.0.251 } port mdns
pass on $int_if proto igmp to { 224.0.0.1, 224.0.0.22, 224.0.0.251 }
# quick pass of Tor relay ports to avoid blocks below
#tor_relay = "{ 9001, 9030 }"
#pass in quick proto tcp from any to $int_if port $tor_relay
#pass out quick proto tcp from $int_if port $tor_relay to any
#pass in proto tcp from any to $int_if port $tor_relay
#pass out proto tcp from $int_if port $tor_relay to any
# Open Source IP blocks
# Refresh with pfctl -a blockips -T load -f @PREFIX@/etc/@NAME@/blockips.conf
@@ -156,8 +144,8 @@ load anchor 'blockips' from '@PREFIX@/etc/@NAME@/blockips.conf'
# ICMP
icmp_types = "echoreq"
pass inet proto icmp from $int_if:network to any icmp-type $icmp_types
pass inet proto icmp from any to $int_if icmp-type $icmp_types
pass out inet proto icmp from $int_if:network to any icmp-type $icmp_types
pass in inet proto icmp from any to $int_if icmp-type $icmp_types
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
@@ -168,38 +156,31 @@ pass in quick inet proto udp from port bootps to port bootpc
pass out quick inet proto udp from port bootpc to port bootps
# LAN services: block access, except from localnet
lan_udp_services = "{ domain, net-assistant, 5001, 5900, postgresql }"
lan_tcp_services = "{ domain, auth, nntp, www, \
311, 3128, net-assistant, 5001, 5900, privoxy, postgresql, \
311, net-assistant, 5001, 5900, privoxy, postgresql, \
8123, 8180, 8181, 9150, 9151 }"
lan_udp_services = "{ domain, net-assistant, 5001, 5900, postgresql }"
block in proto tcp from any to $int_if port $lan_tcp_services
block in proto udp from any to $int_if port $lan_udp_services
pass in inet proto udp from $int_if:network to $int_if port $lan_udp_services
pass in inet proto tcp from $int_if:network to $int_if port $lan_tcp_services
pass out proto udp from $int_if port $lan_udp_services to $int_if:network
pass in inet proto udp from $int_if:network to $int_if port $lan_udp_services
pass out proto tcp from $int_if port $lan_tcp_services to $int_if:network
pass out proto udp from $int_if port $lan_udp_services to $int_if:network
# Add vpn_net if running OpenVPN
#vpn# pass in inet proto udp from $vpn_net to $int_if port $lan_udp_services
#vpn# pass in inet proto tcp from $vpn_net to $int_if port $lan_tcp_services
#vpn# pass out proto udp from $int_if port $lan_udp_services to $vpn_net
#vpn# pass in inet proto udp from $vpn_net to $int_if port $lan_udp_services
#vpn# pass out proto tcp from $int_if port $lan_tcp_services to $vpn_net
#vpn# pass out proto udp from $int_if port $lan_udp_services to $vpn_net
# Internet services
internet_udp_services = "{ https, 500, openvpn, \
1701, 4500, 5060, 5190, 5297, 5298, 5678, 16384 }"
internet_tcp_services = "{ 995, 1640, 1723, 2195, \
2196, 4190, 5218, 5223, 5190, 5220, 5222, 5298, \
8008, 8443, 8800, 8843, 9001, 9030 }"
pass in proto udp from any to $int_if port $internet_udp_services
pass in proto tcp from any to $int_if port $internet_tcp_services
pass out inet proto udp from $int_if to any port $internet_udp_services
pass out inet proto tcp from $int_if to any port $internet_tcp_services
#apns_services = "{ 2195, 2196 }"
#pass in proto tcp from any port $apns_services to <lan_inet>
#pass out inet proto tcp to any port $apns_services from <lan_inet>
# internet_tcp_services = "{ 9030, 49160:49163 }"
#vpn# internet_udp_services = "{ https }"
# pass in inet proto tcp from any to $int_if port $internet_tcp_services
# pass in inet proto udp from any to $int_if port $internet_udp_services
# pass out inet proto tcp from $int_if to any port $internet_tcp_services
# pass out inet proto udp from $int_if to any port $internet_udp_services
# ssh really restrictive
pass in inet proto tcp from any to $int_if port ssh \
@@ -207,15 +188,17 @@ pass in inet proto tcp from any to $int_if port ssh \
overload <bruteforce> flush global)
pass out inet proto tcp from $int_if port ssh
# web, mail more restrictive
# web, mail, calendarservice more restrictive
webmailcalcard_tcp_services = "{ smtp, www, imap, https, submission, imaps, \
cert-responder, sieve, 8008, 8443, 8800, 8843 }"
pass in inet proto tcp from any to $int_if \
port { smtp, https, imap, submission, imaps } \
port $webmailcalcard_tcp_services \
keep state (max-src-nodes 50, max-src-conn 200, max-src-conn-rate 100/10, \
overload <bruteforce> flush global)
pass out inet proto tcp from $int_if to any \
port { smtp, imap4-ssl, imap, submission, imaps }
pass out inet proto tcp from $int_if to any \
port $webmailcalcard_tcp_services
# I2P
#i2p_port = "65530"
#pass in inet proto { udp, tcp } from any to $int_if port $i2p_port
#pass out inet proto { udp, tcp } from $int_if port $i2p_port to any
#pass in inet proto { tcp, udp } from any to $int_if port $i2p_port
#pass out inet proto { tcp, udp } from $int_if port $i2p_port to any