From a4df9af0abb464a13187b342c0365e377079c983 Mon Sep 17 00:00:00 2001 From: Steven Thomas Smith Date: Sun, 21 Sep 2025 06:41:34 -0400 Subject: [PATCH] macos-fortress: Update to version 2025.09.21 * Use default Python version * Use port:squid * Update to maintained hosts files in subport `macos-fortress-hosts` * Update pf rules --- net/macos-fortress/Portfile | 92 +++++++++++++++++++------- net/macos-fortress/files/blockips.conf | 12 +--- net/macos-fortress/files/pf.conf | 89 ++++++++++--------------- 3 files changed, 108 insertions(+), 85 deletions(-) diff --git a/net/macos-fortress/Portfile b/net/macos-fortress/Portfile index 3daad9fc131..b1811a9a3ed 100644 --- a/net/macos-fortress/Portfile +++ b/net/macos-fortress/Portfile @@ -4,7 +4,7 @@ PortSystem 1.0 PortGroup active_variants 1.1 name macos-fortress -version 2024.01.11 +version 2025.09.21 revision 0 categories net security @@ -25,7 +25,7 @@ build {} # Use ${python.default_version} # name consistency with ${prefix}/var/macports/sources/rsync.macports.org/macports/release/tarballs/ports/_resources/port1.0/group/python-1.0.tcl -set python_default_version 39 +set python_default_version 313 set python_version ${python_default_version} set python_branch [string index ${python_version} 0].[string range ${python_version} 1 end] @@ -741,14 +741,12 @@ subport ${name}-proxy-squid { conflicts ${name}-proxy - set squid_major_version 5 - depends_lib-append \ port:${name}-easylistpac \ port:${name}-hosts \ port:adblock2privoxy \ port:privoxy \ - port:squid${squid_major_version} + port:squid # squid patch file creation ## export prefix=${prefix} @@ -791,13 +789,13 @@ subport ${name}-proxy-squid { startupitems \ name ${subport} \ start [list \ - "\${prefix}/bin/port -p load ${name}-hosts squid${squid_major_version} privoxy adblock2privoxy ${name}-easylistpac" \ + "\${prefix}/bin/port -p load ${name}-hosts squid privoxy adblock2privoxy ${name}-easylistpac" \ ] \ stop [list \ - "\${prefix}/bin/port -p unload ${name}-hosts squid${squid_major_version} privoxy adblock2privoxy ${name}-easylistpac" \ + "\${prefix}/bin/port -p unload ${name}-hosts squid privoxy adblock2privoxy ${name}-easylistpac" \ ] \ restart [list \ - "\${prefix}/bin/port -p reload ${name}-hosts squid${squid_major_version} privoxy adblock2privoxy ${name}-easylistpac" \ + "\${prefix}/bin/port -p reload ${name}-hosts squid privoxy adblock2privoxy ${name}-easylistpac" \ ] \ pidfile none \ name ${subport}.squid-rotate \ @@ -903,12 +901,8 @@ subport ${name}-easylistpac { efficient network-level blocks in a proxy.pac file \ for automatic proxy network configurations and \ Privoxy proxy servers. Easily incorporates \ - multiple blocking rulesets into both PAC and \ - Privoxy formats, including easyprivacy.txt, \ - easylist.txt, fanboy-annoyance.txt, \ - fanboy-social.txt, antiadblockfilters.txt, \ - malwaredomains_full.txt, and the anti-spamware \ - list adblock-list.txt. + multiple blocking rulesets into both Privoxy \ + and PAC formats, including many default lists. homepage https://github.com/essandess/easylist-pac-privoxy @@ -1029,12 +1023,15 @@ subport ${name}-hosts { port:p${perl5.major}-data-validate-domain \ port:wget + set hosts_maintained_subdir hosts-maintained + destroot { xinstall -d \ ${destroot}${prefix}/etc/${name} \ ${destroot}${prefix}/var/log destroot.keepdirs \ ${destroot}${prefix}/etc/${name} \ + ${destroot}${prefix}/etc/${name}/${hosts_maintained_subdir} \ ${destroot}${prefix}/var/log # N.b. do *not* use filename "hosts.orig" because mprsyncup uses # `rsync -aIC`. The -C flag causes .orig files to be excluded @@ -1043,6 +1040,7 @@ subport ${name}-hosts { ${filespath}/${f} \ ${destroot}${prefix}/etc/${name}/${f}.macports } + xinstall -d ${destroot}${prefix}/etc/${name}/${hosts_maintained_subdir} xinstall -d ${destroot}${prefix}/etc/${name}/hphosts xinstall -m 0644 \ ${filespath}/hphosts-hosts_20180316.txt.bz2 \ @@ -1079,31 +1077,78 @@ function hosts_block_wget_and_add () { \t\t\t> \${prefix}/etc/${name}/whitelist.txt ) \t# empty hosts-block.txt \t> \"/tmp/${subport}/hosts-block.txt\" +\t# get lists +\t# https://github.com/fabston/little-snitch-blocklist/blob/main/SOURCES.md \thosts_block_wget_and_add \\ \t\thttps://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \\ -\t\tStevenBlack \\ +\t\t${hosts_maintained_subdir}/StevenBlack \\ \t\tcat \\ \t\t'^0\\.0\\.0\\.0\\s+(.+)$' \thosts_block_wget_and_add \\ -\t\thttps://mirror1.malwaredomains.com/files/justdomains \\ -\t\tmalwaredomains \\ -\t\tcat \\ -\t\t'^\\s*(\[^#\\s\].*)\$' -\thosts_block_wget_and_add \\ \t\thttps://sysctl.org/cameleon/hosts \\ -\t\tcameleon \\ +\t\t${hosts_maintained_subdir}/cameleon \\ \t\tcat \\ \t\t'^127\\.0\\.0\\.1\\s+(.+)\$' \thosts_block_wget_and_add \\ \t\thttps://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt \\ -\t\tdisconnect \\ +\t\t${hosts_maintained_subdir}/disconnect \\ \t\tcat \\ \t\t'^\\s*(\[^#\\s\].*)\$' \thosts_block_wget_and_add \\ \t\thttps://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt \\ -\t\tdisconnect \\ +\t\t${hosts_maintained_subdir}/disconnect \\ \t\tcat \\ \t\t'^\\s*(\[^#\\s\].*)\$' +\thosts_block_wget_and_add \\ +\t\thttps://adaway.org/hosts.txt \\ +\t\t${hosts_maintained_subdir}/adaway \\ +\t\tcat \\ +\t\t'^127\\.0\\.0\\.1\\s+(.+)\$' +\thosts_block_wget_and_add \\ +\t\thttps://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt \\ +\t\t${hosts_maintained_subdir}/notracking \\ +\t\tcat \\ +\t\t'^0\\.0\\.0\\.0\\s+(.+)$' +\thosts_block_wget_and_add \\ +\t\thttps://pgl.yoyo.org/adservers/serverlist.php?hostformat=nohtml&mimetype=plaintext \\ +\t\t${hosts_maintained_subdir}/yoyo \\ +\t\tcat \\ +\t\t'^\\s*(\[^#\\s\].*)\$' +\thosts_block_wget_and_add \\ +\t\thttps://phishing.army/download/phishing_army_blocklist.txt \\ +\t\t${hosts_maintained_subdir}/phishing_army \\ +\t\tcat \\ +\t\t'^\\s*(\[^#\\s\].*)\$' +\thosts_block_wget_and_add \\ +\t\thttps://someonewhocares.org/hosts/hosts \\ +\t\t${hosts_maintained_subdir}/someonewhocares \\ +\t\tcat \\ +\t\t'^127\\.0\\.0\\.1\\s+(.+)\$' +\thosts_block_wget_and_add \\ +\t\thttps://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt \\ +\t\t${hosts_maintained_subdir}/Spam404 \\ +\t\tcat \\ +\t\t'^\\s*(\[^#\\s\].*)\$' +\thosts_block_wget_and_add \\ +\t\thttps://gitlab.com/quidsup/notrack-blocklists/-/raw/master/notrack-malware.txt?inline=false \\ +\t\t${hosts_maintained_subdir}/quidsup \\ +\t\tcat \\ +\t\t'^\\s*(\[^#\\s\].*)\$' +\thosts_block_wget_and_add \\ +\t\thttps://gitlab.com/quidsup/notrack-blocklists/-/raw/master/notrack-blocklist.txt?inline=false \\ +\t\t${hosts_maintained_subdir}/quidsup \\ +\t\tcat \\ +\t\t'^\\s*(\[^#\\s\].*)\$' +\thosts_block_wget_and_add \\ +\t\thttps://badmojr.github.io/1Hosts/Pro/hosts.txt \\ +\t\t${hosts_maintained_subdir}/badmojr \\ +\t\tcat \\ +\t\t'^0\\.0\\.0\\.0\\s+(.+)$' +\thosts_block_wget_and_add \\ +\t\thttps://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt \\ +\t\t${hosts_maintained_subdir}/anudeepND \\ +\t\tcat \\ +\t\t'^0\\.0\\.0\\.0\\s+(.+)$' \thosts_block_add \\ \t\t'http://hosts-file.net/download/hosts.zip \[no longer maintained\]' \\ \t\thphosts/hphosts-hosts_20180316.txt.bz2 \\ @@ -1119,6 +1164,7 @@ function hosts_block_wget_and_add () { \t\thphosts/hphosts-ad_servers_20170602.txt.bz2 \\ \t\tbzcat \\ \t\t'^127\\.0\\.0\\.1\\s+(.+)\$' +\t# process lists \tegrep -v -e '^(127\\.0\\.0\\.1|::1)\\s+localhost\$' \"/tmp/${subport}/hosts-block.txt\" \\ \t\t> \"/tmp/${subport}/hosts-block-\$\$.txt\" \\ \t\t&& mv \"/tmp/${subport}/hosts-block-\$\$.txt\" \"/tmp/${subport}/hosts-block.txt\" diff --git a/net/macos-fortress/files/blockips.conf b/net/macos-fortress/files/blockips.conf index cc071ddbdbe..97ca095882b 100644 --- a/net/macos-fortress/files/blockips.conf +++ b/net/macos-fortress/files/blockips.conf @@ -7,20 +7,14 @@ # http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt table persist file "@PREFIX@/etc/@NAME@/emerging-Block-IPs.txt" block drop log quick from to any +block drop log quick from any to # http://rules.emergingthreats.net/blockrules/compromised-ips.txt table persist file "@PREFIX@/etc/@NAME@/compromised-ips.txt" block drop log quick from to any - -# THIS RULESET HAS BEEN OBSOLETED!! -# http://rules.emergingthreats.net/blockrules/rbn-ips.txt -#table persist file "@PREFIX@/etc/@NAME@/rbn-ips.txt" -#block drop log quick from to any - -# http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt -#table persist file "@PREFIX@/etc/@NAME@/rbn-malvertisers-ips.txt" -#block drop log quick from to any +block drop log quick from any to # dshield.org block list table persist file "@PREFIX@/etc/@NAME@/dshield_block_ip.txt" block drop log quick from to any +block drop log quick from any to diff --git a/net/macos-fortress/files/pf.conf b/net/macos-fortress/files/pf.conf index 564fe09fbdf..9c6c30f31f0 100644 --- a/net/macos-fortress/files/pf.conf +++ b/net/macos-fortress/files/pf.conf @@ -60,16 +60,14 @@ scrub-anchor "com.apple/*" # The Book of PF, p. 21 # Allow VPN connections to the VPN host: # http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work +# $ sudo vi /etc/sysctl.conf +# net.inet.ip.forwarding=1 +# # net.inet6.ip6.forwarding=1 #tun_if = "utun0" -#no nat on ! $tun_if from $vpn_net to ($int_if) -#nat on ! $tun_if from $vpn_net to ! ($int_if) -> ($int_if) -# Use a list in case Tunnelblick creates multiples utun interaces -#tun_if = "{ utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9 }" -#vpn# not_tun_if = "{ !utun0, !utun1, !utun2, !utun3, !utun4, !utun5, !utun6, !utun7, !utun8, !utun9 }" -#vpn# no nat on $not_tun_if from $vpn_net to ($int_if) -#vpn# nat on $not_tun_if from $vpn_net to ! ($int_if) -> ($int_if) +#vpn# no nat on ! $tun_if inet from $vpn_net to ($int_if) +#vpn# nat on ! $tun_if inet from $vpn_net to ! ($int_if) -> ($int_if) # This rule must be included below BEFORE these packets are passed by other rules: -# pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if +# pass in quick on $tun_if reply-to $tun_if inet from $vpn_net to $int_if nat-anchor "com.apple/*" rdr-anchor "com.apple/*" @@ -88,8 +86,8 @@ load anchor "com.apple" from "/etc/pf.anchors/com.apple" block all # Debugging: -#pass quick log (all, to pflog0) all -#block log (all, to pflog0) all +# pass quick log (all, to pflog0) all +# block log (all, to pflog0) all # debugging rules # $ sudo ifconfig pflog0 create @@ -97,20 +95,10 @@ block all # $ sudo ifconfig pflog0 destroy # block log (all, to pflog0) all -# Allow VPN connections to the VPN host: +# Allow VPN connections to the VPN host and clients: # http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work -# pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if -# Rule for a lot of utun interfaces in case Tunnelblick creates extras -#vpn# pass in quick on utun0 reply-to utun0 from $vpn_net to $int_if -#vpn# pass in quick on utun1 reply-to utun1 from $vpn_net to $int_if -#vpn# pass in quick on utun2 reply-to utun2 from $vpn_net to $int_if -#vpn# pass in quick on utun3 reply-to utun3 from $vpn_net to $int_if -#vpn# pass in quick on utun4 reply-to utun4 from $vpn_net to $int_if -#vpn# pass in quick on utun5 reply-to utun5 from $vpn_net to $int_if -#vpn# pass in quick on utun6 reply-to utun6 from $vpn_net to $int_if -#vpn# pass in quick on utun7 reply-to utun7 from $vpn_net to $int_if -#vpn# pass in quick on utun8 reply-to utun8 from $vpn_net to $int_if -#vpn# pass in quick on utun9 reply-to utun9 from $vpn_net to $int_if +#vpn# pass in quick on $tun_if reply-to $tun_if inet from $vpn_net to $int_if +#vpn# pass quick on $tun_if inet from $int_if:network to $vpn_net # Local net table const { 10/8, 172.16/12, 192.168/16 } @@ -141,13 +129,13 @@ block drop log quick from # Allow application-specific traffic over these interfaces # multicast DNS -pass on $int_if proto { udp, tcp } to { 224.0.0.2, 224.0.0.18, 224.0.0.251 } port mdns +pass on $int_if proto { tcp, udp } to { 224.0.0.2, 224.0.0.18, 224.0.0.251 } port mdns pass on $int_if proto igmp to { 224.0.0.1, 224.0.0.22, 224.0.0.251 } # quick pass of Tor relay ports to avoid blocks below #tor_relay = "{ 9001, 9030 }" -#pass in quick proto tcp from any to $int_if port $tor_relay -#pass out quick proto tcp from $int_if port $tor_relay to any +#pass in proto tcp from any to $int_if port $tor_relay +#pass out proto tcp from $int_if port $tor_relay to any # Open Source IP blocks # Refresh with pfctl -a blockips -T load -f @PREFIX@/etc/@NAME@/blockips.conf @@ -156,8 +144,8 @@ load anchor 'blockips' from '@PREFIX@/etc/@NAME@/blockips.conf' # ICMP icmp_types = "echoreq" -pass inet proto icmp from $int_if:network to any icmp-type $icmp_types -pass inet proto icmp from any to $int_if icmp-type $icmp_types +pass out inet proto icmp from $int_if:network to any icmp-type $icmp_types +pass in inet proto icmp from any to $int_if icmp-type $icmp_types # allow out the default range for traceroute(8): # "base+nhops*nqueries-1" (33434+64*3-1) @@ -168,38 +156,31 @@ pass in quick inet proto udp from port bootps to port bootpc pass out quick inet proto udp from port bootpc to port bootps # LAN services: block access, except from localnet -lan_udp_services = "{ domain, net-assistant, 5001, 5900, postgresql }" lan_tcp_services = "{ domain, auth, nntp, www, \ - 311, 3128, net-assistant, 5001, 5900, privoxy, postgresql, \ + 311, net-assistant, 5001, 5900, privoxy, postgresql, \ 8123, 8180, 8181, 9150, 9151 }" +lan_udp_services = "{ domain, net-assistant, 5001, 5900, postgresql }" block in proto tcp from any to $int_if port $lan_tcp_services block in proto udp from any to $int_if port $lan_udp_services -pass in inet proto udp from $int_if:network to $int_if port $lan_udp_services pass in inet proto tcp from $int_if:network to $int_if port $lan_tcp_services -pass out proto udp from $int_if port $lan_udp_services to $int_if:network +pass in inet proto udp from $int_if:network to $int_if port $lan_udp_services pass out proto tcp from $int_if port $lan_tcp_services to $int_if:network +pass out proto udp from $int_if port $lan_udp_services to $int_if:network # Add vpn_net if running OpenVPN -#vpn# pass in inet proto udp from $vpn_net to $int_if port $lan_udp_services #vpn# pass in inet proto tcp from $vpn_net to $int_if port $lan_tcp_services -#vpn# pass out proto udp from $int_if port $lan_udp_services to $vpn_net +#vpn# pass in inet proto udp from $vpn_net to $int_if port $lan_udp_services #vpn# pass out proto tcp from $int_if port $lan_tcp_services to $vpn_net +#vpn# pass out proto udp from $int_if port $lan_udp_services to $vpn_net # Internet services -internet_udp_services = "{ https, 500, openvpn, \ - 1701, 4500, 5060, 5190, 5297, 5298, 5678, 16384 }" -internet_tcp_services = "{ 995, 1640, 1723, 2195, \ - 2196, 4190, 5218, 5223, 5190, 5220, 5222, 5298, \ - 8008, 8443, 8800, 8843, 9001, 9030 }" -pass in proto udp from any to $int_if port $internet_udp_services -pass in proto tcp from any to $int_if port $internet_tcp_services -pass out inet proto udp from $int_if to any port $internet_udp_services -pass out inet proto tcp from $int_if to any port $internet_tcp_services - -#apns_services = "{ 2195, 2196 }" -#pass in proto tcp from any port $apns_services to -#pass out inet proto tcp to any port $apns_services from +# internet_tcp_services = "{ 9030, 49160:49163 }" +#vpn# internet_udp_services = "{ https }" +# pass in inet proto tcp from any to $int_if port $internet_tcp_services +# pass in inet proto udp from any to $int_if port $internet_udp_services +# pass out inet proto tcp from $int_if to any port $internet_tcp_services +# pass out inet proto udp from $int_if to any port $internet_udp_services # ssh really restrictive pass in inet proto tcp from any to $int_if port ssh \ @@ -207,15 +188,17 @@ pass in inet proto tcp from any to $int_if port ssh \ overload flush global) pass out inet proto tcp from $int_if port ssh -# web, mail more restrictive +# web, mail, calendarservice more restrictive +webmailcalcard_tcp_services = "{ smtp, www, imap, https, submission, imaps, \ + cert-responder, sieve, 8008, 8443, 8800, 8843 }" pass in inet proto tcp from any to $int_if \ - port { smtp, https, imap, submission, imaps } \ + port $webmailcalcard_tcp_services \ keep state (max-src-nodes 50, max-src-conn 200, max-src-conn-rate 100/10, \ overload flush global) -pass out inet proto tcp from $int_if to any \ - port { smtp, imap4-ssl, imap, submission, imaps } +pass out inet proto tcp from $int_if to any \ + port $webmailcalcard_tcp_services # I2P #i2p_port = "65530" -#pass in inet proto { udp, tcp } from any to $int_if port $i2p_port -#pass out inet proto { udp, tcp } from $int_if port $i2p_port to any +#pass in inet proto { tcp, udp } from any to $int_if port $i2p_port +#pass out inet proto { tcp, udp } from $int_if port $i2p_port to any