Firewall and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers (PF, squid, privoxy, hphosts, dshield, emergingthreats, hostsfile, PAC file)
macOS-Fortress

macOS-Fortress: Firewall, Blackhole, and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers

Kernel-level, OS-level, and client-level security for macOS. Built to address a steady stream of attacks visible in snort and server logs, it also blocks ads and malicious scripts and conceals information used to track you around the web. After this package was installed, snort and other detections fell to a fraction of their previous level with a few simple blocking actions. This setup is far more capable and effective than a simple ad-blocking browser add-on: there is a world of difference between ad-filled web pages with and without a filtering proxy server. It has also saved me from inadvertently clicking on phishing links.

Proxy features

The install script readme-and-install.sh installs and configures a macOS Firewall and Privatizing Proxy. It will:

  • Prompt you to install Apple's Xcode Command Line Tools and MacPorts
  • Use MacPorts to download and install several key utilities and applications (wget gnupg p7zip squid privoxy nmap)
  • Configure macOS's PF native firewall (man pfctl, man pf.conf), squid, and privoxy
  • Turn on macOS's native Apache web server to serve the Automatic Proxy Configuration at http://localhost/proxy.pac
  • Let networking on the local computer be set up to use this Automatic Proxy Configuration without breaking App Store or other updates (see squid.conf)
  • Uncomment the nat directive in pf.conf if you wish to set up an OpenVPN server
  • Install and launch daemons that download and regularly update open source IP and host blacklists. The sources are emergingthreats.net (net.emergingthreats.blockips.plist), dshield.org (net.dshield.block.plist), hosts-file.net (net.hphosts.hosts.plist), and EasyList (com.github.essandess.easylist-pac.plist, com.github.essandess.adblock2privoxy.plist)
  • Install a user launch daemon that deletes flash cookies not related to Adobe Flash Player settings every half-hour (http://goo.gl/k4BxuH)
  • After installation the connection between clients and the internet looks like this:

Application ➡️ proxy.pac ➡️port 3128➡️ Squid ➡️port 8118➡️ Privoxy ➡️ Internet

An auxiliary nginx-based web server (nominally on localhost:8119) is used both as a proxy.pac ad and tracker blackhole and for the CSS element blocking rules in the Privoxy configuration generated by adblock2privoxy.
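The following is an added, minimal proxy.pac in the shape of the chain above (not the repository's own proxy.pac): local and update traffic goes DIRECT, known ad and tracker hosts are steered to the nginx blackhole on port 8119, and everything else enters Squid on port 3128. The host lists and the Apple update domain patterns are assumptions; the helper functions dnsDomainIs and shExpMatch are supplied by the browser in a real PAC file and are re-implemented here so the file also runs under Node.

```javascript
// PAC helpers normally provided by the browser's PAC engine (re-implemented for Node).
function dnsDomainIs(host, domain) {
  // Standard PAC semantics: true when host ends with domain (use a leading dot
  // in domain so "nottracker.example" does not match ".tracker.example").
  return host.length >= domain.length && host.endsWith(domain);
}
function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run of characters, '?' exactly one.
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

var BLACKHOLE = "PROXY localhost:8119";  // nginx blackhole: serves blank responses
var CHAIN = "PROXY localhost:3128";      // Squid, which forwards to Privoxy on 8118
var DIRECT = "DIRECT";

// Assumed patterns for hosts that must keep working (App Store, software updates).
var UPDATE_HOSTS = ["*.apple.com", "*.mzstatic.com", "*.icloud.com"];
// Constructed stand-ins for the EasyList-derived blackhole list (leading dots on purpose).
var BLACKHOLE_HOSTS = [".doubleclick.net", ".googlesyndication.com", ".tracker.example"];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Loopback and RFC 1918 LAN addresses never enter the proxy chain.
  if (host === "localhost" || shExpMatch(host, "127.*") ||
      shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*")) {
    return DIRECT;
  }
  for (var i = 0; i < UPDATE_HOSTS.length; i++) {
    if (shExpMatch(host, UPDATE_HOSTS[i])) return DIRECT;
  }
  for (var j = 0; j < BLACKHOLE_HOSTS.length; j++) {
    if (dnsDomainIs(host, BLACKHOLE_HOSTS[j])) return BLACKHOLE;
  }
  return CHAIN;
}
```

Serve a file like this from http://localhost/proxy.pac (or http://lan_ip/proxy.pac for LAN devices) and point the client's Automatic Proxy Configuration at it.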

Public Service Announcement

This firewall is configured to block all known tracker and adware content—in the browser, in-app, wherever it finds them. Many websites now offer an additional way to block ads: subscribe to their content. Security and privacy will always necessitate ad blocking, but now that this software has become mainstream with mainstream effects, ad blocker users must consider the potential impact of ad blocking on the writers and publications that are important to them. Personally, two publications that I gladly pay for, especially for their important 2016 US Presidential election coverage, are the New York Times and The Atlantic. I encourage all users to subscribe to their own preferred publications and writers.

Tracker blocking

Lightbeam, the tracking tracker Firefox add-on, shows how ad- and tracker-blocking works to prevent third parties monitoring you or your children's online activities. My daughter enjoys the learning exercises at the children's website ABCya!. The Lightbeam graph below on the left shows all the third party trackers after less than a minute of browser activity, without using a privatizing proxy. The graph on the right shows all this tracker activity blocked when this privatizing proxy is used.

[Figure: Lightbeam graph without proxy (left); Lightbeam graph with proxy (right)]

This problem is the subject of Gary Kovacs's TED talk, Tracking Our Online Trackers:

[Embedded video: Tracking Our Online Trackers]

Attack blocking

The snort intrusion detection system reports far fewer events when known attack sites are blackholed by the packet filter:

[Figure: snort+BASE Overview (left); snort+BASE Events (right)]

Installation

git clone --recurse https://github.com/essandess/macOS-Fortress.git
cd macOS-Fortress
sudo sh ./readme-and-install.sh

Disabling

sudo sh ./disable.sh

Notes

  • Configure the squid proxy to accept connections on the LAN IP and set LAN device Automatic Proxy Configurations to http://lan_ip/proxy.pac to protect devices on the LAN.
  • Count the number of attacks since boot with the script pf_attacks. An "attack" is defined as the number of blocked IPs in PF's bruteforce table plus the number of denied connections from blacklisted IPs in the tables compromised_ips, dshield_block_ip, and emerging_threats.
  • Both squid and Privoxy are configured to forge the User-Agent. The default is an iPad to allow mobile device access. Change this to your local needs if necessary.
  • Whitelist or blacklist specific domain names with the files /usr/local/etc/whitelist.txt and /usr/local/etc/blacklist.txt. After editing these files, use launchctl to unload and load the plist /Library/LaunchDaemons/net.hphosts.hosts.plist, which recreates the hosts file /etc/hosts-hphost and reconfigures the squid proxy to use the updates.
  • Sometimes pf and privoxy do not launch at boot, in spite of their launch daemons. Fix this by hand after boot with the script macosfortress_boot_check, or individually using pf_restart, privoxy_restart, and squid_restart. And please post a solution if you find one.
  • All open source updates are done using the wget -N option to save everyone's bandwidth

Security

  • These services are intended to be run on a secure LAN behind a router firewall.
  • The default proxy configuration will only accept connections made from the local computer (localhost). If you change this to accept connections from any client on your LAN, do not configure the router to forward ports 3128 or 8118, or you will be running an open web proxy.