Heads-up: when following this guide, IKEv2/IPsec VPNs will likely be unresponsive for about 60 seconds at boot and wake.
When copying commands from this guide:

- If a line starts with `$`, strip out the `$`, as this character is not part of the command.
- If a command starts with `cat << "EOF"`, select all lines at once (from `cat << "EOF"` to `EOF` inclusively), as they are part of the same (single) command.

Open “System Preferences”, click “Security & Privacy”, then “Firewall” and enable “Turn On Firewall”.
Then, click “Firewall Options…” and disable all options except “Enable stealth mode”.

The status check should report:

Status: Enabled

👍
`/etc/pf.conf`

Heads-up: software updates will likely restore `/etc/pf.conf` to its default. Remember to check `/etc/pf.conf` using `cat /etc/pf.conf` after updates and to test the kill switch again.
(Wi-Fi interface)

Use the following table to find the bitmask for a given subnet mask. For example, if the subnet mask is 255.255.255.0, the bitmask is /24 and the subnet prefix is 10.0.1.0/24.
Subnet mask | Bitmask |
---|---|
0.0.0.0 | /0 |
128.0.0.0 | /1 |
192.0.0.0 | /2 |
224.0.0.0 | /3 |
240.0.0.0 | /4 |
248.0.0.0 | /5 |
252.0.0.0 | /6 |
254.0.0.0 | /7 |
255.0.0.0 | /8 |
255.128.0.0 | /9 |
255.192.0.0 | /10 |
255.224.0.0 | /11 |
255.240.0.0 | /12 |
255.248.0.0 | /13 |
255.252.0.0 | /14 |
255.254.0.0 | /15 |
255.255.0.0 | /16 |
255.255.128.0 | /17 |
255.255.192.0 | /18 |
255.255.224.0 | /19 |
255.255.240.0 | /20 |
255.255.248.0 | /21 |
255.255.252.0 | /22 |
255.255.254.0 | /23 |
255.255.255.0 | /24 |
255.255.255.128 | /25 |
255.255.255.192 | /26 |
255.255.255.224 | /27 |
255.255.255.240 | /28 |
255.255.255.248 | /29 |
255.255.255.252 | /30 |
255.255.255.254 | /31 |
255.255.255.255 | /32 |
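The mask-to-bitmask lookup above, done as shell functions so it also covers the hexadecimal form macOS `ifconfig` prints (for example `netmask 0xffffff00`). This is an added example, not code from the original guide: `mask_to_bits` counts the leading one bits of a mask and rejects non-contiguous masks, and `subnet_prefix` combines an interface address with its mask to produce the prefix that goes into `KILLSWITCH_TRUSTED_SUBNET_PREFIXES`. The addresses used in the comments and usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): derive the bitmask and
# subnet prefix from an interface address and its netmask, the way a
# practitioner would read them off `ifconfig` output on macOS.

# "10.0.1.42" -> 167772458 (32-bit integer)
dotted_to_int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 4294967040 -> "255.255.255.0"
int_to_dotted() {
  printf '%d.%d.%d.%d\n' \
    $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Accept either the dotted mask from the table ("255.255.255.0") or the
# hex mask macOS ifconfig prints ("0xffffff00"); both become an integer.
mask_to_int() {
  case "$1" in
    0x*) echo $(( $1 )) ;;
    *)   dotted_to_int "$1" ;;
  esac
}

# "255.255.255.0" or "0xffffff00" -> 24. A valid mask is a run of ones
# followed by a run of zeros; anything else (e.g. 255.0.255.0) is rejected.
mask_to_bits() {
  m=$(mask_to_int "$1")
  bits=0
  i=31
  while [ "$i" -ge 0 ] && [ $(( (m >> i) & 1 )) -eq 1 ]; do
    bits=$((bits + 1))
    i=$((i - 1))
  done
  if [ "$i" -ge 0 ] && [ $(( m & ((1 << (i + 1)) - 1) )) -ne 0 ]; then
    echo "invalid (non-contiguous) subnet mask: $1" >&2
    return 1
  fi
  echo "$bits"
}

# "10.0.1.42" "255.255.255.0" -> "10.0.1.0/24", i.e. the value to list in
# KILLSWITCH_TRUSTED_SUBNET_PREFIXES for that (trusted) network.
subnet_prefix() {
  bits=$(mask_to_bits "$2") || return 1
  ip=$(dotted_to_int "$1")
  m=$(mask_to_int "$2")
  printf '%s/%s\n' "$(int_to_dotted $(( ip & m )))" "$bits"
}

# Usage: sh subnet_prefix.sh 10.0.1.42 0xffffff00   (constructed sample values)
if [ $# -eq 2 ]; then
  subnet_prefix "$1" "$2"
fi
```

The hex form matters because `ifconfig en0` on macOS reports the mask as `netmask 0xffffff00`, not in dotted notation; the contiguity check catches typos that would otherwise silently widen or narrow the trusted prefix in the anchor.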
- `KILLSWITCH_HARDWARE_INTERFACES` should include all hardware network interfaces in use.
- `KILLSWITCH_VPN_INTERFACE` should be set to the VPN interface (use `ifconfig` while the VPN is connected to find the interface).
- `KILLSWITCH_TRUSTED_SUBNET_PREFIXES` should include all trusted subnet prefixes, such as home or office subnet prefixes (if trusted).
- `KILLSWITCH_VPN_ENDPOINT_IPS` should include all VPN endpoint IPs. Use IP addresses rather than hostnames: pf resolves names only when the ruleset is loaded, so an endpoint whose address later changes would be blocked.
Strict anchor: blocks everything except DHCP and VPN requests.

Trusted anchor: same as strict, but additionally allows multicast DNS (mDNS) and local network requests.
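An added example, not the original guide's anchor files, that generates the strict and trusted anchors from the four `KILLSWITCH_*` variables so the two rulesets differ only in the lines the description above names. Interface names, the trusted prefix and the endpoint IPs are constructed placeholders; the `main_ruleset_lines` function assumes an anchor named `local` loaded from `/etc/pf.anchors/local.pf` (the page's symlink step), which is my reading of that step rather than something the page states.

```shell
#!/bin/sh
# Added example: emit pf anchor rules for a VPN kill switch from the
# KILLSWITCH_* variables. Values below are constructed placeholders.
KILLSWITCH_HARDWARE_INTERFACES="en0 en1"                 # all hardware interfaces in use
KILLSWITCH_VPN_INTERFACE="utun4"                         # tunnel interface while VPN is up
KILLSWITCH_TRUSTED_SUBNET_PREFIXES="10.0.1.0/24"         # home/office prefix, if trusted
KILLSWITCH_VPN_ENDPOINT_IPS="203.0.113.5 203.0.113.6"    # documentation-range placeholders

# "en0 en1" -> "{ en0 en1 }" (pf list syntax)
pf_list() { printf '{ %s }' "$1"; }

# Strict anchor: default drop, then allow only loopback, DHCP on the
# hardware interfaces, traffic to the VPN endpoints, and anything that
# already rides the tunnel interface. "quick" stops evaluation at the first
# matching pass rule, so the initial "block drop all" only catches the rest.
strict_rules() {
  hw=$(pf_list "$KILLSWITCH_HARDWARE_INTERFACES")
  vpn_ips=$(pf_list "$KILLSWITCH_VPN_ENDPOINT_IPS")
  cat <<EOF
block drop all
pass quick on lo0 all
pass out quick on $hw proto udp from any port 68 to any port 67
pass in quick on $hw proto udp from any port 67 to any port 68
pass out quick on $hw from any to $vpn_ips keep state
pass out quick on $KILLSWITCH_VPN_INTERFACE all keep state
EOF
}

# Trusted anchor: strict plus mDNS (224.0.0.251:5353) and the trusted
# local prefixes in both directions. The explicit inbound DHCP rule above is
# needed because the server's reply does not always match the outbound state.
trusted_rules() {
  hw=$(pf_list "$KILLSWITCH_HARDWARE_INTERFACES")
  trusted=$(pf_list "$KILLSWITCH_TRUSTED_SUBNET_PREFIXES")
  strict_rules
  cat <<EOF
pass quick on $hw proto udp from any to 224.0.0.251 port 5353
pass out quick on $hw from any to $trusted keep state
pass in quick on $hw from $trusted to any keep state
EOF
}

# Lines to append to /etc/pf.conf (keep Apple's own anchors above them).
# Anchor name and symlink path are assumptions of this example.
main_ruleset_lines() {
  cat <<'EOF'
anchor "local"
load anchor "local" from "/etc/pf.anchors/local.pf"
EOF
}

# Usage: sh killswitch_anchors.sh strict|trusted|main   (prints to stdout)
case "${1:-}" in
  strict)  strict_rules ;;
  trusted) trusted_rules ;;
  main)    main_ruleset_lines ;;
esac
```

Write the output to `/etc/pf.anchors/strict.pf` and `/etc/pf.anchors/trusted.pf`, syntax-check each with `sudo pfctl -n -f <file>` before it goes live, point `/etc/pf.anchors/local.pf` at the one you want, and reload with `sudo pfctl -f /etc/pf.conf`. Then test the kill switch the way the guide asks: disconnect the VPN and confirm that Internet traffic is dropped while the VPN endpoints stay reachable, and repeat after any software update since `/etc/pf.conf` may have been reset.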
`/etc/pf.anchors/local.pf` symlink

`/usr/local/sbin` directory

`/usr/local/sbin` directory

`/usr/local/sbin/strict.sh` convenience script

Use `socketfilterfw` (`/usr/libexec/ApplicationFirewall/socketfilterfw`, with `--blockapp` and the app path) to block specific apps.

`/usr/local/sbin/trusted.sh` convenience script

Use `socketfilterfw` (`--unblockapp` and the app path) to unblock specific apps (useful to allow 1Password’s local sync or a Squid proxy, for example).

`/usr/local/sbin/disabled.sh` convenience script

👍

`/etc/pf.conf` from backup

👍