{"id":13587638,"url":"https://github.com/essandess/macOS-Fortress","last_synced_at":"2025-04-07T22:31:26.329Z","repository":{"id":24836825,"uuid":"28251562","full_name":"essandess/macOS-Fortress","owner":"essandess","description":"Firewall and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers with Anti-Virus On-Demand and On-Access Scanning (PF, squid, privoxy, hphosts, dshield, emergingthreats, hostsfile, PAC file, clamav)","archived":false,"fork":false,"pushed_at":"2021-11-24T02:47:52.000Z","size":1217,"stargazers_count":432,"open_issues_count":0,"forks_count":51,"subscribers_count":31,"default_branch":"master","last_synced_at":"2025-04-02T06:36:26.354Z","etag":null,"topics":["adblock","adblocking","anti-virus","antivirus","clamav","clamd","clamdscan","easylist","firewall","macos","packet-filtering","pf","privacy-enhancing-technologies","privacy-tools","privoxy","proxy","proxy-configuration","proxy-server","squid","tracker"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/essandess.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-12-20T00:21:30.000Z","updated_at":"2025-03-16T09:31:24.000Z","dependencies_parsed_at":"2022-07-27T16:33:28.111Z","dependency_job_id":null,"html_url":"https://github.com/essandess/macOS-Fortress","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/essandess%2FmacOS-Fortress","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/essandess%2FmacOS-Fortress/tags","releases_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/essandess%2FmacOS-Fortress/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/essandess%2FmacOS-Fortress/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/essandess","download_url":"https://codeload.github.com/essandess/macOS-Fortress/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247740788,"owners_count":20988270,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adblock","adblocking","anti-virus","antivirus","clamav","clamd","clamdscan","easylist","firewall","macos","packet-filtering","pf","privacy-enhancing-technologies","privacy-tools","privoxy","proxy","proxy-configuration","proxy-server","squid","tracker"],"created_at":"2024-08-01T15:06:17.844Z","updated_at":"2025-04-07T22:31:25.530Z","avatar_url":"https://github.com/essandess.png","language":"Shell","funding_links":[],"categories":["Shell","基于macOS的防护","Mac/iOS","Operating Systems","Map of the content","macOS-based defenses"],"sub_categories":["威胁狩猎","Containers","Mac OS Defences","Security","macOS/iOS","Overlay and Virtual Private Networks (VPNs)"],"readme":"macOS-Fortress\n===========\n\n# macOS-Fortress: Firewall, Blackhole, and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers; with On-Demand and On-Access Anti-Virus Scanning\n\nKernel-level, OS-level, and client-level security for macOS. 
Built to address a steady stream of attacks visible in snort and server logs, and to block ads and malicious scripts and conceal the information used to track you around the web. After this package was installed, snort and other detections fell to a fraction of their previous rate with a few simple blocking actions. This setup is far more capable and effective than a simple ad-blocking browser add-on: there is a world of difference between ad-filled web pages with and without a filtering proxy server. It's also saved me from inadvertently clicking on phishing links.\n\n## Proxy features\n* macOS PF firewall with adaptive blocking of brute-force attacks\n* IP blocks updated about twice a day from emergingthreats.net (IP blocks, compromised hosts, malvertisers) and [dshield.org](https://secure.dshield.org)’s top-20\n* Host blocks updated about twice a day from [hphosts.net](https://www.hosts-file.net)\n* HTTPS inspection using [Privoxy](http://www.privoxy.org)\n* [EasyList](https://easylist.to/index.html) tracker and adblock rules for [Privoxy](http://www.privoxy.org) with [adblock2privoxy](../../../adblock2privoxy)\n* Incorporates multiple blocking rulesets into both Privoxy and PAC formats, including [easyprivacy.txt](https://easylist.to/easylist/easyprivacy.txt), [easylist.txt](https://easylist.to/easylist/easylist.txt), [fanboy-annoyance.txt](https://easylist.to/easylist/fanboy-annoyance.txt), [fanboy-social.txt](https://easylist.to/easylist/fanboy-social.txt), [antiadblockfilters.txt](https://easylist-downloads.adblockplus.org/antiadblockfilters.txt), [malwaredomains_full.txt](https://easylist-downloads.adblockplus.org/malwaredomains_full.txt), and the anti-spamware list [adblock-list.txt](https://raw.githubusercontent.com/Dawsey21/Lists/master/adblock-list.txt).\n\n## Anti-Virus features\n* Configures [clamAV](http://www.clamav.net) for macOS with regular on-demand scans and on-access scanning of the user `Downloads` \nand `Desktop` directories.\n* See the 
[MacPorts](https://www.macports.org/) port `clamav-server` for details, `port notes clamav-server`.\n\n## Installation\n\n```bash\nsudo port install macos-fortress\nport notes macos-fortress\nsudo port load macos-fortress\n```\n\nAfter initial installation, it is necessary to kickstart these launch daemons, which run on a schedule and do not run at load time:\n\n```bash\nsudo launchctl kickstart -k system/org.macports.macos-fortress-dshield\nsudo launchctl kickstart -k system/org.macports.macos-fortress-emergingthreats\nsudo launchctl kickstart -k system/org.macports.macos-fortress-hphosts\nsudo launchctl kickstart -k system/org.macports.adblock2privoxy\nsudo launchctl kickstart -k system/org.macports.macos-fortress-easylistpac\n```\n\nThe default web server is native macOS Apache, which must be started with the command:\n```bash\nsudo apachectl start\n```\n\nNote that all files in this repo are superseded by the MacPorts port\n[macos-fortress](https://github.com/macports/macports-ports/tree/master/net/macos-fortress), including the\ndeprecated installation script [readme-and-install.sh](./readme-and-install.sh).\n\n### Firewall-only installation\n\n```bash\nsudo port install macos-fortress-pf\nport notes macos-fortress-pf\nsudo port load macos-fortress-pf\n```\n\n### Proxy-only installation\n\n```bash\nsudo port install macos-fortress-proxy\nport notes macos-fortress-proxy\nsudo port load macos-fortress-proxy\n```\n\n## Check and troubleshoot setup\n\n\u003e `sudo sh macosfortress_setup_check.sh`\n\nWorking output:\n```\nChecking macOS-Fortress installed items (run as sudo)…\n\nChecking launchd.plist files…\n[✅] /Library/LaunchDaemons/net.openbsd.pf.plist exists\n[✅] /Library/LaunchDaemons/net.openbsd.pf.brutexpire.plist exists\n[✅] /Library/LaunchDaemons/net.emergingthreats.blockips.plist exists\n[✅] /Library/LaunchDaemons/net.dshield.block.plist exists\n[✅] /Library/LaunchDaemons/net.hphosts.hosts.plist exists\n[✅] 
/Library/LaunchDaemons/com.github.essandess.easylist-pac.plist exists\n[✅] /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.plist exists\n[✅] /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.nginx.plist exists\n[✅] /Library/LaunchDaemons/org.squid-cache.squid-rotate.plist exists\n[✅] /Library/LaunchDaemons/org.macports.Privoxy.plist exists\n[✅] /Library/LaunchDaemons/org.macports.clamd.plist exists\n[✅] /Library/LaunchDaemons/org.macports.freshclam.plist exists\n[✅] /Library/LaunchDaemons/org.macports.ClamavScanSchedule.plist exists\n[✅] /Library/LaunchDaemons/org.macports.ClamavScanOnAccess.plist exists\n\nChecking launchd.plist's. These should all be installed with return\ncode 0 (2d column of `sudo launchctl list`)…\n[✅]\t-\t0\tcom.github.essandess.easylist-pac\n[✅]\t-\t0\tnet.dshield.block\n[✅]\t91695\t0\torg.macports.ClamdScanOnAccess\n[✅]\t-\t0\torg.macports.freshclam\n[✅]\t-\t0\tnet.openbsd.pf\n[✅]\t-\t0\tcom.github.essandess.adblock2privoxy\n[✅]\t35403\t0\torg.macports.clamd\n[✅]\t-\t0\torg.macports.ClamavScanSchedule\n[✅]\t-\t0\tnet.openbsd.pf.brutexpire\n[✅]\t-\t0\tnet.emergingthreats.blockips\n[✅]\t36183\t0\torg.macports.Privoxy\n[✅]\t5578\t0\tcom.github.essandess.adblock2privoxy.nginx\n[✅]\t-\t0\tnet.hphosts.hosts\n\nChecking PF files…\n[✅] /etc/pf.conf exists\n[✅] /usr/local/etc/blockips.conf exists\n[✅] /usr/local/etc/emerging-Block-IPs.txt exists\n[✅] /usr/local/etc/compromised-ips.txt exists\n[✅] /usr/local/etc/dshield_block_ip.txt exists\n[✅] /usr/local/etc/block.txt exists\n[✅] /usr/local/etc/block.txt.asc exists\n\nChecking PF…\n[✅] PF is enabled and running\n\nChecking hphosts files…\n[✅] /etc/hosts-hphosts exists\n[✅] /usr/local/etc/hosts.zip exists\n[✅] /usr/local/etc/hphosts-partial.asp exists\n[✅] /usr/local/etc/whitelist.txt exists\n[✅] /usr/local/etc/blacklist.txt exists\n\nChecking /etc/hosts-hphosts creation…\n[✅] /etc/hosts-hphosts exists\n\nChecking proxy PAC and proxy chain files…\n[✅] 
/Library/WebServer/Documents/proxy.pac.orig exists\n[✅] /Library/WebServer/Documents/proxy.pac exists\n[✅] /usr/local/bin/easylist_pac.py exists\n[✅] /usr/local/bin/adblock2privoxy exists\n[✅] /usr/local/etc/proxy.pac exists\n[✅] /usr/local/etc/adblock2privoxy/nginx.conf exists\n[✅] /usr/local/etc/adblock2privoxy/css/default.html exists\n[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.action exists\n[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.filter exists\n[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.system.action exists\n[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.system.filter exists\n[✅] /opt/local/etc/privoxy/config exists\n[✅] /opt/local/var/log/privoxy/logfile exists\n\nChecking proxy status…\n[✅] Privoxy is running properly\n[✅] Privoxy config http://p.p/ via http://localhost:3128 is running properly\n[✅] nginx is running properly\n[✅] PAC /Library/WebServer/Documents/proxy.pac.orig passes Javascript parsing\n[✅] PAC /Library/WebServer/Documents/proxy.pac passes Javascript parsing\n[✅] Web server for http://localhost/proxy.pac is running properly\n[✅] Blackhole server for http://localhost:8119/ is running properly\n```\n\n## Disabling\n\n```\nsudo port unload macos-fortress\n```\n\nor\n\n```\nsudo port uninstall macos-fortress\n```\n\nThis repo is superseded by the MacPorts port\n[macos-fortress](https://github.com/macports/macports-ports/tree/master/net/macos-fortress), including the\ndeprecated disable/uninstall script [disable.sh](./disable.sh), which was originally used to unload all launch daemons, \ndisable the pf firewall, and list all installed files **without** removing them.\n\n## Configuration modifications\n\nThere are three major, independent, and configurable components to the repo: the PF firewall, the proxy chain, and the\nAV scanner. 
Here are a few configuration pointers.\n\n### PF firewall\n\nThe file [pf.conf](./pf.conf) controls the firewall ruleset and will likely need editing for the specific computer and network, or \nfor a VPN server [configuration](../../../macos-openvpn-server/pf.conf).\n\n* The PF firewall can be disabled with the command:\n\u003e `sudo pfctl -d`\n* The variable `int_if` for the internal interface is set to `en0`. This should be changed to the active interface on your \ncomputer, which can be determined with the command `ifconfig -a`, or more specifically:\n\u003e `ifconfig | pcregrep -M -o '^[^\\t:]+:([^\\n]|\\n\\t)*status: active' | egrep -o -m 1 '^[^\\t:]+'`\n* The table `\u003clan_inet\u003e` is set to the RFC 1918 private ranges `{ 10/8, 172.16/12, 192.168/16 }`. This must be changed\nto the CIDR ranges actually used on the specific LAN, because the rules that reference it are what grant LAN-only access.\n* Services that should be reachable only from the LAN, and those reachable from the open internet, should be chosen and set in the corresponding \nvariables; see `/etc/services` for the port names.\n* The PF firewall ruleset can be flushed, enabled, and reinitialized with the command below. Note that `-Fall` also flushes states and tables, so open connections and the adaptive `\u003cbruteforce\u003e` entries are dropped:\n\u003e `sudo pfctl -Fall \u0026\u0026 sudo pfctl -ef /etc/pf.conf`\n* See the `pfctl` commands in the script [pf_attacks](./pf_attacks) to determine IP addresses and counts for the various \nblocked IPs. E.g., the adaptive table `\u003cbruteforce\u003e` is shown using the command:\n\u003e `sudo pfctl -t bruteforce -Ts`\n\n### Proxy\n\nPrivoxy on port 8118 is configured in [config](./config) to send web requests to the internet, with HTTPS inspection configured to\nblock content inside TLS-encrypted tunnels, which carry the great majority of web content. HTTPS inspection works by having Privoxy re-sign server certificates with its own CA, so every client that uses the proxy must trust that CA certificate; otherwise inspected sites fail certificate validation. An auxiliary nginx web server for CSS-based \nelement hiding is configured on port 8119. 
Privoxy `.action` and `.filter` files, and nginx `.css` files, are created from EasyList rules \nusing the repo [adblock2privoxy](../../../adblock2privoxy).\n\nBrowsing to the Privoxy configuration page http://p.p/ through any of these proxy configurations is a quick check that the \nproxy is running and configured correctly.\n\nTo provide these services on a firewalled LAN, edit the Privoxy and nginx configuration files\n[config](./config) and [nginx.conf](../../../adblock2privoxy//nginx.conf) so that they're \navailable to devices on the LAN, or to devices connecting from a [VPN tunnel](../../../macos-openvpn-server/).\n\n### MacPorts updates\n\nUpdate MacPorts packages regularly. This command will update the MacPorts database, upgrade all installed packages, and uninstall all older, inactive versions.\n\n`sudo bash -c 'port selfupdate ; port -puN upgrade outdated ; port uninstall inactive'`\n\n### Warning about Privoxy compression\n\nThough it's possible to build Privoxy with the `configure` `--enable-compression` option, \ncompressed HTTP traffic within a [VPN tunnel](../../../macos-openvpn-server) exposes your traffic to\ncompression-oracle attacks such as CRIME and [VORACLE](https://openvpn.net/security-advisory/the-voracle-attack-vulnerability/), in which an attacker who can inject chosen plaintext into the stream infers secrets from the compressed size, and is generally not \nrecommended.\n\n## Installation details\nThe MacPorts port\n[macos-fortress](https://github.com/macports/macports-ports/tree/master/net/macos-fortress)\n(`sudo port install macos-fortress`) installs and configures a macOS Firewall and Privatizing\nProxy. 
It will:\n* Use MacPorts to download and install several key utilities and applications (wget gnupg p7zip squid privoxy nmap)\n* Configure macOS's native PF firewall (`man pfctl`, `man pf.conf`) and Privoxy\n* Allow networking on the local computer to be set up to use this Automatic Proxy Configuration without breaking App Store or other updates (see the Privoxy config)\n* Leave the `nat` directive in pf.conf for you to uncomment if you wish to set up an [OpenVPN server](../../../macos-openvpn-server)\n* Install and launch daemons that download and regularly update open source IP and host blacklists. The sources are emergingthreats.net (net.emergingthreats.blockips.plist), dshield.org (net.dshield.block.plist), and hosts-file.net (net.hphosts.hosts.plist)\n\nAfter installation the connection between clients and the internet looks like this:\n\n\u003e **Application** :arrow_right: **`proxy.pac`** :arrow_right:port 8118:arrow_right: **Privoxy**  :arrow_right: **Internet**\n\nAn auxiliary nginx-based web server (nominally on `localhost:8119`) is used both as a `proxy.pac` ad and tracker blackhole and to serve the CSS element-hiding rules for the Privoxy configuration generated by [adblock2privoxy](../../../adblock2privoxy).\n\n## Public Service Announcement \n\nThis firewall is configured to block all known tracker and adware content—in the browser, in-app, wherever it finds them. Many websites now offer an additional way to block ads: subscribe to their content. Security and privacy will always necessitate ad blocking, but now that this software has become mainstream, with mainstream effects, ad blocker users should consider the [potential impact](http://arstechnica.com/business/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love/) of ad blocking on the writers and publications that are important to them. 
Personally, two publications that I gladly pay for, especially for their important 2016 US Presidential election coverage, are the *[New York Times](http://www.nytimes.com)* and *[The Atlantic](http://www.theatlantic.com)*. I encourage all users to subscribe to their own preferred publications and writers.\n\n\n## Tracker blocking\n\n[Lightbeam](https://www.mozilla.org/en-US/lightbeam/), the tracking-tracker Firefox add-on, shows how ad and tracker blocking works to prevent third parties from monitoring your or your children's online activities. My daughter enjoys the learning exercises at the children's website [ABCya!](http://www.abcya.com). The Lightbeam graph below on the left shows all the third-party trackers after less than a minute of browser activity, without using a privatizing proxy. The graph on the right shows all this tracker activity blocked when this privatizing proxy is used.\n\n\n![Lightbeam graph without proxy](Lightbeam_noproxy.png)| ![Lightbeam graph with proxy](Lightbeam_proxy.png)\n------------ | -------------\nLightbeam graph without proxy | Lightbeam graph with proxy\n\nThis problem is the subject of Gary Kovacs's TED talk, *Tracking Our Online Trackers:*\n\n[![Tracking our online trackers](https://www.wired.com/images_blogs/business/2012/02/6792752454_99d91d2a92_z.jpg)](https://www.youtube.com/watch?v=f_f5wNw-2c0 \"Tracking our online trackers\")\n\n\n## Attack blocking\n\nThe snort intrusion detection system reports far fewer events when known attack sites are blackholed by the packet filter:\n\n![snort+BASE Overview](BASE_Overview.PNG)| ![snort+BASE Events](BASE_Events.PNG)\n------------ | -------------\nsnort+BASE Overview | snort+BASE Events\n\n## Notes\n\n* Configure the squid proxy to accept connections on the LAN IP and set LAN devices' Automatic Proxy Configuration to http://lan_ip/proxy.pac to protect devices on the LAN.\n* Count the number of attacks since boot with the script pf_attacks. 
\"Attack\" is defined as the number of blocked IPs in PF's bruteforce table plus the number of denied connections from blacklisted IPs in the tables compromised_ips, dshield_block_ip, and emerging_threats.\n* Both squid and Privoxy are configured to forge the User-Agent. The default is an iPad, to allow mobile device access. Change this to your local needs if necessary.\n* Whitelist or blacklist specific domain names with the files `/usr/local/etc/whitelist.txt` and `/usr/local/etc/blacklist.txt`. After editing these files, use launchctl to unload and load the plist `/Library/LaunchDaemons/net.hphosts.hosts.plist`, which recreates the hosts file `/etc/hosts-hphosts` and reconfigures the squid proxy to use the updates.\n* Sometimes pf and privoxy do not launch at boot, in spite of their launch daemons. Fix this by hand after boot with the script `macosfortress_boot_check`, or individually using `pf_restart`, `privoxy_restart`, and `squid_restart`. And please post a solution if you find one.\n* All open source blocklist updates are done using the `wget -N` option, which only fetches a file that is newer than the local copy, to save everyone's bandwidth\n\n## Security\n\n* These services are intended to be run on a secure LAN behind a router firewall.\n* The default proxy configuration will only accept connections made from the local computer (localhost). If you change this to accept connections from any client on your LAN, do not configure the router to forward port 8118 (or the squid port, 3128), or you will be running an open web proxy that anyone on the internet can use to relay traffic through your address.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fessandess%2FmacOS-Fortress","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fessandess%2FmacOS-Fortress","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fessandess%2FmacOS-Fortress/lists"}
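Two of the README's statements above are checkable rather than just descriptive: the Notes section's definition of an "attack" (blocked IPs in the `<bruteforce>` table plus denied connections from the `<compromised_ips>`, `<dshield_block_ip>` and `<emerging_threats>` tables), and the Security section's warning that a Privoxy listening on the LAN with a forwarded port is an open proxy. The script below is an added example written for this page, not a script from the macOS-Fortress project or its `pf_attacks` tool. It parses the text of `pfctl -t <table> -Ts` and `pfctl -vsr` to compute the attack count, and audits a Privoxy config's `listen-address` and `permit-access` lines. The function names, the assumption that `pfctl -vsr` prints a `[ Evaluations: … Packets: … ]` counter line under each rule, and all sample input (constructed, not captured from a host) are mine. Two caveats the README does not state: PF rule counters count packets, not connections, and they are reset by `pfctl -Fall` and by every ruleset reload, so the figure is "since the last load" rather than strictly "since boot".

```shell
#!/bin/sh
# Added example for this page (not a script from macOS-Fortress): two checks the README
# describes in prose. Function names and the sample pfctl/Privoxy text are assumptions;
# the samples are constructed, not captured from a host.

# ---- Attack count, as the README defines it --------------------------------------------
# blocked IPs in <bruteforce> + packets dropped by the block rules whose source is one of
# <compromised_ips>, <dshield_block_ip>, <emerging_threats>. PF rule counters are reset by
# `pfctl -Fall` and by every ruleset reload, so the figure is "since the last load".

# stdin: output of `pfctl -t <table> -Ts` (one address or CIDR per line). Prints the count.
count_table_entries() {
    awk 'NF == 1 && $1 ~ /^[0-9A-Fa-f.:]+(\/[0-9]+)?$/ { n++ } END { print n + 0 }'
}

# stdin: output of `pfctl -vsr`; arguments: table names. pfctl prints a counter line
# "  [ Evaluations: N  Packets: N  Bytes: N  States: N ]" under each rule (assumed format);
# this sums the Packets counter of every block rule that reads "from <table> ".
sum_denied_packets() {
    awk -v tables="$*" '
        BEGIN { n = split(tables, t, " "); for (i = 1; i <= n; i++) want["<" t[i] ">"] = 1 }
        /^[^[:space:]]/ {                 # rule line: decide whether its counters count
            take = 0
            if ($1 == "block") { for (w in want) if (index($0, "from " w " ") > 0) take = 1 }
            next
        }
        take && /^[[:space:]]*\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") total += $(i + 1)
            take = 0
        }
        END { print total + 0 }'
}

# $1 = text of `pfctl -t bruteforce -Ts`, $2 = text of `pfctl -vsr`. Prints the attack count.
attack_count() {
    blocked=$(printf '%s\n' "$1" | count_table_entries)
    denied=$(printf '%s\n' "$2" | sum_denied_packets compromised_ips dshield_block_ip emerging_threats)
    echo $((blocked + denied))
}

# ---- Open-proxy check on the Privoxy config (the Security section's warning) ------------
# $1 = text of the Privoxy config. Prints "ok" when every listen-address is loopback,
# "restricted" when a non-loopback listen-address is paired with permit-access lines, and
# "OPEN PROXY" when it is not: Privoxy accepts every client if no permit-access line exists.
privoxy_exposure() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "listen-address" { if ($2 !~ /^(127\.[0-9.]+|\[::1\]|localhost):/) ext++ }
        $1 == "permit-access" { permits++ }
        END {
            if (ext == 0) print "ok"
            else if (permits > 0) print "restricted"
            else print "OPEN PROXY"
        }'
}

# ---- Constructed sample input ------------------------------------------------------------
SAMPLE_BRUTEFORCE='   198.51.100.7
   203.0.113.42
   203.0.113.99'
SAMPLE_RULES='block drop in log quick on en0 inet from <compromised_ips> to any
  [ Evaluations: 1200      Packets: 17        Bytes: 1020       States: 0     ]
block drop in log quick on en0 inet from <dshield_block_ip> to any
  [ Evaluations: 1183      Packets: 5         Bytes: 300        States: 0     ]
block drop in log quick on en0 inet from <emerging_threats> to any
  [ Evaluations: 1178      Packets: 9         Bytes: 540        States: 0     ]
pass in on en0 inet proto tcp from <lan_inet> to (en0) port = ssh flags S/SA keep state
  [ Evaluations: 1169      Packets: 400       Bytes: 51200      States: 3     ]'
PRIVOXY_LOOPBACK='listen-address  127.0.0.1:8118'
PRIVOXY_LAN_OPEN='listen-address  192.168.1.1:8118'
PRIVOXY_LAN_RESTRICTED='listen-address  192.168.1.1:8118
permit-access   192.168.1.0/24'

echo "attacks (sample data): $(attack_count "$SAMPLE_BRUTEFORCE" "$SAMPLE_RULES")"        # 34
echo "privoxy loopback only: $(privoxy_exposure "$PRIVOXY_LOOPBACK")"                     # ok
echo "privoxy on LAN, no permit-access: $(privoxy_exposure "$PRIVOXY_LAN_OPEN")"          # OPEN PROXY
echo "privoxy on LAN with permit-access: $(privoxy_exposure "$PRIVOXY_LAN_RESTRICTED")"   # restricted

# On the macOS host itself (as root) the same functions run over live data:
#   attack_count "$(pfctl -t bruteforce -Ts)" "$(pfctl -vsr)"
#   privoxy_exposure "$(cat /opt/local/etc/privoxy/config)"
```

A "restricted" result only means Privoxy itself filters by source address; the router must still not forward the proxy port, as the Security section says. On the PF side, the flush-and-reload one-liner in the PF firewall section replaces the live ruleset in one step, so it is worth running `sudo pfctl -nf /etc/pf.conf` first: `-n` parses the file without loading it, and a syntax error in an edited `pf.conf` is then caught before `-Fall` has already dropped the old rules and states.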