macos-fortress (net/macos-fortress) Updated: 10 months, 2 weeks ago Add to my watchlist

Firewall, Blackhole, and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers

Kernel-level, OS-level, and client-level security for macOS. Built to block attacks using open source databases, and block ads, malicious scripts, and conceal information used for web tracking. Uses PF, dshield, emergingthreats, hosts file, a filtering proxy, and a proxy autoconfiguration (PAC) file.

Version: 2024.01.11 License: MIT GitHub
Maintainers essandess
Categories net security
Homepage https://github.com/essandess/macOS-Fortress
Platforms {darwin any}
Variants
  • initialize_always (Always initialize all configuration files. Intended for development and troubleshooting only. Working deployments must disable this variant to prevent configuration files being overwritten at the next upgrade. Existing configuration files are not overwritten by default.)

Subport(s) (8)


"macos-fortress" depends on

lib (2)
build (1)

Ports that depend on "macos-fortress"

No ports


Port notes

The port macos-fortress is comprised of two independent. configurable components: the PF firewall and the proxy chain, provided by the ports:

macos-fortress-pf
macos-fortress-proxy

To check the status of all the dependent daemons and to see a count of the number of firewall attacks, run:

sudo macosfortress_setup_check.sh
sudo pf_attacks.sh

After initial installation, it is necessary to kickstart these launch daemons, which do not run at load:

sudo port load macos-fortress
sudo launchctl kickstart -k system/org.macports.macos-fortress-dshield
sudo launchctl kickstart -k system/org.macports.macos-fortress-emergingthreats
sudo launchctl kickstart -k system/org.macports.macos-fortress-hosts
sudo launchctl kickstart -k system/org.macports.adblock2privoxy

The PF configuration provides an adaptive firewall that blocks brute force attacks, and connections from IP addresses provided by the crowd-sourced lists dshield and emergingthreats. PF uses this environment variable (with default value):

${PF_CONF:-${prefix}/etc/macos-fortress/pf.conf}

To change site-specific launchd environment variables, use the launchd plist:

${prefix}/share/macos-fortress/private.myserver.launchctl-setenv.plist The proxy uses a chain of squid (port 3128) and privoxy (port 8118) along with a blackhole and CSS blocking using an nginx webserver (port 8119). Please note that this approach may not work on several browsers, including iOS Safari 15. See https://github.com/essandess/easylist-pac-privoxy/issues/21. The port macos-fortress-proxy with HTTPS inspection is recommended.

Clients may be configured to use this proxy by either host:port or the PAC file:

localhost:3128
http://localhost/proxy.pac Domain names and a blacklist file are blocked, excluding whitelisted domain names. These are provised in the files:

${prefix}/etc/macos-fortress/blacklist.txt
${prefix}/etc/macos-fortress/whitelist.txt

The proxy also provides a proxy autoconfiguration (PAC) file with blocking rules generated from easylist ad and tracker blocks. The proxy uses these environment variables (with default values):

${PROXY_HOSTNAME:-localhost}
${PROXY_PAC_SERVER:-127.0.0.1}
${PROXY_PAC_DIRECTORY:-/Library/WebServer/Documents}

To change site-specific launchd environment variables, use the launchd plist:

${prefix}/share/macos-fortress/private.myserver.launchctl-setenv.plist

The native macOS web server is used by default to host the PAC file. This web server must be launched independently with the command

sudo apachectl start A startup item has been generated that will aid in starting macos-fortress with launchd. It is disabled by default. Execute the following command to start it, and to cause it to launch at startup:

sudo port load macos-fortress


Port Health:

Loading Port Health

Installations (30 days)

7

Requested Installations (30 days)

4