macos-fortress (net/macos-fortress) Updated: 10 months, 2 weeks ago
Firewall, Blackhole, and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers. Kernel-level, OS-level, and client-level security for macOS. Built to block attacks using open-source threat databases, to block ads and malicious scripts, and to conceal information used for web tracking. Uses PF, dshield, emergingthreats, a hosts file, a filtering proxy, and a proxy autoconfiguration (PAC) file.
Version: 2024.01.11 License: MIT
Maintainers | essandess |
Categories | net security |
Homepage | https://github.com/essandess/macOS-Fortress |
Platforms | {darwin any} |
Variants | |
Subport(s) (8)
"macos-fortress" depends on
lib (2)
build (1)
Ports that depend on "macos-fortress"
No ports
Port notes
The port macos-fortress consists of two independent, configurable components, the PF firewall and the proxy chain, provided by the ports:
macos-fortress-pf
macos-fortress-proxy
To check the status of all the dependent daemons and to see a count of the attacks blocked by the firewall, run:
sudo macosfortress_setup_check.sh
sudo pf_attacks.sh
After initial installation, these launch daemons must be kickstarted, because they do not run automatically at load:
sudo port load macos-fortress
sudo launchctl kickstart -k system/org.macports.macos-fortress-dshield
sudo launchctl kickstart -k system/org.macports.macos-fortress-emergingthreats
sudo launchctl kickstart -k system/org.macports.macos-fortress-hosts
sudo launchctl kickstart -k system/org.macports.adblock2privoxy
The PF configuration provides an adaptive firewall that blocks brute-force attacks and connections from IP addresses listed in the crowd-sourced dshield and emergingthreats block lists. PF uses this environment variable (shown with its default value):
${PF_CONF:-${prefix}/etc/macos-fortress/pf.conf}
To change site-specific launchd environment variables, use the launchd plist:
${prefix}/share/macos-fortress/private.myserver.launchctl-setenv.plist
The proxy uses a chain of squid (port 3128) and privoxy (port 8118), along with a blackhole and CSS blocking served by an nginx web server (port 8119). Note that this approach may not work in several browsers, including iOS Safari 15; see https://github.com/essandess/easylist-pac-privoxy/issues/21. The port macos-fortress-proxy with HTTPS inspection is recommended.
Clients may be configured to use this proxy by either host:port or the PAC file:
localhost:3128
http://localhost/proxy.pac
Blacklisted domain names are blocked, excluding whitelisted domain names. The lists are provided in the files:
${prefix}/etc/macos-fortress/blacklist.txt
${prefix}/etc/macos-fortress/whitelist.txt
The proxy also provides a proxy autoconfiguration (PAC) file with blocking rules generated from easylist ad and tracker blocks. The proxy uses these environment variables (with default values):
${PROXY_HOSTNAME:-localhost}
${PROXY_PAC_SERVER:-127.0.0.1}
${PROXY_PAC_DIRECTORY:-/Library/WebServer/Documents}
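As an added illustration of how the PAC file, the blackhole, and the proxy chain fit together, here is a minimal PAC script in the style a browser would fetch from http://localhost/proxy.pac. This is example code written for this page, not the port's generated proxy.pac nor any other project code; the sample blacklist, whitelist and URL filter entries are constructed, the substring URL filters are a stand-in for real easylist rules, and the rule that whitelisted hosts still pass through the filtering chain is an assumption.

```javascript
// Added example (not the port's generated proxy.pac): a minimal PAC file that
// mirrors the routing the port notes describe. Blacklisted hosts and ad/tracker
// URL patterns are sent to the nginx blackhole on port 8119, everything else
// goes through the squid/privoxy chain on port 3128, and whitelisted hosts are
// excluded from blocking. List contents, filter syntax and helper names are
// assumptions for illustration.

var PROXY_HOSTNAME = "localhost";           // matches the ${PROXY_HOSTNAME} default
var PROXY_CHAIN = "PROXY " + PROXY_HOSTNAME + ":3128";
var BLACKHOLE = "PROXY " + PROXY_HOSTNAME + ":8119";

// Constructed sample data standing in for blacklist.txt / whitelist.txt and
// for a few easylist-style URL filters (substring match, a simplification).
var BLACKLIST = ["ads.example.net", "tracker.example.org"];
var WHITELIST = ["cdn.example.org"];
var URL_FILTERS = ["/banner_ads/", "/pixel.gif?", "/beacon.js"];

// Browsers expose dnsDomainIs() inside the PAC sandbox; it is defined here so
// the same file also runs under node. Matches the domain and its subdomains.
function dnsDomainIs(host, domain) {
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

function matchesAny(host, list) {
  for (var i = 0; i < list.length; i++) {
    if (dnsDomainIs(host, list[i])) return true;
  }
  return false;
}

function matchesUrlFilter(url) {
  for (var i = 0; i < URL_FILTERS.length; i++) {
    if (url.indexOf(URL_FILTERS[i]) !== -1) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Loopback and bare (dot-less) hostnames never leave the machine, so the
  // PAC file itself and local services are fetched directly.
  if (host === "localhost" || host === "127.0.0.1" || host.indexOf(".") === -1) {
    return "DIRECT";
  }
  // Whitelisted names are excluded from blocking but still pass through the
  // filtering proxy chain (assumption).
  if (matchesAny(host, WHITELIST)) return PROXY_CHAIN;
  if (matchesAny(host, BLACKLIST) || matchesUrlFilter(url.toLowerCase())) {
    return BLACKHOLE;
  }
  return PROXY_CHAIN;
}
```

The decision is made per request in the browser: a blocked request is pointed at the nginx blackhole port, and every other request still traverses squid and privoxy, so the PAC file and the proxy filters are complementary layers rather than alternatives. Because the host comparison is by domain suffix, a subdomain of a blacklisted name is blocked without listing it separately.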
To change site-specific launchd environment variables, use the launchd plist:
${prefix}/share/macos-fortress/private.myserver.launchctl-setenv.plist
The native macOS web server is used by default to host the PAC file. This web server must be launched independently with the command:
sudo apachectl start
A startup item has been generated that will aid in starting macos-fortress with launchd. It is disabled by default. Execute the following command to start it, and to cause it to launch at startup:
sudo port load macos-fortress