vaughnhart/Firewall
These firewall rules are based around Cisco Umbrella DNS Advantage.
https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-update#section-network-access

Guidance
https://github.com/drduh/macOS-Security-and-Privacy-Guide
https://github.com/usnistgov/macos_security#readme
https://tools.cisco.com/security/center/resources/dns_best_practices
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html
https://csrc.nist.gov
https://downloads.cisecurity.org/#/
https://learn.microsoft.com/en-us/archive/blogs/secguide/
https://www.brightcloud.com/tools/url-ip-lookup.php
https://docs.umbrella.com/deployment-umbrella/docs/domain-management#section-3-internal-queries
https://support.umbrella.com/hc/en-us/articles/115004651426-CNAME-Records-with-DNS-caching-and-Umbrella

Lists:
https://iplists.firehol.org
https://firehol.org/guides/icmpv6-recommendations/#allow-incoming-destination-unreachable-messages-only-for-existing-sessions
https://www.spamhaus.org
https://www.talosintelligence.com
https://secureupdates.checkpoint.com/IP-list/TOR.txt
https://www.opendbl.net

Changelog - 11/18/22
Removed allow all apps outbound rule in Vallum - apps need to be signed.
Moved DHCP inbound rule higher in Vallum.

Changelog - 12/04/22
Removed duplicate lists (botscouts, myips, blocklist_de_strongips, blocklist_de_bots) that were already covered in firehol level2, level3, and abusers1d.
Added my system configuration script… note that it will set the machine name to my current machine name. I also removed haley_ssh since there seem to be some update errors. I also explicitly listed denies on the inbound side as per the NIST recommendations.
Changelog - 12/11/22
Added https://iplists.firehol.org/files/cruzit_web_attacks.ipset - CruzIT Web Attacks.
Updated DYNDNS Pomcounp lists in Murus and added to Vallum.
Added https://iplists.firehol.org/files/sslproxies_30d.ipset - SSL Proxies.

Changelog - 1/15/23
Removed VoIPBL list as it has errors on the FireHOL site.
Updated nations databases in Murus and Vallum.
Removed DYNDNS group from Murus rule.
Add these IPs to DYNDNS list in Vallum (the list was run together in the original and is left as it appeared):
3.130.204.1603.140.13.18818.119.154.6631.11.36.863.247.141.23577.111.240.50

Changelog 1/21/23
Added https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF as a reading resource.
DNS restriction in Murus moved to a manual rule.
Changed localnet passthru to specified ports in Vallum.
block in on egress proto tcp from any os unknown in Murus

Changelog 1/22/23
antispoof log quick for eth0 inet

Changelog 1/28/23 - script file changes ONLY
sudo /bin/launchctl disable system/com.apple.netbiosd.plist
sudo ifconfig en0 -arp
#sudo ifconfig en0 dad - did not work

Changelog 1/29/23
Added https://iplists.firehol.org/files/bds_atif.ipset
sudo launchctl disable system/netbiosd - in script

Changelog 1/31/23
Added 8443 (tcp) to custom firewall rules in Murus and Vallum for testing.

Changelog 2/1/23
Added 192.16.58.8 to UmbrellaWhitelist in Murus and Vallum.
Updated DYNDNS list in Vallum (run together in the original, left as it appeared):
31.11.36.852.71.57.18452.86.6.11374.208.236.19377.111.240.50
#######
Murus rule change - all outbound rules are custom now. Please see the Custom Rules picture in the root folder for the complete list. Example is below:
pass out log (user) proto {tcp, udp} from any to any port {548, 88, 10548, 43, 3283, 5988, 5900, 631, 515, 9100, 123, 67, 68, 22, 8443, 80} flags S/SAFR keep state

Changelog 2/2/23
########
After seeing that Murus logs showed Safari making web browser connections to Umbrella (logging them as 208.67.x.x) instead of the web address I made some changes. Vallum flows monitor showed the correct addresses.
Vallum Inbound now limits Umbrella communication to OpenDNS signed apps and DHCP to all Apple signed apps.
Vallum Outbound now limits Umbrella communication to OpenDNS signed apps, DHCP to Apple signed apps, and all apps have to go through the filtered ports.
Added DHCP in Murus options. Whatever the path is… DHCP and ICMP have to be in that category… and not the custom rules.

Changelog 2/3/23
Added a protection rule in Vallum for Vallum… trying at least.
############
Murus custom rules, mostly mirrored in Vallum (pf wants log before proto, so the igmp and esp/gre rules are written in that order here):
antispoof log quick for eth0 inet
block in log on egress proto tcp from any os unknown
block log inet6 proto ipv6-icmp from any to any
block log proto icmp from any to any
block log (user) proto {tcp, udp} from any to any port 0
block log (user) proto {tcp, udp} from any to any port 3689
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32
pass out log (user) from any to <WhiteUmbrella> flags S/SAFR keep state
pass in log (user) from <WhiteUmbrella> to any flags S/SAFR keep state
pass log proto igmp allow-opts
pass quick log from any to {224.0.0.0/4 ff00::/8} allow-opts
pass log proto {esp, gre} from any to any
pass out log (user) proto {tcp} from any to any port {80, 443, 8443, 43} flags S/SAFR keep state
pass out log (user) proto {udp} from any to any port {123} keep state
pass out log (user) proto {tcp} from any to <all-local-nets> port {22, 88, 389, 515, 548, 631, 636, 9100} flags S/SAFR keep state
pass out log (user) proto {tcp, udp} from any to <all-local-nets> port {53, 749, 3283, 5988, 5900} flags S/SAFR keep state

Changelog 2/6/23
##########
Inbound rules.
block in log proto {tcp, udp} from any to any port 0

Changelog 2/8/23
Added screenshots on the location to update the nations databases in Vallum and Murus. This is necessary for the Unknown Nation block.
##################
sudo tcpdump -i en0 -s0 -c 1100 -AeHnnttttvvv -w test.pcap
##################
Use Wireshark to see the data. tcpdump is native on Mac/Linux.
Wireshark is a GUI that makes it nice and readable.
https://www.tcpdump.org/manpages/tcpdump.1.html or https://www.tcpdump.org/index.html
https://www.wireshark.org

For those with OpenDNS Cisco Umbrella Prosumer and legacy Cisco Umbrella packages... the Legacy Categories (under Content Categories) are still there. It might mean extra monitoring (using Activity Search)... or whitelisting (Global Allowed List under Destination Lists) but you can add those categories back. In this case more is more.

Changelog 2/15/23
block log proto {tcp, udp} from any port {0, 5353} to any port {0, 5353}
Added Umbrella group back to PassList in Murus.

Changelog 2/18/23
Blocking and logging a “new” signed version of com.apple.mDNSResponder in Vallum on the inbound and outbound, while logging multicast traffic in Vallum.

Changelog 2/21/23
Another mDNSResponder was noticed in Flow Monitor… blocked on inbound.

Changelog 2/24/23
##################
To block port 5353, make the following changes in Murus and Vallum (inbound/outbound).
Remove the following rule:
pass quick log from any to {224.0.0.0/4 ff00::/8} allow-opts
It has to go because pf stops evaluating at the first matching rule marked quick, so a block added after it would never be reached for multicast (224.0.0.251 port 5353) traffic.
Add the following rules to the end of the custom rules (sscopmce is IP protocol 128):
block log (user) proto sscopmce from any to any
block proto {tcp, udp} from any to any port {5353}
Set custom rules tcp flags back to any in Murus.
#############
https://support.opendns.com/hc/en-us/articles/227988627-How-to-clear-the-DNS-Cache- - You’ll need to do this after.
#############
Clear all browsing history (your web browsers) and system cache.
https://www.tomsguide.com/how-to/how-to-clear-the-cache-on-mac
#############
Clear all saved application states.
https://osxdaily.com/2011/07/17/delete-specific-application-saved-states-from-mac-os-x-10-7-lion-resume/
#############
Empty the trash and reboot.

Changelog 3/3/23
Added 3.19.116.195 to DYNDNS block list in Vallum.

Changelog 3/6/23
There are new prerequisites for Cisco Umbrella… updated them in Murus and Vallum.
I didn’t remove anything… just added 192.229.211.108
https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-update#section-network-access
There is an issue with resolving debug.opendns.com.

Changelog 3/7/23
Added AdsYoyo blocklist from https://pgl.yoyo.org/adservers/iplist.php?ipformat=&showintro=0&mimetype=plaintext

Changelog 4/3/23
Added mask.icloud.com and mask-h2.icloud.com to Ban group in Vallum and also Global Block List in Cisco Umbrella.

Changelog 4/4/23
Added the following lines to the script file:
cd /Users
sudo chmod og-rwx *
#############
To run the script, just copy it to your Downloads folder, open Terminal, go to that directory (cd ~/Downloads) and run the following command:
sudo sh script
#############
macOS will ask you to grant the Terminal program permission to your Downloads folder.

Changelog 4/5/23
Added screenshots for the above changelog. The pictures are from OS Ventura 13.3 but are also applicable to OS Monterey.
Added the following recommendations from https://github.com/drduh/macOS-Security-and-Privacy-Guide to the script:
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler
# The paths below must not sit inside double quotes together with ~ (as they do in the drduh text),
# or the shell expands neither ~ nor * and nothing is removed. Also note that under "sudo sh script"
# ~ and $HOME are root's home (/var/root), so these per-user lines only hit your own Library
# when run as your own user.
rm -rfv ~/Library/LanguageModeling/* ~/Library/Spelling/* ~/Library/Suggestions/*
chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions
chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions
rm -rfv "$HOME/Library/Application Support/Quick Look"/*
chmod -R 000 "$HOME/Library/Application Support/Quick Look"
chflags -R uchg "$HOME/Library/Application Support/Quick Look"
sudo rm -rfv /.DocumentRevisions-V100/*
sudo chmod -R 000 /.DocumentRevisions-V100
sudo chflags -R uchg /.DocumentRevisions-V100
rm -rfv "$HOME/Library/Saved Application State"/*
rm -rfv "$HOME/Library/Containers/<APPNAME>/Saved Application State"
chmod -R 000 "$HOME/Library/Saved Application State/"
chmod -R 000 "$HOME/Library/Containers/<APPNAME>/Saved Application State"
chflags -R uchg "$HOME/Library/Saved Application State/"
chflags -R uchg "$HOME/Library/Containers/<APPNAME>/Saved Application State"
rm -rfv "$HOME/Library/Containers/<APP>/Data/Library/Autosave Information"
rm -rfv "$HOME/Library/Autosave Information"
chmod -R 000 "$HOME/Library/Containers/<APP>/Data/Library/Autosave Information"
chmod -R 000 "$HOME/Library/Autosave Information"
chflags -R uchg "$HOME/Library/Containers/<APP>/Data/Library/Autosave Information"
chflags -R uchg "$HOME/Library/Autosave Information"
rm -rfv ~/Library/Assistant/SiriAnalytics.db
chmod -R 000 ~/Library/Assistant/SiriAnalytics.db
chflags -R uchg ~/Library/Assistant/SiriAnalytics.db
defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches
sudo shutdown -r now -o

Changelog 4/10/23
Added LPI certification reading material… if you want to learn Linux and the command line.
Added a photo from my machine while at the Apple Store… showing that Apple blocks mask-h2.icloud.com on their Apple Store network using Cisco Umbrella. You have to use the Cisco Umbrella test page https://welcome.opendns.com (not www.internetbadguys.com, which redirects to the Apple web site) to see that their network is protected by Cisco Umbrella. This stance is quite different from their advertising that Apple is “safe”. Contrast that with the photo I posted showing I can’t block mask and mask-h2 on my Cisco Umbrella. I had to use the dig command instead of nslookup (which returned no values)… leading me to believe Apple doesn’t advertise their use of Cisco Umbrella. Use any of their store machines and verify what I’m saying.

Changelog 4/15/23
###############
Blocking some non-routable (martian) traffic… that shouldn’t affect anything. But some people have seen internet routing on these addresses.
Added to Ban in Vallum: 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24, 240.0.0.0/4
Created a new Murus rule, Murus_UmbrellaDNSOnly, that stops all other non-Cisco Umbrella DNS lookups. This does play well with others. It is supposed to stop DNS leaks and in the process has no local or other DNS resolution. Your home network devices will be harder to find. It might be better for coffee shops/networks you don’t manage. Plus Google… and some other ISPs/network admins have their own DNS bypass/leaks that sometimes circumvent Umbrella. This is meant to stop that. YouTube may not like that it can’t look up its own servers anymore…. just refresh the page.

Changelog 4/16/23
Created a new Vallum rule, Vallum_UmbrellaDNSOnly, that reflects the DNS leak changes.
##################
mask-api.icloud.com seems to have a lot of traffic generated to it as well in Cisco Umbrella, but NIST hasn’t added it to their recommended block list. You may want to as well. Apple’s mask*.icloud.com addresses seem to be categorized under Online Storage but are actually proxy/anonymizer or DoH and DoT. Sorta like nesting a domain name: site.example.com hosts the VPN, but example.com is for art.

Changelog 4/17/23
Added in Murus and Murus_UmbrellaDNSOnly an inbound and an outbound rule blocking all ports on IPv6:
block quick log from any to {224.0.0.0/4 ff00::/8 224.0.0.251/32 ff02::fb/128}
block log (user) proto 53 from any to any
block log (user) inet6 from any to any
(Note that proto 53 in pf is IP protocol 53, SWIPE, not TCP/UDP port 53.)
Added mask-api.icloud.com to Ban list in Vallum and Vallum_UmbrellaDNSOnly.
Added in Vallum and Vallum_UmbrellaDNSOnly:
block in ipv6 from any to any by all apps (any protocol version ipv6)
block in ipv6 from any to any by all apps (ipv6 protocol version any)
block out ipv6 from any to any by all apps (any protocol version ipv6)
block out ipv6 from any to any by all apps (ipv6 protocol version any)
Added 224.0.0.251/32 and ff02::fb/128 to MDNS group.
##################
I’m trying to kill mDNS and ICMPv6 packets in packet captures (without edge or switch control)… iCloud/AirPlay might automate these broadcasts. Fixed an error.

Changelog 4/18/23
Removed esp and gre from all profiles as per the recommendation of Cisco Umbrella. If you’re using a VPN this might break it.
Added to all Murus profiles (type 135 is Neighbor Solicitation, so this also stops IPv6 neighbor discovery on the link):
block in inet6 proto ipv6-icmp all icmp6-type {135}
block in inet6 proto ipv6-icmp all
##################
I’m hunting wabbits with the above rules… this is me trying to secure Wi-Fi with a configuration that should probably be in sysctl or a kext or a kernel config for TCP/IP. Above my scope of experience and knowledge.

Changelog 4/21/23
Vallum and Vallum_UmbrellaDNSOnly: fixed a DHCP error… I think. Captive Portal may not work with the UmbrellaDNSOnly configuration.

Changelog 4/25/23
Added a rule in Vallum_UmbrellaDNSOnly allowing Captive Portal Assistant to connect to UDP port 53 (DNS) for DHCP connections.
Added a rule in Murus_UmbrellaDNSOnly allowing all-local-nets to connect to DNS (UDP 53) only on all-local-nets so that Captive Portal can make the connections.
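Why the 2/24/23 port-5353 change insists on removing the pass quick multicast rule, and why the 4/15/23 UmbrellaDNSOnly profile can put a broad block in front of a narrower pass, comes down to pf's evaluation order: last matching rule wins, except that a matching rule marked quick is final. The following is an added illustration, not code from this repo, Murus, Vallum or pfctl: a small model of that order, run over rules copied from the entries above. Only the subset of pf syntax those rules use is understood; the Umbrella resolver addresses in the DNS-only set are an assumption, not taken from this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Packet:
    direction: str            # "in" or "out"
    proto: str                # "tcp", "udp", "ipv6-icmp", ...
    dst: str                  # destination address
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str               # "pass" or "block"
    direction: Optional[str]  # None = both directions
    quick: bool
    af: Optional[int]         # 4, 6 or None (either family)
    protos: Optional[Set[str]]
    dst_nets: Optional[list]  # None = any destination
    dports: Optional[Set[int]]


def _members(tok: str) -> List[str]:
    """Split a pf list '{a, b c}' (or a lone token) into its members."""
    return [t for t in re.split(r"[\s,]+", tok.strip("{}")) if t]


def parse_rule(text: str) -> Rule:
    """Subset of pf syntax: action, in/out, quick, inet/inet6, proto, 'to' list,
    destination port.  log, flags, keep state, allow-opts, source ports and
    <tables> are ignored by this model."""
    head = re.match(r"\s*(pass|block)(?:\s+(in|out))?\b", text)
    if not head:
        raise ValueError("unsupported rule: " + text)
    af = 6 if re.search(r"\binet6\b", text) else 4 if re.search(r"\binet\b", text) else None
    proto = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", text)
    to = re.search(r"\bto\s+(\{[^}]*\}|\S+)(?:\s+port\s+(\{[^}]*\}|\S+))?", text)
    dst_nets = dports = None
    if to and to.group(1) != "any":
        dst_nets = [ipaddress.ip_network(a, strict=False) for a in _members(to.group(1))]
    if to and to.group(2):
        dports = {int(p) for p in _members(to.group(2))}
    return Rule(head.group(1), head.group(2), bool(re.search(r"\bquick\b", text)), af,
                set(_members(proto.group(1))) if proto else None, dst_nets, dports)


def matches(rule: Rule, pkt: Packet) -> bool:
    addr = ipaddress.ip_address(pkt.dst)
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.af and rule.af != addr.version:
        return False
    if rule.protos is not None and pkt.proto not in rule.protos:
        return False
    if rule.dst_nets is not None and not any(
            n.version == addr.version and addr in n for n in rule.dst_nets):
        return False
    return rule.dports is None or pkt.dport in rule.dports


def evaluate(ruleset: List[str], pkt: Packet) -> str:
    """pf semantics: top to bottom, the LAST matching rule wins, unless a matching
    rule is 'quick', which ends evaluation there.  Unmatched packets pass."""
    verdict = "pass"
    for rule in map(parse_rule, ruleset):
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Rules from the 2/3/23 custom set plus the block the 2/24/23 entry appends.
WITH_QUICK_PASS = [
    "pass quick log from any to {224.0.0.0/4 ff00::/8} allow-opts",
    "block log (user) proto {tcp, udp} from any to any port 0",
    "block proto {tcp, udp} from any to any port {5353}",   # never reached while the quick pass exists
]
QUICK_PASS_REMOVED = WITH_QUICK_PASS[1:]

# A 'DNS only to Umbrella' set: broad block first, narrower pass after it wins for the
# resolvers.  Resolver addresses are an assumption for the example.
UMBRELLA_DNS_ONLY = [
    "block log (user) proto {tcp, udp} from any to any port 53",
    "pass out log (user) proto {tcp, udp} from any to {208.67.222.222 208.67.220.220} port 53 keep state",
]

MDNS_QUERY = Packet("out", "udp", "224.0.0.251", 5353)      # constructed sample packets
LEAKED_DNS = Packet("out", "udp", "8.8.8.8", 53)
UMBRELLA_DNS = Packet("out", "udp", "208.67.222.222", 53)


def mdns_verdicts():
    """mDNS verdict with the 'pass quick' multicast rule present, then without it."""
    return evaluate(WITH_QUICK_PASS, MDNS_QUERY), evaluate(QUICK_PASS_REMOVED, MDNS_QUERY)


def dns_only_verdicts():
    """Verdicts for a query to a third-party resolver and one to Umbrella."""
    return evaluate(UMBRELLA_DNS_ONLY, LEAKED_DNS), evaluate(UMBRELLA_DNS_ONLY, UMBRELLA_DNS)


if __name__ == "__main__":
    print("mDNS before/after removing 'pass quick':", mdns_verdicts())   # ('pass', 'block')
    print("third-party DNS / Umbrella DNS:", dns_only_verdicts())       # ('block', 'pass')
```

The same model explains the 2/6/23 and later "block in" additions: a block that is not quick only holds if no later rule passes the same packet, so order the whitelist passes after the blocks they are meant to punch through, and reach for quick only when a rule must be final regardless of what follows it.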
Changelog 4/26/23
Changed the rule in Murus_UmbrellaDNSOnly to allow all-local-nets to connect to any DNS (UDP 53) for Captive Portal connections.

Changelog 4/27/23
Fixed DHCP issues in Vallum and Vallum_UmbrellaDNSOnly. Working on Captive Portal issues. Added a new Vallum config called Test_UmbrellaPort53 which adds UDP 53 access to Umbrella apps in addition to CaptivePortal.

Changelog 5/6/23
Added screenshots for Privacy and Security Settings and Battery Configuration (OS Ventura… but the options exist in previous macOS versions - check Energy Saver).
Added additional US Government recommendation on logging. (This is for really advanced users.)

Changelog 5/9/23
Added NSA guidance on programming languages… for those advanced people who program.
Updated my contact information.
https://support.apple.com/en-us/HT201684
#######################
Testing the umask variable… but only on machines that have a single user login (changing the umask can break things on shared machines).
sudo launchctl config user umask 027
https://docs.jamf.com/customer-education/jamf-100-course/5.0/Lesson_15_Introduction_to_Scripting.html

Changelog 5/13/23
Added in Vallum and Vallum_UmbrellaDNSOnly rules that allow captiveagent to communicate with captive portals running on ports 8880 and 8843 (mainly used by Ubiquiti wireless access points).
Added in Murus and Murus_UmbrellaDNSOnly rules that allow communication to ports 8880 and 8843 for local nets only:
pass out log (user) proto {tcp} from any to <all-local-nets> port {22, 88, 389, 515, 548, 631, 636, 8880, 8843, 9100} flags any keep state
Added a LastConfig folder that serves as an archive for the previous version of ALL Vallum, Murus and script configurations (only on the iCloud site).
Added a little joke in picture form.

Changelog 5/15/23
Fixed an error in the custom list.
Worth reading:
https://attack.mitre.org - really worth reading… including the sub-categories.
https://dnsdumpster.com - didn’t know this existed.
Changelog 6/27/23
Added the new NIST guidance on OS Monterey and Ventura.

Changelog 6/28/23
Modified my U_Apple_macOS_12_V1R3_STIG_Restrictions_Policy_VAH.mobileconfig to be a bit more restrictive… this will break stuff. There is an archive version in the LastConfig folder. Please note these are only on my iCloud version.
https://www.icloud.com/iclouddrive/0Si4df9qaPgUT9KzgqsroSIcw#MurusVallum

Changelog 6/29/23
Added 207.148.248.145 to DYNDNS blocklist in Vallum rules. Check the LastConfig folder for the previous version.
Changed hostname and computername to 보쌈애인 in script.

Changelog 7/4/23
Added the following lines in Murus and Murus_UmbrellaDNSOnly (pf's skip syntax is "set skip on <interface>"):
scrub in all fragments reassemble
set skip on utun1
Added 152.195.38.76 and 192.16.49.85 to WhiteUmbrella whitelist in ALL Murus and Vallum configs.

Changelog 7/5/23
Updated the group OptionalWhiteUmbrella.txt file with the latest IP addresses from https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-update#section-dns - double check the IPs… as Cisco doesn’t publish when they made the changes and what was removed.

Changelog 07/16/23
Changed the priority of the igmp pass rule.

Changelog 07/24/23
Added the FBI IC3 report on Elderly Fraud. Please read - the elderly are losing billions to investment fraud and coins (Bitcoin, Ethereum) are at the top of the list.

Changelog 07/26/23
sudo launchctl config user umask 027 in the script has been changed to sudo launchctl config user umask 077, making it single user mode. Moved the following lines to the bottom, right before the reboot:
cd /Users
sudo chmod og-rwx *
You can run this in Terminal yourself. It secures your folders from other “users” and limits the Shared folder from being used as a place for bad guys to store stuff.

Changelog 07/27/23
Updated the picture for Cisco Umbrella Blocked Categories to reflect the addition of the Online Communities category, which is listed in the High Security setting for Cisco Umbrella.
Added a new blocklist that updates hourly - https://dataplane.org/signals/dnsversion.txt

Changelog 08/10/23
Blocking protocol 41 (IPv6 encapsulation) in Murus and Murus_UmbrellaDNSOnly:
block log (user) proto 41 from any to any
Blocking protocol 41 (IPv6 encapsulation) in Vallum and Vallum_UmbrellaDNSOnly:
block out log encap from any to any all apps
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/15-mt/ir-15-mt-book/ip6-ipoverip6-tunls.pdf
https://datatracker.ietf.org/doc/html/rfc2460
I would add this list to the Murus configurations but it’s too long to load… it lists all the IPv6 tunnels that are being routed over IPv4 servers. If you have a firewall appliance/router you may be able to load it:
https://dataplane.org/signals/proto41.txt
If you have an issue with Murus not loading the new firewall rules, please re-run the script file and then re-import the new Murus rule and save the configuration. I was seeing an error where Murus on reboot was saying unknown ruleset, and this seemed to stop it.
Also check your network Wi-Fi settings to make sure that the option for Limit IP Address Tracking (Apple VPN Relay) is not turned on again.

Changelog 08/11/23
Added sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist to the script file.

Changelog 08/15/23
Added the latest OS 13 .mil STIGs (MDM configuration files) for Ventura. The Custom Policy is really good. Free and available to the public with a warning… use at your own risk. Modified the Restrictions policy for my use. Modified a policy to test blocking Private Relay… it may not work, so check that Limit IP Address Tracking is actually off on each new Wi-Fi connection.

Changelog 8/17/23
Added U_Apple_macOS_AppControl_VAH.mobileconfig (payload applicationaccess.new) and U_Apple_macOS_PrivateRelay_VAH.mobileconfig (payload application access).
Looking to control binary access… with eventually blocking the PrivateRelay/Limit IP Address Tracking files.
https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
https://datatracker.ietf.org/doc/html/draft-ietf-quic-manageability-11/
https://datatracker.ietf.org/doc/rfc9250/

Changelog 8/18/23
https://datatracker.ietf.org/doc/html/rfc9312 - the finalized IETF version of the QUIC manageability draft above.
https://datatracker.ietf.org/wg/masque/about/
https://datatracker.ietf.org/doc/html/rfc8094
https://blog.cloudflare.com/icloud-private-relay/

Changelog 8/25/23
Updated the Global allow and block lists I use in Cisco Umbrella.

Changelog 8/26/23
Added mask.apple-dns.net to the Ban list in Vallum and Vallum_UmbrellaDNSOnly configurations. Updated the Global Block List in Cisco Umbrella to reflect adding mask.apple-dns.net.

Changelog 8/27/23
https://datatracker.ietf.org/doc/html/rfc8999 QUIC Invariants
https://datatracker.ietf.org/doc/html/rfc8546 Wire Image
https://datatracker.ietf.org/doc/html/rfc8546 QUIC Grease
https://datatracker.ietf.org/doc/html/draft-ietf-quic-version-negotiation-10 QUIC Negotiation

Changelog 8/28/23
https://datatracker.ietf.org/doc/rfc9369/ QUIC Version 2
https://datatracker.ietf.org/doc/html/rfc9002 QUIC Loss Detection and Congestion Control
https://datatracker.ietf.org/doc/html/rfc7838 HTTP Alternative Services

Changelog 8/29/23
https://www.iana.org/assignments/quic/quic.xhtml - IANA’s QUIC registry
Updated Cisco Umbrella Global Allow List.
Changed all the "changeling" to changelog.

Changelog 9/8/23
Check out https://www.murusfirewall.com/adsorb/ - a network ad filter from Murus. They also have some new stuff, but I like blocking ads for anonymity. I used a network-level one for a client for almost a decade and they got very little physical junk mail. And the same was true for me as well.

Changelog 9/10/23
Added the Adsorb 1.0.1 dmg file.
Added p59-fmip.icloud.com to my Global Allow List in Cisco Umbrella.
Check the Cisco Umbrella Lists folder on the MurusVallum iCloud share and the Global Allow List file on the GitHub site.

Changelog 9/14/23
Added p41-content.icloud.com to my Global Allow List in Cisco Umbrella. Check the Cisco Umbrella Lists folder on the MurusVallum iCloud share and the Global Allow List file on the GitHub site.
A similar product to Adsorb can be found here: https://pi-hole.net. Check it out! They provide complete network protection.

Changelog 9/15/23
The source for the ad block database is here: https://github.com/StevenBlack/hosts. This is a raw list. I also think Adsorb may interfere with Starbucks and other captive portals.

Changelog 9/18/23
Yep… Adsorb or other network-level ad blockers block ads on captive portals. You will need to whitelist the page or turn Adsorb off.
Added the string <string>/usr/libexec/wifip2pd</string> to U_Apple_macOS_AppControl_VAH.mobileconfig in an effort to block PrivateRelay, based on the following files being active in lsof when PrivateRelay was enabled.
I ran lsof and looked for all the files which had com.apple.net.netagent running or associated with their process:
com.apple.net.netagent
/usr/libexec/wifip2pd
/Users/vaughnhart/Library/Caches/GeoServices
/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
com.apple.net.utun_control
com.apple.flow-divert
/usr/libexec/networkserviceproxy
/usr/libexec/nesessionmanager
/var/run/pppconfd
/var/run/vpncontrol.sock

Changelog 9/19/23
Uploaded my Cisco Umbrella Legacy Migration Report for reference.
https://datatracker.ietf.org/wg/masque/documents/ - tunneling over UDP with QUIC.

Changelog 9/23/23
Added to script:
sudo pmset -a womp 0
sudo pmset -a sleep 1
sudo pmset -a displaysleep 2
sudo pmset -a networkoversleep 0
sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true; /bin/launchctl kickstart -k system/com.apple.locationd
sudo /usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool true
sudo /usr/sbin/systemsetup -f -setremotelogin off >/dev/null
sudo /bin/launchctl disable system/com.openssh.sshd

Changelog 9/24/23
Added to script (may be excessive for most… or make it harder to read certain files).
sudo /bin/chmod -RN /var/audit
sudo /bin/chmod -N /var/audit
sudo /bin/launchctl enable system/com.apple.auditd
sudo /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
sudo /usr/sbin/audit -i
sudo /bin/chmod -N /etc/security/audit_control
sudo /usr/bin/chgrp wheel /etc/security/audit_control
sudo /bin/chmod 440 /etc/security/audit_control
sudo /usr/sbin/chown root /etc/security/audit_control
sudo /usr/bin/chgrp -R wheel /var/audit/*
sudo /bin/chmod 440 /var/audit/*
sudo /usr/bin/chgrp wheel /var/audit
sudo /usr/sbin/chown root /var/audit
sudo /bin/chmod 700 /var/audit
sudo /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s
sudo /usr/sbin/nvram boot-args=""
sudo /usr/bin/security authorizationdb write system.login.screensaver "use-login-window-ui"

Added to U_Apple_macOS_PrivateRelay_VAH.mobileconfig:
<key>allowCloudReminders</key><false/>
<key>allowCloudAddressBook</key><false/>
<key>allowCloudCalendar</key><false/>
<key>allowCloudFreeform</key><false/>
<key>allowCloudMail</key><false/>
<key>allowCloudNotes</key><false/>
<key>allowAirDrop</key><false/>
<key>allowActivityContinuation</key><false/>
<key>forceOnDeviceOnlyDictation</key><true/>
<key>allowPasswordProximityRequests</key><false/>
<key>allowPasswordSharing</key><false/>
<key>allowAirPlayIncomingRequests</key><false/>
<key>allowDiagnos Submission</key><false/>
<key>allowApplePersonalizedAdvertising</key><false/>
<key>allowAssistant</key><false/>
<key>allowCloudBackup</key><false/>
<key>allowSharedStream</key><false/>
<key>forceAirDropUnmanaged</key><true/>
<key>forceAirPlayOutgoingRequestsPairingPassword</key><true/>
<key>allowUnmanagedToReadManagedContacts</key><false/>
<key>allowManagedToWriteUnmanagedContacts</key><false/>
<key>allowOpenFromManagedToUnmanaged</key><false/>
<key>allowOpenFromUnmanagedToManaged</key><false/>
<key>allowPairedWatch</key><false/>
<key>forceWatchWristDetection</key><true/>
<key>allowAutoUnlock</key><false/>
<key>allowHostPairing</key><false/>

Check out https://github.com/usnistgov/macos_security for the latest macOS and iOS guidance, for which I have the zip files on my iCloud share:
MSCP_Ventura_Rev_3.0.zip
MSCP_Sonoma_Rev_1.0.zip
MSCP_iOS_17_Rev_1.0.zip

Changelog 9/25/23
Added inbound block for port 631 on Vallum and Vallum_UmbrellaDNSOnly.

Changelog 9/26/23
Added p28-content.icloud.com to Cisco Umbrella Global Allow List.
Added inbound block for the Murus application in Vallum and Vallum_UmbrellaDNSOnly.
Added the new Vallum application zip… vallum-4.1.1.zip

Changelog 10/23/23
Added in Vallum and Vallum_UmbrellaDNSOnly rules to allow Cisco Secure Client network access. Fixed a port 53 issue in Vallum for Cisco/Umbrella clients as well.
Changelog 10/27/23
Added Vallum 4.1.2.zip - this seems to be a silent update that isn’t seen via the check for updates in the app… but is on the website.

Changelog 10/29/23
Fixed an issue with Vallum and Vallum_UmbrellaDNSOnly where 3rd party apps weren’t allowed communication. This also prevented updates… I think. I was unable to update to 13.6.1 and had to allow everything. These Vallum configurations may be revised shortly.

Changelog 10/30/23
Added the following iCloud sites to the Cisco Umbrella Global Allow List:
p25-content.icloud.com
p23-content.icloud.com
p27-content.icloud.com
p63-content.icloud.com
p59-sharedstreams.icloud.com

Changelog 11/6/23
Cleaned up inbound/outbound rules for Murus and Murus_UmbrellaDNSOnly.
Fixed Vallum and Vallum_UmbrellaDNSOnly rules - removing the 3rd party apps rule.

Changelog 11/12/23
Added p55-content.icloud.com to the Global Allow List in Cisco Umbrella.

Changelog 11/12/23
Added foodcoop.com to the Global Allow List in Cisco Umbrella. I’ve been a member of the Park Slope Food Coop since 2009…. What an interesting place.

Changelog 12/10/23
Added p42-content.icloud.com to the Global Allow List in Cisco Umbrella.

Changelog 12/11/23
Added dropboxexperiment.com to the Global Allow List in Cisco Umbrella.
Added the Security Technical Implementation Guides (STIGs) U_Apple_iOS-iPadOS_17_V1R1_STIG.zip and U_Apple_macOS_13_V1R3_STIG.zip from public.cyber.mil - really good!

Changelog 12/14/23
Apple changed something with mobile hotspots and how their systems work… so I needed to enable IPv6 and some other protocols…. The hunt is on for what changed. I think it was done to facilitate the QUIC protocol. More research is needed…. I just know I needed to re-enable IPv6 on Wi-Fi and Thunderbolt Bridge, remove all IPv6 blocking rules and enable IPv6 on DNS, and it looks like the sscopmce protocol is used in lookup… which I had disabled.
Still finding what changed… Vallum is broken for my mobile hotspot at least.

Changelog 12/19/23
I removed the NEW_Vallum and NEW_Murus rules as I can’t find what changed and I think it makes the machine insecure in order to get an internet connection.

Changelog 1/26/24
New Vallum and Vallum_UmbrellaDNSOnly rules… less restrictive with what process can talk to Umbrella servers, and added a block for protocol 7 (CBT - https://datatracker.ietf.org/doc/rfc2189/) on the inbound and outbound.
New Murus and Murus_UmbrellaDNSOnly rules… added the block for CBT (protocol 7).
Added theflixertv.to - free movie site - to the Umbrella Allow List.
Created a miniscript version without some of the archaic permission edits.

Changelog 1/29/24
Shaking the Vallum rules down to one profile for UmbrellaDNS_Only:
Adding inbound rule app fingerprint for port 53 for Captive Network Assistant and Cisco Secure Client
Adding inbound rule app fingerprint for group Umbrella (all addresses whitelist) for Captive Network Assistant and Cisco Secure Client
Removing IPv6 blocks for inbound
Making inbound DHCP IPv6 compatible - 67-68, 546-547
Making outbound DHCP IPv6 compatible - 67-68, 546-547
Changing outbound Captive Network Assistant to IPv6 compatible
Restricting Umbrella to the Cisco Secure Client and removing old app signatures for Umbrella Client
Removed IPv6 outbound blocks
Adding an "any" rule for protocol version on outbound rules
Removed blocks on ipv6-local-nets on the inbound and outbound side
Removed a local block for the Accordance app
Cleaned up the STIGs… I use the default ones (with some modifications from the public DoD site). :-) AppControl silences some apps on my system that I don’t like… sorta like removing apps on your iPhone.

Changelog 2/1/24
Added back the Haley SSH blocklist to Murus and Murus_UmbrellaDNSOnly - 54k+ bad SSH addresses - https://iplists.firehol.org/files/haley_ssh.ipset

Changelog 2/21/24
Fixed some multicast/igmp/ipv6 rules in Murus and Murus_UmbrellaDNSOnly.
Still have to fix Vallum…

Changelog 2/24/24
Added, as per firewalld (Linux) and the existing protocol 41 block, the IP addresses for 6to4 tunnels - 2002::/16 and 192.88.99.0/24
https://www.rfc-editor.org/rfc/rfc3964
https://insights.sei.cmu.edu/blog/exfiltration-with-ipv6-tunnels-on-windows/

Changelog 2/25/24
Added to Ban in Vallum_UmbrellaDNSOnly, as per firewalld (Linux) and the existing protocol 41 block, the IP addresses for 6to4 tunnels - 2002::/16 and 192.88.99.0/24
https://www.rfc-editor.org/rfc/rfc3964
https://insights.sei.cmu.edu/blog/exfiltration-with-ipv6-tunnels-on-windows/
Added an outbound rule to allow Cisco Secure Client to connect to any address on port 53 for DNS lookup.
Added a rule to allow the Loop Group - Trusted System Process outbound connections.
Changed DHCP to allow outbound 67 and 547 for IPv4 and IPv6 respectively.
Changed DHCP to allow inbound 68 and 546 for IPv4 and IPv6 respectively.
There may be an issue with hotspot DHCP (a protocol or Apple process that bypasses/escapes certain rules) and iCloud syncing (a hidden process I’m looking for).

Changelog 2/27/24
I switched from Cisco Meraki to Jamf Now! Way better.

Changelog 3/13/24
Removed Haley SSH from the Lists Library as it seems to be maxing out the memory usage for Murus.
https://iplists.firehol.org/files/haley_ssh.ipset
#reflected in Murus and Murus_UmbrellaDNSOnly

Changelog 4/4/24
Changed the default Restrictions and Password Policy - fixing what seemed to be issues with the Payload Identifier and the UUID Payload numbers being reused in the MDM profile, which might be my fault. But once fixed… it all worked fine. Check those Jamf/MDM logs on what’s not being applied and why. Thank you Jamf. I didn’t see the same details in Meraki.
AppControl has been updated to disable more applications. The restriction is built for a web-only system with only a few local apps.
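Most of the hunting in this changelog (the tcpdump capture from 2/8/23, the mDNS and ICMPv6 packets from 4/17 and 4/18/23, the protocol 41 block from 8/10/23 and the 6to4 prefixes above) comes down to reading a pcap and asking which packets the rules are meant to catch. The following is an added example, not code from this repo or from Murus/Vallum: a dependency-free reader for the classic pcap that tcpdump -w writes, with a classifier for exactly those findings. It handles Ethernet captures with IPv4/IPv6 and UDP/ICMPv6 headers only (no pcapng, no IPv6 extension headers). The sample capture at the bottom is constructed in memory so the script runs offline; the Umbrella resolver addresses are an assumption and should be replaced with the ones from your prerequisites page. The 6to4 decoding follows RFC 3056 (2002:V4ADDR::/48) and the relay anycast prefix RFC 3068.

```python
import ipaddress
import socket
import struct
from typing import Dict, Iterator, List, Tuple

UMBRELLA_RESOLVERS = {"208.67.222.222", "208.67.220.220"}   # assumption: Umbrella anycast resolvers
MDNS_GROUPS = {"224.0.0.251", "ff02::fb"}
SIXTOFOUR = ipaddress.ip_network("2002::/16")                # RFC 3056 6to4 prefix
RELAY_ANYCAST = ipaddress.ip_network("192.88.99.0/24")       # RFC 3068 6to4 relay anycast


def pcap_records(data: bytes) -> Iterator[bytes]:
    """Yield each frame of a classic (non-pcapng) Ethernet pcap, either byte order."""
    endian = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode(frame: bytes) -> Dict[str, object]:
    """Family, addresses, L4 protocol, UDP ports and ICMPv6 type of one Ethernet frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:                      # IPv4
        ihl = (frame[14] & 0x0F) * 4
        info = {"family": 4, "proto": frame[23],
                "src": socket.inet_ntop(socket.AF_INET, frame[26:30]),
                "dst": socket.inet_ntop(socket.AF_INET, frame[30:34])}
        l4 = frame[14 + ihl:]
    elif ethertype == 0x86DD:                    # IPv6 (extension headers not walked)
        info = {"family": 6, "proto": frame[20],
                "src": socket.inet_ntop(socket.AF_INET6, frame[22:38]),
                "dst": socket.inet_ntop(socket.AF_INET6, frame[38:54])}
        l4 = frame[54:]
    else:
        return {"family": None}
    if info["proto"] == 17 and len(l4) >= 8:     # UDP
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if info["proto"] == 58 and l4:               # ICMPv6
        info["icmp6_type"] = l4[0]
    return info


def classify(info: Dict[str, object]) -> str:
    """Name the finding for one decoded packet, or 'ok'."""
    if info.get("family") is None:
        return "ok"
    dst = ipaddress.ip_address(info["dst"])
    if info["proto"] == 41:                      # IPv6 carried inside IPv4
        return "proto41-tunnel"
    if info["family"] == 4 and dst in RELAY_ANYCAST:
        return "6to4-relay"
    if info["family"] == 6 and dst in SIXTOFOUR: # bits 16..47 are the real IPv4 target
        return f"6to4-to-{dst.sixtofour}"
    if info.get("dport") == 5353 or info["dst"] in MDNS_GROUPS:
        return "mdns"
    if info.get("dport") == 53 and info["dst"] not in UMBRELLA_RESOLVERS:
        return "dns-leak"
    if info.get("icmp6_type") in (133, 134, 135, 136):   # RS, RA, NS, NA
        return "icmpv6-nd"
    return "ok"


def audit_pcap(data: bytes) -> List[Tuple[str, str, str]]:
    """(finding, src, dst) for every packet that is not 'ok'."""
    findings = []
    for frame in pcap_records(data):
        info = decode(frame)
        finding = classify(info)
        if finding != "ok":
            findings.append((finding, info["src"], info["dst"]))
    return findings


# --- constructed sample capture (not a real trace); checksums are left zero ---
def _eth(ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ethertype) + payload


def _udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def _ipv6(src: str, dst: str, nxt: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 255,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst)) + payload


def build_pcap(frames: List[bytes]) -> bytes:
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap([
    _eth(0x0800, _ipv4("192.168.1.20", "208.67.222.222", 17, _udp(50000, 53))),  # DNS to Umbrella
    _eth(0x0800, _ipv4("192.168.1.20", "8.8.8.8", 17, _udp(50001, 53))),         # DNS elsewhere
    _eth(0x0800, _ipv4("192.168.1.20", "224.0.0.251", 17, _udp(5353, 5353))),    # mDNS
    _eth(0x86DD, _ipv6("fe80::1", "ff02::1:ff00:1", 58, bytes([135, 0, 0, 0, 0, 0, 0, 0]))),  # NS
    _eth(0x0800, _ipv4("192.168.1.20", "192.88.99.1", 41,                        # 6to4 over proto 41
                       _ipv6("2002:c0a8:114::1", "2002:c000:201::1", 17, _udp(1234, 443)))),
    _eth(0x86DD, _ipv6("fe80::1", "2002:c000:201::1", 17, _udp(1234, 443))),      # native 6to4 dst
])

if __name__ == "__main__":
    for finding, src, dst in audit_pcap(SAMPLE_PCAP):
        print(f"{finding:22} {src} -> {dst}")
```

Point it at the test.pcap from the tcpdump command above by reading the file into audit_pcap(); each finding maps to one of the rules in this changelog (dns-leak to the UmbrellaDNSOnly profiles, mdns to the 5353 block, icmpv6-nd to the icmp6-type 135 rule, proto41-tunnel and 6to4-* to the protocol 41 and 2002::/16 / 192.88.99.0/24 bans), so an empty result after loading a profile is the check that the profile is doing what the entry says.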
The idea is less attack footprint (minimal external software) and usable avenues… since everything and its grandmother now calls to the web.

Changelog 4/6/24
Removed some rules and added the macsec rules from NIST’s macOS Security (high) guidance exactly as typed. Some things are freer and some things have a definitive restriction. This is for Murus and Murus_UmbrellaDNSOnly.
Updated the AppControl to block access to the Users folder. This might be really restrictive for applications located in that folder.

Changelog 4/8/24
Added the following IP addresses to the Ban lists in DYNDNS in Vallum_UmbrellaDNSOnly (the only Vallum config). These are IP addresses that redirect to malware.
69.30.245.146
78.47.71.170
104.21.11.3152.223.29.44

Changelog 4/9/24
Updated Restrictions 3 with some new policy edits… making some things automatic. Use at risk as the originator said… that’s written wrong for a reason. Edited mini script with some passional edits to make some things harder for myself. Use at your own risk.
Removed from the Ban list in Vallum_UmbrellaDNSOnly (previously added to Ban in Vallum): 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24, 240.0.0.0/4, to allow sharing again.
Removed rule blocking multicast addresses. Added IGMP routing. Added inbound pass for Umbrella group - basically a whitelist. Changed the order for outbound DNS traffic… and added an outbound whitelist for all port 443 traffic to Umbrella.

Changelog 4/17/24
Added port 53 access for all apps to Umbrella.

Changelog 4/24/24
Added sudo /usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner" to miniscript as per the latest NIST Guidance.
Added a new Service called APNS for tcp port 5223 communications to the Apple servers in Murus and Murus_UmbrellaDNSOnly.
Added a new outbound rule in Vallum_UmbrellaDNSOnly to allow communications to APNS tcp port 5223 to Apple Services only.
Updated the latest NIST Guidance zips for Sonoma, Ventura and iOS 17 to this share.
Get all the guidance and tips and help here: https://github.com/usnistgov/macos_security

Changelog 4/28/24
Really interesting reading… no changes made to the firewalls…
https://www.wireguard.com/
https://datatracker.ietf.org/doc/html/draft-pauly-taps-transport-security-01
https://datatracker.ietf.org/doc/html/rfc8922
German hosting service $2.00 https://www.altinsoft.net/germany-linux-hosting

Changelog 5/6/24
No firewall changes: I’d recommend looking at these underlying techs to WireGuard… especially Mosh.
https://mosh.org/#techinfo
http://noiseprotocol.org
If you haven’t, please update to the Cisco Secure Client - latest version… I’m not sure if my firewall rules don’t allow notification for updates… but I had to check manually and download mine from the Cisco Umbrella website.

Changelog 5/7/24
Added a rule to Vallum_UmbrellaDNSOnly for Cisco’s Developer ID.
Removed some honeypot inbound rules. Sorry.

Changelog 5/9/24
Created a UmbrellaDNSOnly_Haley SSH profile that has the Haley SSH list added back to it. Sometimes the list causes a memory error on my M1 MacBook Air (2020). But it might run fine on all your newer (2021+) machines. http://iplists.firehol.org/?ipset=haley_ssh

Changelog 5/21/24
I am getting some errors with Murus and Murus_UmbrellaDNSOnly loading on system startup… so I am removing some lists that never update.
I am doing the following to the Ban list in Vallum:
185.94.190.158 from https://secureupdates.checkpoint.com/IP-list/IP-blacklist.txt
192.9.135.73 from https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
I have removed the following lists from this version of Murus:
Removed CruzIT Web Attacks which hasn’t been updated since 2023 http://iplists.firehol.org/?ipset=cruzit_web_attacks
Removed SpamHaus_edrop for duplicates with SpamHaus_Drop http://iplists.firehol.org/?ipset=spamhaus_edrop
Removed CyberCrime for duplicates with Firehol_WebClient http://iplists.firehol.org/?ipset=cybercrime
Removed XRoxy_30D which hasn’t been updated since 2023 http://iplists.firehol.org/?ipset=xroxy_30d
Removed the direct connection to BinaryDefense… only pulling the Firehol list. http://iplists.firehol.org/?ipset=bds_atif
I have added Haley_SSH to all Murus versions - http://iplists.firehol.org/?ipset=haley_ssh

Changelog 5/22/24
Removed the Apple Anchors from all versions of Murus configurations.

Changelog 5/27/24
Updated my modified .mil profiles to App Control 2 and Restrictions Policy 5. There were some loopholes that I think I closed and some stuff that an editor didn’t recognize.
Cleaned up Vallum_Umbrella_DNSOnly…. Removed some open rules… some stuff might break. Like captive portal assistants. Still trying to figure out Personal Hotspots on iPhone and their use of sscopemce… which I block.

Changelog 5/28/24
Added 192.229.221.95 to the Umbrella list in Vallum_UmbrellaDNSOnly… seems it was missing.

Changelog 6/1/24
Made some changes to Restrictions Policy 5… err… not changing the name. I’m using iMazing Profile Editor. It has a caveat: if you add a configuration change and then remove it, a change is made to the profile… it adds a hidden VPN configuration (or so is recorded by Jamf NOW) that prohibits it being applied. Dot those I’s and cross those T’s like crosshairs. +.
x-x

Changelog 6/11/24
Added p49-content.icloud.com and p32-content.icloud.com to the Cisco Umbrella Global Allow List.
Updated Restrictions Policy 5 with the Apple Profile updates via iMazing Profile Editor.

Changelog 6/20/24
DISA link for cybersecurity training: https://fedvte.usalearning.gov
DISA link for the general public: https://fedvte.usalearning.gov/public_fedvte.php

Changelog 9/1/24
After updating the restrictions policy - network filter extensions and the filters have to be turned back on…. Because Jamf NOW does not allow a replacement feature like Jamf Pro or Cisco Meraki, and I have to re-enable full-disk access for Vallum ES.

Changelog 9/6/24
Finally “fixed” a setting in my Restrictions Policy 5…. Lol… so it’s working properly. Updated some new settings Apple added.

Changelog 9/18/24
Restrictions Policy 6 - updated for the new OS and also Sonoma… fixed some errors… something about remote viewing with Classroom and a Dock issue. Set apps to open fullscreen.

Changelog 10/1/24
Changed the removal date for the Restrictions Policy 6 Profile. Added the Vallum 5 Umbrella_DNS_Only config. My version of Umbrella DNS is going away… I cannot renew it so I am looking for an alternative. In fact, all Home versions of Umbrella are going away. You’ll have to purchase a Corporate version at a corporate price point. Also, Cisco has removed the personal store for updating your credit cards and renewing ahead of expiration. Please be aware and tell your friends and family. You’ll lose protection on the last date of your subscription.

Changelog 10/2/24
Updated Restrictions Policy 6 to block the Improve Siri and Search options that are in Diagnostic Submissions under Privacy and Security. I am using iMazing Profile Editor and their options are not the same as listed in NIST Guidance.

Changelog 10/4/24
Stage1 and AppControl v3 are my only two mobile profiles. They are not signed.
Free to use at your own risk!

Changelog 10/16/24
Removed https://talosintelligence.com/documents/ip-blacklist and https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt - added port 2228 for ovh.net in Murus.
Vallum has an inbound block for unsigned apps. Extensions profile for Cisco and Team Murus apps called Baseline.
Updated script file.
Removed USG files… which are freely available online… also visit the CIA website for reading that is quite informative. The Freedom of Information Act. READ READ READ.

Changelog 11/7/24
Added the following IP addresses to the Umbrella whitelist group as per Cisco Talos filtering (2a04:e4c7:ffff::/48, 2a04:e4c7:fffe::/48) in both Murus and Vallum rules.

Changelog 11/26/24
Added some more OVH ranges to Murus_UmbrellaDNSOnly
Added sudo defaults write /Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool TRUE to enable login and logout scripts run as part of a MDM profile.

Changelog 11/29/24
You also need sudo defaults write /var/root//Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool TRUE to enable login and logout scripts run as part of a MDM profile.

Changelog 12/15/24
Updated Stage1 mobileconfig… with some new edits to FileVault… etc.
I’ve switched to Cisco Umbrella DNS Advantage… under a MSP license. If you need Umbrella let me know, and I can set up your instance.

Changelog 2/7/25
I added umbrella.com, opendns.com, and cisco.com to my whitelist addresses in Murus and Vallum.

Changelog 2/9/25
Sequoia ready Stage1.mobileconfig
Please note screenshot for Photos Enhanced Search disable. Really IMPORTANT!!! I don’t have a key option to disable it by profile so it must be done manually.
There is also an option in visudo (run the command in terminal: sudo visudo):
Defaults log_allowed
Defaults requiretty
Defaults tty_tickets
Defaults timestamp_timeout=0

Changelog 2/10/25
Updated script to disable Bluetooth Sharing… which I don’t use.
/usr/bin/sudo -u "$CURRENT_USER" /usr/bin/defaults -currentHost write com.apple.Bluetooth PrefKeyServicesEnabled -bool false
Please note that you will need to change the “$CURRENT_USER” to the username for the system you are using.

Changelog 3/9/25
I’m not running Murus or Vallum anymore… really none of their software at the moment. I’m switching to manually running pf. I’ve uploaded my /etc/pf.conf file.
I am running Cisco Umbrella DNS Advantage with Proxy/Application Filtering (most necessary). There is a file called bad_actors.txt which needs to be added to /etc/ along with the pf.conf file. These are IPs I’ve noted for having intrusive traffic I didn’t initiate… hacking basically. Some attacked network devices, routing on the internet, or a machine directly. I will be updating pf in the future with IP list filtering.
#command line (Terminal) pf commands:
less /etc/pf.conf (see your pf.conf file)
sudo pfctl -s all (see what’s running in pf)
sudo pfctl -n -f /etc/pf.conf (check this pf configuration file for errors)
sudo pfctl -f /etc/pf.conf (load pf with this configuration file)
sudo vi /etc/pf.conf (edit mode)
man vi - tutorial for vi editing
man pfctl - tutorial for managing pfctl (the loader for pf)

Changelog 03/17/25
macOS will clear the pf.conf file after each OS update and it has to be pf.conf. Please be aware and copy the pf.conf file I have posted back to the folder.
I am testing the following rule: antispoof for self (but having an issue with Cisco Umbrella making its connection from localhost to 127/::1 - which performs lookups)
block drop in log for any os "unknown" - this, like the rule above, will block any unknown OS (this also breaks Cisco Umbrella from connecting to itself since it’s not fingerprinted in pf.os). DHCP included! I am using block drop log out for any os "unknown" which seems safe for Cisco Umbrella.

Changelog 03/18/25
Fixed the antispoof for self rule. Everything works!
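An added example for the pf setup described above (this is example code, not the repository's own pf.conf or bad_actors.txt): a small POSIX shell script that turns a FireHOL-style ipset text file into a clean pf table file and writes the ruleset the changelog describes around it (the bad-actor table, the 6to4 / protocol 41 and protocol 7 blocks, IPv4/IPv6 DHCP passes, and the outbound os "unknown" drop). The table name `bad_actors`, the `en0` interface, the output paths and the sample list are all assumptions constructed for the demo; the file is written out rather than loaded, so you can run it through `sudo pfctl -n -f` before `sudo pfctl -f`, exactly as the pf commands above recommend.

```shell
#!/bin/sh
# Added example; not code from the vaughnhart/Firewall repository.
# Builds a pf table file from an ipset-style list and emits the rules that
# reference it. Table name, interface (en0) and paths are assumptions.

# Keep only well-formed IPv4 addresses or CIDRs. pfctl rejects the whole
# ruleset on a single malformed table entry (the old ruleset stays loaded),
# so sanitize before copying anything into /etc. Comments ('#'), blank lines
# and junk are dropped; duplicates collapse.
normalize_ipset() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$1" \
    | awk -F'[./]' 'NF == 4 || NF == 5 {
        ok = 1
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
        if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) ok = 0
        if (ok) print
    }' | LC_ALL=C sort -u
}

# Write the ruleset that references the table file.
# $1 = table file path (e.g. /etc/bad_actors.txt), $2 = rules file path.
write_pf_rules() {
    cat > "$2" <<EOF
# Generated by the example script; not the repository's pf.conf.
table <bad_actors> persist file "$1"

# Drop and log anything to or from the curated bad-actor list.
block drop in log quick from <bad_actors> to any
block drop out log quick from any to <bad_actors>

# 6to4 tunnels (RFC 3964): IPv6-in-IPv4 is protocol 41, the anycast relay
# prefix is 192.88.99.0/24 and the derived IPv6 prefix is 2002::/16.
block drop log quick proto 41 from any to any
block drop log quick from any to 192.88.99.0/24
block drop log quick from 192.88.99.0/24 to any
block drop log quick from any to 2002::/16
block drop log quick from 2002::/16 to any

# Protocol 7 (CBT, RFC 2189), blocked in both directions.
block drop log quick proto 7 from any to any

# DHCPv4 (client 68 <-> server 67) and DHCPv6 (client 546 <-> server 547).
pass out quick on en0 inet proto udp from any port 68 to any port 67
pass in quick on en0 inet proto udp from any port 67 to any port 68
pass out quick on en0 inet6 proto udp from any port 546 to any port 547
pass in quick on en0 inet6 proto udp from any port 547 to any port 546

# Drop outbound from OS fingerprints pf cannot classify. The changelog notes
# the inbound form breaks Cisco Umbrella's loopback lookups, so only out here.
block drop out log from any os "unknown"
EOF
}

# Constructed demo input (documentation ranges only), written to temp files.
demo() {
    raw=$(mktemp); table=$(mktemp); rules=$(mktemp)
    cat > "$raw" <<'EOF'
# constructed sample in FireHOL ipset layout
203.0.113.0/24   # feeds often carry a trailing comment
198.51.100.7
198.51.100.7     # duplicate, should collapse
999.1.1.1        # bad octet, must be dropped
192.0.2.0/33     # bad prefix length, must be dropped
not-an-address
EOF
    normalize_ipset "$raw" > "$table"
    write_pf_rules "$table" "$rules"
    echo "table entries:"; cat "$table"
    echo "check with: sudo pfctl -n -f $rules  (then sudo pfctl -f to load)"
}
demo
```

The validation step matters more than it looks: a feed line such as `192.0.2.0/33` or a stray comment makes `pfctl -f` fail the entire load, and on macOS that leaves whatever was loaded before (possibly nothing after an OS update wiped pf.conf) in force. Running the generated file through `pfctl -n -f` first reports syntax errors without touching the live ruleset.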
Zelle me: vaughn@aegisitnyc.com or 646-284-4291 or 347-559-1619
If you have work reach out to me!
Social Media:
https://www.linkedin.com/in/vahart
https://github.com/vaughnhart
https://www.icloud.com/iclouddrive/0Si4df9qaPgUT9KzgqsroSIcw#MurusVallum

command line quicksheet
sudo tcpdump -i en0 -s0 -c 1100 -AeHnnttttvvv -w test.pcap
sudo lsof -i -n -P
netstat -arn
arp -an
who -a
umask
sudo launchctl config user umask 077
sudo log collect --output ~/Desktop/SystemLogs.logarchive --last 20m
grep -w 'console' /private/etc/ttys
sudo defaults write /Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool TRUE
In Console search for it.murus.Vallum.AFW to see the running log