Murus (pf) and Vallum (afw?) configurations layered with Cisco Umbrella and Firehol. Test it and let me know what you think! It's free for all!

vaughnhart/Firewall

These firewall rules are based around Cisco Umbrella or OpenDNS Umbrella Prosumer.
https://www.opendns.com/home-internet-security/
https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-update#section-network-access
You will need a license for Murus Pro… which should bundle Vallum firewall as well. You’ll need them both. This is a restricted IPv4-only config.
https://help.vallumfirewall.com/index.php?chapter=log - Vallum Logging

Guidance
https://github.com/drduh/macOS-Security-and-Privacy-Guide
https://github.com/usnistgov/macos_security#readme
https://tools.cisco.com/security/center/resources/dns_best_practices
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html
https://csrc.nist.gov
https://downloads.cisecurity.org/#/
https://learn.microsoft.com/en-us/archive/blogs/secguide/
https://www.brightcloud.com/tools/url-ip-lookup.php
https://docs.umbrella.com/deployment-umbrella/docs/domain-management#section-3-internal-queries
https://support.umbrella.com/hc/en-us/articles/115004651426-CNAME-Records-with-DNS-caching-and-Umbrella

Lists:
https://iplists.firehol.org
https://firehol.org/guides/icmpv6-recommendations/#allow-incoming-destination-unreachable-messages-only-for-existing-sessions
https://www.spamhaus.org
https://www.talosintelligence.com
https://secureupdates.checkpoint.com/IP-list/TOR.txt
https://www.opendbl.net

Changelog - 11/18/22

Removed allow all apps outbound rule in Vallum  - apps need to be signed.
Moved dhcp inbound rule higher in Vallum.

Changelog - 12/04/22
Removed duplicate lists (botscouts, myips, blocklist_de_strongips, blocklist_de_bots that were already covered in firehol level2, level3, and abusers1d)
Added my system configuration script… note that it will name it to my current machine name.
I also removed haley_ssh since there seem to be some update errors. I also explicitly listed denies on the inbound side as per the NIST recommendations.

Changelog - 12/11/22
Added https://iplists.firehol.org/files/cruzit_web_attacks.ipset - CruzIT Web Attacks.
Updated DYNDNS Pomcounp lists in Murus and added to Vallum.
Added https://iplists.firehol.org/files/sslproxies_30d.ipset - SSL Proxies.

Changelog - 1/15/23
Removed VoIPBL list as it has errors on the Firehol site.
Updated nations databases in Murus and Vallum
Removed DYNDNS group from Murus rule
Added these IPs to DYNDNS list in Vallum:
3.130.204.160
3.140.13.188
18.119.154.66
31.11.36.8
63.247.141.235
77.111.240.50

Changelog 1/21/23
Added https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF as a reading resource.
DNS restriction in Murus to manual rule
Changed localnet passthru to specified ports in Vallum.
block in on egress proto tcp from any os unknown in Murus

Changelog 1/22/23
antispoof log quick for eth0 inet

Changelog 1/28/23 - script file changes ONLY
sudo /bin/launchctl disable system/com.apple.netbiosd.plist
sudo ifconfig en0 -arp
#sudo ifconfig en0 dad - did not work

changelog 1/29/23
Added https://iplists.firehol.org/files/bds_atif.ipset
sudo launchctl disable system/netbiosd - in script

changelog 1/31/23
Added 8443 (tcp) to custom firewall rules in Murus and Vallum for testing.

Changelog 2/1/23
Added 192.16.58.8 for UmbrellaWhitelist in Murus and Vallum.
Updated DYNDNS list in Vallum:
31.11.36.8
52.71.57.184
52.86.6.113
74.208.236.193
77.111.240.50
#######Murus rule change - all outbound rules are custom now. Please see Custom Rules picture in root folder for complete list. Example is below: 
pass out log (user) proto {tcp, udp} from any to any port  {548, 88, 10548, 43, 3283, 5988, 5900, 631, 515, 9100, 123, 67, 68, 22, 8443, 80} flags S/SAFR keep state

Changelog 2/2/23
########after seeing that Murus logs showed Safari making web browser connections to Umbrella (logging them as 208.67.x.x) instead of the web address I made some changes. Vallum flows monitor showed the correct addresses. 
Vallum Inbound now limits Umbrella communication to OpenDNS signed apps and DHCP to all Apple signed apps
Vallum Outbound now limits Umbrella communication to OpenDNS signed apps, DHCP to Apple signed apps, and all apps have to go through the filtered ports. 
Added DHCP in Murus options. Whatever the path is… DHCP and ICMP have to be in that category… and not the custom rules. 

Changelog 2/3/23
Added a protection rule in Vallum for Vallum… trying at least.
############Murus Custom rules mostly mirrored in Vallum
antispoof log quick for eth0 inet
block in log on egress proto tcp from any os unknown
block log inet6 proto ipv6-icmp from any to any
block log proto icmp from any to any
block log (user) proto {tcp, udp} from any to any port 0
block log (user) proto {tcp, udp} from any to any port 3689
block in log from any to 255.255.255.255
block in log from any to 127.0.0.1/32
pass out log (user) from any to <WhiteUmbrella> flags S/SAFR keep state
pass in log (user) from <WhiteUmbrella> to any flags S/SAFR keep state
pass log proto igmp allow-opts
pass log quick from any to {224.0.0.0/4 ff00::/8} allow-opts
pass log proto {esp, gre} from any to any
pass out log (user) proto {tcp} from any to any port {80, 443, 8443, 43} flags S/SAFR keep state
pass out log (user) proto {udp} from any to any port {123} keep state
pass out log (user) proto {tcp} from any to <all-local-nets> port {22, 88, 389, 515, 548, 631, 636, 9100} flags S/SAFR keep state
pass out log (user) proto {tcp, udp} from any to <all-local-nets> port {53, 749, 3283, 5988, 5900} flags S/SAFR keep state

Changelog 2/6/23
##########inbound rules.
block in log proto {tcp, udp} from any to any port 0

Changelog 2/8/23
Added screenshots on the location to update the nations databases in Vallum and Murus. This is necessary for the Unknown Nation block. 

##################sudo tcpdump -i en0 -s0 -c 1100 -AeHnnttttvvv -w test.pcap
##################Use Wireshark to see the data. Tcpdump is native on Mac/Linux. Wireshark is a GUI that makes it nice and readable. 
https://www.tcpdump.org/manpages/tcpdump.1.html or https://www.tcpdump.org/index.html
https://www.wireshark.org

For those with OpenDNS Cisco Umbrella Prosumer and legacy Cisco Umbrella packages... the Legacy Categories (under Content Categories) are still there. It might mean extra monitoring (using Activity Search)... or whitelisting (Global Allowed List under Destinations Lists)  but you can add those categories back. In this case more is more.

Changelog 2/15/23
block log proto {tcp, udp} from any port {0, 5353} to any port {0, 5353}
Added Umbrella group back to PassList in Murus.

Changelog 2/18/23
Blocking and logging a “new” signed version of com.apple.mDNSResponder in Vallum on the inbound and outbound, while logging multicast traffic in Vallum.

changelog 2/21/23
Another mdnsresponder was noticed in Flow Monitor… blocked on inbound. 

changelog 2/24/23 
##################to block port 5353, make the following changes - in Murus and Vallum (inbound/outbound)
remove the following rule
 pass log quick from any to {224.0.0.0/4 ff00::/8} allow-opts
add the following rules to the end of the custom rules
 block log (user) proto sscopmce from any to any
 block proto {tcp, udp} from any to any port {5353}
Set custom rules tcp flags back to any in Murus. 
############# https://support.opendns.com/hc/en-us/articles/227988627-How-to-clear-the-DNS-Cache- - You’ll need to do this after
############# clear all browsing history (your web browsers) and system cache. https://www.tomsguide.com/how-to/how-to-clear-the-cache-on-mac
############# clear all saved application states https://osxdaily.com/2011/07/17/delete-specific-application-saved-states-from-mac-os-x-10-7-lion-resume/
############# empty the trash and reboot

changelog 3/3/23
Added 3.19.116.195 to DYNDNS block list in Vallum 

changelog 3/6/23
There are new prerequisites for Cisco Umbrella… updated them in Murus and Vallum. I didn’t remove anything… just added 192.229.211.108
https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-update#section-network-access
There is an issue with resolving debug.opendns.com 

changelog 3/7/23
Added AdsYoyo blocklist from https://pgl.yoyo.org/adservers/iplist.php?ipformat=&showintro=0&mimetype=plaintext

changelog 4/3/23
Added mask.icloud.com and mask-h2.icloud.com to Ban group in Vallum and also Global Block List in Cisco Umbrella. 

changelog 4/4/23
Added the following lines to the script file:
cd /Users
sudo chmod og-rwx *
############# to run the script just copy to your Downloads folder and open terminal and go to that directory (cd ~/Downloads) and run the following command: sudo sh script 
############# Mac OS will ask you to grant the Terminal program permissions to your Downloads folder.

Changelog 4/5/23
added screenshots for the above changelog. The pictures are from OS Ventura 13.3 but are also applicable to OS Monterey. 
added the following recommendations from https://github.com/drduh/macOS-Security-and-Privacy-Guide to the script:
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason
rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data
sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler
rm -rfv ~/Library/LanguageModeling/* ~/Library/Spelling/* ~/Library/Suggestions/*
chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions
chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions
rm -rfv ~/"Library/Application Support/Quick Look"/*
chmod -R 000 ~/"Library/Application Support/Quick Look"
chflags -R uchg ~/"Library/Application Support/Quick Look"
sudo rm -rfv /.DocumentRevisions-V100/*
sudo chmod -R 000 /.DocumentRevisions-V100
sudo chflags -R uchg /.DocumentRevisions-V100
rm -rfv ~/"Library/Saved Application State"/*
rm -rfv ~/"Library/Containers/<APPNAME>/Saved Application State"
chmod -R 000 ~/"Library/Saved Application State/"
chmod -R 000 ~/"Library/Containers/<APPNAME>/Saved Application State"
chflags -R uchg ~/"Library/Saved Application State/"
chflags -R uchg ~/"Library/Containers/<APPNAME>/Saved Application State"
rm -rfv ~/"Library/Containers/<APP>/Data/Library/Autosave Information"
rm -rfv ~/"Library/Autosave Information"
chmod -R 000 ~/"Library/Containers/<APP>/Data/Library/Autosave Information"
chmod -R 000 ~/"Library/Autosave Information"
chflags -R uchg ~/"Library/Containers/<APP>/Data/Library/Autosave Information"
chflags -R uchg ~/"Library/Autosave Information"
rm -rfv ~/Library/Assistant/SiriAnalytics.db
chmod -R 000 ~/Library/Assistant/SiriAnalytics.db
chflags -R uchg ~/Library/Assistant/SiriAnalytics.db
defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches
sudo shutdown -r now -o

changelog 4/10/23
added LPI certification reading material… if you want to learn Linux and command line
added a photo from my machine while at the Apple Store… showing that Apple blocks mask-h2.icloud.com on their Apple Store network using Cisco Umbrella. You have to use the Cisco Umbrella test page https://welcome.opendns.com (not www.internetbadguys.com which redirects to the Apple web site) to see that their network is protected by Cisco Umbrella. This stance is quite different from their advertising that Apple is “safe”. Contrast that with the photo I posted showing I can’t block mask and mask-h2 on my Cisco Umbrella. I had to use the dig command instead of nslookup (which returned no values)… leading me to believe Apple doesn’t advertise their use of Cisco Umbrella. Use any of their store machines and verify what I’m saying.

changelog  4/15/23
###############blocking some non-routable (martian) traffic… that shouldn’t affect anything. But some people have seen internet routing on these addresses.
added to Ban in Vallum 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24, 240.0.0.0/4 
created a new Murus rule: Murus_UmbrellaDNSOnly that stops all other non-Cisco Umbrella DNS lookups. This does play well with others. It is supposed to stop DNS leaks and in the process has no local or other DNS resolution. Your home network devices will be harder to find. It might be better for coffee shops/networks you don’t manage. Plus Google… and some other ISPs/network admins have their own DNS bypass/leaks that sometimes circumvent Umbrella. This is meant to stop that. YouTube may not like that it can’t look up its own servers anymore…. just refresh the page.

changelog 4/16/23
created a new Vallum rule: Vallum_UmbrellaDNSOnly  that reflects the DNS leak changes.
################## mask-api.icloud.com seems to have a lot of traffic generated to it as well in Cisco Umbrella, but NIST hasn’t added it to their recommended block list. You may want to as well. Apple’s mask*.icloud.com addresses seem to be categorized under Online Storage but are actually proxy/anonymizer or DoH and DoT. Sorta like nesting a domain name. site.example.com hosts the vpn, but example.com is for art.

changelog 4/17/23
added in Murus and Murus_UmbrellaDNSOnly:
an inbound and an outbound rule blocking all ports on ipv6
block log quick from any to {224.0.0.0/4 ff00::/8 224.0.0.251/32 ff02::fb/128}
block log (user) proto 53 from any to any
block log (user) inet6 from any to any
added mask-api.icloud.com to Ban list in Vallum and Vallum_UmbrellaDNSOnly.

added in Vallum and Vallum_UmbrellaDNSOnly:
block in ipv6 from any to any by all apps (any protocol version ipv6)
block in ipv6 from any to any by all apps (ipv6 protocol version any)
block out ipv6 from any to any by all apps (any protocol version ipv6)
block out  ipv6 from any to any by all apps (ipv6 protocol version any)
added 224.0.0.251/32 and ff02::fb/128 to MDNS group.
################## I’m trying to kill MDNS and ICMP-V6 packets in packet captures (without edge or switch control)… iCloud/AirPlay might automate these broadcasts. fixed an error.

changelog 4/18/23
removed esp and gre from all profiles  as per the recommendation of Cisco Umbrella. If you’re using a VPN this might break it.
added to all Murus profiles:
block in inet6 proto ipv6-icmp all icmp6-type {135}
block in inet6 proto ipv6-icmp all
################## I’m hunting wabbits with the above rules… this is me trying to secure wifi with a configuration that should probably be in sysctl or a kext or a kernel config for tcp/ip. Above my scope of experience and knowledge.

changelog 4/21/23
Vallum and VallumUmbrellaDNSOnly: fixed a dhcp error… I think. Captive Portal may not work with UmbrellaDNSOnly configuration. 

changelog 4/25/23
added a rule in Vallum_UmbrellaDNSOnly allowing captive portal assistant to connect to port 53 of UDP (DNS) for DHCP connections.
added a rule in Murus_UmbrellaDNSOnly allowing all-local-nets to connect to DNS (UDP 53) only on all-local-nets so that Captive Portal can make the connections.

changelog 4/26/23
changed the rule in Murus_UmbrellaDNSOnly allowing all-local-nets to connect to any DNS (UDP 53) for Captive Portal connections.

changelog 4/27/23
fixed DHCP issues in Vallum and Vallum_UmbrellaDNSOnly. Working on Captive Portal Issues. 
added new Vallum config called Test_UmbrellaPort53 which adds UDP 53 access to Umbrella apps in addition to CaptivePortal. 

changelog 5/6/23
Added screenshots for Privacy and Security Settings and Battery Configuration (OS Ventura… but the options exist in previous Mac OSs - check Energy Saver )
Added additional US Government recommendation on logging. (This is for really advanced users)

Changelog 5/9/23
Added NSA guidance on programming languages… for those advanced people who program. 
Updated my contact information.
https://support.apple.com/en-us/HT201684 
#######################Testing umask variable… but only on machines that have only one user login (changing the umask can break things on shared machines). sudo launchctl config user umask 027
https://docs.jamf.com/customer-education/jamf-100-course/5.0/Lesson_15_Introduction_to_Scripting.html

Changelog 5/13/23
Added in Vallum and Vallum_UmbrellaDNSOnly rules that allow captiveagent to communicate to captive portals running on ports 8880 and 8843 (mainly used by Ubiquiti wireless access points).
Added in  Murus and Murus_UmbrellaDNSOnly rules that allow communication to ports 8880 and 8843 for local nets only.  
pass out log (user) proto {tcp} from any to <all-local-nets>  port  {22, 88, 389, 515, 548, 631, 636, 8880, 8843, 9100} flags any keep state
Added a LastConfig folder that serves as an archive for the previous version of ALL Vallum, Murus and script configurations (only on the iCloud site).
Added a little joke in picture form. 

Changelog 5/15/23
Fixed an error in the custom list.

Worth reading 
https://attack.mitre.org - really worth reading… including the sub-categories.  
https://dnsdumpster.com - didn’t know this existed. 

Changelog 6/27/23
Added the new NIST guidance on OS Monterey and Ventura

Changelog 6/28/23
Modified my U_Apple_macOS_12_V1R3_STIG_Restrictions_Policy_VAH.mobileconfig to be a bit more restrictive… this will break stuff. There is an archive version in the last config folder. Please note these are only on my iCloud version. 
https://www.icloud.com/iclouddrive/0Si4df9qaPgUT9KzgqsroSIcw#MurusVallum

Changelog 6/29/23
Added 207.148.248.145 to DYNDNS blocklist in Vallum rules.  Check the LastConfig folder for the last previous version.
Changed hostname and computername to 보쌈애인 in script.

Changelog 7/4/23
Added the following lines in Murus and Murus_UmbrellaDNSOnly
scrub in all fragments reassemble
set skip utun1 
added 152.195.38.76 and 192.16.49.85 to WhiteUmbrella whitelist in ALL Murus and Vallum configs. 

Changelog 7/5/23
Updated the group OptionalWhiteUmbrella.txt file with the latest IP addresses from https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-update#section-dns - double check the IPs… as Cisco doesn’t publish when they made the changes and what was removed. 

Changelog 07/16/23
Changed the priority of the igmp pass rule. 

changelog 07/24/23
added the FBI IC3 report on Elderly Fraud. please read - the elderly are losing billions to investment fraud and coins (BitCoin, Ethereum) are at the top of the list. 

changelog 07/26/23
sudo launchctl config user umask 027 in script has been changed to sudo launchctl config user umask 077 making it single user mode. 
Moved the following lines to the bottom, right before reboot:
cd /Users
sudo chmod og-rwx *
You can run this in terminal yourself. It secures your folders from other “users” and limits the Shared folder from being used as a place for bad guys to store stuff.

Changelog 07/27/23
Updated the picture for Cisco Umbrella Blocked Categories to reflect the addition of the Online Communities category which is listed in the High Security Setting for Cisco Umbrella.
Added a new blocklist that updates hourly - https://dataplane.org/signals/dnsversion.txt 

Changelog 08/10/23
Blocking protocol 41 (ipv6 encapsulation) in Murus and Murus_UmbrellaDNSOnly:  block log (user) proto 41 from any to any
Blocking protocol 41 (ipv6 encapsulation) in Vallum and Vallum_UmbrellaDNSOnly: block out log encap  from any to any all apps
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/15-mt/ir-15-mt-book/ip6-ipoverip6-tunls.pdf
https://datatracker.ietf.org/doc/html/rfc2460
I would add this list to Murus configurations but it’s too long to load it… it lists all the IPV6 tunnels that are being routed over IPV4 servers.  If you have a firewall appliance/router you may be able to load it https://dataplane.org/signals/proto41.txt
If you have an issue with Murus not loading the new firewall rules please re-run the script file and then re-import the new Murus rule and save the configuration. I was seeing an error where Murus on reboot was saying unknown ruleset and this seemed to stop it.
Also check your network wifi settings to make sure that the option for Limit IP Address Tracking (Apple VPN Relay) is not turned on again.

Changelog 08/11/23
Added sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist to script file

Changelog 08/15/23
Added the latest OS 13 .Mil STIGs (MDM configuration files) for Ventura. The Custom Policy is really good. Free and available to the public with a warning… use at your own risk.
Modified the Restrictions policy for my use. 
Modified a policy to test blocking Private Relay… it may not work so check that Limit IP Address Tracking is actually off on each new wifi connection. 

Changelog 8/17/23
Added U_Apple_macOS_AppControl_VAH.mobileconfig (payload applicationaccess.new)  and U_Apple_macOS_PrivateRelay_VAH.mobileconfig (payload application access). Looking to control binary access… with eventually blocking PrivateRelay/Limit IP Address Tracking files.
https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
https://datatracker.ietf.org/doc/html/draft-ietf-quic-manageability-11/
https://datatracker.ietf.org/doc/rfc9250/

Changelog 8/18/23
https://datatracker.ietf.org/doc/html/rfc9312 The finalized version of the IETF for QUIC.
https://datatracker.ietf.org/wg/masque/about/
https://datatracker.ietf.org/doc/html/rfc8094
https://blog.cloudflare.com/icloud-private-relay/

Changelog 8/25/23
Updated the Global allow and block lists I use in Cisco Umbrella. 

Changelog 8/26/23
Added mask.apple-dns.net to the Ban list in Vallum and Vallum_UmbrellaDNSOnly configurations. 
Updated the Global Block List in Cisco Umbrella to reflect adding mask.apple-dns.net

Changelog 8/27/23
https://datatracker.ietf.org/doc/html/rfc8999 QUIC Invariants
https://datatracker.ietf.org/doc/html/rfc8546 Wireimage
https://datatracker.ietf.org/doc/html/rfc8546 QUIC Grease
https://datatracker.ietf.org/doc/html/draft-ietf-quic-version-negotiation-10 QUIC Negotiation

Changelog 8/28/23
https://datatracker.ietf.org/doc/rfc9369/ QUIC Version 2
https://datatracker.ietf.org/doc/html/rfc9002 QUIC Loss Detection and Control
https://datatracker.ietf.org/doc/html/rfc7838 HTTP Alt Services

Changelog 8/29/23
https://www.iana.org/assignments/quic/quic.xhtml - IANA’s QUIC List
Updated Cisco Umbrella Global Allow List. 
Changed all the changeling to changelog. 

Changelog 9/8/23
Check out https://www.murusfirewall.com/adsorb/ A network Ad filter from Murus. 
They also have some new stuff but I like blocking Ads for anonymity. I used a network level one for a client for almost a decade and they got very little, physical, junk mail.  And the same was for me as well. 

changelog 9/10/23
Added the Adsorb 1.0.1 dmg file
Added p59-fmip.icloud.com to my Global Allow List in Cisco Umbrella. Check the Cisco Umbrella Lists folder on the MurusVallum iCloud share and the Global Allow List file on the Github site. 

Changelog 9/14/23
Added p41-content.icloud.com to my Global Allow List in Cisco Umbrella. Check the Cisco Umbrella Lists folder on the MurusVallum iCloud share and the Global Allow List file on the Github site. 
A similar product to Adsorb can be found here: https://pi-hole.net. Check it out! They provide complete network protection. 

Changelog 9/15/23
The source for the Ad block database is here: https://github.com/StevenBlack/hosts. This is a raw list. 
I also think Adsorb may interfere with Starbucks and other Captive Portals. 

Changelog 9/18/23
Yep… adsorb or other network-level ad blockers block Ads on Captive Portals. You will need to whitelist the page or turn Adsorb off. 
Added the string <string>/usr/libexec/wifip2pd</string> to U_Apple_macOS_AppControl_VAH.mobileconfig in an effort to block PrivateRelay, based on the following files being active in lsof when PrivateRelay was enabled.
I ran lsof and looked for all the files which have com.apple.net.netagent running or associated with their process:
com.apple.net.netagent
/usr/libexec/wifip2pd
/Users/vaughnhart/Library/Caches/GeoServices
/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
com.apple.net.utun_control
com.apple.flow-divert
/usr/libexec/networkserviceproxy
/usr/libexec/nesessionmanager
/var/run/pppconfd
/var/run/vpncontrol.sock

Changelog 9/19/23
Uploaded my Cisco Umbrella Legacy Migration Report for reference. 
https://datatracker.ietf.org/wg/masque/documents/ - tunneling over UDP with QUIC.

Changelog 9/23/23
Added to script
sudo pmset -a womp 0
sudo pmset -a sleep 1
sudo pmset -a displaysleep 2
sudo pmset -a networkoversleep 0
sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true; sudo /bin/launchctl kickstart -k system/com.apple.locationd
sudo /usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool true
sudo /usr/sbin/systemsetup -f -setremotelogin off >/dev/null
sudo /bin/launchctl disable system/com.openssh.sshd

Changelog 9/24/23
Added to script (may be excessive for most… or make it harder to read certain files).
sudo /bin/chmod -RN /var/audit
sudo /bin/chmod -N /var/audit
sudo /bin/launchctl enable system/com.apple.auditd
sudo /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist  
sudo /usr/sbin/audit -i
sudo /bin/chmod -N /etc/security/audit_control
sudo /usr/bin/chgrp wheel /etc/security/audit_control  
sudo /bin/chmod 440 /etc/security/audit_control
sudo /usr/sbin/chown root /etc/security/audit_control 
sudo /usr/bin/chgrp -R wheel /var/audit/*
sudo /bin/chmod 440 /var/audit/*
sudo /usr/bin/chgrp wheel /var/audit
sudo /usr/sbin/chown root /var/audit
sudo /bin/chmod 700 /var/audit
sudo /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; sudo /usr/sbin/audit -s
sudo /usr/sbin/nvram boot-args="" 
sudo /usr/bin/security authorizationdb write system.login.screensaver "use-login-window-ui"

Added to U_Apple_macOS_PrivateRelay_VAH.mobileconfig:
			<key>allowCloudReminders</key>
			<false/>
			<key>allowCloudAddressBook</key>
			<false/>
			<key>allowCloudCalendar</key>
			<false/>
			<key>allowCloudFreeform</key>
			<false/>
			<key>allowCloudMail</key>
			<false/>
			<key>allowCloudNotes</key>
			<false/>
			<key>allowAirDrop</key>
			<false/>
			<key>allowActivityContinuation</key>
			<false/>
			<key>forceOnDeviceOnlyDictation</key>
			<true/>
			<key>allowPasswordProximityRequests</key>
			<false/>
			<key>allowPasswordSharing</key>
			<false/>
			<key>allowAirPlayIncomingRequests</key>
			<false/>
			<key>allowDiagnosticSubmission</key>
			<false/>
			<key>allowApplePersonalizedAdvertising</key>
			<false/>
			<key>allowAssistant</key>
			<false/>
			<key>allowCloudBackup</key>
			<false/>
			<key>allowSharedStream</key>
			<false/>
			<key>forceAirDropUnmanaged</key>
			<true/>
			<key>forceAirPlayOutgoingRequestsPairingPassword</key>
			<true/>
			<key>allowUnmanagedToReadManagedContacts</key>
			<false/>
			<key>allowManagedToWriteUnmanagedContacts</key>
			<false/>
			<key>allowOpenFromManagedToUnmanaged</key>
			<false/>
			<key>allowOpenFromUnmanagedToManaged</key>
			<false/>
			<key>allowPairedWatch</key>
			<false/>
			<key>forceWatchWristDetection</key>
			<true/>
			<key>allowAutoUnlock</key>
			<false/>
			<key>allowHostPairing</key>
			<false/>

Check out https://github.com/usnistgov/macos_security for the latest for Mac OS and iOS guidance for which I have the zip files on my iCloud Share:
MSCP_Ventura_Rev_3.0.zip
MSCP_Sonoma_Rev_1.0.zip
MSCP_iOS_17_Rev_1.0.zip

Changelog 9/25/23
Added inbound block for port 631 on Vallum and Vallum_UmbrellaDNSOnly

Changelog 9/26/23 
Added p28-content.icloud.com to Cisco Umbrella Global Allow List.
Added inbound block for the Murus application in Vallum and Vallum_UmbrellaDNSOnly
Added the new Vallum application zip… vallum-4.1.1.zip

changelog 10/23/23
Added in Vallum and Vallum_UmbrellaDNSOnly rules to allow Cisco Secure Client network access. Fixed a port 53 issue in Vallum for  Cisco/Umbrella clients as well.  

changelog 10/27/23
Added Vallum 4.1.2.zip - this seems to be a silent update that isn’t seen via the check for updates in the app… but is on the website. 

changelog 10/29/23
Fixed an issue with Vallum and Vallum_UmbrellaDNSOnly where 3rd Party Apps weren’t allowed communication. This also prevented updates… I think. I was unable to update to 13.6.1 and had to allow everything. These Vallum configurations may be revised shortly.

changelog 10/30/23
Added the following iCloud sites to the Cisco Umbrella Global Allow List: 
p25-content.icloud.com
p23-content.icloud.com
p27-content.icloud.com
p63-content.icloud.com
p59-sharedstreams.icloud.com 

changelog 11/6/23
Cleaned up inbound outbound rules for Murus and Murus_UmbrellaDNSOnly.
Fixed Vallum and Vallum_UmbrellaDNSOnly rules - removing 3rd party apps rule.

changelog 11/12/23
Added p55-content.icloud.com to the Global Allow List in Cisco Umbrella.  

changelog 11/12/23
Added foodcoop.com to the Global Allow List in Cisco Umbrella.  I’m a member of the Park Slope Food Coop since 2009…. What an interesting place. 

changelog 12/10/23
Added p42-content.icloud.com to the Global Allow List in Cisco Umbrella.  

changelog 12/11/23
Added dropboxexperiment.com to the Global Allow List in Cisco Umbrella. 
Added the Security Technical Implementation Guides (STIGs) for U_Apple_iOS-iPadOS_17_V1R1_STIG.zip and U_Apple_macOS_13_V1R3_STIG.zip from public.cyber.mil - really good!

changelog 12/14/23
Apple changed something with mobile hotspots and how their systems work… so I needed to enable ipv6 and some other protocols…. The hunt is on for what changed. I think it was done to facilitate QUIC protocol.  More research is needed…. I just know I needed to re-enable ipv6 on Wi-fi and Thunderbolt Bridge and remove all ipv6 blocking rules and enable ipv6 on DNS and it looks like sscopmce protocol is used in lookup… which I had disabled. Still finding what changed… Vallum is broken for my mobile hotspot at least.

Changelog 12/19/23
I removed the NEW_Vallum and NEW_Murus rules as I can’t find what changed and I think it makes the machine insecure in order to get an internet connection.

Changelog 1/26/24
New Vallum and Vallum_UmbrellaDNSOnly rules… less restrictive with what process can talk to Umbrella servers and added a block for protocol 7 (CBT - https://datatracker.ietf.org/doc/rfc2189/) on the inbound and outbound. 
New Murus and Murus_UmbrellaDNSOnly rules… added the block for CBT (protocol 7).
Added the theflixertv.to - free movie site to Umbrella Allow List. 
Created a miniscript version without some of the archaic permission edits.

Changelog 1/29/24
Shaking Vallum rules down to one profile for UmbrellaDNS_Only:
Adding inbound rule app fingerprint for port 53 for Captive Network Assistant and Cisco Secure Client
Adding inbound rule app fingerprint for group Umbrella (all addresses whitelist) for Captive Network Assistant and Cisco Secure Client
Removing ipv6 blocks for inbound 
Making inbound DHCP ipv6 compatible - 67-68, 546-547
Making outbound DHCP ipv6 compatible - 67-68, 546-547
Changing outbound Captive Network Assistant to ipv6 compatible 
Restricting Umbrella to the Cisco Secure Client and removing old app signatures for Umbrella Client
Removed ipv6 outbound blocks
Adding any rule for protocol version on outbound rules. 
Removed blocks on ipv6-local-nets on the inbound and outbound side
Removed a local block for the Accordance app.
Cleaned up the STIGs… I use the default ones (with some modifications from the public DOD site). :-) AppControl silences some apps on my system that I don’t like… sorta like removing apps on your iPhone.

Changelog 2/1/24
Added back the Haley SSH blocklist to Murus and Murus_UmbrellaDNSOnly - 54k+ bad SSH addresses - https://iplists.firehol.org/files/haley_ssh.ipset

Changelog 2/21/24
Fixed some multicast/igmp/ipv6 rules in Murus and Murus_UmbrellaDNSOnly. Still have to fix Vallum… 

Changelog 2/24/24
Added, as per firewalld (Linux) and alongside the existing protocol 41 block, the IP addresses for 6to4 tunnels: 2002::/16 and 192.88.99.0/24
https://www.rfc-editor.org/rfc/rfc3964
https://insights.sei.cmu.edu/blog/exfiltration-with-ipv6-tunnels-on-windows/

Changelog 2/25/24
Added to Ban in Vallum_UmbrellaDNSOnly, as per firewalld (Linux) and alongside the existing protocol 41 block, the IP addresses for 6to4 tunnels: 2002::/16 and 192.88.99.0/24
https://www.rfc-editor.org/rfc/rfc3964
https://insights.sei.cmu.edu/blog/exfiltration-with-ipv6-tunnels-on-windows/
Added an outbound rule to allow Cisco Secure Client to connect to any address on port 53 for DNS lookup. 
Added a rule to allow the Loop Group - Trusted System Process outbound connections.
Changed DHCP to allow outbound 67, 547 for ipv4 and ipv6
Changed DHCP to allow inbound 68, 546 for ipv4 and ipv6 respectively.
There may be an issue with hotspot DHCP (a protocol or apple process that bypasses/escapes certain rules)  and iCloud syncing (a hidden process I’m looking for). 
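The 6to4 block from this entry and the 2/24/24 entry above (IP protocol 41 plus 2002::/16 and 192.88.99.0/24), together with the dual-stack DHCP ports listed here, written as a pf.conf fragment of the kind Murus loads. This is an added example, not the repository’s own Murus export; the uplink interface name en0 and the table name are assumptions.

```pf
# Added illustration of the 6to4 / protocol 41 block from the changelog,
# written as a pf.conf fragment. Not the repository's Murus export.
# ASSUMPTION: en0 is the uplink interface; the table name is made up here.
ext_if = "en0"

# 6to4 anycast relay prefix (IPv4) and the 6to4 IPv6 prefix built from it.
# These are the two ranges the changelog adds alongside the protocol 41 block.
table <sixtofour> const { 192.88.99.0/24, 2002::/16 }

# IPv6-in-IPv4 encapsulation (6to4, 6in4) is IP protocol 41.
# "quick" stops rule evaluation so no later pass rule can override it;
# "log" keeps the drops visible in pflog for review.
block drop log quick on $ext_if proto 41

# Also drop anything addressed to or from the 6to4 ranges themselves,
# so the relay prefix cannot be reached by any other protocol either.
block drop log quick on $ext_if from <sixtofour> to any
block drop log quick on $ext_if from any to <sixtofour>

# Core Based Trees (CBT) is IP protocol 7, blocked in the 1/26/24 entry.
block drop log quick on $ext_if proto 7

# Dual-stack DHCP client, matching the 67/68 and 546/547 entries:
# DHCPv4 server->client inbound and client->server outbound,
# then DHCPv6 the same way on its own port pair.
pass in  quick on $ext_if inet  proto udp from any port 67  to any port 68
pass out quick on $ext_if inet  proto udp from any port 68  to any port 67
pass in  quick on $ext_if inet6 proto udp from any port 547 to any port 546
pass out quick on $ext_if inet6 proto udp from any port 546 to any port 547

# Syntax-check the fragment without loading it:
#   sudo pfctl -nvf /path/to/this/fragment
```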

Changelog 2/27/24
I switched from Cisco Meraki to Jamf Now! Way better.

Changelog 3/13/24
Removed Haley SSH from the Lists Library as it seems to be maxing out the memory usage for Murus.  https://iplists.firehol.org/files/haley_ssh.ipset
#reflected in Murus and Murus_UmbrellaDNSOnly

Changelog 4/4/24
Changed the default Restrictions and Password Policy - fixing what seemed to be issues with the Payload Identifier and the UUID Payload numbers being reused in the MDM profile, which might be my fault. But once fixed… it all worked fine. Check those Jamf/MDM logs for what’s not being applied and why. Thank you Jamf! I didn’t see these same details in Meraki. AppControl has been updated to disable more applications. The restriction is built for a web-only system with only a few local apps. The idea is a smaller attack footprint (minimal external software) and fewer usable avenues… since everything and its grandmother now calls to the web.

Changelog 4/6/24
Removed some rules and added the macsec rules from NIST’s macOS Security (high) guidance exactly as typed. Some things are freer and some things have a definitive restriction. This is for Murus and Murus_UmbrellaDNSOnly.
Updated the AppControl to block access to the Users folder. This might be really restrictive for applications located in that folder.

Changelog 4/8/24
Added the following IP addresses to the Ban lists in DYNDNS in Vallum_UmbrellaDNSOnly (the only Vallum config). These are IP addresses that redirect to malware.
69.30.245.146
78.47.71.170
104.21.11.31
52.223.29.44

Changelog 4/9/24
Updated Restrictions 3 with some new policy edits… making some things automatic. Use at risk as the originator said… that’s written wrong for a reason.
Edited mini script with some passional edits to make some things harder for myself. Use at your own risk. 
Removed from the Ban list in Vallum_UmbrellaDNSOnly:
added to Ban in Vallum 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24, 240.0.0.0/4 to allow sharing again. 
Removed rule blocking multicast addresses. Added IGMP routing. 
Added inbound pass for Umbrella group - basically a whitelist. 
Changed the order for outbound DNS traffic… and added an outbound whitelist for all port 443 traffic to Umbrella. 

Changelog 4/17/24
Added port 53 access for all apps to Umbrella. 

Changelog 4/24/24
Added sudo /usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner" to miniscript as per the latest NIST Guidance.
Added a new Service called APNS for tcp port 5223 communications to the Apple servers in Murus and Murus_UmbrellaDNSOnly.
Added a new outbound rule in Vallum_UmbrellaDNSOnly to allow communications to APNS tcp port 5223 to Apple Services only. 
Updated the latest NIST Guidance zips for Sonoma, Ventura and iOS 17 to this share. Get all the guidance and tips and help here: https://github.com/usnistgov/macos_security

Changelog 4/28/24
Really interesting reading… no changes made to the firewalls… https://www.wireguard.com/
https://datatracker.ietf.org/doc/html/draft-pauly-taps-transport-security-01
https://datatracker.ietf.org/doc/html/rfc8922
German hosting service $2.00 https://www.altinsoft.net/germany-linux-hosting

Changelog 5/6/24
No firewall changes: I’d recommend looking at these underlying techs to WireGuard… especially Mosh.
https://mosh.org/#techinfo 
http://noiseprotocol.org
If you haven’t, please update to the latest version of the Cisco Secure Client… I’m not sure if my firewall rules don’t allow notifications for updates… but I had to check manually and download mine from the Cisco Umbrella website.

Changelog 5/7/24
Added a rule to Vallum_UmbrellaDNSOnly for Cisco’s Developer ID.
Removed some honeypot inbound rules. Sorry. 

Changelog 5/9/24
Created a UmbrellaDNSOnly_Haley SSH profile that has the Haley SSH list added back to it. Sometimes the list causes a memory error on my M1 MacBook Air (2020). But it might run fine on all your newer (2021+) machines. 
http://iplists.firehol.org/?ipset=haley_ssh 

Changelog 5/21/24
I am getting some errors with Murus and Murus_UmbrellaDNSOnly loading on system startup… so I am removing some lists that never update. 
I am doing the following to the Ban list in Vallum
185.94.190.158 from https://secureupdates.checkpoint.com/IP-list/IP-blacklist.txt
192.9.135.73 from https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
I have removed the following list from version of Murus:
Removed CruzitWeb Attacks which hasn’t been updated since 2023 http://iplists.firehol.org/?ipset=cruzit_web_attacks
Removed SpamHaus_edrop for duplicates with SpamHaus_Drop http://iplists.firehol.org/?ipset=spamhaus_edrop
Removed CyberCrime for duplicates with Firehol_WebClient http://iplists.firehol.org/?ipset=cybercrime
Removed XRoxy_30D which hasn’t been updated since 2023 http://iplists.firehol.org/?ipset=xroxy_30d
Removed the direct connection to BinaryDefense… only pulling the Firehol list. http://iplists.firehol.org/?ipset=bds_atif
I have added Haley_SSH to all Murus Versions - http://iplists.firehol.org/?ipset=haley_ssh

Changelog 5/22/24
Removed the Apple Anchors from all versions of Murus configurations. 

Changelog 5/27/24
Updated my modified .mil profiles to App Control 2 and Restrictions Policy 5. There were some loopholes that I think I closed and some stuff that an editor didn’t recognize. 
Cleaned up Vallum_Umbrella_DNSOnly… Removed some open rules… some stuff might break, like captive portal assistants. Still trying to figure out Personal Hotspots on iPhone and their use of sscopmce… which I block.

Changelog 5/28/24
Added 192.229.221.95 to the Umbrella list in Vallum_UmbrellaDNSOnly… seems it was missing. 

Changelog 6/1/24
Made some changes to Restrictions Policy 5… err… not changing the name. I’m using iMazing Profile Editor. It has a caveat: if you add a configuration change and then remove it, a change is made to the profile… it adds a hidden VPN configuration (or so is recorded by Jamf Now) that prohibits it being applied. Dot those I’s and cross those T’s like crosshairs. +. x-x

Changelog 6/11/24
Added p49-content.icloud.com and p32-content.icloud.com to the Cisco Umbrella Global Allow List.
Updated Restrictions Policy 5 with the Apple Profile updates via iMazing Profile Editor.

Changelog 6/20/24
DISA link for cybersecurity training: https://fedvte.usalearning.gov
DISA link for the general public: https://fedvte.usalearning.gov/public_fedvte.php

Changelog 9/1/24
After updating the restrictions policy, network filter extensions and the filters have to be turned back on… because Jamf Now does not offer a replacement feature like Jamf Pro or Cisco Meraki, and I have to re-enable full-disk access for Vallum ES.

Changelog 9/6/24
Finally “fixed” a setting in my Restrictions policy 5…. Lol… so it’s working properly. Updated some new settings apple added. 

Changelog 9/18/24
Restrictions Policy 6 - updated for the new OS and also Sonoma… fixed some errors… something about remote viewing with classroom and a Dock issue. Set apps to open Fullscreen.

Changelog 10/1/24
Changed the removal date for the Restrictions Policy 6 Profile. Added the Vallum 5 Umbrella_DNS_Only config. My version of Umbrella DNS is going away… I cannot renew it so I am looking for an alternative. In fact, all Home versions of Umbrella are going away. You’ll have to purchase a Corporate version at a corporate price point. Also, Cisco has removed the personal store for updating your credit cards and renewing ahead of expiration. Please be aware and tell your friends and family. You’ll lose protection on the last date of your subscription.

Changelog 10/2/24
Updated Restrictions Policy 6 to block the Improve Siri and Search options that are in Diagnostic Submissions under Privacy and Security. I am using iMazing Profile Editor and their options are not the same as listed in the NIST Guidance.

Changelog 10/4/24
Stage1 and AppControl v3 are my only two mobile profiles. They are not signed. Free to use at your own risk!

Changelog 10/16/24
Removed https://talosintelligence.com/documents/ip-blacklist and https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt - added port 2228 for ovh.net in Murus.
Vallum has inbound block for unsigned apps. 
Extensions profile for Cisco and Team Murus apps called Baseline.
Updated script file.
Removed USG files… which are freely available online… also visit the CIA website for reading that is quite informative. The Freedom of Information Act. READ READ READ.

Changelog 11/7/24
Added the following IP addresses to the Umbrella whitelist group as per Cisco Talos filtering (2a04:e4c7:ffff::/48, 2a04:e4c7:fffe::/48) in both Murus and Vallum rules.

Changelog 11/26/24
Added some more OVH ranges to Murus_UmbrellaDNSOnly
Added sudo defaults write /Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool TRUE to script without which login and logout scripts won’t run as part of a MDM profile. 

Zelle me:  vaughn@aegisitnyc.com or 646-284-4291 or 347-559-1619
If you have work reach out to me! 

Social Media:
https://www.linkedin.com/in/vahart
https://github.com/vaughnhart
https://www.icloud.com/iclouddrive/0Si4df9qaPgUT9KzgqsroSIcw#MurusVallum

Command line quicksheet
sudo tcpdump -i en0 -s0 -c 1100 -AeHnnttttvvv -w test.pcap
sudo lsof -i -n -P 
netstat -arn
arp -an
who -a
umask
sudo launchctl config user umask 077 
sudo log collect --output ~/Desktop/SystemLogs.logarchive --last 20m
grep -w 'console' /private/etc/ttys
sudo defaults write /Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool TRUE

In Console, search for it.murus.Vallum.AFW to see the running log.
