vaughnhart/Firewall
These firewall rules are based around Cisco Umbrella or OpenDNS Umbrella Prosumer.
https://www.opendns.com/home-internet-security/
https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-update#section-network-access

You will need a license for Murus Pro… which should bundle Vallum firewall as well. You’ll need them both. This is a restricted IPv4 only config.

https://help.vallumfirewall.com/index.php?chapter=log - Vallum Logging Guidance
https://github.com/drduh/macOS-Security-and-Privacy-Guide
https://github.com/usnistgov/macos_security#readme
https://tools.cisco.com/security/center/resources/dns_best_practices
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html
https://csrc.nist.gov
https://downloads.cisecurity.org/#/
https://learn.microsoft.com/en-us/archive/blogs/secguide/
https://www.brightcloud.com/tools/url-ip-lookup.php
https://docs.umbrella.com/deployment-umbrella/docs/domain-management#section-3-internal-queries
https://support.umbrella.com/hc/en-us/articles/115004651426-CNAME-Records-with-DNS-caching-and-Umbrella

Lists:
https://iplists.firehol.org
https://firehol.org/guides/icmpv6-recommendations/#allow-incoming-destination-unreachable-messages-only-for-existing-sessions
https://www.spamhaus.org
https://www.talosintelligence.com
https://secureupdates.checkpoint.com/IP-list/TOR.txt
https://www.opendbl.net

Changelog 11/18/22
Removed allow all apps outbound rule in Vallum - apps need to be signed. Moved dhcp inbound rule higher in Vallum.

Changelog 12/04/22
Removed duplicate lists (botscouts, myips, blocklist_de_strongips, blocklist_de_bots that were already covered in firehol level2, level3, and abusers1d). Added my system configuration script… note that it will name it to my current machine name. I also removed haley_ssh since there seem to be some update errors. I also explicitly listed denies on the inbound side as per the NIST recommendations.
Changelog 12/11/22
Added https://iplists.firehol.org/files/cruzit_web_attacks.ipset - CruzIT Web Attacks. Updated DYNDNS Pomcounp lists in Murus and added to Vallum. Added https://iplists.firehol.org/files/sslproxies_30d.ipset - SSL Proxies.

Changelog 1/15/23
Removed VoIPBL list as it has errors on the Firehol site. Updated nations databases in Murus and Vallum. Removed DYNDNS group from Murus rule. Added these IPs to DYNDNS list in Vallum:
  3.130.204.160
  3.140.13.188
  18.119.154.66
  31.11.36.8
  63.247.141.235
  77.111.240.50

Changelog 1/21/23
Added https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF as a reading resource. DNS restriction in Murus to manual rule. Changed localnet passthru to specified ports in Vallum.
  block in on egress proto tcp from any os unknown
in Murus.

Changelog 1/22/23
  antispoof log quick for eth0 inet

Changelog 1/28/23 - script file changes ONLY
  sudo /bin/launchctl disable system/com.apple.netbiosd.plist
  sudo ifconfig en0 -arp
  #sudo ifconfig en0 dad - did not work

Changelog 1/29/23
Added https://iplists.firehol.org/files/bds_atif.ipset
  sudo launchctl disable system/netbiosd
in script.

Changelog 1/31/23
Added 8443 (tcp) to custom firewall rules in Murus and Vallum for testing.

Changelog 2/1/23
Added 192.16.58.8 for UmbrellaWhitelist in Murus and Vallum. Updated DYNDNS list in Vallum:
  31.11.36.8
  52.71.57.184
  52.86.6.113
  74.208.236.193
  77.111.240.50
#######Murus rule change - all outbound rules are custom now. Please see Custom Rules picture in root folder for complete list. Example is below:
  pass out log (user) proto {tcp, udp} from any to any port {548, 88, 10548, 43, 3283, 5988, 5900, 631, 515, 9100, 123, 67, 68, 22, 8443, 80} flags S/SAFR keep state

Changelog 2/2/23
########after seeing that Murus logs showed Safari making web browser connections to Umbrella (logging them as 208.67.x.x) instead of the web address I made some changes.
Vallum flows monitor showed the correct addresses. Vallum Inbound now limits Umbrella communication to OpenDNS signed apps and DHCP to all Apple signed apps. Vallum Outbound now limits Umbrella communication to OpenDNS signed apps, DHCP to Apple signed apps, and all apps have to go through the filtered ports. Added DHCP in Murus options. Whatever the path is… DHCP and ICMP have to be in that category… and not the custom rules.

Changelog 2/3/23
Added a protection rule in Vallum for Vallum… trying at least.
############Murus Custom rules mostly mirrored in Vallum
  antispoof log quick for eth0 inet
  block in log on egress proto tcp from any os unknown
  block log inet6 proto ipv6-icmp from any to any
  block log proto icmp from any to any
  block log (user) proto {tcp, udp} from any to any port 0
  block log (user) proto {tcp, udp} from any to any port 3689
  block in log from any to 255.255.255.255
  block in log from any to 127.0.0.1/32
  pass out log (user) from any to <WhiteUmbrella> flags S/SAFR keep state
  pass in log (user) from <WhiteUmbrella> to any flags S/SAFR keep state
  pass proto log igmp allow-opts
  pass quick log from any to {224.0.0.0/4 ff00::/8} allow-opts
  pass proto log {esp, gre} from any to any
  pass out log (user) proto {tcp} from any to any port {80, 443, 8443, 43} flags S/SAFR keep state
  pass out log (user) proto {udp} from any to any port {123} keep state
  pass out log (user) proto {tcp} from any to <all-local-nets> port {22, 88, 389, 515, 548, 631, 636, 9100} flags S/SAFR keep state
  pass out log (user) proto {tcp, udp} from any to <all-local-nets> port {53, 749, 3283, 5988, 5900} flags S/SAFR keep state

Changelog 2/6/23
##########inbound rules.
  block in log [tcp,udp] from any to any port 0

Changelog 2/8/23
Added screenshots on the location to update the nations databases in Vallum and Murus. This is necessary for the Unknown Nation block.
##################sudo tcpdump -i en0 -s0 -c 1100 -AeHnnttttvvv -w test.pcap
##################Use Wireshark to see the data.
Tcpdump is native on Mac/Linux. Wireshark is a GUI that makes it nice and readable.
https://www.tcpdump.org/manpages/tcpdump.1.html or https://www.tcpdump.org/index.html
https://www.wireshark.org

For those with OpenDNS Cisco Umbrella Prosumer and legacy Cisco Umbrella packages... the Legacy Categories (under Content Categories) are still there. It might mean extra monitoring (using Activity Search)... or whitelisting (Global Allowed List under Destinations Lists) but you can add those categories back. In this case more is more.

Changelog 2/15/23
  block log proto {tcp, udp} from any port {0, 5353} to any port {0, 5353}
Added Umbrella group back to PassList in Murus.

Changelog 2/18/23
Blocking and logging a “new” signed version of com.apple.mDNSResponder in Vallum on the inbound and outbound. While logging multicast traffic in Vallum.

Changelog 2/21/23
Another mDNSResponder was noticed in Flow Monitor… blocked on inbound.

Changelog 2/24/23
##################to block port 5353, make the following changes in Murus and Vallum (inbound/outbound):
remove the following rule
  pass quick log from any to {224.0.0.0/4 ff00::/8} allow-opts
add the following rules to the end of the custom rules
  block log (user) proto sscopmce from any to any
  block proto {tcp, udp} from any to any port {5353}
Set custom rules tcp flags back to any in Murus.
############# https://support.opendns.com/hc/en-us/articles/227988627-How-to-clear-the-DNS-Cache- - You’ll need to do this after
############# clear all browsing history (your web browsers) and system cache. https://www.tomsguide.com/how-to/how-to-clear-the-cache-on-mac
############# clear all saved application states https://osxdaily.com/2011/07/17/delete-specific-application-saved-states-from-mac-os-x-10-7-lion-resume/
############# empty the trash and reboot

Changelog 3/3/23
Added 3.19.116.195 to DYNDNS block list in Vallum

Changelog 3/6/23
There are new prerequisites for Cisco Umbrella… updated them in Murus and Vallum.
I didn’t remove anything… just added 192.229.211.108
https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-update#section-network-access
There is an issue with resolving debug.opendns.com

Changelog 3/7/23
Added AdsYoyo blocklist from https://pgl.yoyo.org/adservers/iplist.php?ipformat=&showintro=0&mimetype=plaintext

Changelog 4/3/23
Added mask.icloud.com and mask-h2.icloud.com to Ban group in Vallum and also Global Block List in Cisco Umbrella.

Changelog 4/4/23
Added the following lines to the script file:
  cd /Users
  sudo chmod og-rwx *
############# to run the script just copy to your Downloads folder and open terminal and go to that directory (cd ~/Downloads) and run the following command: sudo sh script
############# Mac OS will ask you to grant the Terminal program permissions to your Downloads folder.

Changelog 4/5/23
Added screenshots for the above changelog. The pictures are from OS Ventura 13.3 but are also applicable to OS Monterey.
Added the following recommendations from https://github.com/drduh/macOS-Security-and-Privacy-Guide to the script (the ~ must stay outside the quotes so the shell expands it; <APPNAME> and <APP> are placeholders for the app’s container name):
  rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive
  rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite
  rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm
  rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal
  rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason
  rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data
  sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler
  sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/exclusive
  sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite
  sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-shm
  sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/index.sqlite-wal
  sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/resetreason
  sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.data
  sudo rm -rfv $(getconf DARWIN_USER_CACHE_DIR)/com.apple.QuickLook.thumbnailcache/thumbnails.fraghandler
  rm -rfv ~/Library/LanguageModeling/* ~/Library/Spelling/* ~/Library/Suggestions/*
  chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions
  chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions
  rm -rfv ~/Library/"Application Support/Quick Look"/*
  chmod -R 000 ~/Library/"Application Support/Quick Look"
  chflags -R uchg ~/Library/"Application Support/Quick Look"
  sudo rm -rfv /.DocumentRevisions-V100/*
  sudo chmod -R 000 /.DocumentRevisions-V100
  sudo chflags -R uchg /.DocumentRevisions-V100
  rm -rfv ~/Library/"Saved Application State"/*
  rm -rfv ~/Library/Containers/<APPNAME>/"Saved Application State"
  chmod -R 000 ~/Library/"Saved Application State/"
  chmod -R 000 ~/Library/Containers/<APPNAME>/"Saved Application State"
  chflags -R uchg ~/Library/"Saved Application State/"
  chflags -R uchg ~/Library/Containers/<APPNAME>/"Saved Application State"
  rm -rfv ~/Library/Containers/<APP>/Data/Library/"Autosave Information"
  rm -rfv ~/Library/"Autosave Information"
  chmod -R 000 ~/Library/Containers/<APP>/Data/Library/"Autosave Information"
  chmod -R 000 ~/Library/"Autosave Information"
  chflags -R uchg ~/Library/Containers/<APP>/Data/Library/"Autosave Information"
  chflags -R uchg ~/Library/"Autosave Information"
  rm -rfv ~/Library/Assistant/SiriAnalytics.db
  chmod -R 000 ~/Library/Assistant/SiriAnalytics.db
  chflags -R uchg ~/Library/Assistant/SiriAnalytics.db
  defaults delete ~/Library/Preferences/com.apple.iTunes.plist recentSearches
  sudo shutdown -r now -o

Changelog 4/10/23
added LPI certification reading material… if you want to learn Linux and command line. added a photo from my machine while at the Apple Store… showing that Apple blocks mask-h2.icloud.com on their Apple Store network using Cisco Umbrella. You have to use the Cisco Umbrella test page https://welcome.opendns.com (not www.internetbadguys.com which redirects to the Apple web site) to see that their network is protected by Cisco Umbrella. This stance is quite different from their advertising that Apple is “safe”. Contrast that with the photo I posted showing I can’t block mask and mask-h2 on my Cisco Umbrella. I had to use the dig command instead of nslookup (which returned no values)… leading me to believe Apple doesn’t advertise their use of Cisco Umbrella. Use any of their store machines and verify what I’m saying.

Changelog 4/15/23
###############blocking some non-routable (martian) traffic… that shouldn’t affect anything. But some people have seen internet routing on these addresses.
added to Ban in Vallum: 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24, 240.0.0.0/4
created a new Murus rule: Murus_UmbrellaDNSOnly that stops all other non-Cisco Umbrella DNS lookup. This does play well with others. It is supposed to stop DNS leak and in the process has no local or other DNS resolution. Your home network devices will be harder to find. It might be better for coffee shops/networks you don’t manage. Plus Google… and some other ISPs/network admins have their own DNS bypass/leaks that sometimes circumvent Umbrella. This is meant to stop that. Youtube may not like that it can’t lookup its own servers anymore…. just refresh the page.

Changelog 4/16/23
created a new Vallum rule: Vallum_UmbrellaDNSOnly that reflects the DNS leak changes.
################## mask-api.icloud.com seems to have a lot of traffic generated to it as well in Cisco Umbrella but NIST hasn’t added it to their recommended block list. You may want to as well.
Apple’s mask*.icloud.com addresses seem to be categorized under Online Storage but are actually proxy/anonymizer or DoH and DoT. Sorta like nesting a domain name: site.example.com hosts the vpn, but example.com is for art.

Changelog 4/17/23
added in Murus and Murus_UmbrellaDNSOnly: an inbound and an outbound rule blocking all ports on ipv6
  block quick log from any to {224.0.0.0/4 ff00::/8 224.0.0.251/32 ff02::fb/128}
  block log (user) proto 53 from any to any
  block log (user) inet6 from any to any
added mask-api.icloud.com to Ban list in Vallum and Vallum_UmbrellaDNSOnly.
added in Vallum and Vallum_UmbrellaDNSOnly:
  block in ipv6 from any to any by all apps (any protocol version ipv6)
  block in ipv6 from any to any by all apps (ipv6 protocol version any)
  block out ipv6 from any to any by all apps (any protocol version ipv6)
  block out ipv6 from any to any by all apps (ipv6 protocol version any)
added 224.0.0.251/32 and ff02::fb/128 to MDNS group.
################## I’m trying to kill MDNS and ICMP-V6 packets in packet captures (without edge or switch control)… iCloud/AirPlay might automate these broadcasts.
fixed an error.

Changelog 4/18/23
removed esp and gre from all profiles as per the recommendation of Cisco Umbrella. If you’re using a VPN this might break it.
added to all Murus profiles:
  block in inet6 proto ipv6-icmp all icmp6-type {135}
  block in inet6 proto ipv6-icmp all
################## I’m hunting wabbits with the above rules… this is me trying to secure wifi with a configuration that should probably be in sysctl or a kext or a kernel config for tcp/ip. Above my scope of experience and knowledge.

Changelog 4/21/23
Vallum and VallumUmbrellaDNSOnly: fixed a dhcp error… I think. Captive Portal may not work with UmbrellaDNSOnly configuration.

Changelog 4/25/23
added a rule in Vallum_UmbrellaDNSOnly allowing captive portal assistant to connect to port 53 of UDP (DNS) for DHCP connections.
added a rule in Murus_UmbrellaDNSOnly allowing all-local-nets to connect to DNS (UDP 53) only on all-local-nets so that Captive Portal can make the connections.

Changelog 4/26/23
changed the rule in Murus_UmbrellaDNSOnly allowing all-local-nets to connect to any DNS (UDP 53) for Captive Portal connections.

Changelog 4/27/23
fixed DHCP issues in Vallum and Vallum_UmbrellaDNSOnly. Working on Captive Portal Issues. added new Vallum config called Test_UmbrellaPort53 which adds UDP 53 access to Umbrella apps in addition to CaptivePortal.

Changelog 5/6/23
Added screenshots for Privacy and Security Settings and Battery Configuration (OS Ventura… but the options exist in previous Mac OSs - check Energy Saver). Added additional US Government recommendation on logging. (This is for really advanced users)

Changelog 5/9/23
Added NSA guidance on programming languages… for those advanced people who program. Updated my contact information. https://support.apple.com/en-us/HT201684
#######################Testing umask variable… but this is for machines that have only one user login (changing the umask can break things on shared machines).
  sudo launchctl config user umask 027
https://docs.jamf.com/customer-education/jamf-100-course/5.0/Lesson_15_Introduction_to_Scripting.html

Changelog 5/13/23
Added in Vallum and Vallum_UmbrellaDNSOnly rules that allow captiveagent to communicate to captive portals running on ports 8880 and 8843 (mainly used by Ubiquiti wireless access points). Added in Murus and Murus_UmbrellaDNSOnly rules that allow communication to ports 8880 and 8843 for local nets only.
  pass out log (user) proto {tcp} from any to <all-local-nets> port {22, 88, 389, 515, 548, 631, 636, 8880, 8843, 9100} flags any keep state
Added a LastConfig folder that serves as an archive for the previous version of ALL Vallum, Murus and script configurations (only in the iCloud site). Added a little joke in picture form.

Changelog 5/15/23
Fixed an error in the custom list.
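Two recurring maintenance chores in this changelog are pruning blocklists that duplicate each other (12/04/22) and keeping martian ranges such as 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24 and 240.0.0.0/4 (4/15/23, later lifted on 4/9/24 to allow sharing) out of the way of the routed-traffic rules. The POSIX sh script below is an added example, not code from the vaughnhart/Firewall repo or from Murus/Vallum: it merges firehol-style .ipset files (comment lines start with #) into one sorted, deduplicated file that pf can load as a table, and reports which surviving entries already sit inside martian space. The function names (ip_to_int, in_cidr, is_martian, ipset_to_pf_table, martian_entries) are hypothetical, the martian list is the 4/15/23 set plus the 6to4 relay prefix 192.88.99.0/24 from the 2/24/24 entry, and the two lists at the bottom are constructed sample input rather than real blocklist data.

```shell
#!/bin/sh
# Added example (not from the vaughnhart/Firewall repo): merge firehol-style
# .ipset blocklists into one deduplicated pf table file and flag martians.

# Print dotted-quad IPv4 $1 as a 32-bit integer.
ip_to_int() {
    _oifs=$IFS; IFS=.
    set -- $1
    IFS=$_oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) when IPv4 address $1 lies inside CIDR $2, e.g. 192.0.2.0/24.
in_cidr() {
    _net=${2%/*}; _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# Martian ranges from the 4/15/23 entry plus the 6to4 relay prefix (2/24/24).
MARTIANS="0.0.0.0/8 127.0.0.0/8 192.0.2.0/24 240.0.0.0/4 192.88.99.0/24"

# Succeed when $1 (an address or a CIDR) starts inside one of the martian ranges.
is_martian() {
    for _m in $MARTIANS; do
        in_cidr "${1%/*}" "$_m" && return 0
    done
    return 1
}

# Read ipset text on stdin: drop comments and whitespace, keep only
# syntactically valid IPv4 addresses or prefixes (each octet < 256, prefix
# <= 32), and emit a sorted, deduplicated list, one entry per line, which is
# exactly the file format pf's "table <name> persist file ..." loads.
ipset_to_pf_table() {
    sed 's/#.*//; s/[[:space:]]//g' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    awk -F'[./]' '$1<256 && $2<256 && $3<256 && $4<256 && (NF==4 || $5<=32)' |
    sort -u
}

# Print the table entries (stdin) that fall inside martian space, so you can
# see which blocklist lines merely duplicate a martian block rule.
martian_entries() {
    while IFS= read -r _e; do
        if is_martian "$_e"; then echo "$_e"; fi
    done
}

# Constructed sample input (not real blocklist data): two overlapping lists
# with comments, a malformed line, a duplicate entry and one martian entry.
LIST_A='# list A (constructed)
203.0.113.7
198.51.100.0/24
999.1.1.1
192.0.2.10'
LIST_B='# list B (constructed), overlaps A
203.0.113.7
198.51.100.0/24
203.0.113.200/32'

merged=$(printf '%s\n%s\n' "$LIST_A" "$LIST_B" | ipset_to_pf_table)
echo "merged table:"; echo "$merged"
echo "entries already inside martian space:"; echo "$merged" | martian_entries
```

With real lists, replace the constructed variables with `cat list1.ipset list2.ipset | ipset_to_pf_table > merged.txt` and reference the file from the ruleset as `table <blocklist> persist file "/path/merged.txt"`; the 999.1.1.1 line is dropped by the octet check rather than silently passed to pfctl, and the duplicate 203.0.113.7 appears once.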
Worth reading
https://attack.mitre.org - really worth reading… including the sub-categories.
https://dnsdumpster.com - didn’t know this existed.

Changelog 6/27/23
Added the new NIST guidance on OS Monterey and Ventura

Changelog 6/28/23
Modified my U_Apple_macOS_12_V1R3_STIG_Restrictions_Policy_VAH.mobileconfig to be a bit more restrictive… this will break stuff. There is an archive version in the last config folder. Please note these are only on my iCloud version. https://www.icloud.com/iclouddrive/0Si4df9qaPgUT9KzgqsroSIcw#MurusVallum

Changelog 6/29/23
Added 207.148.248.145 to DYNDNS blocklist in Vallum rules. Check the LastConfig folder for the last previous version. Changed hostname and computername to 보쌈애인 in script.

Changelog 7/4/23
Added the following lines in Murus and Murus_UmbrellaDNSOnly
  scrub in all fragments reassemble
  set skip utun1
added 152.195.38.76 and 192.16.49.85 to WhiteUmbrella whitelist in ALL Murus and Vallum configs.

Changelog 7/5/23
Updated the group OptionalWhiteUmbrella.txt file with the latest IP addresses from https://docs.umbrella.com/deployment-umbrella/docs/2-prerequisites-update#section-dns - double check the IPs… as Cisco doesn’t publish when they made the changes and what was removed.

Changelog 07/16/23
Changed the priority of the igmp pass rule.

Changelog 07/24/23
added the FBI IC3 report on Elderly Fraud. please read - the elderly are losing billions to investment fraud and coins (BitCoin, Ethereum) are at the top of the list.

Changelog 07/26/23
sudo launchctl config user umask 027 in script has been changed to sudo launchctl config user umask 077 making it single user mode. Moved the following lines to the bottom, right before reboot:
  cd /Users
  sudo chmod og-rwx *
You can run this in terminal yourself. It secures your folders from other “users” and limits the Shared folder from being used as a place for bad guys to store stuff.
Changelog 07/27/23
Updated the picture for Cisco Umbrella Blocked Categories to reflect the addition of the Online Communities category which is listed in the High Security Setting for Cisco Umbrella. Added a new blocklist that updates hourly - https://dataplane.org/signals/dnsversion.txt

Changelog 08/10/23
Blocking protocol 41 (ipv6 encapsulation) in Murus and Murus_UmbrellaDNSOnly:
  block log (user) proto 41 from any to any
Blocking protocol 41 (ipv6 encapsulation) in Vallum and Vallum_UmbrellaDNSOnly:
  block out log encap from any to any all apps
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/15-mt/ir-15-mt-book/ip6-ipoverip6-tunls.pdf
https://datatracker.ietf.org/doc/html/rfc2460
I would add this list to Murus configurations but it’s too long to load it… it lists all the IPV6 tunnels that are being routed over IPV4 servers. If you have a firewall appliance/router you may be able to load it: https://dataplane.org/signals/proto41.txt
If you have an issue with Murus not loading the new firewall rules please re-run the script file and then re-import the new Murus rule and save the configuration. I was seeing an error where Murus on reboot was saying unknown ruleset and this seemed to stop it. Also check your network wifi settings to make sure that the option for Limit IP Address Tracking (Apple VPN Relay) is not turned on again.

Changelog 08/11/23
Added sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.netbiosd.plist to script file

Changelog 08/15/23
Added the latest OS 13 .Mil STIGs (MDM configuration files) for Ventura. The Custom Policy is really good. Free and available to the public with a warning… use at your own risk. Modified the Restrictions policy for my use. Modified a policy to test blocking Private Relay… it may not work so check that Limit IP Address Tracking is actually off on each new wifi connection.
Changelog 8/17/23
Added U_Apple_macOS_AppControl_VAH.mobileconfig (payload applicationaccess.new) and U_Apple_macOS_PrivateRelay_VAH.mobileconfig (payload application access). Looking to control binary access… with eventually blocking PrivateRelay/Limit IP Address Tracking files.
https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
https://datatracker.ietf.org/doc/html/draft-ietf-quic-manageability-11/
https://datatracker.ietf.org/doc/rfc9250/

Changelog 8/18/23
https://datatracker.ietf.org/doc/html/rfc9312 - The finalized version of the IETF for QUIC.
https://datatracker.ietf.org/wg/masque/about/
https://datatracker.ietf.org/doc/html/rfc8094
https://blog.cloudflare.com/icloud-private-relay/

Changelog 8/25/23
Updated the Global allow and block lists I use in Cisco Umbrella.

Changelog 8/26/23
Added mask.apple-dns.net to the Ban list in Vallum and Vallum_UmbrellaDNSOnly configurations. Updated the Global Block List in Cisco Umbrella to reflect adding mask.apple-dns.net

Changelog 8/27/23
https://datatracker.ietf.org/doc/html/rfc8999 - QUIC Invariants
https://datatracker.ietf.org/doc/html/rfc8546 - Wireimage
https://datatracker.ietf.org/doc/html/rfc8546 - QUIC Grease
https://datatracker.ietf.org/doc/html/draft-ietf-quic-version-negotiation-10 - QUIC Negotiation

Changelog 8/28/23
https://datatracker.ietf.org/doc/rfc9369/ - QUIC Version 2
https://datatracker.ietf.org/doc/html/rfc9002 - QUIC Loss Detection and Control
https://datatracker.ietf.org/doc/html/rfc7838 - HTTP Alt Services

Changelog 8/29/23
https://www.iana.org/assignments/quic/quic.xhtml - IANA’s QUIC List
Updated Cisco Umbrella Global Allow List. Changed all the changeling to changelog.

Changelog 9/8/23
Check out https://www.murusfirewall.com/adsorb/ - a network Ad filter from Murus. They also have some new stuff but I like blocking Ads for anonymity. I used a network level one for a client for almost a decade and they got very little, physical, junk mail. And the same was for me as well.
Changelog 9/10/23
Added the Adsorb 1.0.1 dmg file. Added p59-fmip.icloud.com to my Global Allow List in Cisco Umbrella. Check the Cisco Umbrella Lists folder on the MurusVallum iCloud share and the Global Allow List file on the Github site.

Changelog 9/14/23
Added p41-content.icloud.com to my Global Allow List in Cisco Umbrella. Check the Cisco Umbrella Lists folder on the MurusVallum iCloud share and the Global Allow List file on the Github site. A similar product to Adsorb can be found here: https://pi-hole.net. Check it out! They provide complete network protection.

Changelog 9/15/23
The source for the Ad block database is here: https://github.com/StevenBlack/hosts. This is a raw list. I also think Adsorb may interfere with Starbucks and other Captive Portals.

Changelog 9/18/23
Yep… Adsorb or other network-level ad blockers block Ads on Captive Portals. You will need to whitelist the page or turn Adsorb off.
Added the string <string>/usr/libexec/wifip2pd</string> to U_Apple_macOS_AppControl_VAH.mobileconfig in an effort to block PrivateRelay, based on the following files being active in lsof when PrivateRelay was enabled. I ran lsof and looked for all the files which had com.apple.net.netagent running or associated with their process:
  com.apple.net.netagent
  /usr/libexec/wifip2pd
  /Users/vaughnhart/Library/Caches/GeoServices
  /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
  com.apple.net.utun_control
  com.apple.flow-divert
  /usr/libexec/networkserviceproxy
  /usr/libexec/nesessionmanager
  /var/run/pppconfd
  /var/run/vpncontrol.sock

Changelog 9/19/23
Uploaded my Cisco Umbrella Legacy Migration Report for reference.
https://datatracker.ietf.org/wg/masque/documents/ - tunneling over UDP with QUIC.
Changelog 9/23/23
Added to script
  sudo pmset -a womp 0
  sudo pmset -a sleep 1
  sudo pmset -a displaysleep 2
  sudo pmset -a networkoversleep 0
  sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -bool true; /bin/launchctl kickstart -k system/com.apple.locationd
  sudo /usr/bin/defaults write /Library/Preferences/com.apple.locationmenu.plist ShowSystemServices -bool true
  sudo /usr/sbin/systemsetup -f -setremotelogin off >/dev/null
  sudo /bin/launchctl disable system/com.openssh.sshd

Changelog 9/24/23
Added to script (may be excessive for most… or make it harder to read certain files).
  sudo /bin/chmod -RN /var/audit
  sudo /bin/chmod -N /var/audit
  sudo /bin/launchctl enable system/com.apple.auditd
  sudo /bin/launchctl bootstrap system /System/Library/LaunchDaemons/com.apple.auditd.plist
  sudo /usr/sbin/audit -i
  sudo /bin/chmod -N /etc/security/audit_control
  sudo /usr/bin/chgrp wheel /etc/security/audit_control
  sudo /bin/chmod 440 /etc/security/audit_control
  sudo /usr/sbin/chown root /etc/security/audit_control
  sudo /usr/bin/chgrp -R wheel /var/audit/*
  sudo /bin/chmod 440 /var/audit/*
  sudo /usr/bin/chgrp wheel /var/audit
  sudo /usr/sbin/chown root /var/audit
  sudo /bin/chmod 700 /var/audit
  sudo /usr/bin/sed -i.bak 's/^expire-after.*/expire-after:7d/' /etc/security/audit_control; /usr/sbin/audit -s
  sudo /usr/sbin/nvram boot-args=""
  sudo /usr/bin/security authorizationdb write system.login.screensaver "use-login-window-ui"
Added to U_Apple_macOS_PrivateRelay_VAH.mobileconfig:
  <key>allowCloudReminders</key> <false/>
  <key>allowCloudAddressBook</key> <false/>
  <key>allowCloudCalendar</key> <false/>
  <key>allowCloudFreeform</key> <false/>
  <key>allowCloudMail</key> <false/>
  <key>allowCloudNotes</key> <false/>
  <key>allowAirDrop</key> <false/>
  <key>allowActivityContinuation</key> <false/>
  <key>forceOnDeviceOnlyDictation</key> <true/>
  <key>allowPasswordProximityRequests</key> <false/>
  <key>allowPasswordSharing</key> <false/>
  <key>allowAirPlayIncomingRequests</key> <false/>
  <key>allowDiagnosticSubmission</key> <false/>
  <key>allowApplePersonalizedAdvertising</key> <false/>
  <key>allowAssistant</key> <false/>
  <key>allowCloudBackup</key> <false/>
  <key>allowSharedStream</key> <false/>
  <key>forceAirDropUnmanaged</key> <true/>
  <key>forceAirPlayOutgoingRequestsPairingPassword</key> <true/>
  <key>allowUnmanagedToReadManagedContacts</key> <false/>
  <key>allowManagedToWriteUnmanagedContacts</key> <false/>
  <key>allowOpenFromManagedToUnmanaged</key> <false/>
  <key>allowOpenFromUnmanagedToManaged</key> <false/>
  <key>allowPairedWatch</key> <false/>
  <key>forceWatchWristDetection</key> <true/>
  <key>allowAutoUnlock</key> <false/>
  <key>allowHostPairing</key> <false/>
Check out https://github.com/usnistgov/macos_security for the latest Mac OS and iOS guidance, for which I have the zip files on my iCloud Share:
  MSCP_Ventura_Rev_3.0.zip
  MSCP_Sonoma_Rev_1.0.zip
  MSCP_iOS_17_Rev_1.0.zip

Changelog 9/25/23
Added inbound block for port 631 on Vallum and Vallum_UmbrellaDNSOnly

Changelog 9/26/23
Added p28-content.icloud.com to Cisco Umbrella Global Allow List. Added inbound block for the Murus application in Vallum and Vallum_UmbrellaDNSOnly. Added the new Vallum application zip… vallum-4.1.1.zip

Changelog 10/23/23
Added in Vallum and Vallum_UmbrellaDNSOnly rules to allow Cisco Secure Client network access. Fixed a port 53 issue in Vallum for Cisco/Umbrella clients as well.

Changelog 10/27/23
Added Vallum 4.1.2.zip - this seems to be a silent update that isn’t seen via the check for updates in the app… but is on the website.

Changelog 10/29/23
Fixed an issue with Vallum and Vallum_UmbrellaDNSOnly where 3rd Party Apps weren’t allowed communication. This also prevented updates… I think. I was unable to update to 13.6.1 and had to allow everything. These Vallum configurations may be revised shortly.
Changelog 10/30/23
Added the following iCloud sites to the Cisco Umbrella Global Allow List:
  p25-content.icloud.com
  p23-content.icloud.com
  p27-content.icloud.com
  p63-content.icloud.com
  p59-sharedstreams.icloud.com

Changelog 11/6/23
Cleaned up inbound outbound rules for Murus and Murus_UmbrellaDNSOnly. Fixed Vallum and Vallum_UmbrellaDNSOnly rules - removing 3rd party apps rule.

Changelog 11/12/23
Added p55-content.icloud.com to the Global Allow List in Cisco Umbrella.

Changelog 11/12/23
Added foodcoop.com to the Global Allow List in Cisco Umbrella. I’m a member of the Park Slope Food Coop since 2009…. What an interesting place.

Changelog 12/10/23
Added p42-content.icloud.com to the Global Allow List in Cisco Umbrella.

Changelog 12/11/23
Added dropboxexperiment.com to the Global Allow List in Cisco Umbrella. Added the Security Technical Implementation Guides (STIGs) for U_Apple_iOS-iPadOS_17_V1R1_STIG.zip and U_Apple_macOS_13_V1R3_STIG.zip from public.cyber.mil - really good!

Changelog 12/14/23
Apple changed something with mobile hotspots and how their systems work… so I needed to enable ipv6 and some other protocols…. The hunt is on for what changed. I think it was done to facilitate QUIC protocol. More research is needed…. I just know I needed to re-enable ipv6 on Wi-fi and Thunderbolt Bridge and remove all ipv6 blocking rules and enable ipv6 on DNS and it looks like sscopmce protocol is used in lookup… which I had disabled. Still finding what changed… Vallum is broken for my mobile hotspot at least.

Changelog 12/19/23
I removed the NEW_Vallum and NEW_Murus rules as I can’t find what changed and I think it makes the machine insecure in order to get an internet connection.

Changelog 1/26/24
New Vallum and Vallum_UmbrellaDNSOnly rules… less restrictive with what process can talk to Umbrella servers and added a block for protocol 7 (CBT - https://datatracker.ietf.org/doc/rfc2189/) on the inbound and outbound.
New Murus and Murus_UmbrellaDNSOnly rules… added the block for CBT (protocol 7). Added theflixertv.to - free movie site - to Umbrella Allow List. Created a miniscript version without some of the archaic permission edits.

Changelog 1/29/24
Shaking Vallum rules down to one profile for UmbrellaDNS_Only:
  Adding inbound rule app fingerprint for port 53 for Captive Network Assistant and Cisco Secure Client
  Adding inbound rule app fingerprint for group Umbrella (all addresses whitelist) for Captive Network Assistant and Cisco Secure Client
  Removing ipv6 blocks for inbound
  Making inbound DHCP ipv6 compatible - 67-68, 546-547
  Making outbound DHCP ipv6 compatible - 67-68, 546-547
  Changing outbound Captive Network Assistant to ipv6 compatible
  Restricting Umbrella to the Cisco Secure Client and removing old app signatures for Umbrella Client
  Removed ipv6 outbound blocks
  Adding any rule for protocol version on outbound rules.
  Removed blocks on ipv6-local-nets on the inbound and outbound side
  Removed a local block for the Accordance app.
Cleaned up the STIGs… I use the default ones (with some modifications from the Public DOD site). :-) AppControl silences some apps on my system that I don’t like… sorta like removing apps on your iPhone.

Changelog 2/1/24
Added back the Haley SSH blocklist to Murus and Murus_UmbrellaDNSOnly - 54k + bad ssh addresses - https://iplists.firehol.org/files/haley_ssh.ipset

Changelog 2/21/24
Fixed some multicast/igmp/ipv6 rules in Murus and Murus_UmbrellaDNSOnly.
Still have to fix Vallum…

Changelog 2/24/24
Added, as per firewalld (Linux) and the existing protocol 41 block, the IP addresses for 6to4 tunnels - 2002::/16 and 192.88.99.0/24. https://www.rfc-editor.org/rfc/rfc3964 https://insights.sei.cmu.edu/blog/exfiltration-with-ipv6-tunnels-on-windows/

Changelog 2/25/24
Added to Ban in Vallum_UmbrellaDNSOnly, as per firewalld (Linux) and the existing protocol 41 block, the IP addresses for 6to4 tunnels - 2002::/16 and 192.88.99.0/24. https://www.rfc-editor.org/rfc/rfc3964 https://insights.sei.cmu.edu/blog/exfiltration-with-ipv6-tunnels-on-windows/ Added an outbound rule to allow Cisco Secure Client to connect to any address on port 53 for DNS lookup. Added a rule to allow the Loop Group - Trusted System Process outbound connections. Changed DHCP to allow outbound 67, 547 for IPv4 and IPv6. Changed DHCP to allow inbound 68, 546 for IPv4 and IPv6 respectively. There may be an issue with hotspot DHCP (a protocol or Apple process that bypasses/escapes certain rules) and iCloud syncing (a hidden process I'm looking for).

Changelog 2/27/24
I switched from Cisco Meraki to Jamf NOW! Way better.

Changelog 3/13/24
Removed Haley SSH from the Lists Library as it seems to be maxing out the memory usage for Murus. https://iplists.firehol.org/files/haley_ssh.ipset #reflected in Murus and Murus_UmbrellaDNSOnly

Changelog 4/4/24
Changed the default Restrictions and Password Policy - fixing what seemed to be issues with the Payload Identifier and the UUID Payload numbers being reused in the MDM profile, which might be my fault. But once fixed… it all worked fine. Check those Jamf/MDM logs on what's not being applied and why. Thank you Jamf! I didn't see these same details in Meraki. AppControl has been updated to disable more applications. The restriction is built for a web-only system with only a few local apps. The idea is a smaller attack footprint (minimal external software) and fewer usable avenues… since everything and its grandmother now calls to the web.
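As an added illustration (not the repository's own Murus or Vallum export), here is how the blocks described in the entries above look in pf.conf syntax, the rule language underneath Murus: the protocol 41 and 6to4 address blocks (2/24/24 and 2/25/24), the CBT protocol 7 block (1/26/24), the IPv4/IPv6 DHCP port pairs (1/29/24 and 2/25/24), DNS restricted to Umbrella, the port 443 whitelist to Umbrella (4/9/24), and APNS on TCP 5223 to Apple (4/24/24). The interface name en0, the table names, Apple's 17.0.0.0/8 block and the two IPv4 Umbrella resolver addresses are assumptions; the 192.229.221.95 address and the two 2a04:e4c7 /48 ranges are the ones this README lists in the 5/28/24 and 11/7/24 entries.

```pf
# Added example, not the repository's own ruleset. pf.conf fragment that
# mirrors the changelog entries. Interface en0 and table names are assumptions.

# 6to4 relay anycast (192.88.99.0/24, RFC 3068) and the 6to4 prefix
# (2002::/16, RFC 3056), as in the 2/24/24 and 2/25/24 entries.
table <sixtofour> const { 192.88.99.0/24, 2002::/16 }

# Umbrella resolvers. 192.229.221.95 and the two IPv6 /48s are from this
# README; 208.67.222.222 and 208.67.220.220 are the public OpenDNS/Umbrella
# anycast resolvers and are an assumption here (the README does not list them).
table <umbrella> const { 208.67.222.222, 208.67.220.220, 192.229.221.95, \
                         2a04:e4c7:ffff::/48, 2a04:e4c7:fffe::/48 }

# Apple's address block for APNS. 17.0.0.0/8 is an assumption, not from the page.
table <apple> const { 17.0.0.0/8 }

set block-policy drop
set skip on lo0

# Default deny in both directions; the "pass quick" rules below punch holes.
block log all

# IPv6-in-IPv4 (protocol 41) and the 6to4 addresses, both directions.
block drop quick proto 41 all
block drop quick from <sixtofour> to any
block drop quick from any to <sixtofour>

# CBT (protocol 7), both directions, per the 1/26/24 entry.
block drop quick proto 7 all

# DHCP client traffic: IPv4 on 67/68, DHCPv6 on 546/547.
pass out quick on en0 inet  proto udp from any port 68  to any port 67
pass in  quick on en0 inet  proto udp from any port 67  to any port 68
pass out quick on en0 inet6 proto udp from any port 546 to any port 547
pass in  quick on en0 inet6 proto udp from any port 547 to any port 546

# DNS only to Umbrella; any other resolver is dropped and logged.
pass out quick on en0 proto { tcp, udp } from any to <umbrella> port 53
block drop log quick on en0 proto { tcp, udp } from any to any port 53

# Umbrella over HTTPS (4/9/24) and APNS on TCP 5223 to Apple only (4/24/24).
pass out quick on en0 proto tcp from any to <umbrella> port 443
pass out quick on en0 proto tcp from any to <apple> port 5223

# Syntax check without loading:  pfctl -nf /etc/pf.conf
# Show what is loaded:           pfctl -sr ; pfctl -t umbrella -T show
```

Because `quick` makes the first matching rule final, the order matters: the protocol and 6to4 blocks sit above every pass rule so no later whitelist can reopen them, and the DNS block line directly under the Umbrella pass is what turns "allow DNS to Umbrella" into "allow DNS only to Umbrella". The captive portal and hotspot breakage described in later entries is the expected cost of that last line, since those flows need a resolver that is not Umbrella until the portal is cleared.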
Changelog 4/6/24
Removed some rules and added the macsec rules from NIST's macOS Security (high) guidance exactly as typed. Some things are freer and some things have a definitive restriction. This is for Murus and Murus_UmbrellaDNSOnly. Updated the AppControl to block access to the Users folder. This might be really restrictive for applications located in that folder.

Changelog 4/8/24
Added the following IP addresses to the Ban lists in DYNDNS in Vallum_UmbrellaDNSOnly (the only Vallum config). These are IP addresses that redirect to malware: 69.30.245.146, 78.47.71.170, 104.21.11.31, 52.223.29.44

Changelog 4/9/24
Updated Restrictions 3 with some new policy edits… making some things automatic. Use at risk, as the originator said… that's written wrong for a reason. Edited the mini script with some personal edits to make some things harder for myself. Use at your own risk. Removed from the Ban list in Vallum_UmbrellaDNSOnly (added to Ban in Vallum): 127.0.0.0/8, 0.0.0.0/8, 192.0.2.0/24, 240.0.0.0/4, to allow sharing again. Removed the rule blocking multicast addresses. Added IGMP routing. Added an inbound pass for the Umbrella group - basically a whitelist. Changed the order for outbound DNS traffic… and added an outbound whitelist for all port 443 traffic to Umbrella.

Changelog 4/17/24
Added port 53 access for all apps to Umbrella.

Changelog 4/24/24
Added sudo /usr/bin/security authorizationdb write system.login.screensaver "authenticate-session-owner" to the miniscript as per the latest NIST Guidance. Added a new Service called APNS for TCP port 5223 communications to the Apple servers in Murus and Murus_UmbrellaDNSOnly. Added a new outbound rule in Vallum_UmbrellaDNSOnly to allow communications to APNS TCP port 5223 to Apple Services only. Updated the latest NIST Guidance zips for Sonoma, Ventura and iOS 17 to this share.
Get all the guidance and tips and help here: https://github.com/usnistgov/macos_security

Changelog 4/28/24
Really interesting reading… no changes made to the firewalls… https://www.wireguard.com/ https://datatracker.ietf.org/doc/html/draft-pauly-taps-transport-security-01 https://datatracker.ietf.org/doc/html/rfc8922 German hosting service, $2.00: https://www.altinsoft.net/germany-linux-hosting

Changelog 5/6/24
No firewall changes: I'd recommend looking at these underlying techs to WireGuard… especially Mosh. https://mosh.org/#techinfo http://noiseprotocol.org If you haven't, please update to the latest version of the Cisco Secure Client… I'm not sure if my firewall rules don't allow notification for updates… but I had to check manually and download mine from the Cisco Umbrella website.

Changelog 5/7/24
Added a rule to Vallum_UmbrellaDNSOnly for Cisco's Developer ID. Removed some honeypot inbound rules. Sorry.

Changelog 5/9/24
Created a UmbrellaDNSOnly_Haley SSH profile that has the Haley SSH list added back to it. Sometimes the list causes a memory error on my M1 MacBook Air (2020). But it might run fine on all your newer (2021+) machines. http://iplists.firehol.org/?ipset=haley_ssh

Changelog 5/21/24
I am getting some errors with Murus and Murus_UmbrellaDNSOnly loading on system startup… so I am removing some lists that never update.
I am doing the following to the Ban list in Vallum: 185.94.190.158 from https://secureupdates.checkpoint.com/IP-list/IP-blacklist.txt and 192.9.135.73 from https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
I have removed the following lists from this version of Murus:
- Removed CruzIT Web Attacks, which hasn't been updated since 2023: http://iplists.firehol.org/?ipset=cruzit_web_attacks
- Removed SpamHaus_edrop for duplicates with SpamHaus_Drop: http://iplists.firehol.org/?ipset=spamhaus_edrop
- Removed CyberCrime for duplicates with Firehol_WebClient: http://iplists.firehol.org/?ipset=cybercrime
- Removed XRoxy_30D, which hasn't been updated since 2023: http://iplists.firehol.org/?ipset=xroxy_30d
- Removed the direct connection to BinaryDefense… only pulling the Firehol list: http://iplists.firehol.org/?ipset=bds_atif
I have added Haley_SSH to all Murus versions - http://iplists.firehol.org/?ipset=haley_ssh

Changelog 5/22/24
Removed the Apple Anchors from all versions of Murus configurations.

Changelog 5/27/24
Updated my modified .mil profiles to App Control 2 and Restrictions Policy 5. There were some loopholes that I think I closed and some stuff that an editor didn't recognize. Cleaned up Vallum_Umbrella_DNSOnly…. Removed some open rules… some stuff might break. Like captive portal assistants. Still trying to figure out Personal Hotspots on iPhone and their use of sscopmce… which I block.

Changelog 5/28/24
Added 192.229.221.95 to the Umbrella list in Vallum_UmbrellaDNSOnly… seems it was missing.

Changelog 6/1/24
Made some changes to Restrictions Policy 5… err… not changing the name. I'm using iMazing Profile Editor. It has a caveat: if you add a configuration change and then remove it, a change is made to the profile… it adds a hidden VPN configuration (or so is recorded by Jamf NOW) that prohibits it being applied. Dot those I's and cross those T's like crosshairs. +.
x-x

Changelog 6/11/24
Added p49-content.icloud.com and p32-content.icloud.com to the Cisco Umbrella Global Allow List. Updated Restrictions Policy 5 with the Apple Profile updates via iMazing Profile Editor.

Changelog 6/20/24
DISA link for cybersecurity training: https://fedvte.usalearning.gov DISA link for the general public: https://fedvte.usalearning.gov/public_fedvte.php

Changelog 9/1/24
After updating the restrictions policy, the network filter extensions and the filters have to be turned back on…. because Jamf Now does not allow a replacement feature like Jamf Pro or Cisco Meraki, and I have to re-enable full-disk access for Vallum ES.

Changelog 9/6/24
Finally "fixed" a setting in my Restrictions Policy 5…. lol… so it's working properly. Updated some new settings Apple added.

Changelog 9/18/24
Restrictions Policy 6 - updated for the new OS and also Sonoma… fixed some errors… something about remote viewing with Classroom and a Dock issue. Set apps to open fullscreen.

Changelog 10/1/24
Changed the removal date for the Restrictions Policy 6 profile. Added the Vallum 5 Umbrella_DNS_Only config. My version of Umbrella DNS is going away… I cannot renew it so I am looking for an alternative. In fact, all Home versions of Umbrella are going away. You'll have to purchase a Corporate version at a corporate price point. Also, Cisco has removed the personal store for updating your credit cards and renewing ahead of expiration. Please be aware and tell your friends and family. You'll lose protection on the last date of your subscription.

Changelog 10/2/24
Updated Restrictions Policy 6 to block the Improve Siri and Search options that are in Diagnostic Submissions under Privacy and Security. I am using iMazing Profile Editor and their options are not the same as listed in the NIST Guidance.

Changelog 10/4/24
Stage1 and AppControl v3 are my only two mobile profiles. They are not signed. Free to use at your own risk!
Changelog 10/16/24
Removed https://talosintelligence.com/documents/ip-blacklist and https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt - added port 2228 for ovh.net in Murus. Vallum has an inbound block for unsigned apps. Extensions profile for Cisco and Team Murus apps called Baseline. Updated script file. Removed USG files… which are freely available online… also visit the CIA website for reading that is quite informative. The Freedom of Information Act. READ READ READ.

Changelog 11/7/24
Added the following IP addresses to the Umbrella whitelist group as per Cisco Talos filtering (2a04:e4c7:ffff::/48, 2a04:e4c7:fffe::/48) in both Murus and Vallum rules.

Changelog 11/26/24
Added some more OVH ranges to Murus_UmbrellaDNSOnly. Added sudo defaults write /Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool TRUE to the script, without which login and logout scripts won't run as part of an MDM profile.

Zelle me: vaughn@aegisitnyc.com or 646-284-4291 or 347-559-1619. If you have work, reach out to me!

Social Media: https://www.linkedin.com/in/vahart https://github.com/vaughnhart https://www.icloud.com/iclouddrive/0Si4df9qaPgUT9KzgqsroSIcw#MurusVallum

Command line quicksheet:
sudo tcpdump -i en0 -s0 -c 1100 -AeHnnttttvvv -w test.pcap
sudo lsof -i -n -P
netstat -arn
arp -an
who -a
umask
sudo launchctl config user umask 077
sudo log collect --output ~/Desktop/SystemLogs.logarchive --last 20m
grep -w 'console' /private/etc/ttys
sudo defaults write /Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool TRUE
In Console, search for it.murus.Vallum.AFW to see the running log.
About
Murus (pf) and Vallum (afw?) configurations layered with Cisco Umbrella and Firehol. Test it and let me know what you think! It's free for all!