Creating whitelist of few websites from Terminal
-
03-03-2021 - |
문제
I want to block all websites except one or two websites (white list) while working for 'productivity' purposes (when I am working only). I know how to block individual websites as shown here http://www.wikihow.com/Block-and-Unblock-Internet-Sites-(On-a-Mac) but I want to block all except one or two (i.e., create a white list).
Can it be done from Terminal? (like blocking apps as in the link)
I would prefer to do it without installing any productivity apps.
해결책
To permanently block outgoing traffic to all domains except some you should create a new anchor file and add it to pf.conf and enable the included pf firewall.
Create an anchor file org.user.block.out in /private/etc/pf.anchors
sudo touch /private/etc/pf.anchors/org.user.block.out
with the following content and a trailing empty line
#whitelist mygoodhosts = "{ wikipedia.org, stackexchange.com, 197.10.15.234 }" #ports to block/pass myports = "{ 443, 80, 8080 }" block drop out proto { tcp, udp } from any to any port $myports pass out proto { tcp, udp } from any to $mygoodhosts port $myports
The additional IP address in mygoodhosts is just an example how to add additional items to the whitelist. The same goes for port 8080 in myports.
To allow complete access to stackexchange.com you have to add some more domains because some items (e.g. javascript) are loaded from third-party domains like ajax.googleapis.com.
Modify the file /private/etc/pf.conf but keep a trailing empty line
original file:
scrub-anchor "com.apple/*" nat-anchor "com.apple/*" rdr-anchor "com.apple/*" dummynet-anchor "com.apple/*" anchor "com.apple/*" load anchor "com.apple" from "/etc/pf.anchors/com.apple"
to
scrub-anchor "com.apple/*" nat-anchor "com.apple/*" rdr-anchor "com.apple/*" dummynet-anchor "com.apple/*" anchor "com.apple/*" anchor "org.user.block.out" load anchor "com.apple" from "/etc/pf.anchors/com.apple" load anchor "org.user.block.out" from "/etc/pf.anchors/org.user.block.out"
Parse and test your anchor file to make sure there are no errors:
sudo pfctl -vnf /etc/pf.anchors/org.user.block.out
Now enable the firewall:
sudo pfctl -f /etc/pf.conf -e
To disable
pf
later (after you are done with productive work) simply enter:sudo pfctl -d
The first two steps have only to be done once. If you want to add or remove a domain in the whitelist, stop the firewall, modify org.user.block.out, parse the anchor file and re-enable the firewall.
To enable logging you have to modify several files and add a launch daemon/shell script (all files created/modified probably need a trailing empty line):
Create a log file:
sudo touch /etc/log/pf.log
Modify syslog.conf by adding a line:
local2.* /var/log/pf.log
Add a shell script in /usr/local/bin/pflog.sh witht the content:
#!/bin/sh # bodged solution to absence of pflogd, ref 'Book of PF' p136 ifconfig pflog0 create /usr/sbin/tcpdump -lnettti pflog0 | /usr/bin/logger -t pf -p local2.info
Create a launch daemon /Library/LaunchDaemons/org.user.pflog.plist with the content:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>KeepAlive</key> <true/> <key>Label</key> <string>org.user.pflog</string> <key>ProgramArguments</key> <array> <string>/usr/local/bin/pflog.sh</string> </array> <key>Disabled</key> <false/> <key>RunAtLoad</key> <true/> </dict> </plist>
- Stop pfctl with
sudo pfctl -d
Modify the block drop line in /private/etc/pf.anchors/org.user.block.out to:
block drop out log (all) proto { tcp, udp } from any to any port $myports
Load the logger plist:
sudo launchctl load -w /Library/LaunchDaemons/org.user.pflog.plist
Now re-enable the firewall:
sudo pfctl -f /etc/pf.conf -e
Watch pf.log in Console.app!
After a system update or upgrade some of the original files above may have been replaced and you have to reapply all changes.
다른 팁
Basically using the same strategy as the linked article you posted but in a slightly different way.
First Get the IP addresses of the sites you want to access
Easiest way is just to ping them from Terminal, ping www.google.com
. Record the IP address. If that doesn't give you an IP address, try nslookup nslookup www.google.com
. Record the IP address.
Turn your DNS off
Manually turn your DNS server settings to nothing. If you are using DHCP you may need to set a static IP address on your Mac to accomplish this, or do it on your router / DHCP server and renew your IP.
Allow the sites you want to access
Open you hosts file from Terminal, vi /etc/hosts
and add the IP address and DNS names of the sites you wish to access
216.58.199.78 www.google.com
157.166.226.25 www.cnn.com
Add these to the end of the file.
When your done being productive
Turn you DNS settings back to normal. You may also want to comment out the lines in the hosts file with a #
.
#216.58.199.78 www.google.com
#157.166.226.25 www.cnn.com