
Could someone help me block all incoming traffic on my network which has port forwarding set up on the router to allow incoming requests on port 27017 to be sent to the Mac running Mongo internally except for one IP address which I can specify? I tried loading a new anchor file from /etc/pf.conf. In that file I've put the following:

rdr pass on lo0 inet proto udp from xxx.xxx.xxx.xxx to any port 27017 -> 127.0.0.1 port 27017
rdr pass on lo0 inet proto tcp from xxx.xxx.xxx.xxx to any port 27017 -> 127.0.0.1 port 27017

where xxx.xxx.xxx.xxx is the IP address I want to allow in. It does allow that address in, but I think I need to do something else to block all others. The documentation of this stuff is very dense. Any help would be appreciated.

rdiddly

1 Answer


My Mac is running Catalina. Packet filtering is the solution. /etc/pf.conf configures packet filtering on the Mac. I modified that file to include two new lines:

anchor "com.mydomain"
load anchor "com.mydomain" from "/etc/pf.anchors/com.mydomain"

I created /etc/pf.anchors/com.mydomain with the content below:

block drop in log inet proto tcp from any to any port 27017
pass in quick inet proto tcp from { localhost myremote.com } to any port 27017
pass out from any to { localhost myremote.com }
table <bad-guy-block> persist file "/etc/bad-guy-block-IPs.txt"
block log from <bad-guy-block> to any

The first three lines block everybody except localhost and the IP address I want to allow in to get to 27017. The last two lines prevent any IP address in /etc/bad-guy-block-IPs.txt from being able to access any port on my box. My router is set up to only forward port 27017 to my computer, so it's overkill, but if I open other ports in the future, they'll be blocked. /etc/bad-guy-block-IPs.txt is a simple text file with IP addresses on separate lines. It's important to note that after a reboot, and indeed after modifying any of this, it's necessary to run:

sudo pfctl -f /etc/pf.conf

After a reboot, you need to include the -e option (enable). It is not enabled by default.

rdiddly
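An added example, not from the post above and not part of pf or macOS, that scripts the answer's procedure: it generates the anchor rules for a chosen allowed host and port, checks /etc/bad-guy-block-IPs.txt before pfctl loads it (a single malformed line makes `pfctl -f` reject the whole ruleset, so the block rules never take effect), and wraps the syntax check plus reload. The allowed host 203.0.113.9, the sample blocklist entries and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate the pf anchor described
# in the answer and sanity-check the blocklist before pfctl loads it.
# Allowed host, port and function names are illustrative assumptions.

# Emit the anchor rules: block every inbound TCP connection to $2 except from
# localhost and $1, then drop all traffic from addresses in the persistent table.
make_pf_anchor() {
    allowed=$1; port=$2; blocklist=$3
    cat <<EOF
block drop in log inet proto tcp from any to any port $port
pass in quick inet proto tcp from { localhost $allowed } to any port $port
pass out from any to { localhost $allowed }
table <bad-guy-block> persist file "$blocklist"
block log from <bad-guy-block> to any
EOF
}

# Return 0 if every non-blank, non-comment line of $1 looks like a dotted-quad
# IPv4 address with an optional /prefix; report offenders and return 1 otherwise.
# (pfctl performs the strict check; this only catches typos before a reload.)
validate_blocklist() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$line" |
             grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
            printf 'invalid blocklist entry: %s\n' "$line" >&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# Dry-run the ruleset first (-n), then load and enable pf. macOS, needs root.
reload_pf() {
    sudo pfctl -nf /etc/pf.conf && sudo pfctl -ef /etc/pf.conf
}
```

Write `make_pf_anchor 203.0.113.9 27017 /etc/bad-guy-block-IPs.txt` to /etc/pf.anchors/com.mydomain, run `validate_blocklist /etc/bad-guy-block-IPs.txt`, and only then `reload_pf`.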