#!/bin/bash

# Extra pf rules that enable_midline appends to /etc/pf.conf (pf macro and
# rule syntax; see https://www.openbsd.org/faq/pf/filter.html, also printed
# by `midline help`).
#   if              - the interface whose outbound traffic is restricted
#   allowed_domains - hosts that stay reachable while the blocklist is on
# The block rule rejects outbound icmp/tcp/udp from $if to anything outside
# $if's own network ("return": the peer gets a reset/unreachable reply
# instead of a silent timeout); the pass rule after it re-allows only the
# listed hosts, so local-network traffic and these hosts keep working.
# pfctl resolves the hostnames when the ruleset is loaded, so a host whose
# address changes is not matched again until `midline reload`.
# Edit this string, then run `midline reload` to apply the change.
RULES='
if = "en0"
allowed_domains = "{
    wikipedia.org
    upload.wikimedia.org
}"

block return out proto {icmp, tcp, udp} from $if to ! $if:network
pass out proto {icmp, tcp, udp} from $if to $allowed_domains
'

function run_post_connect_hook {
    # Hook run by disable_midline once the block rules have been replaced.
    # Put commands that should run after connectivity is back in here.
    printf '%s\n' "running scripts after block"
}

function run_pre_disconnect_hook {
    # Hook run by enable_midline just before the block rules are loaded.
    # Put commands that need network access before the block in here.
    printf '%s\n' "running scripts before block"
}

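#######################################
# Loads /etc/pf.conf with RULES appended and enables pf.
# Globals:   RULES (read)
# Outputs:   status messages to stdout; writes the marker /tmp/midline
# Returns:   0 when the blocklist is active, 1 when RULES fail to parse
#            or the ruleset could not be loaded
#######################################
function enable_midline {
    local parse load_err
    # Dry-run (-n) RULES on their own first so a syntax error never reaches
    # the live ruleset; -v echoes the parsed rules, shown on failure.
    if ! parse=$(echo "$RULES" | sudo pfctl -vnf - 2>&1); then
        echo "error parsing"
        echo "$parse"
        return 1
    fi
    run_pre_disconnect_hook
    # Flush the current filter rules (-F rules) and load the system config
    # with RULES appended. The load status is checked: a failed load must
    # not be reported as "blocklist enabled" or recorded in the marker file,
    # otherwise the user believes traffic is filtered when it is not.
    if ! load_err=$(echo "$RULES" | cat /etc/pf.conf - | sudo pfctl -F rules -f - 2>&1); then
        echo "failed to load rules"
        echo "$load_err"
        return 1
    fi
    # Enable pf as a separate step: when pf is already running (e.g. on
    # "reload") pfctl reports "pf already enabled" and may exit non-zero,
    # which must not be mistaken for a load failure, so its status is ignored.
    sudo pfctl -e > /dev/null 2>&1
    # NOTE(review): /tmp/midline is a predictable path in a directory every
    # local user can write to. It is only the fallback indicator read by
    # midline_is_enabled when sudo credentials are not cached, so it can
    # make "status" lie but cannot change the ruleset.
    echo "enabled" > /tmp/midline
    echo "blocklist enabled"
}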

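#######################################
# Replaces the live ruleset with /etc/pf.conf alone, dropping RULES.
# Outputs:   status messages to stdout; removes the marker /tmp/midline
# Returns:   0 when the blocklist is gone (or was never on), 1 when the
#            base config could not be reloaded
#######################################
function disable_midline {
    local load_err
    if midline_is_enabled; then
        # If reloading the base config fails the block rules are still
        # live, so keep the marker and say so instead of claiming
        # "blocklist disabled".
        if ! load_err=$(sudo pfctl -f /etc/pf.conf 2>&1); then
            echo "failed to reload /etc/pf.conf; blocklist still active"
            echo "$load_err"
            return 1
        fi
        echo "blocklist disabled"
        rm -f /tmp/midline
        run_post_connect_hook
    else
        echo "midline not enabled"
    fi
}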

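#######################################
# Reports whether the block rules are currently loaded.
# Returns:   0 when the blocklist is on, 1 when it is off
#######################################
function midline_is_enabled {
    local rules
    if sudo -n true 2>/dev/null; then
        # Cached sudo credentials are available: ask pf directly, which is
        # the source of truth. Any rule containing "block" counts, which
        # assumes /etc/pf.conf itself carries no block rules — confirm on a
        # system with a customised base config.
        rules=$(sudo pfctl -sr 2>&1)
        [[ "$rules" == *"block"* ]]
    else
        # No cached credentials (sudo would prompt): fall back to the marker
        # written by enable_midline. It can get out of sync if pf is changed
        # outside this script, and any local user can create the file.
        [[ -f /tmp/midline ]]
    fi
}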

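#######################################
# Prints usage, the current RULES (tab-indented, wrapped by fold) and a
# pointer to the pf rule syntax, all on stdout.
# Globals:   RULES (read)
#######################################
function echo_help {
    # "help" is accepted by the dispatcher below, so it is listed here too.
    printf '%s\n' "midline is a wrapper for pf firewall to get you somewhere between online and offline.

usage: midline [option]

options:

  on     - turn filtering on
  off    - turn filtering off
  toggle - (or no argument) toggles status of midline
  status - return status of midline. exit 0 if on and 1 if off
  reload - flush filters and reload; useful after changing RULES
  help   - show this help

rules:"
    # printf keeps any backslash in RULES literal, where echo -e would
    # have interpreted it.
    printf '\t%s\n' "$RULES" | fold | awk '{ print "\t" $0 }'
    printf '%s\n' "These can be edited by changing RULES in midline script. Make sure to
\`midline reload\` after updated RULES.

See https://www.openbsd.org/faq/pf/filter.html for rule syntax."
}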

# Command dispatch: the first argument selects the action; no argument
# behaves like "toggle". Unknown commands print help and exit 1.
case "$1" in
    on)
        if midline_is_enabled; then
            echo "midline already enabled"
        else
            enable_midline
        fi
        ;;
    reload)
        enable_midline
        ;;
    off)
        disable_midline
        ;;
    status)
        # Exit status doubles as the answer: 0 when on, 1 when off.
        if midline_is_enabled; then
            echo midline is enabled
            exit 0
        fi
        echo midline is disabled
        exit 1
        ;;
    ""|toggle)
        if midline_is_enabled; then
            disable_midline
        else
            enable_midline
        fi
        ;;
    help)
        echo_help
        ;;
    *)
        echo "command \"$1\" not recognized"
        echo_help
        exit 1
        ;;
esac