#!/bin/bash
# pf ruleset that enable_midline appends to /etc/pf.conf before loading it.
# The string is single-quoted, so "$if" and "$allowed_domains" are pf macros
# expanded by pfctl, not shell variables.
# NOTE(review): pf resolves the host names in allowed_domains when the ruleset
# is loaded, so later DNS changes are not reflected until `midline reload`
# - confirm on your pf version.
RULES='
if = "en0"
allowed_domains = "{
wikipedia.org
upload.wikimedia.org
}"
block return out proto {icmp, tcp, udp} from $if to ! $if:network
pass out proto {icmp, tcp, udp} from $if to $allowed_domains
'
run_post_connect_hook() {
  # Hook run by disable_midline once filtering has been turned off.
  # Put site-specific post-connect commands here.
  printf '%s\n' 'running scripts after block'
}
run_pre_disconnect_hook() {
  # Hook run by enable_midline just before the block rules are loaded.
  # Put site-specific pre-disconnect commands here.
  printf '%s\n' 'running scripts before block'
}
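enable_midline() {
  # Validate RULES on their own, then load /etc/pf.conf followed by RULES
  # into pf.  The state file and the "blocklist enabled" message are only
  # produced when pfctl actually accepted the combined ruleset, so a failed
  # load is no longer reported as success.
  # Returns 0 on success, 1 when RULES fail to parse or the load fails.
  local parse_out load_out
  if ! parse_out=$(echo "$RULES" | sudo pfctl -vnf - 2>&1); then
    echo "error parsing"
    echo "$parse_out"
    return 1
  fi
  run_pre_disconnect_hook
  # NOTE(review): -F rules flushes the current ruleset before the new one is
  # loaded; if the combined file fails to load (e.g. a macro in RULES clashes
  # with one in /etc/pf.conf) pf may be left without filtering rules - confirm
  # with your pfctl and check `midline status` after an error.
  if load_out=$(echo "$RULES" | cat /etc/pf.conf - | sudo pfctl -F rules -evf - 2>&1); then
    echo "enabled" > /tmp/midline
    echo "blocklist enabled"
  else
    echo "error loading rules" >&2
    echo "$load_out" >&2
    return 1
  fi
}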
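disable_midline() {
  # Restore the base ruleset from /etc/pf.conf.  The state file is removed
  # and the post-connect hook runs only when the reload succeeded; a failed
  # reload would leave the block rules active, so it is reported as an error
  # instead of "blocklist disabled".
  # Returns 0 when disabled (or already disabled), 1 when the reload fails.
  if ! midline_is_enabled; then
    echo "midline not enabled"
    return 0
  fi
  local load_out
  if ! load_out=$(sudo pfctl -f /etc/pf.conf 2>&1); then
    echo "error reloading /etc/pf.conf" >&2
    echo "$load_out" >&2
    return 1
  fi
  echo "blocklist disabled"
  rm -f /tmp/midline
  run_post_connect_hook
}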
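midline_is_enabled() {
  # Return 0 when the midline block rules appear to be loaded, 1 otherwise.
  # With passwordless sudo available the live pf ruleset is inspected;
  # without it the check falls back to the state file written by
  # enable_midline.  The pfctl output is kept in a local so it no longer
  # leaks into the caller's scope.
  local ruleset
  if sudo -n true 2>/dev/null; then
    ruleset=$(sudo pfctl -sr 2>&1)
    # NOTE(review): any loaded rule containing "block" - including ones that
    # come from /etc/pf.conf - counts as "enabled".  Matching a longer
    # fragment of RULES such as "block return out" would be more specific;
    # confirm against `pfctl -sr` output on this host before tightening.
    [[ "$ruleset" == *"block"* ]]
    return
  fi
  # Fallback: the state file can drift from pf's real state, and /tmp is
  # writable by every local user, so treat this as a hint rather than an
  # authoritative answer.
  [[ -f /tmp/midline ]]
}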
echo_help() {
  # Print usage, then the current RULES (tab-indented and wrapped by fold),
  # then pointers for editing them.  Reads the global RULES.
  cat <<'EOF'
midline is a wrapper for pf firewall to get you somewhere between online and offline.
usage: midline [option]
options:
on - turn filtering on
off - turn filtering off
toggle - (or no argument) toggles status of midline
status - return status of midline. exit 0 if on and 1 if off
reload - flush filters and reload; useful after changing RULES
rules:
EOF
  printf '\t%s\n' "$RULES" | fold | awk '{ print "\t" $0 }'
  cat <<'EOF'
These can be edited by changing RULES in midline script. Make sure to
`midline reload` after updated RULES.
See https://www.openbsd.org/faq/pf/filter.html for rule syntax.
EOF
}
# Command dispatch: "$1" selects the action; no argument behaves like "toggle".
case "$1" in
  on)
    if midline_is_enabled; then
      echo "midline already enabled"
    else
      enable_midline
    fi
    ;;
  reload)
    enable_midline
    ;;
  off)
    disable_midline
    ;;
  status)
    # Exit status doubles as the answer: 0 when on, 1 when off.
    if midline_is_enabled; then
      echo midline is enabled
      exit 0
    fi
    echo midline is disabled
    exit 1
    ;;
  ""|toggle)
    if midline_is_enabled; then
      disable_midline
    else
      enable_midline
    fi
    ;;
  help)
    echo_help
    ;;
  *)
    echo "command \"$1\" not recognized"
    echo_help
    exit 1
    ;;
esac