I recently upgraded to High Sierra, and as a security conscious individual, I then enabled the system firewall by visiting System Preferences > Security & Privacy > Firewall, and clicking Turn on the Firewall. This is a great way for users to begin protecting their computer when connected to random networks. However, this falls short when you are a developer and using NFS to share code in your host-only networks.

The default OS X firewall is app-centric, meaning you can just enable NFS for a specific network, you will turn it on for all networks. This is a problem when you only need it on a few interfaces, the VirtualBox host-only networks in this case. After several hours learning about PF, and trying to get the VM’s to access to NFS, the system firewall was ultimately disabled. By configuring PF directly, the VM’s are now able to access NFS, and the system is in persistent stealth mode.

Here’s the configuration that is now used by my laptop, with ideas from Thomas Sarlandie’s Voodoo Privacy, and Gilt Tech’s post about using Docker with OS X. This may need to be tweaked if you are need any VPN interfaces to be scrubbed as well.

The following is placed in /etc/custom-pf.conf

[shell]
ext_ifs = "{" en0 en1 en2 en3 en4 en5 "}"
int_ifs = "{" lo0 vboxnet0 vboxnet1 vboxnet2 vboxnet3 vboxnet4 vboxnet5 vboxnet6 vboxnet7 vboxnet8 vboxnet9 "}"

set block-policy drop
set skip on $int_ifs
scrub in on $ext_ifs all fragment reassemble

block drop in

pass out quick keep state
[/shell]
Once that is done you need to set it up to launch at system boot by putting it in `/Library/LaunchDaemons/com.yourname.pfctl.plist`

[xml]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>com.yourname.pfctl</string>
<key>WorkingDirectory</key>
<string>/var/run</string>
<key>Program</key>
<string>/sbin/pfctl</string>
<key>ProgramArguments</key>
<array>
<string>pfctl</string>
<string>-E</string>
<string>-f</string>
<string>/etc/custom-pf.conf</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
[/xml]

Once you have that done you need to configure it

sudo launchctl load -w /Library/LaunchDaemons/com.yourname.pfctl.plist

Now the VM’s on the host-only network have full access to the host.