[
  {
    "path": "README.md",
    "content": "## Preventing OS X from phoning home to Cupertino\n\n### Why\n\n* When you're pentesting, you want your machine to stay absolutely quiet.\n* When you're connected to public wifi, eavesdroppers may glean personal information from traffic inadvertently generated by your machine. (Some of the hardcoded URLs use unencrypted http.)\n* If you're a dissident, your whereabouts may be revealed and you may not even know it.\n\n### How\n\n* I searched the entire OS X Mavericks base installation for hardcoded URLs and IP addresses. The domain names used in the URLs are hardwired to 127.0.0.1 in `/etc/hosts`. The IP addresses are natted to 127.0.0.1 in `/etc/pf.conf`. A number of LaunchAgents, LaunchDaemons, UserEventPlugins plus all Dashboard Widgets should be disabled by moving them to, say, `/root/disabled/`. Those are listed in `disabled-services`.\n* Edit `/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist` and add the undocumented option `-NoMulticastAdvertisements`.\n* Disable Dashboard: `defaults write com.apple.dashboard mcx-disabled -boolean YES && killall Dock`\n* Disable some IPv6 features of dubious merit in `/etc/sysctl.conf`.\n\n### Caution\n\n* This is for Mavericks, not Yosemite.\n* It will yield a machine that stays quiet when connected to a network but at the expense of convenience features like push notifications. Also, the log files will show a few error messages because of unavailable services.\n* Several services regularly contact www.apple.com to check for network connectivity. Thus, www.apple.com is blacklisted in `/etc/hosts`. Comment out that entry manually whenever you want to browse that website.\n* When connected to a wifi, the machine will regularly send EAPOL packets which cannot be disabled because OS X cannot packet filter on Layer 2. (`pfctl(8)` only filters on layer 3 and upwards and `ipfw(8)` doesn't work either.)\n* OS X stores wifi passwords in NVRAM. This is apparently used by Internet Recovery. 
Thus, whenever your machine is stolen or lent to someone else, consider your wifi passwords compromised, regardless of whether the disk was encrypted. It seems that FindMyMacd clears the NVRAM if the machine was stolen but this is not safe: FindMyMacd itself is apparently controlled by NVRAM variables and a thief may change these to disable it. Wifi passwords can be retrieved from NVRAM like this:\n```\n/usr/libexec/airportd readNVRAM\n\n/usr/sbin/nvram 36C28AB5-6566-4C50-9EBD-CBB920F83843:current-network\n/usr/sbin/nvram 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-networks\n/usr/sbin/nvram 36C28AB5-6566-4C50-9EBD-CBB920F83843:preferred-count\n```\n\nNote: This does not work anymore since High Sierra.\n\nNote: Deauthing your device from your AppleID will clear the NVRAM for you.\n\n### Ideas for further hacks\n\n* Use a proxy on the local machine to MitM or spoof traffic to Cupertino.\n"
  },
  {
    "path": "disabled-services",
    "content": "/System/Library/InternetAccounts/*\n/System/Library/LaunchAgents/com.apple.syncdefaultsd.plist\n/System/Library/LaunchAgents/com.apple.AddressBook.SourceSync.plist\n/System/Library/LaunchAgents/com.apple.AOSPushRelay.plist\n# tests reachability of www.apple.com\n/System/Library/LaunchAgents/com.apple.CalendarAgent.plist\n/System/Library/LaunchAgents/com.apple.CalendarAgentLauncher.plist\n/System/Library/LaunchAgents/com.apple.EscrowSecurityAlert.plist\n/System/Library/LaunchAgents/com.apple.IMLoggingAgent.plist\n/System/Library/LaunchAgents/com.apple.ManagedClient.agent.plist\n/System/Library/LaunchAgents/com.apple.ManagedClient.enrollagent.plist\n/System/Library/LaunchAgents/com.apple.Maps.pushdaemon.plist\n/System/Library/LaunchAgents/com.apple.SocialPushAgent.plist\n/System/Library/LaunchAgents/com.apple.aos.migrate.plist\n/System/Library/LaunchAgents/com.apple.appstoreupdateagent.plist\n/System/Library/LaunchAgents/com.apple.apsctl.plist\n/System/Library/LaunchAgents/com.apple.bookstoreagent.plist\n/System/Library/LaunchAgents/com.apple.cmfsyncagent.plist\n/System/Library/LaunchAgents/com.apple.coreservices.appleid.authentication.plist\n/System/Library/LaunchAgents/com.apple.findmymacmessenger.plist\n/System/Library/LaunchAgents/com.apple.gamed.plist\n/System/Library/LaunchAgents/com.apple.icbaccountsd.plist\n/System/Library/LaunchAgents/com.apple.icloud.AOSNotificationAgent.plist\n/System/Library/LaunchAgents/com.apple.icloud.AOSNotificationLoginAgent.plist\n/System/Library/LaunchAgents/com.apple.identityservicesd.plist\n/System/Library/LaunchAgents/com.apple.imagent.plist\n/System/Library/LaunchAgents/com.apple.librariand.plist\n/System/Library/LaunchAgents/com.apple.mbloginhelper.user.plist\n/System/Library/LaunchAgents/com.apple.mbpluginhost.user.plist\n/System/Library/LaunchAgents/com.apple.maspushagent.plist\n/System/Library/LaunchAgents/com.apple.mdmclient.agent.plist\n/System/Library/LaunchAgents/com.apple.mdmclient.cloudconfig.agent.plis
t\n/System/Library/LaunchAgents/com.apple.quicklook.config.plist\n/System/Library/LaunchAgents/com.apple.safaridavclient.plist\n/System/Library/LaunchAgents/com.apple.sbd.plist\n/System/Library/LaunchAgents/com.apple.security.cloudkeychainproxy.plist\n/System/Library/LaunchAgents/com.apple.security.keychain-circle-notification.plist\n/System/Library/LaunchAgents/com.apple.sharingd.plist\n/System/Library/LaunchAgents/com.apple.store_helper.plist\n/System/Library/LaunchAgents/com.apple.storeagent.plist\n/System/Library/LaunchAgents/com.apple.syncservices.SyncServer.plist\n/System/Library/LaunchAgents/com.apple.syncservices.uihandler.plist\n/System/Library/LaunchAgents/com.apple.ubd.plist\n/System/Library/LaunchAgents/com.apple.wifi.WiFiKeychainProxy.plist\n/System/Library/LaunchAgents/com.apple.accountsd.plist\n/System/Library/LaunchDaemons/com.apple.apsd.plist\n/System/Library/LaunchDaemons/com.apple.AOSNotificationOSX.plist\n/System/Library/LaunchDaemons/com.apple.FileSyncAgent.sshd.plist\n/System/Library/LaunchDaemons/com.apple.ManagedClient.cloudconfigurationd.plist\n/System/Library/LaunchDaemons/com.apple.ManagedClient.enroll.plist\n/System/Library/LaunchDaemons/com.apple.ManagedClient.plist\n/System/Library/LaunchDaemons/com.apple.ManagedClient.startup.plist\n/System/Library/LaunchDaemons/com.apple.awacsd.plist\n/System/Library/LaunchDaemons/com.apple.coreservices.appleid.passwordcheck.plist\n/System/Library/LaunchDaemons/com.apple.eapolcfg_auth.plist\n/System/Library/LaunchDaemons/com.apple.familycontrols.plist\n/System/Library/LaunchDaemons/com.apple.findmymac.plist\n/System/Library/LaunchDaemons/com.apple.findmymacmessenger.plist\n/System/Library/LaunchDaemons/com.apple.iCloudStats.plist\n/System/Library/LaunchDaemons/com.apple.laterscheduler.plist\n/System/Library/LaunchDaemons/com.apple.locationd.plist\n/System/Library/LaunchDaemons/com.apple.mbicloudsetupd.plist\n/System/Library/LaunchDaemons/com.apple.mdmclient.daemon.plist\n/System/Library/LaunchDaemons/
com.apple.msrpc.echosvc.plist\n/System/Library/LaunchDaemons/com.apple.msrpc.lsarpc.plist\n/System/Library/LaunchDaemons/com.apple.msrpc.mdssvc.plist\n/System/Library/LaunchDaemons/com.apple.msrpc.netlogon.plist\n/System/Library/LaunchDaemons/com.apple.msrpc.srvsvc.plist\n/System/Library/LaunchDaemons/com.apple.msrpc.wkssvc.plist\n# will listen to ports 137, 138 even if turned off in Sharing PrefPane\n/System/Library/LaunchDaemons/com.apple.netbiosd.plist\n/System/Library/LaunchDaemons/com.apple.preferences.timezone.admintool.plist\n/System/Library/LaunchDaemons/com.apple.preferences.timezone.auto.plist\n/System/Library/LaunchDaemons/com.apple.remotepairtool.plist\n/System/Library/LaunchDaemons/com.apple.rpmuxd.plist\n/System/Library/LaunchDaemons/com.apple.security.FDERecoveryAgent.plist\n# this one is getting on my nerves\n/System/Library/LaunchAgents/com.apple.TMHelperAgent.SetupOffer.plist\n/System/Library/UserEventPlugins/AutoTimeZone.plugin\n/System/Library/UserEventPlugins/BTMMPortInUseAgent.plugin\n/System/Library/UserEventPlugins/CaptiveSystemAgent.plugin\n/System/Library/UserEventPlugins/CaptiveUserAgent.plugin\n/System/Library/UserEventPlugins/EAPOLMonitor.plugin\n/System/Library/UserEventPlugins/LocationMenu.plugin\n/System/Library/UserEventPlugins/com.apple.locationd.events.plugin\n/System/Library/UserEventPlugins/com.apple.reachability.plugin\n# new with 10.9.3\n/System/Library/LaunchAgents/com.apple.appleseed.seedusaged.plist\n/System/Library/LaunchDaemons/com.apple.appleseed.fbahelperd.plist\n"
  },
  {
    "path": "hosts",
    "content": "##\n# Host Database\n#\n# localhost is used to configure the loopback interface\n# when the system is booting.  Do not change this entry.\n##\n127.0.0.1\tlocalhost\n255.255.255.255\tbroadcasthost\n::1             localhost\nfe80::1%lo0\tlocalhost\n#\n127.0.0.1\twww.apple.com\n17.171.8.17\tcrl.apple.com\n17.146.232.12\tswscan.apple.com\t # SoftwareUpdate.framework\n# 127.0.0.1\tqa2-int-swscan.apple.com # SoftwareUpdate.framework\n# 127.0.0.1\tswcdnlocator.apple.com\t # SoftwareUpdate.framework\n127.0.0.1\tvalidation.isu.apple.com # SoftwareUpdate.framework\n# 127.0.0.1\thelp.apple.com\t\t# HelpData.framework\n# 127.0.0.1\thelpqt.apple.com\t# HelpData.framework\n# 127.0.0.1\thelposx.apple.com\t# HelpData.framework\n# 127.0.0.1\tsupport.apple.com\t# HelpData.framework\n# 127.0.0.1\tlookup-api.apple.com\t# Lookup.framework\n# 127.0.0.1\tpubsbuild.apple.com\t# docsetinstalld\n# 127.0.0.1\textensions.apple.com\t   # Safari.framework\n# 127.0.0.1\tstage-extensions.apple.com # Safari.framework\n# 127.0.0.1\tplugins.apple.com\t   # Safari.framework\n127.0.0.1\tsuggest.yandex.net\t   # Safari.framework\n127.0.0.1\tsuggestion.baidu.com\t   # Safari.framework\n127.0.0.1\tapi.bing.com\t\t   # Safari.framework\n127.0.0.1\tsugg.search.yahoo.net\t   # Safari.framework\n# 127.0.0.1\tuserpub.itunes.apple.com    # iBooks.app\n# 127.0.0.1\tvocabulary.itunes.apple.com # iBooks.app\n# 127.0.0.1\tgcsp.clb.cddbp.net\t\t# iTunes.app\n# 127.0.0.1\tgcsp.cddbp.net\t\t\t# iTunes.app\n127.0.0.1\tmembers.mac.com\t\t        # iTunes.app\n127.0.0.1\tmembers.me.com\t\t        # iTunes.app\n127.0.0.1\tsafebrowsing.clients.google.com # iTunes.app\n127.0.0.1\tnikerunning.nike.com\t\t# iTunes.app\n127.0.0.1\ts.mzstatic.com\t\t\t# iTunes.app\n127.0.0.1\tax.itunes.apple.com\t\t# iTunes.app\n127.0.0.1\tlimit.itunesu.com\t\t# iTunes.app\n127.0.0.1\tconfiguration.apple.com\n127.0.0.1\tiforgot.apple.com\n127.0.0.1\tidentity.apple.com\t# AppleIDAuthAgent\n127.0.0.1\tappleid.apple.com\t# 
Accounts.prefPane\n127.0.0.1\treg1.apple.com\t\t# Setup Assistant.app\n127.0.0.1\tlittlebuddy.apple.com\t# Setup Assistant.app\n127.0.0.1\tiadsdk.apple.com\t# iAdCore.framework\n127.0.0.1\tgil.apple.com           # InternetAccounts.framework\n127.0.0.1\tfdereg.apple.com\t# Security.framework\n127.0.0.1\ttimestamp.apple.com\t# Security.framework\n127.0.0.1\tinit-p01st.push.apple.com # ApplePushService.framework\n127.0.0.1\tinit-s01st.push.apple.com # ApplePushService.framework\n127.0.0.1\talbert.apple.com\t  # ApplePushService.framework\n127.0.0.1\twww.me.com\t\t# AOSKit.framework\n127.0.0.1\tsetup.icloud.com\t# AOSKit.framework\n127.0.0.1\ticloud.com\t\t# AOSKit.framework\n127.0.0.1\tinit.ess.apple.com\t# IMFoundation.framework\n127.0.0.1\tinit-p01md.apple.com\t# IMFoundation.framework\n127.0.0.1\tscento.apple.com\t# Install.framework\n127.0.0.1\tmac-services.apple.com\t# MailCore.framework\n127.0.0.1\tidisk.mac.com\t\t# OSServices.framework\n127.0.0.1\tvalidation.apple.com\t# PrintingPrivate.framework\n127.0.0.1\tqtpartners.apple.com\t# RTCReporting.framework\n127.0.0.1\tpublic.me.com\t\t# ScreenReader.framework\n127.0.0.1\tpm-members.mac.com\t# btmmdiagnose\n127.0.0.1\tmarimba.apple.com\t# Slideshows.framework\n127.0.0.1\tgsp2.apple.com\t\t# Slideshows.framework\n127.0.0.1\tporco.apple.com\t\t# StoreUI.framework\n127.0.0.1\tiprofiles.apple.com\t# cloudconfigurationd\n127.0.0.1\tsuconfig.apple.com\t# cloudconfigurationd\n127.0.0.1\tradarsubmissions.apple.com        # SubmitDiagInfo\n127.0.0.1\tmessagetracer-whitelist.apple.com # SubmitDiagInfo\n127.0.0.1\tspeedtracer.apple.com    # Problem Reporter.app\n127.0.0.1\ttracerx-radars.apple.com # Problem Reporter.app\n127.0.0.1\ticalserver.apple.com    # ManagedClient.app\n127.0.0.1\tbugreport.apple.com\t # IMLoggingAgent\n127.0.0.1\t1-courier.push.apple.com # IMLoggingAgent\n127.0.0.1\t2-courier.push.apple.com # IMLoggingAgent\n127.0.0.1\t6-courier.push.apple.com # IMLoggingAgent\n127.0.0.1\tinit.itunes.apple.com\t # 
CommerceKit.framework\n127.0.0.1\tax.init.itunes.apple.com # CommerceKit.framework\n127.0.0.1\tphobos.apple.com\t # CommerceKit.framework\n127.0.0.1\tsandbox.itunes.apple.com # CommerceKit.framework\n127.0.0.1\tstatic.gc.apple.com\t# GameKit.framework\n127.0.0.1\tsandbox.gc.apple.com\t# GameKit.framework\n127.0.0.1\ttd1.apple.com\t\t# GameKit.framework\n127.0.0.1\tz2r0y.apple.com\t\t# GameKit.framework\n127.0.0.1\ttd2.apple.com\t\t# GameKit.framework\n127.0.0.1\tdf6ed.apple.com\t\t# GameKit.framework\n127.0.0.1\ttd3.apple.com\t\t# GameKit.framework\n127.0.0.1\tcp7vi.apple.com\t\t# GameKit.framework\n127.0.0.1\ttd4.apple.com\t\t# GameKit.framework\n127.0.0.1\tgz8rm.apple.com\t\t# GameKit.framework\n127.0.0.1\tlink.gc.apple.com\t# GameKit.framework\n127.0.0.1\tinit.gc.apple.com\t# GameKit.framework\n127.0.0.1\tredcarpet.apple.com\t# HelpViewer.app\n127.0.0.1\tstatic.ips.apple.com\t# Social.framework\n127.0.0.1\tinternalcheck.apple.com\t# CrashReporterSupport.framework\n127.0.0.1\tguzzoni.apple.com\t# AssistantServices.framework\n127.0.0.1\thello.connectivity.me.com # mDNSResponder\n127.0.0.1\tgateway.push.apple.com\t# emond\n127.0.0.1\tpush.apple.com\t\t# networkd\n127.0.0.1\tgsp9-ssl.apple.com\t# locationd\n127.0.0.1\tgsp10-ssl.apple.com\t# locationd\n127.0.0.1\tgsp10-ssl.apple.com.com # locationd\n127.0.0.1\tgs-loc.apple.com\t# locationd\n127.0.0.1\tiphone-ld.apple.com\t# locationd\n127.0.0.1\tcl-dev.apple.com\t# locationd\n127.0.0.1\tcl2.apple.com\t\t# locationd\n127.0.0.1\tcl3.apple.com\t\t# locationd\n127.0.0.1\tgspa35-ssl.ls.apple.com\t# GeoServices.framework\n127.0.0.1\tgsp-ssl.ls.apple.com\t# GeoServices.framework\n127.0.0.1\tgspa21.ls.apple.com\t# GeoServices.framework\n127.0.0.1\tgsp1.apple.com\t\t# GeoServices.framework\n127.0.0.1\tgsps36.ls.apple.com\t# GeoServices.framework\n127.0.0.1\tgs.apple.com\t\t# MobileDevice.framework\n127.0.0.1\tappleconnect.apple.com\t# MobileDevice.framework\n127.0.0.1\tsso.corp.apple.com\t# 
MobileDevice.framework\n127.0.0.1\tlookup-api.apple.com\t# Dictionary.app\n127.0.0.1\tcopyfight.corante.com\t# CaptiveSystemAgent.plugin\n127.0.0.1\tapsu.apple.com\t\t# AirPort Utility.app\n127.0.0.1\tapfw.apple.com\t\t# AirPort Utility.app\n127.0.0.1\tmetrics.apple.com\t# App Store.app\n127.0.0.1\twu-calculator.apple.com # Calculator.app\n127.0.0.1\ticalbridge.apple.com\t# Calendar.app\n127.0.0.1\tfeedback.apple.com\t# Mail.app\n127.0.0.1\tmanifest2.inn.rdca.ls.apple.com # Maps.app\n127.0.0.1\tslogin.oscar.aol.com\t# Messages.app\n127.0.0.1\tapi.oscar.aol.com\t# Messages.app\n127.0.0.1\tgdata.youtube.com\t  # QuickTime Player.app\n127.0.0.1\tuploads.gdata.youtube.com # QuickTime Player.app\n127.0.0.1\tmaps.apple.com\t\t  # QuickTime Player.app\n127.0.0.1\tdepot.info.apple.com\t# System Information.app\n127.0.0.1\ticlab.apple.com\t\t# QuickTime Plugin.plugin\n127.0.0.1\taolauth.icloud.com\t# AIM.imservice\n127.0.0.1\taolauthtest.icloud.com\t# AIM.imservice\n127.0.0.1\tapi.screenname.aol.com\t# AIM.imservice\n127.0.0.1\tstartpage.aol.com\t# AIM.imservice\n127.0.0.1\tmy.screenname.aol.com\t# AIM.imservice\n127.0.0.1\tapi.login.aol.com\t# AIM.imservice\n127.0.0.1\tdeveloper.aim.com\t# AIM.imservice\n127.0.0.1\tlogin.oscar.aol.com\t# AIM.imservice\n127.0.0.1\tars.oscar.aol.com\t# AIM.imservice\n127.0.0.1\taimhttp.oscar.aol.com\t# AIM.imservice\n127.0.0.1\ttalk.google.com\t\t# Jabber.impreferencepane\n127.0.0.1\tmsg.yahoo.com\t\t\t     # Yahoo.imserviceplugin\n127.0.0.1\tapi.login.yahoo.com\t\t     # Yahoo.imserviceplugin\n127.0.0.1\tlogin.yahoo.com\t\t\t     # Yahoo.imserviceplugin\n127.0.0.1\tdeveloper.messenger.yahooapis.com    # Yahoo.imserviceplugin\n127.0.0.1\tdisplayimage.messenger.yahooapis.com # Yahoo.imserviceplugin\n127.0.0.1\tftrelay.messenger.yahooapis.com\t     # Yahoo.imserviceplugin\n127.0.0.1\tattwifi.apple.com\t# CaptiveNetworkSupport\n127.0.0.1\tproddav.apple.com\t# iWork.qlgenerator\n127.0.0.1\trabat.apple.com\t\t# 
iWork.qlgenerator\n127.0.0.1\tmembers.btmm.icloud.com\t# Shared Screen Viewer.app\n127.0.0.1\tidisk.me.com\t\t# webdav_fs.kext\n127.0.0.1\tcontacts.icloud.com\t# AddressBook.framework\n127.0.0.1\tink.apple.com\t\t# Print.framework\n127.0.0.1\tgir.apple.com\t\t# InstallerPlugins.framework\n127.0.0.1\tphotocast.me.com\t# ScreenSaver.framework\n127.0.0.1\tgallery.me.com\t\t# WebCore.framework\n127.0.0.1\ttid.canon.com\t\t# PTPCamera.app\n127.0.0.1\tfmip.me.com\t\t# AOSNotification.framework\n127.0.0.1\tcourier.sandbox.push.apple.com # apsd\n127.0.0.1\tcourier.push.apple.com\t       # apsd\n127.0.0.1\tsandbox.push.apple.com\t       # apsd\n127.0.0.1\ttrackingshipment.apple.com # DataDetectors.framework\n127.0.0.1\tevent.apple.com\t\t   # DataDetectors.framework\n127.0.0.1\tgsp17-ssl.apple.com\t# GeoServices.framework\n127.0.0.1\tgsp17-2-ssl.apple.com\t# GeoServices.framework\n127.0.0.1\twebservices.mac.com\t# ISSupport.framework\n127.0.0.1\tm3.mac.com\t\t# ISSupport.framework\n127.0.0.1\tiphonesubmissions.apple.com # AppleMobileDeviceHelper.app\n127.0.0.1\tiphonediags.apple.com\t    # AppleMobileDeviceHelper.app\n127.0.0.1\tvinkjo8.apple.com\t# SetupAssistantSupport.framework\n127.0.0.1\tsecure.me.com\t\t# SetupAssistantSupport.framework\n127.0.0.1\tturn.oscar.aol.com\t# VideoConference.framework\n127.0.0.1\tapple-mobile.query.yahooapis.com # WeatherKit.framework\n127.0.0.1\tapi.wunderground.com\t\t # WeatherKit.framework\n127.0.0.1\tlookup.apple.com\t# WhitePages.framework\n127.0.0.1\twu.apple.com\t\t# WidgetResources\n127.0.0.1\twu-quotes.apple.com\t# WidgetResources\n127.0.0.1\tiphone-wu.apple.com\t# WidgetResources\n127.0.0.1\twu-stocks.apple.com\t# WidgetResources\n127.0.0.1\twu-charts.apple.com\t# WidgetResources\n127.0.0.1\twu-converter.apple.com\t# WidgetResources\n127.0.0.1\tcaldav.icloud.com\t# CalendarPersistence.framework\n127.0.0.1\tical.mac.com\t\t# CalendarPersistence.framework\n127.0.0.1\tqtsoftware.apple.com\t# 
QuickTime.framework\n127.0.0.1\tquicktimepro.apple.com\t# QuickTime.framework\n127.0.0.1\tidmsauth-uat.corp.apple.com      # Feedback Assistant.app\n127.0.0.1\tidmsa.apple.com\t\t         # Feedback Assistant.app\n127.0.0.1\tappleconnect-uat.apple.com       # Feedback Assistant.app\n127.0.0.1\tappleseed-stage.apple.com        # Feedback Assistant.app\n127.0.0.1\tappleseed.apple.com\t         # Feedback Assistant.app\n127.0.0.1\tiforgot-uat.apple.com\t         # Feedback Assistant.app\n127.0.0.1\txseedapps.apple.com\t         # Feedback Assistant.app\n127.0.0.1\tappleseed-temp.apple.com         # Feedback Assistant.app\n127.0.0.1\tcrucio.apple.com\t         # Feedback Assistant.app\n127.0.0.1\tac-at.apple.com\t\t         # Feedback Assistant.app\n127.0.0.1\tiforgott.apple.com\t         # Feedback Assistant.app\n127.0.0.1\tmobile-uat.corp.apple.com        # Feedback Assistant.app\n127.0.0.1\tidmswt.corp.apple.com\t         # Feedback Assistant.app\n127.0.0.1\tmobile.apple.com\t         # Feedback Assistant.app\n127.0.0.1\tprivftp.apple.com\t         # Feedback Assistant.app\n127.0.0.1\tcssubmissions-uat.corp.apple.com # Feedback Assistant.app\n127.0.0.1\tcssubmissions.apple.com\t\t # Feedback Assistant.app\n# 127.0.0.1\twww.chromium.org\t             # Chromium.app\n# 127.0.0.1\twww.chrome.com\t\t\t     # Chromium.app\n# 127.0.0.1\tdeveloper.chrome.com\t\t     # Chromium.app\n# 127.0.0.1\tchrome.google.com\t\t     # Chromium.app\n# 127.0.0.1\tm.google.com\t\t             # Chromium.app\n# 127.0.0.1\twww.google.com\t\t             # Chromium.app\n# 127.0.0.1\twww.youtube.com\t\t\t     # Chromium.app\n# 127.0.0.1\tcode.google.com\t\t\t     # Chromium.app\n# 127.0.0.1\tdocs.google.com\t\t             # Chromium.app\n# 127.0.0.1\tgroups.google.com\t             # Chromium.app\n# 127.0.0.1\tplus.google.com\t\t\t     # Chromium.app\n127.0.0.1\tplus.sandbox.google.com\t\t     # Chromium.app\n127.0.0.1\tddm.google.com\t\t\t     # Chromium.app\n127.0.0.1\tdrive.google.com\t   
          # Chromium.app\n127.0.0.1\twww.googledrive.com\t             # Chromium.app\n127.0.0.1\thistory.google.com\t\t     # Chromium.app\n127.0.0.1\tmail.google.com\t\t\t     # Chromium.app\n127.0.0.1\ttools.google.com\t\t     # Chromium.app\n127.0.0.1\twallet.google.com\t\t     # Chromium.app\n127.0.0.1\twallet-web.sandbox.google.com\t     # Chromium.app\n# 127.0.0.1\tmaps.google.com\t\t             # Chromium.app\n# 127.0.0.1\tpicasaweb.google.com\t\t     # Chromium.app\n# 127.0.0.1\tsites.google.com\t\t     # Chromium.app\n# 127.0.0.1\tsupport.google.com\t             # Chromium.app\n# 127.0.0.1\ttranslate.google.com\t             # Chromium.app\n127.0.0.1\tcheckout.google.com\t\t     # Chromium.app\n127.0.0.1\tcloudprint.google.com\t\t     # Chromium.app\n127.0.0.1\tapis.google.com\t\t             # Chromium.app\n127.0.0.1\twww.googleapis.com\t             # Chromium.app\n# 127.0.0.1\tmaps.googleapis.com\t             # Chromium.app\n# 127.0.0.1\tfonts.googleapis.com\t\t     # Chromium.app\n127.0.0.1\tandroid.googleapis.com\t             # Chromium.app\n127.0.0.1\ttranslate.googleapis.com             # Chromium.app\n127.0.0.1\tclients1.google.com\t\t     # Chromium.app\n127.0.0.1\tclients2.google.com\t             # Chromium.app\n127.0.0.1\tclients3.google.com\t             # Chromium.app\n127.0.0.1\tclients4.google.com\t             # Chromium.app\n127.0.0.1\tclients2.googleusercontent.com       # Chromium.app\n127.0.0.1\tthemes.googleusercontent.com\t     # Chromium.app\n127.0.0.1\tcache.pack.google.com\t             # Chromium.app\n127.0.0.1\tcsi.gstatic.com\t\t\t     # Chromium.app\n127.0.0.1\tssl.gstatic.com\t\t             # Chromium.app\n127.0.0.1\twww.gstatic.com\t\t             # Chromium.app\n127.0.0.1\tt0.gstatic.com\t\t\t     # Chromium.app\n127.0.0.1\tt1.gstatic.com\t\t\t     # Chromium.app\n127.0.0.1\tt2.gstatic.com\t\t\t     # Chromium.app\n127.0.0.1\tt3.gstatic.com\t\t\t     # Chromium.app\n127.0.0.1\tandroid.clients.google.com\t     # 
Chromium.app\n# 127.0.0.1\tfonts.gstatic.com\t\t     # Chromium.app\n127.0.0.1\tsafebrowsing.clients.google.com      # Chromium.app\n127.0.0.1\talt1-safebrowsing.google.com\t     # Chromium.app\n127.0.0.1\talt2-safebrowsing.google.com\t     # Chromium.app\n127.0.0.1\talt3-safebrowsing.google.com\t     # Chromium.app\n127.0.0.1\tsafebrowsing.google.com\t\t     # Chromium.app\n127.0.0.1\tsb-ssl.google.com\t\t     # Chromium.app\n127.0.0.1\ttalkgadget.google.com\t\t     # Chromium.app\n127.0.0.1\ttalkx.l.google.com\t\t     # Chromium.app\n127.0.0.1\ttalk.google.com\t\t\t     # Chromium.app\n127.0.0.1\tmtalk.google.com\t\t     # Chromium.app\n127.0.0.1\txmpp.google.com\t\t\t     # Chromium.app\n127.0.0.1\txmppx.l.google.com\t\t     # Chromium.app\n127.0.0.1\trelay.google.com\t\t     # Chromium.app\n127.0.0.1\tstun.l.google.com\t\t     # Chromium.app\n127.0.0.1\taccounts.google.com\t\t     # Chromium.app\n127.0.0.1\taccounts.youtube.com\t\t     # Chromium.app\n127.0.0.1\taccounts.blogger.com\t\t     # Chromium.app\n127.0.0.1\ti18napis.appspot.com\t\t     # Chromium.app\n127.0.0.1\tgoogleads4.g.doubleclick.net\t     # Chromium.app\n127.0.0.1\tgoogleads.g.doubleclick.net\t     # Chromium.app\n127.0.0.1\tad.doubleclick.net\t\t     # Chromium.app\n127.0.0.1\tpubads.g.doubleclick.net\t     # Chromium.app\n127.0.0.1\tc.admob.com\t\t\t     # Chromium.app\n127.0.0.1\te.admob.com\t\t\t     # Chromium.app\n127.0.0.1\tmedia.admob.com\t\t\t     # Chromium.app\n127.0.0.1\tlh3.ggpht.com\t\t\t     # Chromium.app\n127.0.0.1\tlh4.ggpht.com\t\t\t     # Chromium.app\n127.0.0.1\tlh5.ggpht.com\t\t\t     # Chromium.app\n127.0.0.1\tlh6.ggpht.com\t\t\t     # Chromium.app\n127.0.0.1\tpagead2.googlesyndication.com\t     # Chromium.app\n127.0.0.1\tpartner.googleadservices.com\t     # Chromium.app\n127.0.0.1\twww.googleadservices.com\t     # Chromium.app\n127.0.0.1\ts0.2mdn.net\t\t\t     # Chromium.app\n127.0.0.1\tprod.fastly.net\t\t\t     # Chromium.app\n127.0.0.1\tchrome.googleechotest.com\t     
# Chromium.app\n# 127.0.0.1\tchrome-devtools-frontend.appspot.com # Chromium.app\n# 127.0.0.1\tredirector.googlevideo.com\t     # Chromium.app\n# 127.0.0.1\tredirector.gvt1.com\t\t     # Chromium.app\n# 127.0.0.1\tetherx.jabber.org         \t     # Chromium.app\n"
  },
  {
    "path": "pf.conf",
    "content": "#\n# Default PF configuration file.\n#\n# This file contains the main ruleset, which gets automatically loaded\n# at startup.  PF will not be automatically enabled, however.  Instead,\n# each component which utilizes PF is responsible for enabling and disabling\n# PF via -E and -X as documented in pfctl(8).  That will ensure that PF\n# is disabled only when the last enable reference is released.\n#\n# Care must be taken to ensure that the main ruleset does not get flushed,\n# as the nested anchors rely on the anchor point defined here. In addition,\n# to the anchors loaded by this file, some system services would dynamically \n# insert anchors into the main ruleset. These anchors will be added only when\n# the system service is used and would removed on termination of the service.\n#\n# See pf.conf(5) for syntax.\n#\n\n#\n# com.apple anchor point\n#\n#scrub-anchor \"com.apple/*\"\n#nat-anchor \"com.apple/*\"\n#rdr-anchor \"com.apple/*\"\n#dummynet-anchor \"com.apple/*\"\n#anchor \"com.apple/*\"\n#load anchor \"com.apple\" from \"/etc/pf.anchors/com.apple\"\n\n# redirect hardcoded ip addresses to 127.0.0.1\ntable <hardcoded> file \"/etc/pf.hardcoded\"\nnat to <hardcoded> -> 127.0.0.1\n# only allow outbound connections\nblock in log on ! lo0\npass out on ! lo0 proto icmp\npass out on ! lo0 proto udp all\npass out on ! lo0 proto tcp all keep state\n# allow mDNS + IPv6 only on en0 and lo0\nblock out proto udp from any to any port 5353\nblock inet6\npass on { en0 lo0 } proto udp from any to any port 5353\npass on { en0 lo0 } inet6\n# allow only specific ICMPv6 messages, cf. 
icmp6(4) and\n# http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml\nblock in on { en0 lo0 } inet6 proto ipv6-icmp\npass  in on { en0 lo0 } inet6 proto ipv6-icmp icmp6-type { \\\n    toobig timex paramprob \\\n    echoreq echorep nirep mtraceresp \\\n    groupqry grouprep groupterm 143 151 152 153 \\\n    neighbrsol neighbradv 148 149 }\n# allow DHCP OFFER + ACK on en0\npass in on en0 proto udp from any port 67 to any port 68\npass out on ! lo0 route-to 127.0.0.1 from self to <hardcoded>\n"
  },
  {
    "path": "pf.hardcoded",
    "content": "17.209.80.108\t\t\t\t# MobileDevice.framework\n17.176.69.14    \t     \t\t# Setup Assistant.app\n17.176.77.129\t\t\t\t# Setup Assistant.app\n17.176.80.148\t\t\t\t# Setup Assistant.app\n17.176.88.148\t\t\t\t# Setup Assistant.app\n17.230.144.24\t\t\t\t# Setup Assistant.app\n17.230.152.24\t\t\t\t# Setup Assistant.app\n17.230.160.24\t\t\t\t# Setup Assistant.app\n17.230.168.24\t\t\t\t# Setup Assistant.app\n17.219.209.2\t\t\t\t# AVConference.framework\n17.221.43.219\t\t\t\t# ManagedClient.framework\n17.155.5.253\t\t\t\t# GameKitServices.framework\n17.219.209.2\t\t\t\t# GameKitServices.framework\n72.247.44.23\t\t\t\t# GameKitServices.framework (Akamai)\n69.60.7.199\t\t\t\t# IMLoggingAgent (Datagram)\n17.254.0.50\t\t\t\t# wdhelper (nserver.apple.com)\n17.112.144.59\t\t\t\t# wdhelper (nserver4.apple.com)\n17.171.63.40\t\t\t\t# wdhelper\n18.244.0.188\t\t\t\t# memcached (MIT)\n2001:4860:b002::68\t\t\t# memcached (Google)\n"
  },
  {
    "path": "sysctl.conf",
    "content": "net.inet6.ip6.accept_rtadv=0\nnet.inet6.icmp6.rediraccept=0\nnet.inet6.icmp6.nodeinfo=0\nnet.inet6.icmp6.nd6_accept_6to4=0\n"
  }
]