
Comments (23)

essandess avatar essandess commented on August 22, 2024 2

This is a good idea. I will implement this soon.

I do not have enough cycles this week to give this issue the full attention it deserves, but until I do, here are a few comments that I hope help for your troubleshooting:

  1. Firewalling is done at two layers: packet, controlled by pfctl, and the local web proxy, controlled in System Preferences>Network. To reset and turn off the packet filter, do this:

         sudo pfctl -Fall
         sudo pfctl -d

  2. To turn off the system proxy, go to System Preferences>Network>Advanced>Proxy (IIRC) and tell the system not to use your proxy.

There's other updating stuff that the plists control, but that won't affect your networking. Those are controlled by launchctl.

Also if squid is at 100% CPU, that's okay for a little while, but sustained obviously not. When I get a runaway squid process, I do a hard reset:

sudo port unload squid
sudo killall -9 squid
sudo killall -9 '(squid-1)'
sudo port load squid

If that doesn't do it, there's a configuration issue that needs fixing to get squid launched properly.

from macos-fortress.

essandess avatar essandess commented on August 22, 2024 1

This is still on my todo list.

I'm aware of the squid issue myself and believe it is caused by a misconfigured launchd plist. I'm investigating—please watch this space.

from macos-fortress.

essandess avatar essandess commented on August 22, 2024 1

Yes, renamed to disable.sh. I've updated the comment.

from macos-fortress.

inkydaddy0923 avatar inkydaddy0923 commented on August 22, 2024

I'm one of those users, unfortunately. My Apple Mail app stopped bringing down new mail after I installed. I'd like to start over and try again. I'm thinking I can delete all the fortress files, then find a command to reset the Apple firewall to default values.

from macos-fortress.

rpip avatar rpip commented on August 22, 2024

That'd be great. Squid proxy is consuming so much CPU power, currently at 98-99%, and I would like to roll back to previous settings but I'm not sure how? Thanks

from macos-fortress.

rpip avatar rpip commented on August 22, 2024

Thanks, @essandess, for the quick response. I have stopped the Squid process for now.

Look forward to further updates from you on this.

from macos-fortress.

jpscot avatar jpscot commented on August 22, 2024

Much appreciated, @essandess! I was seeing similar CPU behavior from Squid (~50-60%, sustained).

from macos-fortress.

SeaCelo avatar SeaCelo commented on August 22, 2024

Very good info. I was getting the same issue with squid (multiple instances, each with about 13% CPU and using all available cycles). I reloaded it and will monitor.

from macos-fortress.

essandess avatar essandess commented on August 22, 2024

I've added the uninstall script disable.sh, as well as a modified daemondo Squid.wrapper that will run squid in -N no daemon mode to avoid the known issues with launchd trying to open multiple daemon processes.

I've also added a launch daemon to rotate and prune squid logs.

See the install file for details on how to install these new items, and please let me know if anyone continues to see the problem with runaway squid processes.

I'll post this issue to Macports and file an Apple bug report when I find a free moment.

from macos-fortress.

SeaCelo avatar SeaCelo commented on August 22, 2024

Just to be clear, should we run the uninstall script and reinstall with the new files?

Thanks for the quick response.

from macos-fortress.

essandess avatar essandess commented on August 22, 2024

Yes, please run the uninstall script, then rerun the install script. Note that "uninstall" disables the services, but does not delete files or return the original .orig files. Rather, it prints out a list of all installed files that exist and leaves it to you whether to keep them around or not.

The existence of the files will not affect system or network performance because they must be invoked with launchctl (the launchd plists) or pfctl (/etc/pf.conf).

I would appreciate any feedback you have.

from macos-fortress.

SeaCelo avatar SeaCelo commented on August 22, 2024

@essandess Please check line 17 of the uninstall.sh. It seems that EOF is making everything below into a comment and the code isn't running. It prints to terminal, but doesn't execute.

# commands
SUDO=/usr/bin/sudo
PORT=/opt/local/bin/port
LAUNCHCTL=/bin/launchctl
PFCTL=/sbin/pfctl
CAT=/bin/cat
ECHO=/bin/echo

$CAT <<EOF

from macos-fortress.

essandess avatar essandess commented on August 22, 2024

To run the commands wholesale, pipe the output to bash:

bash readme-and-install.sh | bash

Or copy and paste into the command line.

I'm being conservative and giving people a chance to see the commands being run, or make any system-specific changes.

I should reflect that in the readme portion—I'll edit that.

from macos-fortress.

SeaCelo avatar SeaCelo commented on August 22, 2024

Sorry for my poor understanding, but I still can't get the uninstall.sh script to run.

If I try to simply run it like this:
sudo ./uninstall.sh
all of the commands past line 17 are not run. After running the script I verified this by manually unloading some of the launchctl daemons and getting a positive response:
sudo launchctl unload -w net.openbsd.pf.plist
The second time I run that command, I get a "Could not find specified service" error. I take this to mean that uninstall.sh did not unload it.

Indeed, the output of the uninstall.sh doesn't look like most commands were executed:

user$ sudo  ./uninstall.sh
+ SUDO=/usr/bin/sudo
+ PORT=/opt/local/bin/port
+ LAUNCHCTL=/bin/launchctl
+ PFCTL=/sbin/pfctl
+ CAT=/bin/cat
+ ECHO=/bin/echo
+ /bin/cat
'HELPSTRING' | 
OS X Fortress: Firewall, Blackhole, and Privatizing Proxy
for Trackers, Attackers, Malware, Adware, and Spammers
Kernel-level, OS-level, and client-level security for OS X. 

This uninstall script will unload all launch daemons, disable
the pf firewall, and list all insalled files WITHOUT removing them.


Uninstalling…

HELPSTRING

/bin/echo "Uninstalling…"


/bin/echo "Unloading launchctl daemons…"

LAUNCHDAEMONS=/Library/LaunchDaemons

launchctl_unload () { if [ -f / ]; then /usr/bin/sudo /bin/launchctl unload -w /; fi; }

for FNAME in 	net.openbsd.pf.plist 	net.openbsd.pf.brutexpire.plist 	net.emergingthreats.blockips.plist 	net.dshield.block.plist 	net.hphosts.hosts.plist 	net.securemecca.pac.plist 	org.adblockplus.privoxy-adblock.plist 	org.squid-cache.squid-rotate.plist 	; do
	launchctl_unload
done


/bin/echo "Disabling pf firewall…"

/usr/bin/sudo /sbin/pfctl -d


/bin/echo "Killing the squid and privoxy proxies…"

/usr/bin/sudo /opt/local/bin/port unload squid
/usr/bin/sudo  -9 '(squid-1)'
/usr/bin/sudo  -9 squid
/usr/bin/sudo /opt/local/bin/port unload privoxy


/bin/echo "These files still exist…"

fname_exists () { if [ -f  ]; then /bin/echo "File  exists."; fi; }

PROXY_PAC_DIRECTORY=/Library/WebServer/Documents

for FNAME in 	/proxy.pac 	/etc/hosts.orig 	/etc/pf.conf.orig 	/net.openbsd.pf.plist 	/net.openbsd.pf.brutexpire.plist 	/net.emergingthreats.blockips.plist 	/net.dshield.block.plist 	/net.hphosts.hosts.plist 	/net.securemecca.pac.plist 	/org.adblockplus.privoxy-adblock.plist 	~/Library/LaunchAgents/org.opensource.flashcookiedelete.plist 	/usr/local/etc/blockips.conf 	/usr/local/etc/whitelist.txt 	/usr/local/etc/blacklist.txt 	/usr/local/bin/osxfortress_boot_check 	/usr/local/bin/pf_restart 	/usr/local/bin/squid_restart 	/usr/local/bin/privoxy_restart 	/usr/local/bin/privoxy-adblock.sh 	/opt/local/etc/LaunchDaemons/org.macports.Squid/Squid.wrapper.orig 	; do
	fname_exists
done

exit 0
user$ 

I may be doing this all wrong, so please excuse my ignorance. I also tried to pipe the uninstall.sh to bash, but just got a bunch of errors.

from macos-fortress.
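
The transcript above is consistent with an unquoted here-document: the printing shell expands `$1`, `$FNAME` and any variable that is only assigned inside the printed text, so the emitted commands (`if [ -f / ]`, `launchctl_unload` with no argument) have already lost their arguments before anything is piped to a shell. An added example, not the project's script, with hypothetical function names and `sh` standing in for the `| bash` used in this thread, showing the unquoted and quoted forms side by side:

```sh
#!/bin/sh
# Added illustration: all names are hypothetical, not the project's script.
SUDO=/usr/bin/sudo      # set before the heredoc, so it expands as intended
unset DIR FNAME         # these are assigned only inside the printed text

# Unquoted delimiter: the printing shell expands $DIR, $1 and $FNAME right now.
# All three are empty here, so the emitted commands lose their arguments.
emit_unquoted () {
cat <<EOF
DIR=/Library/LaunchDaemons
unload () { echo "$SUDO launchctl unload -w $DIR/$1"; }
for FNAME in net.openbsd.pf.plist; do unload $FNAME; done
EOF
}

# Quoted delimiter: the body is emitted byte for byte and expansion is left to
# the shell that finally runs it. Everything it needs is defined in the body.
emit_quoted () {
cat <<'EOF'
SUDO=/usr/bin/sudo
DIR=/Library/LaunchDaemons
unload () { echo "$SUDO launchctl unload -w $DIR/$1"; }
for FNAME in net.openbsd.pf.plist; do unload "$FNAME"; done
EOF
}

# Dry run: the generated text only echoes the command it would run, so it is
# safe to feed to a shell and compare the two results.
run_generated () { "$1" | sh; }

echo "unquoted: $(run_generated emit_unquoted)"
echo "quoted:   $(run_generated emit_quoted)"
```

Reading the generated text before piping it, as the print-first design intends, is also where this class of bug shows up: an argument-less `unload ;` or a doubled space after `sudo` marks an expansion that happened too early.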

essandess avatar essandess commented on August 22, 2024

Sorry, that's not your fault—it's mine. I'll fix that up.

from macos-fortress.

essandess avatar essandess commented on August 22, 2024

Please give this a go with the command

bash disable.sh

I renamed this because of functionality.

from macos-fortress.

essandess avatar essandess commented on August 22, 2024

Also note I misspoke above: the readme-and-install script will print the help string and install everything:

sudo sh readme-and-install.sh

from macos-fortress.

essandess avatar essandess commented on August 22, 2024

Re squid issue: https://trac.macports.org/ticket/54193#ticket

from macos-fortress.

RaDeleon avatar RaDeleon commented on August 22, 2024

I had the same issue. I had to do a complete reinstall, but I didn't take the time to look it up.

from macos-fortress.

essandess avatar essandess commented on August 22, 2024

> I had the same issue

Do you mean that you had an issue with a runaway squid process?

from macos-fortress.

blukas avatar blukas commented on August 22, 2024

It seems the link to your uninstall shell is going to a 404 page currently. Has this been moved?

from macos-fortress.

essandess avatar essandess commented on August 22, 2024

Re: #5 (comment) [Squid.wrapper with a -N flag.]

I’ve made a few changes that I believe mitigate the problem of squid running at 100% CPU:

  • Filed this issue: https://trac.macports.org/ticket/54193
  • Changed squid.conf’s shutdown_lifetime 5 seconds to be much less than daemondo’s 20 second timeout to avoid daemondo launching multiple redundant squid processes at boot or on a network change.

const CFTimeInterval kChildDeathTimeout = 20.0;
[See here.]

  • Added a robust script macosfortress_boot_check to run by hand at boot time that checks (1) if squid has bound port 3128 and (2) that there is only a single squid process. If not, it kills all running squid and relaunches a controlled squid daemon. 🦑

  • Deprecated the modified Squid.wrapper file and use the default Macports daemondo settings.

These changes have fixed this issue on my boxes.

from macos-fortress.
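
A sketch of the two conditions the boot check is described as testing, as an added example that is not the project's `macosfortress_boot_check`. The function names are hypothetical, and it assumes the listener appears in `lsof` under a command name starting with `squid` or `(squid` and that "a single squid process" means one PID from `pgrep -x squid`; the reset commands are the ones quoted earlier in this thread.

```sh
#!/bin/sh
# Added sketch: function names and the sample data used with them are hypothetical.
SQUID_PORT=3128

# $1: output of `lsof -nP -iTCP:3128 -sTCP:LISTEN`. Succeeds if squid holds the port.
squid_is_listening () {
  printf '%s\n' "$1" | awk -v port="$SQUID_PORT" '
    NF >= 2 && $1 ~ /^\(?squid/ && $NF == "(LISTEN)" &&
      $(NF-1) ~ (":" port "$") { found = 1 }
    END { exit !found }'
}

# $1: output of `pgrep -x squid` (one PID per line). Prints the process count.
squid_count () {
  printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Prints "ok" only when the port is bound AND exactly one process exists,
# otherwise "restart".
squid_state () {
  if squid_is_listening "$1" && [ "$(squid_count "$2")" -eq 1 ]; then
    echo ok
  else
    echo restart
  fi
}

# Live wrapper: gathers the real data and, on failure, applies the hard reset
# from the first comment. It is defined here but never called automatically.
squid_boot_check () {
  state=$(squid_state \
    "$(lsof -nP -iTCP:"$SQUID_PORT" -sTCP:LISTEN 2>/dev/null)" \
    "$(pgrep -x squid)")
  if [ "$state" = restart ]; then
    sudo port unload squid
    sudo killall -9 squid
    sudo killall -9 '(squid-1)'
    sudo port load squid
  fi
  echo "$state"
}
```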

essandess avatar essandess commented on August 22, 2024

The issues with launchd, daemondo, and squid are fixed in the squid4 port. See c4ecb13.

from macos-fortress.
