Website Access Control on macOS
Control website access across your MacFleet devices using advanced hosts file management, DNS filtering, and enterprise policy controls. This tutorial provides comprehensive tools for implementing organizational web access policies.
Understanding Website Access Control Methods
macOS offers multiple approaches for controlling website access:
- Hosts File Management - Local DNS override for specific domains
- DNS Configuration - Network-level filtering via custom DNS servers
- System Proxy Settings - Route traffic through filtering proxies
- Firewall Rules - Block specific IP addresses and port ranges
Basic Website Blocking
Block Single Website
#!/bin/bash
# Block access to a specific website
WEBSITE="www.facebook.com"
# Add entry to hosts file
echo "127.0.0.1 $WEBSITE" >> /etc/hosts
echo "127.0.0.1 facebook.com" >> /etc/hosts
echo "Blocked access to $WEBSITE"Block Multiple Websites
#!/bin/bash
# Block multiple websites at once
BLOCKED_SITES=(
"www.facebook.com"
"facebook.com"
"m.facebook.com"
"www.twitter.com"
"twitter.com"
"www.instagram.com"
"instagram.com"
)
for site in "${BLOCKED_SITES[@]}"; do
echo "127.0.0.1 $site" >> /etc/hosts
echo "Blocked: $site"
done
echo "Website blocking completed"Basic Website Unblocking
Unblock Single Website
#!/bin/bash
# Remove website from hosts file
WEBSITE="www.facebook.com"
/usr/bin/sed -i "" "/127.0.0.1 $WEBSITE/d" /etc/hosts
/usr/bin/sed -i "" "/127.0.0.1 facebook.com/d" /etc/hosts
echo "Unblocked access to $WEBSITE"Unblock All Websites
#!/bin/bash
# Remove all blocking entries from hosts file
/usr/bin/sed -i "" '/^127.0.0.1.*[^localhost]/d' /etc/hosts
echo "All website blocks removed"Enterprise Website Access Control System
#!/bin/bash
# MacFleet Enterprise Website Access Control
# Comprehensive web filtering and policy management system
# Configuration
MACFLEET_DIR="/etc/macfleet"
POLICIES_DIR="$MACFLEET_DIR/web_policies"
REPORTS_DIR="$MACFLEET_DIR/reports"
COMPLIANCE_DIR="$MACFLEET_DIR/compliance"
AUDIT_DIR="$MACFLEET_DIR/audit"
LOG_FILE="/var/log/macfleet_web_access.log"
BACKUP_DIR="$MACFLEET_DIR/backups"
# Create directory structure
create_directories() {
local dirs=("$MACFLEET_DIR" "$POLICIES_DIR" "$REPORTS_DIR" "$COMPLIANCE_DIR" "$AUDIT_DIR" "$BACKUP_DIR")
for dir in "${dirs[@]}"; do
[[ ! -d "$dir" ]] && mkdir -p "$dir"
done
}
# Logging function
log_action() {
local message="$1"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] $message" | tee -a "$LOG_FILE"
}
# Backup hosts file
backup_hosts() {
local backup_file="$BACKUP_DIR/hosts_backup_$(date +%Y%m%d_%H%M%S)"
cp /etc/hosts "$backup_file"
log_action "Hosts file backed up to: $backup_file"
}
# Website Categories for Enterprise Filtering
declare -A WEBSITE_CATEGORIES=(
["social_media"]="facebook.com,twitter.com,instagram.com,linkedin.com,snapchat.com,tiktok.com,pinterest.com"
["entertainment"]="youtube.com,netflix.com,hulu.com,twitch.tv,spotify.com,reddit.com"
["gaming"]="steam.com,epic.com,roblox.com,minecraft.net,ea.com,ubisoft.com"
["shopping"]="amazon.com,ebay.com,etsy.com,shopify.com,aliexpress.com"
["news"]="cnn.com,bbc.com,reuters.com,bloomberg.com,wsj.com"
["adult_content"]="example.com"
["malicious"]="malware.com,phishing-site.com,trojan-host.com"
)
# Security Policies
declare -A SECURITY_POLICIES=(
["high_security"]="social_media,entertainment,gaming,shopping,adult_content,malicious"
["moderate_security"]="adult_content,malicious,gaming"
["minimal_security"]="adult_content,malicious"
["development_team"]="malicious"
["executive_access"]="malicious"
)
# Block websites by category
block_category() {
local category="$1"
local policy="$2"
if [[ -z "${WEBSITE_CATEGORIES[$category]}" ]]; then
log_action "ERROR: Unknown category: $category"
return 1
fi
log_action "Blocking category: $category (Policy: $policy)"
# Split comma-separated domains
IFS=',' read -ra domains <<< "${WEBSITE_CATEGORIES[$category]}"
for domain in "${domains[@]}"; do
# Add multiple variations
echo "127.0.0.1 $domain" >> /etc/hosts
echo "127.0.0.1 www.$domain" >> /etc/hosts
echo "127.0.0.1 m.$domain" >> /etc/hosts
echo "127.0.0.1 mobile.$domain" >> /etc/hosts
log_action "Blocked domain: $domain"
done
# Save policy metadata
echo "category=$category,policy=$policy,timestamp=$(date),user=$(whoami)" >> "$POLICIES_DIR/applied_blocks.log"
}
# Apply security policy
apply_security_policy() {
local policy="$1"
if [[ -z "${SECURITY_POLICIES[$policy]}" ]]; then
log_action "ERROR: Unknown security policy: $policy"
return 1
fi
log_action "Applying security policy: $policy"
backup_hosts
# Clear existing blocks
/usr/bin/sed -i "" '/^127.0.0.1.*[^localhost]/d' /etc/hosts
# Apply categories for this policy
IFS=',' read -ra categories <<< "${SECURITY_POLICIES[$policy]}"
for category in "${categories[@]}"; do
block_category "$category" "$policy"
done
# Flush DNS cache
dscacheutil -flushcache
killall -HUP mDNSResponder
log_action "Security policy '$policy' applied successfully"
# Generate compliance report
generate_compliance_report "$policy"
}
# Advanced DNS-based filtering
configure_dns_filtering() {
local filter_level="$1"
log_action "Configuring DNS filtering: $filter_level"
case "$filter_level" in
"enterprise")
# Use enterprise DNS servers with filtering
networksetup -setdnsservers "Wi-Fi" 208.67.222.222 208.67.220.220
networksetup -setdnsservers "Ethernet" 208.67.222.222 208.67.220.220
;;
"family_safe")
# Use family-safe DNS
networksetup -setdnsservers "Wi-Fi" 208.67.222.123 208.67.220.123
networksetup -setdnsservers "Ethernet" 208.67.222.123 208.67.220.123
;;
"secure")
# Use security-focused DNS
networksetup -setdnsservers "Wi-Fi" 1.1.1.2 1.0.0.2
networksetup -setdnsservers "Ethernet" 1.1.1.2 1.0.0.2
;;
"default")
# Reset to automatic DNS
networksetup -setdnsservers "Wi-Fi" "Empty"
networksetup -setdnsservers "Ethernet" "Empty"
;;
esac
log_action "DNS filtering configured: $filter_level"
}
# Whitelist management for essential business sites
manage_whitelist() {
local action="$1"
local domain="$2"
local whitelist_file="$POLICIES_DIR/business_whitelist.txt"
case "$action" in
"add")
if ! grep -q "^$domain$" "$whitelist_file" 2>/dev/null; then
echo "$domain" >> "$whitelist_file"
# Remove from hosts file if blocked
/usr/bin/sed -i "" "/127.0.0.1.*$domain/d" /etc/hosts
log_action "Added to whitelist: $domain"
else
log_action "Domain already whitelisted: $domain"
fi
;;
"remove")
if [[ -f "$whitelist_file" ]]; then
/usr/bin/sed -i "" "/^$domain$/d" "$whitelist_file"
log_action "Removed from whitelist: $domain"
fi
;;
"list")
if [[ -f "$whitelist_file" ]]; then
echo "Business Whitelist:"
cat "$whitelist_file"
else
echo "No whitelist found"
fi
;;
esac
}
# Emergency access mode
emergency_access() {
local action="$1"
local emergency_file="$POLICIES_DIR/emergency_mode.flag"
case "$action" in
"enable")
# Backup current hosts and clear all blocks
backup_hosts
cp /etc/hosts "$BACKUP_DIR/hosts_before_emergency"
/usr/bin/sed -i "" '/^127.0.0.1.*[^localhost]/d' /etc/hosts
touch "$emergency_file"
echo "emergency_enabled=$(date)" > "$emergency_file"
log_action "EMERGENCY ACCESS ENABLED - All website blocks removed"
;;
"disable")
if [[ -f "$emergency_file" ]]; then
rm "$emergency_file"
# Restore previous configuration if available
if [[ -f "$BACKUP_DIR/hosts_before_emergency" ]]; then
cp "$BACKUP_DIR/hosts_before_emergency" /etc/hosts
log_action "Emergency access disabled - Previous configuration restored"
else
log_action "Emergency access disabled - Manual reconfiguration required"
fi
else
log_action "Emergency access is not currently enabled"
fi
;;
"status")
if [[ -f "$emergency_file" ]]; then
echo "Emergency access: ENABLED"
cat "$emergency_file"
else
echo "Emergency access: DISABLED"
fi
;;
esac
}
# Generate comprehensive compliance report
generate_compliance_report() {
local policy="$1"
local report_file="$REPORTS_DIR/web_access_compliance_$(date +%Y%m%d_%H%M%S).json"
local blocked_domains=$(grep -c "^127.0.0.1" /etc/hosts 2>/dev/null || echo "0")
local whitelist_count=0
[[ -f "$POLICIES_DIR/business_whitelist.txt" ]] && whitelist_count=$(wc -l < "$POLICIES_DIR/business_whitelist.txt")
cat > "$report_file" << EOF
{
"report_metadata": {
"timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
"hostname": "$(hostname)",
"policy_applied": "$policy",
"report_version": "1.0"
},
"web_access_control": {
"blocked_domains_count": $blocked_domains,
"whitelisted_domains_count": $whitelist_count,
"dns_filtering_active": $(networksetup -getdnsservers Wi-Fi | grep -q "208.67" && echo "true" || echo "false"),
"emergency_mode": $([ -f "$POLICIES_DIR/emergency_mode.flag" ] && echo "true" || echo "false")
},
"security_policy": {
"name": "$policy",
"categories_blocked": "$(echo "${SECURITY_POLICIES[$policy]}" | tr ',' ' ')",
"compliance_frameworks": ["SOX", "HIPAA", "NIST", "ISO27001"]
},
"system_status": {
"hosts_file_size": $(wc -l < /etc/hosts),
"last_dns_flush": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
"backup_available": $([ -d "$BACKUP_DIR" ] && [ "$(ls -1 "$BACKUP_DIR"/hosts_backup_* 2>/dev/null | wc -l)" -gt 0 ] && echo "true" || echo "false")
}
}
EOF
log_action "Compliance report generated: $report_file"
echo "Report saved to: $report_file"
}
# Health check and validation
perform_health_check() {
echo "=== MacFleet Web Access Control Health Check ==="
# Check hosts file integrity
if [[ -f "/etc/hosts" ]]; then
echo "✓ Hosts file exists"
local hosts_size=$(wc -l < /etc/hosts)
echo " - Lines: $hosts_size"
else
echo "✗ Hosts file missing"
fi
# Check blocked domains
local blocked_count=$(grep -c "^127.0.0.1" /etc/hosts 2>/dev/null || echo "0")
echo "✓ Blocked domains: $blocked_count"
# Check DNS configuration
local dns_servers=$(networksetup -getdnsservers Wi-Fi)
echo "✓ DNS servers: $dns_servers"
# Check whitelist
if [[ -f "$POLICIES_DIR/business_whitelist.txt" ]]; then
local whitelist_count=$(wc -l < "$POLICIES_DIR/business_whitelist.txt")
echo "✓ Whitelisted domains: $whitelist_count"
else
echo "○ No whitelist configured"
fi
# Check emergency mode
if [[ -f "$POLICIES_DIR/emergency_mode.flag" ]]; then
echo "⚠️ Emergency mode: ACTIVE"
else
echo "✓ Emergency mode: INACTIVE"
fi
# Check recent activity
if [[ -f "$LOG_FILE" ]]; then
local recent_entries=$(tail -5 "$LOG_FILE" | wc -l)
echo "✓ Recent log entries: $recent_entries"
fi
}
# Fleet deployment function
deploy_to_fleet() {
local policy="$1"
local fleet_file="$2"
if [[ ! -f "$fleet_file" ]]; then
log_action "ERROR: Fleet file not found: $fleet_file"
return 1
fi
log_action "Starting fleet deployment of policy: $policy"
while IFS= read -r host; do
[[ -z "$host" || "$host" =~ ^#.*$ ]] && continue
echo "Deploying to: $host"
# Copy this script to remote host and execute
ssh "$host" "bash -s" << EOF
#!/bin/bash
# Remote deployment of web access policy: $policy
# Create directories
mkdir -p /etc/macfleet/{web_policies,reports,compliance,audit,backups}
# Apply the policy (simplified for remote execution)
$(declare -p WEBSITE_CATEGORIES)
$(declare -p SECURITY_POLICIES)
$(type apply_security_policy | sed '1d')
apply_security_policy "$policy"
EOF
if [[ $? -eq 0 ]]; then
log_action "Successfully deployed to: $host"
else
log_action "Failed to deploy to: $host"
fi
done < "$fleet_file"
log_action "Fleet deployment completed"
}
# Main execution function
main() {
create_directories
case "${1:-}" in
"apply_policy")
apply_security_policy "$2"
;;
"block_category")
backup_hosts
block_category "$2" "manual"
;;
"configure_dns")
configure_dns_filtering "$2"
;;
"whitelist")
manage_whitelist "$2" "$3"
;;
"emergency")
emergency_access "$2"
;;
"health_check")
perform_health_check
;;
"report")
generate_compliance_report "${2:-manual}"
;;
"deploy")
deploy_to_fleet "$2" "$3"
;;
"help"|*)
echo "MacFleet Website Access Control System"
echo ""
echo "Usage: $0 <command> [options]"
echo ""
echo "Commands:"
echo " apply_policy <policy> - Apply security policy (high_security|moderate_security|minimal_security|development_team|executive_access)"
echo " block_category <category> - Block website category (social_media|entertainment|gaming|shopping|news|adult_content|malicious)"
echo " configure_dns <level> - Configure DNS filtering (enterprise|family_safe|secure|default)"
echo " whitelist <action> <domain> - Manage whitelist (add|remove|list)"
echo " emergency <action> - Emergency access control (enable|disable|status)"
echo " health_check - Perform system health check"
echo " report [policy] - Generate compliance report"
echo " deploy <policy> <fleet_file> - Deploy policy to fleet"
echo ""
echo "Examples:"
echo " $0 apply_policy high_security"
echo " $0 whitelist add salesforce.com"
echo " $0 emergency enable"
echo " $0 health_check"
;;
esac
}
# Execute main function
main "$@"Business Hours and User-Friendly Controls
Time-Based Access Control
#!/bin/bash
# Apply different policies based on business hours
apply_time_based_policy() {
local current_hour=$(date +%H)
local day_of_week=$(date +%u)
# Business hours: Monday-Friday 9 AM - 6 PM
if [[ $day_of_week -le 5 ]] && [[ $current_hour -ge 9 ]] && [[ $current_hour -lt 18 ]]; then
echo "Business hours detected - applying strict policy"
apply_security_policy "high_security"
else
echo "Outside business hours - applying relaxed policy"
apply_security_policy "moderate_security"
fi
}User Notification System
#!/bin/bash
# Notify user of website access changes
notify_user() {
local message="$1"
local title="MacFleet Web Access"
# Use osascript for user notification
osascript -e "display notification \"$message\" with title \"$title\" sound name \"Glass\""
# Also log to system
log_action "User notification: $message"
}
# Example usage
notify_user "Website access policy updated to High Security mode"Important Security Considerations
- Hosts file permissions should be restricted to prevent unauthorized modifications
- DNS filtering provides network-level protection beyond local hosts file
- Emergency access procedures should be documented and tested
- Regular backups of hosts file and configuration are essential
- Audit logging helps track policy changes and compliance
Compliance and Reporting
The enterprise system generates comprehensive reports for:
- SOX Compliance - Financial services web access controls
- HIPAA Requirements - Healthcare data protection policies
- NIST Framework - Cybersecurity standards alignment
- ISO 27001 - Information security management
Testing and Validation
Before deploying to production:
- Test individual commands on isolated systems
- Verify DNS resolution after applying policies
- Confirm business applications remain accessible
- Test emergency procedures and restoration
- Validate compliance reporting accuracy
This comprehensive system transforms basic website blocking into an enterprise-grade access control platform with advanced policy management, compliance reporting, and fleet deployment capabilities.
