Wednesday, November 13, 2024

macOS 15.1 Firewall Breaks Third-Party Firewalls

Norbert Heger:

Apple’s built-in firewall is causing trouble when used together with third-party firewalls that are based on Apple’s Network Extension framework (which is actually the only way for third-party developers to create such firewall products for the Mac).

While one of the issues related to DNS lookups has been fixed in macOS 15.1, a new, even more serious one was introduced.

[…]

For the time being, until Apple fixes this serious bug in macOS, we therefore highly recommend turning off the built-in firewall of macOS when also using Little Snitch or Little Snitch Mini.



The networking bugs in Sequoia have been painful. Not sure if it's related but I've had a recurring issue where Safari refuses to load web pages entirely, other Webkit-using apps like Instapaper stop responding, and only a reboot fixes the issue. Not to mention the ongoing coreaudiod / SoundSource crashes. For me, Sequoia is the least reliable macOS release in years.


These clowns can't have one release without a major breakage. It's amazing how horrible everything has become. Imagine being a business that relies on selling security software for this platform, or an IT department that wants to rely on the OS or tools installed on it.


@Alan I was seeing that with Sonoma, too, but not in third-party WebKit apps.


Another issue I'm seeing in Safari seems related to opening the developer tools deleting all cookies and local storage. I've seen thread in the WebKit issue tracker, but they claim it's solved. It's not. Everything is just a broken mess.


I shall continue avoiding Sequoia.

Back when Sonoma was released I avoided it for similar reasons -- so many bug reports and breakages. How's it going now? Now that the baton for buggiest macOS seems to have been passed to Sequoia, has Sonoma reached any kind of reasonable level of stability that's at least comparable to Ventura?


@Léo Natan - The exact issue you have described started happening to me over a year ago. I put up with it for a long time. I had been a Safari user since v1.0.

About 5 weeks ago, after opening dev tools and being logged out of every website for the 26,446th time that day and the 166,694,380th time that month, I wanted to take the laptop, snap it in half, set it on fire, and then throw it into a wood chipper, which is also on fire.

Since that's kind of expensive I decided to switch to Firefox instead. It's been an improvement in both reliability and my blood pressure. (I do miss ⌘-Z to reopen the last closed tab though.)


Sander Van Dragt

Mike try command shift t I think for the equivalent feature in Firefox.


Alan writes above on webpages in Safari – Just 20 minutes ago I had to restart Safari to make it load a webpage – clearing the cache didn't help. Hard to tell if it is network related or not – did restart Wi-Fi but it did not help here & tested to ping my external DNS. It does happen more frequently now.


@Bri Sonoma's where it's at for me personally, except for my server that's still on Ventura and will probably stay that way till Sequoia is in a halfway decent state, possibly by the holiday season if my experience of the 15.2 beta is anything to go by. Just hold on until this insanity ceases.

And speaking of Ventura (and it seems Sonoma too), the latest build broke my OpenSMTPD setup because gethostname(3) stopped returning a FQDN, and did the arguably correct thing by only returning the unqualified nodename. I had to do "sudo scutil --set HostName Foo.local" to get the old behaviour back, otherwise smtpd would frantically try to qualify an unresolvable name by doing a getaddrinfo(3) on the addresses of the interfaces returned by resolving the unqualified name, which would only ever result in the unqualified name, instead of a fake but genuine-looking "nodename.local". On other UNIXes you normally arrange things so nodename+searchdomain resolves to the address, and the address always has at least one fully-qualified alias (e.g. in /etc/hosts), so this trick works ... but not on MacOS. So watch out if you use server software that pulls this trick, or you might get a nasty surprise and end up doing what I did, trying to downgrade software looking for the culprit, before realising this was a MacOS change. Bloody Apple.
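Two things in this thread are worth checking from a shell on an affected Mac: whether the built-in application firewall is on while a Network Extension firewall such as Little Snitch is in use (the quoted post's advice is to turn the built-in one off), and whether the system hostname is fully qualified (the gethostname(3) change described in the comment above). The script below is an added example, not code from the post, from Objective Development or from any commenter. It uses the real macOS tools `/usr/libexec/ApplicationFirewall/socketfilterfw` and `scutil`; the two `SAMPLE_FW_*` lines are constructed to match the `(State = N)` format `socketfilterfw --getglobalstate` prints, so the parsing functions can be exercised on a non-Mac. The helper names `alf_state`, `is_fqdn` and `audit_macos` are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): audit the built-in macOS firewall
# state and the hostname's FQDN-ness, with pure helpers testable offline.

# Constructed sample lines in the format socketfilterfw --getglobalstate
# prints on macOS (assumption: one line ending in "(State = N)").
SAMPLE_FW_ON='Firewall is enabled. (State = 1)'
SAMPLE_FW_OFF='Firewall is disabled. (State = 0)'

# alf_state: print the numeric state from socketfilterfw output given as $1,
# or "unknown" if the line does not carry a "(State = N)" marker.
alf_state() {
    case "$1" in
        *"(State = "[0-9]")"*)
            printf '%s\n' "${1##*State = }" | tr -d ')'
            ;;
        *)
            printf 'unknown\n'
            ;;
    esac
}

# is_fqdn: succeed if $1 looks fully qualified (at least one dot, no empty
# label, no leading or trailing dot). This is a syntactic check only; it does
# not prove the name resolves.
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*) return 1 ;;
        *.*)           return 0 ;;
        *)             return 1 ;;
    esac
}

# audit_macos: run the real checks when the macOS tools are present.
# Prints findings; on other systems it reports that the tools are missing.
audit_macos() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    if [ -x "$fw" ]; then
        state=$(alf_state "$("$fw" --getglobalstate 2>/dev/null)")
        case "$state" in
            0)       echo "built-in firewall: off" ;;
            unknown) echo "built-in firewall: could not parse state" ;;
            *)       echo "built-in firewall: ON (state $state);" \
                          "if a Network Extension firewall is also in use," \
                          "consider turning this one off per the post above" ;;
        esac
    else
        echo "socketfilterfw not found (not macOS?)"
    fi

    if command -v scutil >/dev/null 2>&1; then
        # HostName is what gethostname(3) reflects once set via scutil.
        hn=$(scutil --get HostName 2>/dev/null || echo "")
        [ -n "$hn" ] || hn=$(hostname 2>/dev/null || echo "")
        if is_fqdn "$hn"; then
            echo "hostname '$hn' is fully qualified"
        else
            echo "hostname '$hn' is NOT fully qualified;" \
                 "software expecting a FQDN from gethostname(3) may misbehave"
        fi
    else
        echo "scutil not found (not macOS?)"
    fi
}

audit_macos
```

Run it as an ordinary user; `--getglobalstate` and `scutil --get` do not need root. Setting the hostname back to a qualified name, as the commenter did with `sudo scutil --set HostName`, is left to the administrator since it changes system configuration.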


Apple has been introducing a sh*t show of sketchy, undocumented, breaking changes to its networking subsystems, ever since macOS moved away from NKEs to NEs.

Users pay the price.
We developers pay the price. Loss of trust, business, and by scrambling to run QA blindly and freely for Apple. We were aiming to launch a major new version of our app, but postponed it as a result.
Nobody wins.


@Sander Van Dragt
Agreed, easy to reopen closed tabs as you described or even whole windows with command shift N.


@David My sympathies. It's not you, it's them.

In *principle* I do not object to a userspace filtering subsystem. I mean Windows has its "Windows Filtering Platform" and it's working out all right for them. The real issue is QA on that subsystem *and* the complete lack of transparency into its operation, by administrators and developers, who are supposed to be the chief beneficiaries. That to me just speaks of a certain kind of disdainful hubris, on the part of Apple. Yes indeed, this is "iOSification", in the truest sense—reduce users, including the power users and developers who drive the platform forward, to bumbling idiots. It's inspiring, isn't it?

And thanks for TripMode!
