Wednesday, September 18, 2024

macOS Firewall Regressions in Sequoia

Will Dormann:

[Running] nslookup clearly causes a DNS request and a response to go over the wire, but nslookup eventually gives up thinking that no servers could be reached.

[…]

So if I turn off the macOS firewall, this all works fine. 🤔

[…]

Problem #1: “Block incoming connections” includes DNS responses is new as of macOS Sequoia. Prior to macOS 15 Sequoia “Block incoming connections” meant “Don’t poke a hole in my firewall for this”. Starting with Sequoia, this also includes “Don’t allow responses to DNS requests”, which is clearly a bug in the macOS stateful firewall. Any response to a request that I initiate should be allowed in.

Problem #2: The macOS GUI for firewall rules being disconnected from the existing rules (e.g. cannot change some) is apparently an artifact of macOS switching underlying storage for the firewall rules at some point. And the GUI apparently is only hooked up to the old storage. If you’ve had a Mac for a while, you’ll probably get bitten by this.

Wacław Jacek:

It seems the OS firewall can sometimes start blocking access to web browsing after upgrading to macOS Sequoia. At least this was the case for me and some folks on Reddit.

Going to the firewall settings screen, there can be no way to toggle access for the browser.

Ivo Damjanović:

I have an issue with the firewall too. It does not accept incoming SSH connections. But they are allowed. I think this is a bug. I can tell you how to edit the entry list. You are able to edit some of them because the UI uses an old firewall rule storage. You can not edit the rules that use the new storage. You may edit them with sudo /usr/libexec/ApplicationFirewall/socketfilterfw --listapps.

I’m also hearing that firewall and other security and networking settings were silently reverted by the Sequoia update.
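As an added example, not part of the post or any of the quoted comments, here is a small shell script for checking the state Dormann and Damjanović describe from the command line. It assumes the `--listapps` output format shown in its embedded constructed sample (a numbered path line followed by an "Allow/Block incoming connections" line), which may differ between macOS versions; `--getglobalstate` and `--listapps` are existing socketfilterfw flags.

```shell
#!/bin/sh
# Added example, not from the post: triage the macOS Application Firewall
# from the command line with socketfilterfw, the tool mentioned above.
# The --listapps output format (a "N :  /path" line followed by a
# "( Allow|Block incoming connections )" line) is assumed and may vary by
# macOS version; the sample below is constructed for offline testing.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

SAMPLE_LISTAPPS='ALF: total number of apps = 3

1 :  /Applications/Firefox.app
     ( Allow incoming connections )
2 :  /usr/bin/ssh
     ( Block incoming connections )
3 :  /Applications/Google Chrome.app
     ( Block incoming connections )'

# Reads --listapps text on stdin and prints the path of every entry set to
# "Block incoming connections", the state that on Sequoia also drops
# replies to the app's own DNS queries (the behaviour Dormann describes).
blocked_apps() {
    awk '
        /^[0-9]+ :/ {
            sub(/^[0-9]+ :[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            app = $0; next
        }
        /Block incoming connections/ { print app }
    '
}

# Exit status 0 if the given path is in the blocked set, 1 otherwise.
is_blocked() {
    blocked_apps | grep -Fxq -- "$1"
}

if [ -x "$SFW" ]; then
    # On a Mac: show the global state and which apps are blocked
    # (socketfilterfw needs root to read the rule list).
    sudo "$SFW" --getglobalstate
    sudo "$SFW" --listapps | blocked_apps
else
    # Elsewhere: exercise the parser on the constructed sample.
    printf '%s\n' "$SAMPLE_LISTAPPS" | blocked_apps
fi
```

If a browser or DNS-using tool shows up in the blocked list while resolution fails, that matches the regression described above; toggling it in the GUI may not work for entries held in the newer rule storage.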

See also: MacRumors, Reddit, ESET.



Is the Firewall really worth using? It seems that it is one app that Apple keeps overlooking and needs work, desperately. Is the third-party Firewall doing a better job?


There are issues at the moment with VPN apps (like Mullvad) blocking access to essential services like iMessage and FaceTime. Not all VPN apps are affected — the word on the street is that the Wireguard app is not, for example — but many apps that do fancy networking, DNS, or firewalling stuff to implement split networking or kill-switches seem to be. (Mullvad for example creates dynamic firewall rules to prevent leaks.)

Did Apple change some low-level frameworks at the last minute or were VPN companies asleep at the wheel during the beta period? In any case, there seems to be a cluster of networking issues with Sequoia, which did not come to light over the summer…

https://github.com/mullvad/mullvadvpn-app/issues/6521


This is just the worst. Unbelievable to eff up such a basic component. When will Apple finally learn to not release a major OS version every year and instead invest a few years in getting the basics right again? (Spoiler: never.)


> I’m also hearing that firewall and other security and networking settings were silently reverted by the Sequoia update.

There is definitely something that went wrong – I believe very late in the beta process – with Local Network access:

- I just filed FB15176762 - UI for Local Network settings in Sequoia 15.0 24A335 seem disconnected from behavior (it can be read at https://iosdev.space/@cdf1982/113164866859627559, sadly Mastodon didn't let me post the video: basically, after deleting and rebooting an app, the controls in Local Network were still there, duplicated, and toggling one triggered the other, or sometimes both, and in a case it didn't allow to disable a deleted app...)

- JD Gadina filed FB15174703 - macOS Sequoia Local Network permissions only apply to applications in the /Applications directory (https://mastodon.social/@macmade/113163757345604170), which I could also reproduce.


I got bit by this as well. Somehow my browser got blocked in the macOS firewall and all of a sudden I couldn't resolve DNS. Also, it looks like adding and removing applications from the firewall settings is broken both in the System Settings UI and on the command line via /usr/libexec/ApplicationFirewall/socketfilterfw.

Only thing to do for now is turn the OS firewall off. I'd recommend that anyone who needs a firewall in macOS 15 rely on LittleSnitch.
