{"id":44972,"date":"2024-09-18T13:51:01","date_gmt":"2024-09-18T17:51:01","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=44972"},"modified":"2024-09-25T15:32:13","modified_gmt":"2024-09-25T19:32:13","slug":"macos-firewall-regressions-in-sequoia","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/09\/18\/macos-firewall-regressions-in-sequoia\/","title":{"rendered":"macOS Firewall Regressions in Sequoia"},"content":{"rendered":"<p><a href=\"https:\/\/infosec.exchange\/@wdormann\/113149199491406975\">Will Dormann<\/a>:<\/p>\n<blockquote cite=\"https:\/\/infosec.exchange\/@wdormann\/113149199491406975\"><p>[Running] <code>nslookup<\/code> clearly causes a DNS request and a response to go over the wire, but <code>nslookup<\/code> eventually gives up thinking that no servers could be reached.<\/p><p>[&#8230;]<\/p><p>So if I turn off the macOS firewall, this all works fine.  &#x1F914;<\/p><p>[&#8230;]<\/p><p>Problem #1: &ldquo;Block incoming connections&rdquo; includes DNS responses is new as of macOS Sequoia. Prior to macOS 15 Sequoia &ldquo;Block incoming connections&rdquo;  meant &ldquo;Don&rsquo;t poke a hole in my firewall for this&rdquo;. Starting with Sequoia, this also includes &ldquo;Don&rsquo;t allow responses to DNS requests&rdquo;, which is clearly a bug in the macOS stateful firewall. Any response to a request that I initiate should be allowed in.<\/p><p>Problem #2: The macOS GUI for firewall rules being disconnected from the existing rules (e.g. cannot change some) is apparently an artifact of macOS switching underlying storage for the firewall rules at some point. And the GUI apparently is only hooked up to the old storage. 
If you&rsquo;ve had a Mac for a while, you&rsquo;ll probably get bitten by this.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/waclaw.blog\/macos-firewall-blocking-web-browsing-after-upgrading-to-sequoia\/\">Wac&#x142;aw Jacek<\/a>:<\/p>\n<blockquote cite=\"https:\/\/waclaw.blog\/macos-firewall-blocking-web-browsing-after-upgrading-to-sequoia\/\">\n<p>It seems the OS firewall can sometimes start blocking access to web browsing after upgrading to macOS Sequoia. At least this was the case for me and some folks on Reddit.<\/p>\n<p>Going to the firewall settings screen, there can be no way to toggle access for the browser.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/chaos.social\/@damjanovic\/113152864210101452\">Ivo Damjanovi&#x107;<\/a>:<\/p>\n<blockquote cite=\"https:\/\/chaos.social\/@damjanovic\/113152864210101452\">\n<p>I have an issue with the firewall too. It does not accept incoming SSH connections. But they are allowed. I think this is a bug. I can tell you how to edit the entry list. You are able to edit some of them because the UI uses an old firewall rule storage. You can not edit the rules that use the new storage. 
You may edit them with <code>sudo \/usr\/libexec\/ApplicationFirewall\/socketfilterfw --listapps<\/code>.<\/p>\n<\/blockquote>\n\n<p>I&rsquo;m also hearing that firewall and other security and networking settings were silently reverted by the Sequoia update.<\/p>\n\n<p>See also: <a href=\"https:\/\/forums.macrumors.com\/threads\/mac-os-sequoia-builtin-firewall-does-not-allow-ssh-login.2436706\/\">MacRumors<\/a>, <a href=\"https:\/\/www.reddit.com\/r\/MacOS\/comments\/1fievzk\/why_cant_i_edit_my_firewall_settings_macos\/\">Reddit<\/a>, <a href=\"https:\/\/support.eset.com\/en\/alert8723-network-connection-lost-after-upgrading-to-macos-15-with-eset-macos-product-v6?ref=esf\">ESET<\/a>.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/09\/17\/little-snitch-6-and-dns-encryption\/\">Little Snitch 6 and DNS Encryption<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/09\/16\/macos-15-sequoia\/\">macOS 15 Sequoia<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/08\/30\/macos-firewall-slows-dns-queries\/\">macOS Firewall Slows DNS Queries<\/a><\/li>\n<\/ul>\n\n<p id=\"macos-firewall-regressions-in-sequoia-update-2024-09-20\">Update (2024-09-20): <a href=\"https:\/\/9to5mac.com\/2024\/09\/19\/security-bite-macos-sequoias-filewall-is-disrupting-security-tools-and-more\/\">Arin Waichulis<\/a>:<\/p>\n<blockquote cite=\"https:\/\/9to5mac.com\/2024\/09\/19\/security-bite-macos-sequoias-filewall-is-disrupting-security-tools-and-more\/\">\n<p>However, according to <a href=\"https:\/\/techcrunch.com\/2024\/09\/19\/apples-new-macos-sequoia-update-breaks-cybersecurity-tools-experts-say\/\">TechCrunch<\/a>, it now appears to be disrupting security tools made by CrowdStrike, SentinelOne, and Microsoft. 
Social media users are also reporting connection failures with third-party VPNs.<\/p>\n<p>[&#8230;]<\/p>\n<p>Patrick Wardle, a long-time iOS and Mac security expert and founder of the Objective-See Foundation, expressed his frustration, noting that Apple&rsquo;s lack of thorough testing is to blame.<\/p>\n<p>&ldquo;As a developer of macOS security tools, it&rsquo;s incredibly frustrating to time and time again have to deal with (understandably) upset users (understandably) blaming your tools for breaking their Macs, when in reality it was Apple&rsquo;s fault all along,&rdquo; Wardle told 9to5Mac.<\/p>\n<\/blockquote>\n<p><a href=\"https:\/\/www.openweb.com\/share\/2mLZG6BRACIdhzapJHHu4UZ8i0J\">Commenters<\/a> on that article are blaming developers for not testing during the macOS beta period, but <a href=\"https:\/\/x.com\/patrickwardle\/status\/1836666279035298243\">Wardle<\/a> shows that the issue <em>had<\/em> been reported to Apple prior to the RC.<\/p>\n\n<p id=\"macos-firewall-regressions-in-sequoia-update-2024-09-25\">Update (2024-09-25): <a href=\"https:\/\/www.theregister.com\/2024\/09\/23\/security_in_brief\/\">Brandon Vigliarolo<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.theregister.com\/2024\/09\/23\/security_in_brief\/\"><p>Something&rsquo;s wrong with macOS Sequoia, and it&rsquo;s breaking security software installed on some updated Apple systems.<\/p><p>[&#8230;]<\/p><p>Both Microsoft and ESET have posted bulletins about networking problems in macOS 15, and both report different fixes for their respective problems as well.<\/p><p>[&#8230;]<\/p><p>Speaking to <em>The Register<\/em>, Wardle told us he&rsquo;d heard from some of the larger vendors he&rsquo;s spoken to that Apple has acknowledged some unintended changes that it was working on fixing, but said he wasn&rsquo;t sure if that meant the issue was at the firewall or lower-level networking components.<\/p><\/blockquote>\n\n<p>Via <a 
href=\"https:\/\/x.com\/Sam_Ohanaware\/status\/1838023874707157255\">Sam Rowlands<\/a>:<\/p>\n<blockquote cite=\"https:\/\/x.com\/Sam_Ohanaware\/status\/1838023874707157255\">\n<p>Some users of my software have reported that the auto update system can fail also, in the networking portion of the code.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Will Dormann: [Running] nslookup clearly causes a DNS request and a response to go over the wire, but nslookup eventually gives up thinking that no servers could be reached.[&#8230;]So if I turn off the macOS firewall, this all works fine. &#x1F914;[&#8230;]Problem #1: &ldquo;Block incoming connections&rdquo; includes DNS responses is new as of macOS Sequoia. Prior [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2024-09-18T17:51:03Z","apple_news_api_id":"81135896-39e2-4461-9c12-632cbeb0e619","apple_news_api_modified_at":"2024-09-25T19:32:15Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAg==","apple_news_api_share_url":"https:\/\/apple.news\/AgRNYljniRGGcEmMsvrDmGQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[728,1204,30,2598,476,506,1227],"class_list":["post-44972","post","type-post","status-publish","format-standard","hentry","category-technology","tag-domain-name-system-dns","tag-firewall","tag-mac","tag-macos-15-sequoia","tag-networking","tag-ssh","tag-top-posts"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.
com\/blog\/wp-json\/wp\/v2\/posts\/44972","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=44972"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/44972\/revisions"}],"predecessor-version":[{"id":45102,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/44972\/revisions\/45102"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=44972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=44972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=44972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}