The same PF bug is breaking one of OrbStack's networking features. I found it hard to believe when I narrowed it down to this, but I guess I'm not alone. Really hoping this is fixed before the stable release.
I didn't get a chance to report this to Apple until yesterday, but I think it's a fairly recent regression, probably from around beta 6.
PF is supposed to be a last-match firewall but it's almost like macOS is doing first-match now: an earlier "block" rule (without "quick") is overriding "pass" rules in a different anchor, which obviously breaks things.
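As an added illustration (not code from the thread, OrbStack, Mullvad or Apple), here is a small constructed model of the two evaluation orders the comment above contrasts: PF's last-match semantics versus the first-match behaviour described, with a non-quick `block` followed by a `pass` inside an anchor. Anchors are simplified to named sub-lists spliced into the parent ruleset.

```python
"""Toy model of PF rule evaluation order.  Constructed example to show why a
non-quick 'block' followed by an anchored 'pass' gives different results under
last-match (correct PF) and first-match (the regression described)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    quick: bool = False         # PF 'quick': stop evaluating on match
    port: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return rule.port is None or rule.port == pkt.dst_port


def flatten(ruleset, anchors):
    """Splice anchor references (given as strings) into one flat rule list.
    Simplification: real PF anchors have their own match criteria."""
    out = []
    for item in ruleset:
        out.extend(flatten(anchors[item], anchors) if isinstance(item, str) else [item])
    return out


def evaluate_last_match(rules, pkt: Packet) -> str:
    """Correct PF semantics: the last matching rule wins, unless a matching
    rule is 'quick', which ends evaluation immediately."""
    decision = "pass"  # PF default when no rule matches
    for r in rules:
        if matches(r, pkt):
            decision = r.action
            if r.quick:
                break
    return decision


def evaluate_first_match(rules, pkt: Packet) -> str:
    """The regression as described: the first matching rule wins."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "pass"


# Constructed ruleset: global non-quick block, then an anchor passing one port.
ANCHORS = {"app": [Rule("pass", port=8443)]}
MAIN = [Rule("block"), "app"]


def decisions(port: int):
    """Return (last_match_result, first_match_result) for a packet to 'port'."""
    flat = flatten(MAIN, ANCHORS)
    return evaluate_last_match(flat, Packet(port)), evaluate_first_match(flat, Packet(port))
```

Under last-match the anchored `pass` wins for port 8443; under first-match the earlier `block` shadows it, which is the breakage the comment describes.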
"really hope" is too weak. This has to be fixed before release. A stable release with this would be unacceptable and would be reason for me to abandon Mac OS. You don't deliver a product with this kind of regression if you want it to be used for any kind of serious business.
Maybe you don't deliver products like that, but Apple delivers them all the time. Then you have to desperately raise noise on all possible forums, and hope to catch the eye of someone who actually works at a relevant team at Apple, before your customers get too tired of the issues caused by the bug and abandon you.
This is not an Apple-specific issue either, Microsoft works just the same. Large OS releases are a massive undertaking, and the release train doesn't stop for a firewall bug - no matter how severe the bug is for the people it does affect.
Half the time I hear of Mac OS updates, it's people having their Macs bricked because they didn't wait for patches to the main release to come out. Every major release seems to have major issues. At least this doesn't render your Mac completely useless.
Great writeup, very succinct and informative, they even have a simple reproduction of the bug.
I love Mullvad!
Tangentially, MacOS has had a lot of weird firewall bugs in the last few releases in general. I wonder what drives them to rip up and redo (I assume?) so much of it recently.
The rewrite was definitely influenced by the mandatory migration from kernel extensions to userspace System Extensions, specifically NetworkExtension, between Catalina and Big Sur: https://developer.apple.com/documentation/networkextension
If you're concerned about these kinds of bugs on your local OS platform you may consider "abstracting away" your local connection point via a remote browser. This way, whatever your local machine and OS, you can have a dedicated server that you run your browsing through. Granted it doesn't enclose your entire network connection: only your browsing, but what it does there is change your IP address, mask your location, and add protection from browser 0 days.
We're constantly adding new features to BrowserBox to respect and protect privacy and improve the overall experience. It's open source so you can change it how you want too. If you don't like AGPL-3.0 you can get a commercial license. Come take us for a spin: https://github.com/dosyago/BrowserBoxPro
If you don't want something open source, but prefer the joy of a large company I think Mullvad also has their Mullvad Browser which does something similar!
I don't know if related, but immediately after the last two MacOS upgrades I was unable to get my networking to work. I could connect to Wi-Fi / Ethernet / Hotspot, but nothing would actually connect (e.g. browser, pings, etc.), not even to my router.
The fix both times was to open the Mullvad VPN app just once and everything worked again. No idea why just opening the app would fix the issue.
No wonder, I recently installed the latest sonoma beta and couldn't for the life of me get Mullvad to work. Glad to hear Mullvad is working on a workaround. I even considered downgrading back to Ventura this morning. I feel validated!
Went to look at tailscale vpn and didn't realize it was a service entirely contained within tailscale, so I can't use my existing Mullvad account or credit tailscale with my already-purchased Mullvad credits :(
MacOS has had a host of these types of issues with their network stack over the last few years. They are almost always related to some "magic" technology Apple is introducing such as AirDrop (raw wifi frames), Siri (multipath TCP) et al. Essentially Apple have been introducing these new components with special elevated privileges which allow them to bypass or have priority access to the network stack in order to implement whatever brand of cross-protocol hoodoo they may require to function. At best, it's maddening, but at worst it's a huge red flag that Apple seems ready and willing to accept these compromises into the functionality of their system. It is impossible to achieve total software control over the network stack in MacOS today.
Not publicly that I have seen, but I can assure you networking and cybersecurity companies (and others) saw this pretty quickly when the bug was first released. I was just glad to see a relatively big company calling out this rather egregious issue.
Do many websites end up blocking traffic if it's originating from e.g. an EC2 instance?
Old article on the topic.
https://9to5mac.com/2015/05/26/apple-drops-discoveryd-in-lat...
Which is the scope of the bug sure. But doesn't make the check particularly elaborate or beautiful!
I think GP is saying it's beautiful precisely because it needs such a simple and not elaborate test
If you have a better way to reach them, lmk.
From source: "we have investigated this issue after the 6th beta was released and reported the bug to Apple"