←back to thread

Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur

(twitter.com)
1183 points robenkleene | 4 comments | 20 Oct 20 15:51 UTC | HN request time: 0.606s | source
Show context
eptcyka ◴[20 Oct 20 16:14 UTC] No.24839101[source]
Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.

Similarly, all macOS machines will test a DHCP supplied default route before applying it by trying to reach something on the internet. So if you happen to have some firewall rules that block internet access, no default route will be applied until the internet check times out.

I won't share the other sentiments about the above, but is it really that hard to document these behaviors?

replies(22): >>24839205 #>>24839226 #>>24839281 #>>24839287 #>>24839352 #>>24839401 #>>24839503 #>>24839892 #>>24840087 #>>24840150 #>>24840234 #>>24840673 #>>24840752 #>>24841372 #>>24841670 #>>24842254 #>>24842446 #>>24843973 #>>24843982 #>>24845295 #>>24845368 #>>24847526 #
dheera ◴[20 Oct 20 16:22 UTC] No.24839226[source]
> wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard

... and what if your network is down? You can't even use your keyboard?

replies(2): >>24839239 #>>24844049 #
eptcyka ◴[20 Oct 20 16:23 UTC] No.24839239[source]
I should've clarified - it only does this if there is a default route. Funnily enough, whilst the firewalls in the original twitter post would possibly fail to catch this traffic, PF will block it just fine.
replies(2): >>24839282 #>>24839522 #
xenospn ◴[20 Oct 20 16:26 UTC] No.24839282[source]
Having a default route does not mean the internet is reachable.
replies(2): >>24839342 #>>24839363 #
1. eptcyka ◴[20 Oct 20 16:30 UTC] No.24839342[source]
I wish Apple agreed.

But on the other hand, there are use cases where checking for the existence of a default route is the best heuristic.

replies(1): >>24840572 #
2. Spivak ◴[20 Oct 20 18:10 UTC] No.24840572[source]
I mean that's what a default route is supposed to mean, right? That this machine can route to any address. It might not get there because of a firewall, or because nothing is at a given address but you're at least claiming to know what to do with a packet destined for anywhere.
replies(2): >>24841111 #>>24841417 #
3. ryukafalz ◴[20 Oct 20 18:59 UTC] No.24841111[source]
I think that’s a reasonable assumption for applications to make. I think that’s a less reasonable assumption for your keyboard to make.
4. ◴[20 Oct 20 19:27 UTC] No.24841417[source]