←back to thread

Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur

(twitter.com)
1183 points robenkleene | 2 comments | 20 Oct 20 15:51 UTC | HN request time: 0.581s | source
Show context
eptcyka ◴[20 Oct 20 16:14 UTC] No.24839101[source]
Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.

Similarly, all macOS machines will test a DHCP supplied default route before applying it by trying to reach something on the internet. So if you happen to have some firewall rules that block internet access, no default route will be applied until the internet check times out.

I won't share the other sentiments about the above, but is it really that hard to document these behaviors?

replies(22): >>24839205 #>>24839226 #>>24839281 #>>24839287 #>>24839352 #>>24839401 #>>24839503 #>>24839892 #>>24840087 #>>24840150 #>>24840234 #>>24840673 #>>24840752 #>>24841372 #>>24841670 #>>24842254 #>>24842446 #>>24843973 #>>24843982 #>>24845295 #>>24845368 #>>24847526 #
dheera ◴[20 Oct 20 16:22 UTC] No.24839226[source]
> wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard

... and what if your network is down? You can't even use your keyboard?

replies(2): >>24839239 #>>24844049 #
eptcyka ◴[20 Oct 20 16:23 UTC] No.24839239[source]
I should've clarified - it only does this if there is a default route. Funnily enough, whilst the firewalls in the original twitter post would possibly fail to catch this traffic, PF will block it just fine.
replies(2): >>24839282 #>>24839522 #
xenospn ◴[20 Oct 20 16:26 UTC] No.24839282[source]
Having a default route does not mean the internet is reachable.
replies(2): >>24839342 #>>24839363 #
easton ◴[20 Oct 20 16:31 UTC] No.24839363[source]
Probably why the other discussed function exists:

> Similarly, all macOS machines will test a DHCP supplied default route before applying it by trying to reach something on the internet. So if you happen to have some firewall rules that block internet access, no default route will be applied until the internet check times out.

So if the default route doesn't exist yet since it's still checking for internet, it would let you use the keyboard. DHCP probably runs every time the NIC is turned on (like from sleep), and they could just disable this function if you've set a static default route (since they may not be able to reach their NTP server on that route).

replies(1): >>24839425 #
1. eptcyka ◴[20 Oct 20 16:37 UTC] No.24839425[source]
The default route verification is separate from the keyboard issue. I don't know exactly what is going on here, but in the above post what I mean by the system applying a default route is that the route isn't propagated to the system configration's dynamic store and whatever macOS uses for netlink, i.e. the route doesn't show up in `route monitor` until the check finishes. However, I do believe it would still be used at some level, either on the T2 or in the kernel to do the NTP stuff.
replies(1): >>24839998 #
2. sroussey ◴[20 Oct 20 17:21 UTC] No.24839998[source]
The T2 has its own OS, so that makes sense.