←back to thread

Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur

(twitter.com)
1183 points robenkleene | 3 comments | 20 Oct 20 15:51 UTC | HN request time: 0.641s | source
Show context
eptcyka ◴[20 Oct 20 16:14 UTC] No.24839101[source]
Apple seems to do all kinds of weird networking _stuff_. For instance, during wakeup, your T2 equipped Macbook will wait for a DNS response and then use said DNS response to synchronize time via NTP before letting the user use the keyboard. Probably checking timestamps on signatures for the keyboard firmware, or something stupid like that. This only happens if it happens to have a default route.

Similarly, all macOS machines will test a DHCP supplied default route before applying it by trying to reach something on the internet. So if you happen to have some firewall rules that block internet access, no default route will be applied until the internet check times out.

I won't share the other sentiments about the above, but is it really that hard to document these behaviors?

replies(22): >>24839205 #>>24839226 #>>24839281 #>>24839287 #>>24839352 #>>24839401 #>>24839503 #>>24839892 #>>24840087 #>>24840150 #>>24840234 #>>24840673 #>>24840752 #>>24841372 #>>24841670 #>>24842254 #>>24842446 #>>24843973 #>>24843982 #>>24845295 #>>24845368 #>>24847526 #
1. codezero ◴[20 Oct 20 21:20 UTC] No.24842446[source]
The keyboard thing is new to me, wow that sucks. The other one sounds like a workaround for captive portals. I think there is some documentation on that wrt Safari and the built in networking, but it was mostly a workaround needed to deal with wifi hotspots that intercept dns until you pay/subscribe, and it causes safari to look hung - so they had to make it clear it wasn’t their browser hanging since it couldn’t make SSL connections.
replies(1): >>24843072 #
2. eptcyka ◴[20 Oct 20 22:46 UTC] No.24843072[source]
Cool, can you reference some docs or any communication from Apple re the captive portal workarounds?

It feels rather heavy handed as there are ways other systems have worked around this that don't hijack routes.

replies(1): >>24848606 #
3. codezero ◴[21 Oct 20 15:13 UTC] No.24848606[source]
I don’t work for Apple, you might ask their developer support.

A quick search for Captive Network Assistant shows it’s not documented.