Sequoia firewall: unable to edit some entries

etresoft wrote:

gunnarstahl wrote:

I just came back from a support call with apple support. And they confirmed exactly what I said. The application firewall should be enabled and active. And when I have to choose between some random guy on the 'net and an apple support person, well I know whom to trust.

It's not a matter of trust. In this case, if that's what they told you, then Apple Support is factually incorrect. The firewall is disabled by default. It's Apple that ships it turned off. If Apple Support has a problem with that, they should take it up with Apple.

Currently it seems that the application filter is broken and that it is a critical bug apple is working on. It is expected to be solved in an update.

Oh, it's most definitely broken. Is it a critical bug? Is Apple working on it? Will it be solved in an update? I'm very skeptical about all of those.

In order to make the application firewall something that is better than its current state of "worse than useless", it would need a fundamental re-write from top to bottom. That's definitely not happening. The problem might not even be in the firewall. It could be a lower-level problem with networking. Apple never noticed this during development because nobody at Apple runs the application firewall.

The fix for the current problem is clear - disable the firewall. This does not harm your security in any way. This is the default setting. You can certainly try it again whenever Apple releases an update. Apple has publicly said that 15.1 is going to be released in October. Maybe they will include a fix with that build.

Yes, it is a matter of trust. In fact, I urge anyone having a valid AppleCare contract to use the support hotline so that they can confirm how to deal with the firewall. And to be quite frank: I find your take on the firewall not only to be wrong but rather to be harmfull. Whether or not you like the apple firewall settings or be under the impression that it does not help, the fact that you try to make others turn their firewall off is irresponsible.

Yes, currently it doesn't work as intended. And Apple's decission to deliver the firewall in a turend-off setting is questionable, to say the least. But going on a public forum and urging people to generally turn the firewall of is ridiculous.

I will not answer any more to this discussion, since I've made myself sufficiently clear.

The firewall is broken in Sequoia.

Old entries are not editable and in many cases browsers like Chrome and Firefox stop working causing a lot of pain to the average Joe. If you google it, you will see it's happening to many folks out there.

We'll have to wait for an update, until then the only solution is to disable the firewall or allowing specific applications from the Terminal.

/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/<ApplicationName>.app

gunnarstahl wrote:

I just came back from a support call with apple support. And they confirmed exactly what I said. The application firewall should be enabled and active. And when I have to choose between some random guy on the 'net and an apple support person, well I know whom to trust.

It's not a matter of trust. In this case, if that's what they told you, then Apple Support is factually incorrect. The firewall is disabled by default. It's Apple that ships it turned off. If Apple Support has a problem with that, they should take it up with Apple.

Currently it seems that the application filter is broken and that it is a critical bug apple is working on. It is expected to be solved in an update.

Oh, it's most definitely broken. Is it a critical bug? Is Apple working on it? Will it be solved in an update? I'm very skeptical about all of those.

In order to make the application firewall something that is better than its current state of "worse than useless", it would need a fundamental re-write from top to bottom. That's definitely not happening. The problem might not even be in the firewall. It could be a lower-level problem with networking. Apple never noticed this during development because nobody at Apple runs the application firewall.

The fix for the current problem is clear - disable the firewall. This does not harm your security in any way. This is the default setting. You can certainly try it again whenever Apple releases an update. Apple has publicly said that 15.1 is going to be released in October. Maybe they will include a fix with that build.

Barney-15E wrote:

Most apps would have no function without being "curious to the outside world."

You could not use a web browser unless it was "curious to the outside world."

I'm not a native english speaker so maybe it wasn't obvious I was trying to refer to server processes listening to the outside world, waiting for others to initiate contact. For the most part I'm fine with initiating contact myself. For some reason.

If you use your Mac outside your home network, you should disable all of the sharing services. There would then be no need for what you think is a firewall.

So if I'm taking this as literally as you were with the previous one, then what you're saying is that only server processes a Mac can have are file sharing services. Gotcha.

A firewall is not an internet security tool. It is a network management tool. The only reason anyone considers it a security tool is because Microsoft blamed users for the poor security model and told them they wouldn't have been hacked if they had only enabled the firewall.

I wouldn't know about Windows as I'm a Linux/UNIX kinda guy, but I don't mind getting notified if a program running on my machine (intentionally or not) is trying to accept connections from the outside world without it being explicitly allowed.

Call it network management if you wish but I'm also running firewalls on all my (linux) servers accessible from the internet, even though I assume I know the services I have running. Gonna keep on network managing even if it doesn't have any security advantages according to some people on Mac forums.

gunnarstahl wrote:

In fact, I urge anyone having a valid AppleCare contract to use the support hotline so that they can confirm how to deal with the firewall. And to be quite frank: I find your take on the firewall not only to be wrong but rather to be harmfull.

The firewall is off by default. If you have a problem with that, take it up with Apple. That's Apple's decision, not mine. If I'm out here telling you to turn off a default security setting, then you can complain. Why should you disable this default setting? I'm not doing that. I'm telling you to use default settings. If you are claiming that Apple's default security settings are inadequate, then you are the one that needs to support that claim with evidence. And no, if a first-tier Apple Support phone rep told you to does not count.

Yes, currently it doesn't work as intended. And Apple's decission to deliver the firewall in a turend-off setting is questionable, to say the least. But going on a public forum and urging people to generally turn the firewall of is ridiculous.

The is a user-to-user support forum. It is not a forum to debate security practices, Apple decisions, or even low-level network routing. It's a place where people come to get help with their Apple devices. Recent changes in macOS Sequoia are causing many people to experience various networking problems if they have turned on the built-in application firewall. The solution is unequivocal. Turn off the firewall. That's the solution. Problem solved. Zero harm done.

While I agree with most of the statements, I would still expect an OS feature offered by Apple to work as intended.

This is a serious bug they should look into.

I'm having this problem also. Turning the firewall off resolves the issue of some applications being blocked, but it can't be the solution. Luckily it works as a temporary workaround while waiting for an actual resolution.

gotenks wrote:

The firewall is broken in Sequoia.

Its always been broken.

causing a lot of pain to the average Joe.

Average Joes shouldn't be using a firewall. Firewalls are for network administrators. The built-in Apple firewall is useless. It's not that it doesn't work per se. It's that it simply has no functionality for a consumer device. The default behaviour is to allow connections. But even if you restrict connections, you aren't actually restricting anything.

the only solution is to disable the firewall

That is the appropriate solution.

The built-in firewall only applies to the local network. You're protecting your Mac from your phone or maybe your printer. Unless you have an extraordinarily unusual network, no outside connections will even reach your device for the firewall to block them (or allow them).

The only meaningful functionality that the built-in firewall provides is giving people some switches to click on in hopes they will do that instead of downloading one or more of the dozens of scam "security" apps.

Unfortunately, in recent years, the built-in firewall has been so riddled with bugs that people who have fallen for this social media misinformation and are running it in the first place are going to see these bugs and then be even more likely to install 3rd party scam apps.

That is a very ... unpleasant ... take on the subject. Reality is, that regardless of what you deam to be the 'average joe' the system is required to work as expected. In essence the firewall is not there to protect admins but to protect a system running macos.

And to make sure that not outside access to a machine happens in case it is running software that happens to listen to a port. And that can be anything from a software being installed to a website running a malicious script. Or even a software that is not malicious but just has an exploitable bug.

In any case the firewall makes sure that only software, that is supposed to listen to the outside world can access said outside world. And the firewall in macos until sequoia was easily enough configurable so that the aforementioned 'average joe' knew how to use it.

And this ease of use is gone. Hence it needs to be fixed. And no, the answer is not to just disable it.

gunnarstahl wrote:

the firewall is not there to protect admins but to protect a system running macos.

And to make sure that not outside access to a machine happens in case it is running software that happens to listen to a port.

The default behaviour of the application firewall is to allow all access to any running software.

And that can be anything from a software being installed to a website running a malicious script.

If you are hosting a website running a malicious script, then the firewall is the least of your problems.

In any case the firewall makes sure that only software, that is supposed to listen to the outside world can access said outside world.

That is the exact opposite of what a firewall does.

And the firewall in macos until sequoia was easily enough configurable so that the aforementioned 'average joe' knew how to use it.

And this ease of use is gone. Hence it needs to be fixed. And no, the answer is not to just disable it.

Before Sequoia, the application firewall was riddled with bugs. Sure, it was easy enough to configure. It just didn't actually apply any of those configuration changes. 😄

If you want to argue that the built-in firewall needs to be fixed, I'm not going to argue with that. My point is that a false sense of security is worse than no security. If someone wants to host some kind of service on a Mac, they need to be aware that anyone in the world can access that service (assuming they know how to establish a route through their access point, of course - but let's keep it simple - I'm trying to make a point). The problem with the built-in firewall is that it appears to give people this warm fuzzy that they are "protected" somehow, when it does absolutely nothing of the sort.

Don't be upset that I'm telling you to disable it. Be upset that you've been misinformed.

I just came back from a support call with apple support. And they confirmed exactly what I said. The application firewall should be enabled and active. And when I have to choose between some random guy on the 'net and an apple support person, well I know whom to trust.

Currently it seems that the application filter is broken and that it is a critical bug apple is working on. It is expected to be solved in an update.

aoimame wrote:

Since upgrading to Sequoia, I noticed some entries in the Network > Firewall > options... are no longer editable: some apps are stuck, I'm unable to change their settings to allow/block, or delete the entries. the command line `/usr/libexec/ApplicationFirewall/socketfilterfw` also does not work on these apps, see the screen shot, apps like zoom, and Things do not have the ↕️ next to allow/block, and for them the delete - and right click also does not work.

The release notes said that the firewall has some deprecation changes and the settings are no longer in the alf plist, where are they now so I can reset the settings? Thanks!

https://discussions.apple.com/content/attachment/0f4d5bf3-e481-4f7e-a639-d188ab2f4fc2

If you are behind your Network router I would turn off the Firewall and compare your results.

see if there is more here—

closing open ports on a MAC, - Apple Community

I'd be happy with all my outbound facing ports closed, but for some reason a whole bunch of apps I use are curious to the outside world.

Most apps would have no function without being "curious to the outside world."

You could not use a web browser unless it was "curious to the outside world."

If you use your Mac outside your home network, you should disable all of the sharing services. There would then be no need for what you think is a firewall.

A firewall is not an internet security tool. It is a network management tool. The only reason anyone considers it a security tool is because Microsoft blamed users for the poor security model and told them they wouldn't have been hacked if they had only enabled the firewall.

gotenks wrote:

While I agree with most of the statements, I would still expect an OS feature offered by Apple to work as intended.

Agreed.

This is a serious bug they should look into.

Agreed.

However, this is a user-to-user tech support forum. We can't force Apple to make changes. But we also don't like dealing with internet misinformation. We would prefer to just give people the information they need to have a better experience with their devices. For anyone who has enabled the built-in Application firewall, that means turning off the Application firewall.

TheOtherKat wrote:

If the firewall is " a joke" what do you suggest us "Average Joe" do to protect from hackers and outsiders etc

Use default settings. The Application firewall is turned off by default.

You are not at any risk from hackers or outsiders. Don't believe what you read on the internet. The internet isn't true.