Sequoia firewall: unable to edit some entries

Since upgrading to Sequoia, I noticed some entries in the Network > Firewall > Options... are no longer editable: some apps are stuck, and I'm unable to change their settings to allow/block or delete the entries. The command line tool `/usr/libexec/ApplicationFirewall/socketfilterfw` also does not work on these apps; see the screenshot. Apps like Zoom and Things do not have the ↕️ next to allow/block, and for them the delete (-) and right-click also do not work.


The release notes said that the firewall has some deprecation changes and the settings are no longer in the alf plist, where are they now so I can reset the settings? Thanks!



MacBook Pro (M1, 2020)

Posted on Sep 16, 2024 1:44 PM

33 replies

Sep 17, 2024 12:19 PM in response to etresoft

etresoft wrote:

Average Joes shouldn't be using a firewall. Firewalls are for network administrators. The built-in Apple firewall is useless. It's not that it doesn't work per se. It's that it simply has no functionality for a consumer device.

Kinda disagree. The built-in Apple firewall has just enough functionality for the average joe. Though average Joe should try not to install too many apps that act as a server listening to the outside world.


The built-in firewall only applies to the local network. You're protecting your Mac from your phone or maybe your printer. Unless you have an extraordinarily unusual network, no outside connections will even reach your device for the firewall to block them (or allow them).

My home network is kinda ordinary. Streaming devices, NAS, what have you. But believe it or not, I also use my computer outside my home network. Say at a cafe or a hospital or a train. Public networks tend to have more actors than just my phone or a printer. But maybe that is just me and my special needs for my laptop.


The only meaningful functionality that the built-in firewall provides is giving people some switches to click on in hopes they will do that instead of downloading one or more of the dozens of scam "security" apps.

I'd be happy with all my outbound facing ports closed, but for some reason a whole bunch of apps I use are curious to the outside world.


Sep 17, 2024 12:48 PM in response to jjohanss

I'd be happy with all my outbound facing ports closed, but for some reason a whole bunch of apps I use are curious to the outside world.

Most apps would have no function without being "curious to the outside world."

You could not use a web browser unless it was "curious to the outside world."


If you use your Mac outside your home network, you should disable all of the sharing services. There would then be no need for what you think is a firewall.


A firewall is not an internet security tool. It is a network management tool. The only reason anyone considers it a security tool is because Microsoft blamed users for the poor security model and told them they wouldn't have been hacked if they had only enabled the firewall.


Sep 17, 2024 1:12 PM in response to Barney-15E

Barney-15E wrote:

Most apps would have no function without being "curious to the outside world."
You could not use a web browser unless it was "curious to the outside world."

I'm not a native English speaker, so maybe it wasn't obvious I was trying to refer to server processes listening to the outside world, waiting for others to initiate contact. For the most part I'm fine with initiating contact myself. For some reason.


If you use your Mac outside your home network, you should disable all of the sharing services. There would then be no need for what you think is a firewall.

So if I'm taking this as literally as you were with the previous one, then what you're saying is that the only server processes a Mac can have are file sharing services. Gotcha.


A firewall is not an internet security tool. It is a network management tool. The only reason anyone considers it a security tool is because Microsoft blamed users for the poor security model and told them they wouldn't have been hacked if they had only enabled the firewall.

I wouldn't know about Windows as I'm a Linux/UNIX kinda guy, but I don't mind getting notified if a program running on my machine (intentionally or not) is trying to accept connections from the outside world without it being explicitly allowed.


Call it network management if you wish but I'm also running firewalls on all my (linux) servers accessible from the internet, even though I assume I know the services I have running. Gonna keep on network managing even if it doesn't have any security advantages according to some people on Mac forums.

Sep 17, 2024 1:35 PM in response to jjohanss

jjohanss wrote:


Barney-15E wrote:

Most apps would have no function without being "curious to the outside world."
You could not use a web browser unless it was "curious to the outside world."

I'm not a native English speaker, so maybe it wasn't obvious I was trying to refer to server processes listening to the outside world, waiting for others to initiate contact. For the most part I'm fine with initiating contact myself. For some reason.

Yes, you could install those. I would hope you know what you are installing.

Sep 27, 2024 7:18 AM in response to etresoft

That is a very ... unpleasant ... take on the subject. Reality is, that regardless of what you deem to be the 'average joe', the system is required to work as expected. In essence the firewall is not there to protect admins but to protect a system running macOS.

And to make sure that no outside access to a machine happens in case it is running software that happens to listen on a port. And that can be anything from software being installed to a website running a malicious script. Or even software that is not malicious but just has an exploitable bug.

In any case the firewall makes sure that only software that is supposed to listen to the outside world can access said outside world. And the firewall in macOS until Sequoia was easily enough configurable that the aforementioned 'average joe' knew how to use it.

And this ease of use is gone. Hence it needs to be fixed. And no, the answer is not to just disable it.

Sep 27, 2024 8:06 AM in response to gunnarstahl

gunnarstahl wrote:

the firewall is not there to protect admins but to protect a system running macOS.
And to make sure that no outside access to a machine happens in case it is running software that happens to listen on a port.

The default behaviour of the application firewall is to allow all access to any running software.

And that can be anything from a software being installed to a website running a malicious script.

If you are hosting a website running a malicious script, then the firewall is the least of your problems.

In any case the firewall makes sure that only software, that is supposed to listen to the outside world can access said outside world.

That is the exact opposite of what a firewall does.

And the firewall in macOS until Sequoia was easily enough configurable that the aforementioned 'average joe' knew how to use it.
And this ease of use is gone. Hence it needs to be fixed. And no, the answer is not to just disable it.

Before Sequoia, the application firewall was riddled with bugs. Sure, it was easy enough to configure. It just didn't actually apply any of those configuration changes. 😄


If you want to argue that the built-in firewall needs to be fixed, I'm not going to argue with that. My point is that a false sense of security is worse than no security. If someone wants to host some kind of service on a Mac, they need to be aware that anyone in the world can access that service (assuming they know how to establish a route through their access point, of course - but let's keep it simple - I'm trying to make a point). The problem with the built-in firewall is that it appears to give people this warm fuzzy that they are "protected" somehow, when it does absolutely nothing of the sort.


Don't be upset that I'm telling you to disable it. Be upset that you've been misinformed.

Sep 27, 2024 8:24 AM in response to gunnarstahl

gunnarstahl wrote:

Reality is, that regardless of what you deem to be the 'average joe', the system is required to work as expected.

That assumes that whoever is making those expectations has reasonable and accurate ones. I can expect that my car will always get the miles per gallon that the manufacturer said it could get. But, if I only do stop-and-go city driving, it will never get the highest numbers. The problem is not with the car. It's with my expectations.

Oct 3, 2024 2:10 AM in response to aoimame

I have the same issue:

Firewall was enabled in the past, and incoming connections were only allowed where I really needed and expected them. Now after the update to macOS 15.0 many applications only work when the firewall is disabled. As far as I can tell, the same applications cannot be edited in the firewall settings.

Besides potential fixes described already by others: Browsing with Firefox should not require any incoming connections. This is by definition outgoing traffic only.


/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Firefox.app

(with or without sudo)

is not working for me. It changes the rule from red to green, but the functionality does not change. Only a disabled firewall does the job. My Firefox is using a proxy server; maybe I am not allowed to use the proxy in the local network? Where can I check this configuration?

Oct 3, 2024 11:22 AM in response to BernhardfromAustria


Besides potential fixes described already by others: Browsing with Firefox should not require any incoming connections. This is by definition outgoing traffic only.


That statement is patently false. The HTTP protocol works on a request/response basis. You request a webpage from somewhere and it responds by sending you data. There is no way you could read anything if something wasn’t sent back to you.

Unless you’re running a web server, it is not listening for unsolicited communications.

Oct 3, 2024 11:49 AM in response to Barney-15E

Half of what you write is correct. First, it is not HTTP-specific; it is valid for all protocols.

Second: A client requests something and the response is sent back to the client; every firewall can handle this (return) traffic. This communication is very different from an "incoming connection", where a listener service is running and waiting for a connection (server behavior). A typical client computer can keep all (incoming) ports closed on the firewall and it will work perfectly fine. In contrast, you will of course open a port on the firewall when you want to, e.g., share data with another computer.

Remember: The macOS firewall has a checkbox: Block all incoming connections. And this is exactly what should do the job for 99% of the users who are running a stand-alone computer - when they are using a macOS version lower than 15.0 - because in this version there is an issue.

The issue is, when you do not allow incoming traffic, also outgoing traffic is blocked.
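The distinction this post draws, between a service that is listening for incoming connections and a client that merely sends requests and receives replies, is exactly what a defender needs to check on a laptop used on public networks. The shell script below is an added example, not from this thread or from Apple. It parses output in the shape of `lsof -nP -iTCP -sTCP:LISTEN` (a constructed sample is embedded; process names, PIDs and ports are made up) and separates sockets bound only to loopback, which nothing on the network can reach, from sockets bound to `*` or a routable address, which are the only ones the application firewall's allow/block or "Block all incoming connections" setting can matter for. Outbound client traffic, such as a browser fetching a page, never appears in LISTEN state at all. The `firewall_summary` helper uses existing `socketfilterfw` query flags and simply reports when the tool is absent (non-macOS).

```shell
#!/bin/sh
# Added example, not from the thread or from Apple. Classifies LISTENing TCP
# sockets into loopback-only (unreachable from the network) and exposed
# (bound to * or a routable address). Only the latter are "incoming
# connections" in the sense the application firewall cares about.

# Constructed sample in the shape of `lsof -nP -iTCP -sTCP:LISTEN` on macOS.
# Process names, PIDs and ports are made up for illustration.
SAMPLE_LSOF='COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rapportd    512  alice    4u  IPv4 0x1234      0t0  TCP *:49152 (LISTEN)
rapportd    512  alice    5u  IPv6 0x1235      0t0  TCP *:49152 (LISTEN)
node       8342  alice   21u  IPv4 0x2233      0t0  TCP 127.0.0.1:3000 (LISTEN)
zoom.us    9110  alice   33u  IPv4 0x3344      0t0  TCP *:54321 (LISTEN)
postgres   1201  alice    7u  IPv6 0x4455      0t0  TCP [::1]:5432 (LISTEN)'

# classify_listeners: reads lsof lines on stdin and prints one line per socket:
#   EXPOSED  <command> <pid> <addr:port>   bound to * or a routable address
#   LOOPBACK <command> <pid> <addr:port>   bound to 127.0.0.0/8 or [::1] only
classify_listeners() {
    awk '
        $1 == "COMMAND" { next }                 # skip the header line
        $NF == "(LISTEN)" {
            addr = $(NF-1)                       # the "addr:port" field
            if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) cls = "LOOPBACK"
            else                                        cls = "EXPOSED"
            print cls, $1, $2, addr
        }'
}

# exposed_count: how many sockets on stdin are reachable from the network.
# A client-only machine, in the sense discussed above, should report 0
# (or only system daemons you recognise and expect).
exposed_count() {
    classify_listeners | awk '$1 == "EXPOSED" { n++ } END { print n + 0 }'
}

# firewall_summary: on macOS, show the application firewall's global state,
# its "block all incoming" and stealth-mode settings, and the per-app rule
# list, using socketfilterfw query flags that exist in macOS. On other
# systems it only reports that the tool is missing.
firewall_summary() {
    sfw=/usr/libexec/ApplicationFirewall/socketfilterfw
    if [ -x "$sfw" ]; then
        "$sfw" --getglobalstate
        "$sfw" --getblockall
        "$sfw" --getstealthmode
        "$sfw" --listapps
    else
        echo "socketfilterfw not found; not macOS?"
    fi
}

# Demo on the constructed sample. On a real Mac, replace the printf with:
#   sudo lsof -nP -iTCP -sTCP:LISTEN | classify_listeners
printf '%s\n' "$SAMPLE_LSOF" | classify_listeners
printf 'exposed listeners: %s\n' "$(printf '%s\n' "$SAMPLE_LSOF" | exposed_count)"
```

On the sample, the loopback-only `node` and `postgres` listeners are reported as LOOPBACK and the three wildcard-bound sockets as EXPOSED. Run `firewall_summary` alongside the live `lsof` output on a Mac to compare what is actually listening against what the firewall's rule list says it allows; a listener that appears under EXPOSED but has no corresponding rule is the case worth investigating.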

Oct 3, 2024 11:53 AM in response to BernhardfromAustria

Second: A client requests something and the response is sent back to the client; every firewall can handle this (return) traffic. This communication is very different from an "incoming connection", where a listener service is running and waiting for a connection (server behavior). A typical client computer can keep all (incoming) ports closed on the firewall and it will work perfectly fine. In contrast, you will of course open a port on the firewall when you want to, e.g., share data with another computer.

Yes, that’s why I mentioned all of that.

The issue is, when you do not allow incoming traffic, also outgoing traffic is blocked.

As with everyone else’s, my NAT router blocks unsolicited incoming connections.
