Firewall Issues - ssh_dispatch_run_fatal errors during SSH

Just upgraded to Sequoia and noticed a lot of issues with the firewall while using ssh.


After ssh'ing into a local server on my network, after a few minutes I get this error:


Bad packet length 2489765067.

ssh_dispatch_run_fatal: Connection to 192.168.30.2 port 22: Connection corrupted


I can trigger it by ssh'ing into pretty much any server or computer on my network and then executing a command like:


ping google.com


within 10 - 30 seconds, the connection drops.


Happens with IPv4 and IPv6. Happens with Terminal and iTerm apps.


Disabling the firewall fixes the issue. In this case, my Mac is running statically in my local network and safely behind an upstream firewall. So, it's annoying to have to disable the firewall every time I have to ssh in anywhere, but not the end of the world. Obviously, that isn't a long term fix, however.


Anyone else seeing similar?

Mac Studio

Posted on Sep 17, 2024 6:35 PM
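
Why a damaged byte stream can surface as `Bad packet length`, shown as an added example (not part of the original post and not OpenSSH's code): SSH frames each packet with a 32-bit length field (RFC 4253, section 6), so once bytes are lost the receiver reads unrelated bytes as the next length. The framing below is simplified (no cipher, no MAC, zero padding); `MAX_PACKET`, the function names and the sample data are assumptions made for this illustration.

```python
import struct

BLOCK = 8                # minimum block size for padding (RFC 4253, section 6)
MAX_PACKET = 256 * 1024  # assumed receiver cap; OpenSSH enforces 256 KiB


def frame(payload: bytes) -> bytes:
    """uint32 length | pad length | payload | padding. No cipher or MAC;
    padding is zeros for reproducibility (real SSH uses random bytes)."""
    pad = BLOCK - (4 + 1 + len(payload)) % BLOCK
    if pad < 4:          # the RFC requires at least 4 bytes of padding
        pad += BLOCK
    body = bytes([pad]) + payload + bytes(pad)
    return struct.pack(">I", len(body)) + body


def read_packets(stream: bytes):
    """Return (payloads, error); error is None when the stream is clean."""
    payloads, pos = [], 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, pos)
        if length < 1 + 4 or length > MAX_PACKET:
            return payloads, f"Bad packet length {length}."
        body = stream[pos + 4 : pos + 4 + length]
        if len(body) < length:
            return payloads, "stream ended inside a packet"
        pad = body[0]
        if pad < 4 or pad >= length:
            return payloads, f"bad padding length {pad}"
        payloads.append(body[1 : length - pad])
        pos += 4 + length
    return payloads, (None if pos == len(stream) else "trailing bytes")


# Constructed sample: three lines of ping-like output, one packet each.
LINES = [b"icmp_seq=%d ttl=57 time=9 ms" % n for n in (1, 2, 3)]
CLEAN = b"".join(frame(line) for line in LINES)
# The same stream with 3 bytes lost in transit inside the second packet.
DAMAGED = CLEAN[:50] + CLEAN[53:]

if __name__ == "__main__":
    print(read_packets(CLEAN))    # three payloads, no error
    print(read_packets(DAMAGED))  # framing breaks at the third packet
```

In the damaged stream the second packet still passes the framing checks with altered content and only the third read fails; in real SSH the per-packet MAC exists to catch that case.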

Question marked as Top-ranking reply

Posted on Sep 19, 2024 7:34 PM

For those of you bypassing by disabling the firewall -- that's not a practical solution for enterprise users who either should not or cannot disable firewall. macOS developers, I hope you're tuned in to these discussions -- it's a huge blocker for those of us who rely on Mac as a developer's tool.

58 replies

Sep 19, 2024 1:48 PM in response to etresoft

So with respect, security is a layered architecture. The default MacOS firewall, while less than optimal for many reasons and uses; still DOES block by default most inbound connections at a minimum. I too personally use Little Snitch as I want way more security than the default provides; however having this as a base doesn't hurt.


That being said, there's another issue here. Many companies REQUIRE that filter to be enabled as part of security profile; or other things are disallowed. So in those cases you're ****** if you do and ****** if you don't ;) I am probably gonna have to revert to a previous backup tonight to get back to functionality.

Sep 19, 2024 2:22 PM in response to sandinak

sandinak wrote:

> The default MacOS firewall, while less than optimal for many reasons and uses; still DOES block by default most inbound connections at a minimum.

The default firewall configuration allows any built-in app, and any 3rd party signed app, to accept incoming connections. It doesn't block anything. In some versions, if you manually change settings to block software, it will just change it back to allow. But assuming you have a version that works, then it is only going to block local connections, like from your printer or other computers in your house. For the vast majority of users, no outside connection is going to make it past their modem in the first place.

> That being said, there's another issue here. Many companies REQUIRE that filter to be enabled as part of security profile; or other things are disallowed. So in those cases you're ****** if you do and ****** if you don't ;) I am probably gonna have to revert to a previous backup tonight to get back to functionality.

This is a user-to-user support forum for consumer users. Companies typically have all kinds of specialized configurations and software that we don't have and can't support.

Sep 23, 2024 7:31 AM in response to mikeloiterman

We're experiencing a similar issue with Sentinel One and Microsoft Defender here:



This leads to multiple SSL errors. In Chrome, for instance, we see ERR_SSL_PROTOCOL_ERROR very often.


Uninstalling Sentinel One or Defender (or disabling Network Filters for those) fixes the issue but it's definitely not a solution, especially on corporate networks and computers.


We're trying to investigate if there is a link between those apps' Network Filters and the fact that we also have Firewall enabled in MacOS (which is disabled usually by default).


[Edited by Moderator]

Oct 13, 2024 6:31 PM in response to rom.ph

rom.ph wrote:

> Whilst this is true that Apple cannot fix the problem caused by others, however, this issue should not be ignored.

I'm not saying it should be ignored. I'm saying it should be eliminated. Each and every* Sequoia user has the power to eliminate this problem in just a couple of minutes.


*I don't include corporate users. Some of the most utterly tech clueless people I've ever encountered work in corporate Mac IT support. I feel sorry for people stuck in that position. But this is a user-to-user support forum. We don't work for their company and can't fix those problems.

> MacOS 15.0.x borks TCP connections.

It doesn't. I've not had the slightest problem. Sequoia is one of the most stable, trouble free macOS updates that I've encountered in many years.

> See Little Snitch blog about Sequoia on TCP, Firewall issues https://obdev.at/blog/should-i-upgrade-to-macos-sequoia-now/

I'm a developer, so I've been running Sequoia since June. Why haven't any of these 3rd party developers or corporate IT folks been doing that? They have the same access to beta builds that I do. If there is any problem, they should be warning their users not to upgrade before they do so. In fact, that's always good advice, especially for anyone dealing with these kinds of low-level system modifications. I don't run Sequoia on my production machine where I do most of my development. That's still running Ventura.

> Disabling all third-party Network Filters will alleviate the issue temporarily (until, hopefully a fix on 15.1). macOS Firewall set to **block** all incoming connections (with the exception of some internal processes) works for me as well (you can set this to allow all and fine-tune the setting per third-party application).

Just turn off all filters, firewalls, and 3rd party security apps. No one needs them anyway.


That's the problem. This is a user-to-user support forum. Our goal is solving problems, not blamestorming or wringing hands. There's an easy solution, so why not just solve it?

> MacOS 15.0 is new, let's give Apple time to fix it

Doesn't matter to me. I don't have any problems. But it sure sounds like people are having lots of problems with it. So why not just click the "fix it" button? It's literally right there.

> if a user installs Sequoia, knowing that there is this bug AND if it is mission critical, then get them to revert back to macOS 14. :)

Reverting to an earlier version of the operating system is a serious chore. In some cases, it may not be possible if people don't have a backup from before the upgrade. An even easier solution is to just click the button.

Oct 15, 2024 8:35 AM in response to mikeloiterman

This is especially nasty for me with Adobe Creative Cloud app installs, and homebrew. Also often affects git pushes/pulls/forks, especially when they are called from within another script (such as homebrew).


Adobe indicates this as error 113, with installation error log messages like:


ERROR: Downloaded Size=327680 of segmentID=69 does match Validator Size=2097152


Homebrew installs often fail with a LibreSSL error, but since downloads nicely resume where they left off, will eventually finish after a series of restarts:


~ ▶ brew reinstall microsoft-excel                                                                                    ⁂
==> Downloading https://officecdnmac.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/Microsoft_Excel
                                                                                                                    0.2%curl: (56) LibreSSL SSL_read: LibreSSL/3.3.6: error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt, errno 0

Error: Download failed on Cask 'microsoft-excel' with message: Download failed: https://officecdnmac.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/Microsoft_Excel_16.89.24091630_Installer.pkg
~ ▶ brew reinstall microsoft-excel                                                                                    ⁂
==> Downloading https://officecdnmac.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/Microsoft_Excel
#####################                                                                                              18.9%curl: (56) LibreSSL SSL_read: LibreSSL/3.3.6: error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt, errno 0

Error: Download failed on Cask 'microsoft-excel' with message: Download failed: https://officecdnmac.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/Microsoft_Excel_16.89.24091630_Installer.pkg
~ ▶ brew reinstall microsoft-excel                                                                                    ⁂
==> Downloading https://officecdnmac.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/Microsoft_Excel
#####################################                                                                              33.0%curl: (56) LibreSSL SSL_read: LibreSSL/3.3.6: error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt, errno 0

Error: Download failed on Cask 'microsoft-excel' with message: Download failed: https://officecdnmac.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/Microsoft_Excel_16.89.24091630_Installer.pkg
~ ▶ brew reinstall microsoft-excel                                                                                    ⁂
==> Downloading https://officecdnmac.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/Microsoft_Excel
#############################################################                                                      54.8%curl: (56) LibreSSL SSL_read: LibreSSL/3.3.6: error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt, errno 0

Error: Download failed on Cask 'microsoft-excel' with message: Download failed: https://officecdnmac.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/Microsoft_Excel_16.89.24091630_Installer.pkg
~ ▶ brew reinstall microsoft-excel                                                                                    ⁂
==> Downloading https://officecdnmac.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/Microsoft_Excel
#############################################################################                                      69.0%curl: (56) LibreSSL SSL_read: LibreSSL/3.3.6: error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt, errno 0

Error: Download failed on Cask 'microsoft-excel' with message: Download failed: https://officecdnmac.microsoft.com/pr/C1297A47-86C4-4C1F-97FA-950631F94777/MacAutoupdate/Microsoft_Excel_16.89.24091630_Installer.pkg


This memo from Harvard IT lists other common CLI error messages, but its advice to add SSH to macOS firewall did not work:


I am running Sequoia 15.0.1 (24A348) stable release channel on a 2021 MacBook Pro, M1 Max.


I was hoping the recent release of OpenSSL 4.0.0 might address this, but I don't notice any change after upgrading OpenSSL via homebrew.

Sep 17, 2024 8:07 PM in response to mikeloiterman

mikeloiterman wrote:

> > Why is disabling the firewall every time I have to SSH into a server not a long term fix?

> Because I have to ssh into a lot of servers and computers frequently and often stay logged into them for long periods of time. So, that essentially means disabling the firewall on my Mac entirely.

Sorry. I meant that disabling the firewall entirely was the long-term fix. It’s a do-nothing app - a placebo. I don’t know for sure that it is causing the problem you describe. But I do know for sure that it’s a waste of time.

Oct 2, 2024 4:30 PM in response to mikeloiterman

I tried turning off "Limit IP address tracking" and "Private WiFi" with no luck. Tried using IPv6 network - hoping the issue is with the IPv4 stack, but still the same.


I have LittleSnitch but it is set to Silent Allow at the moment, since I am at home.


And no, disabling the Mac firewall is not an option.


I have heard of this issue right after Sequoia dropped.


Both issues on M2 Mac mini and M1 Pro MBP - SSH to Raspberry Pi and several other Linux VPS.


For some strange reason, I was able to transfer a 1+GB file from the MBP to RPi using Forklift and it worked.

Oct 2, 2024 8:42 PM in response to mikeloiterman

Just upgraded my Apple M1 Pro to Sequoia 15


Using Synergy to be able to share a cluster of monitors with a PC - it now freezes up constantly =(


WIFI at home

Wired at work


Continuously after SSHing to some servers,

debug2: sshpkt_disconnect: sending SSH2_MSG_DISCONNECT: Packet corrupt

ssh_dispatch_run_fatal: Connection to x.x.x.x port 22: Connection corrupted

Connection to y.y.y.y closed by remote host.


And when I use RDP, I frequently see this POPUP before it kicks off the remote host:

"Because of error with Data Encryption, connection dropped"


Wish I could just revert Sequoia......


Oct 6, 2024 6:28 PM in response to etresoft

Whilst this is true that Apple cannot fix the problem caused by others, however, this issue should not be ignored. MacOS 15.0.x borks TCP connections. See Little Snitch blog about Sequoia on TCP, Firewall issues https://obdev.at/blog/should-i-upgrade-to-macos-sequoia-now/


Disabling all third-party Network Filters will alleviate the issue temporarily (until, hopefully a fix on 15.1). macOS Firewall set to **block** all incoming connections (with the exception of some internal processes) works for me as well (you can set this to allow all and fine-tune the setting per third-party application).


As for VPN, well, I use Firefox connected to VPN via Windscribe and it works, so far so good. I have yet to run a VPN for all network connections, perhaps I will do this soon to test.


MacOS 15.0 is new, let's give Apple time to fix it -- also hoping that beta testers report this bug. As for us, let's continue filing bug reports, the more, the better, so Apple gets to prioritize it.


For the meantime, if you are from corporate IT, it is your responsibility to evaluate and certify new software before your users are allowed to download and install it. And if a user installs Sequoia, knowing that there is this bug AND if it is mission critical, then get them to revert back to macOS 14. :)

