Add setting for unblocking APNS networks #6859
Conversation
hulthe
force-pushed
the
leak-apple-nets
branch
from
b10d9f1 to
b62ccd8
Compare
There was a problem hiding this comment.
Reviewed 13 of 27 files at r1.
Reviewable status: 13 of 27 files reviewed, all discussions resolved
There was a problem hiding this comment.
Reviewed 7 of 7 files at r2.
Reviewable status: 14 of 28 files reviewed, all discussions resolved
hulthe
force-pushed
the
leak-apple-nets
branch
from
0a11dca to
7c97aa0
Compare
There was a problem hiding this comment.
Reviewed 20 of 27 files at r1, 7 of 7 files at r2, 1 of 1 files at r3, all commit messages.
Reviewable status:complete! all files reviewed, all discussions resolved
hulthe
force-pushed
the
leak-apple-nets
branch
from
7c97aa0 to
abbaa18
Compare
There was a problem hiding this comment.
Reviewed all commit messages.
Reviewable status: 27 of 28 files reviewed, all discussions resolved (waiting on @raksooo)
There was a problem hiding this comment.
Reviewed 1 of 1 files at r3, 1 of 1 files at r5.
Reviewable status:
hulthe
force-pushed
the
leak-apple-nets
branch
3 times, most recently
from
6bef35e to
ba3207f
Compare
Co-authored-by: David Lönnhager <[email protected]>
hulthe
force-pushed
the
leak-apple-nets
branch
from
ba3207f to
d0b2b24
Compare
There was a problem hiding this comment.
Reviewed 4 of 4 files at r6.
Reviewable status: 28 of 29 files reviewed, all discussions resolved
| for &port in apple_ports { | ||
| let mut rule_builder = self.create_rule_builder(FilterRuleAction::Pass); | ||
| rule_builder.quick(true); | ||
| let allow_out = rule_builder |
There was a problem hiding this comment.
you should add a further constraint for user = 0 on this rule so that only root processes (such as apsd) can send off-vpn traffic to these ips - currently it looks like any process (even user processes - such as web browsers) can leak out these ips, there's many attack scenarios (though admittedly a bit obscure) in this situation.
There was a problem hiding this comment.
Good idea, but were currently working on getting rid of this feature all together.
This is a temporary mitigation of the MacOS 15 issues with iMessage, etc. It works by simply allowing packets through the firewall on the physical interface if the destination is one of a few specific apple-owned networks.
This change is