How to stop the macOS firewall leaking system network data after a software update
Several sources report the firewall in macOS Sequoia can sometimes leak data after an update. Here's how to test and fix it.
macOS Sequoia can sometimes leak data after an update.
The macOS firewall in System Settings allows you to protect your Mac and filter network traffic based on a set of rules.
Several sites, including mullvad.net have reported that after macOS Sequoia updates, the firewall built into macOS may leak some data, allowing it to avoid firewall rules.
The cause of this leak is unknown - but apparently, a Mac restart fixes the problem after updating.
Background
Being based on BSD, macOS uses a packet-based network filter known simply as Packet Filter or "PF" for short (also known as Berkeley Packet Filter). PF goes way back to the early versions of BSD and OpenBSD when networking was added to UNIX.
PF works based on a set of rules stored in a file, which on macOS is named pf.conf that lives at the root of your Startup Disk in /private/etc. You'll need to turn on invisible files in the macOS Finder, or use the command line in Terminal to view the file.
You can open pf.conf in TextEdit but if you change the contents of the file be sure you understand PF and how the rules file works. You can learn more about pf.conf in Terminal by typing:man pf.conf and pressing Return
pf.conf also points to a folder in /private/etc named pf.anchors which contains sets of individual rules based on domains.
You can also use the tcpdump command in Terminal to print a description of the contents of packets on a network interface based on a boolean expression. For more info on tcpdump in Terminal, type:man tcpdump and press Return
A packet is one unit of information transmitted across a network that contains data, network headers, and routing information. When your computer loads data over a network it does so in chunks (packets) and reassembles received data into something an application can understand.
Packet filtering and firewalls work by allowing or blocking data.
pfctl
pfctl is another command-line utility that can be used to control PF. To see its usage and options in Terminal type:man pfctl and press Return.
For some pfctl commands you may need to use the sudo prefix. pfctl is quite extensive and there's a lot you can do with it.
As mullvad.net mentions, you can use pfctl to see if your Mac is affected by the leak. But we should warn you: don't attempt this unless you're comfortable using Terminal as changing the firewall rules can affect how your Mac receives network data.
You can turn the macOS firewall on or off completely in System Settings->Network->Firewall.
For most Mac users, this bug shouldn't be a big issue - just be sure you Restart your Mac after any system updates and everything should be fine. Hopefully, Apple will fix this bug soon.
You can read more about packet filtering on OpenBSD's website, and in the FreeBSD Handbook.
If you're looking for free firewall router software based on BSD, check out pfsense.
Read on AppleInsider
Comments
- Problems with Airplay on Apple TV3 after upgrading to Sequoia 15.0
- AirPlay not connecting after macOS Sequoia 15.2 update
- Screen Mirroring over Airplay no longer working on MacOS 15.2
The solution in all three discussions is to disable Firewall, set up the Airplay connection and then re-enable Firewall. The Airplay connection continues to work after Firewall is re-enabled but any new connection requires disabling it again. This is very inconvenient but at least it is a workaround.I do not see a lot of discussion about this problem which suggests either Airplay from macOS is not used very much or it is something else on the computers which is causing the problem. If it is the latter I would be very interested to know what I can change to remove the problem.