hoakley August 9, 2019 Macs, Technology

Firewalls, phoning home and whitelists

A few years ago, most Mac users had firewalls in their routers which blocked all incoming connections, and that was all they wanted. Over those years, we’ve increasingly installed software firewalls on our Macs to block outgoing connections. This article looks at some of the issues that arise from doing that.

There are several potentially good reasons for wanting to block specific outgoing connections from your Mac. These include:

preventing legitimate apps from ‘phoning home’ to send personal data to a remote server;
preventing malware from sending data to remote servers;
limiting transfers over capped or expensive connections, such as mobile data connections when travelling.

Different apps are tailored for those purposes. For example, Lulu and Little Snitch are primarly targeted at the first two, while TripMode is aimed at those who use mobile data connections and need to manage their cost. But each of those apps can be used broadly for all three, and more if you wish.

All effective software firewalls require (at least up as far as Mojave) a kernel extension in order to do their work. As far as I’m aware, that prevents any effective firewall from being offered in the Mac App Store. However, currently App Store searches for the term ‘firewall’ return several products which might appear to be functioning as firewalls. Don’t believe them.

Reliance on a kernel extension also brings its own woes. They aren’t easy to install, and in Catalina that’s getting significantly harder. When they are installed, they can cause compatibility issues and may prove a maintenance headache or worse. A proper firewall isn’t something to toy around with: it needs to be configured and maintained, and may well need updating when macOS is updated.

The biggest issue with these firewalls is their configuration. They do self-configure, in that when an app attempts to make an outgoing connection, the firewall informs you, and you can add that to its whitelist. But steadfastly doing that for everything that needs to make such connections can be tiresome and prone to error: you could easily block part of macOS which throws all sorts of other problems.

Apple provides some valuable information to get you started. It lists its well-known ports, for example, which is an important reference for anything networking. It has also recently published a detailed listing of hosts and ports. If you use Adobe Creative Cloud, Adobe provides its current requirements here, although it also advises that these may change without warning. A similar listing for Dropbox is given here.

If you use other cloud-based services, you should be able to obtain similar detailed listings from their providers.

My own free software also makes outgoing connections. Apps which automatically check for updates connect to raw.githubusercontent.com via port 443. SilentKnight and silnite also connect to my GitHub databases at raw.githubusercontent.com via port 443. SilentKnight, silnite and LockRattler run the softwareupdate tool to check for and download Apple’s updates, which requires general access to Apple’s services. Cirrus and Bailiff work with your Mac’s iCloud connection.

Most Mac users will want to ensure that all outgoing connections are permitted to *.apple.com or 17.0.0.0/8. This is particularly important now that Mojave and Catalina check for notarization as well as certificate validation. Running a notarized app for the first time on macOS is now largely dependent on external ticket and certificate checks.

Of course what none of these products can tell you is whether the data being transmitted externally contains private information, nor whether the receiving server is going to allow its abuse.

25Comments

Add yours

1

Vlado on August 9, 2019 at 9:56 am

I was asking myself if the LuLu will work in Catalina? Maybe a hint Sir?

LikeLiked by 1 person
- 2
  
  hoakley on August 9, 2019 at 10:16 am
  
  I don’t know, I’m afraid. It will need to be notarised as it relies on a kernel extension, I believe.
  Howard
  
  LikeLike
  - 3
    
    Valdo on August 9, 2019 at 10:28 am
    
    Hmmm, not a bright future!
    
    LikeLiked by 1 person
    - 4
      
      hoakley on August 9, 2019 at 9:04 pm
      
      More on notarization in the morning, but it shouldn’t be a big deal. Certainly not for a kernel extension: for some years now, developers who build kernel extensions have had to obtain special signing certificates for that purpose from Apple. Notarization is much quicker and simpler.
      Howard.
      
      LikeLike
5

Leo M on August 9, 2019 at 5:04 pm

I just want to know if /etc/hosts files still work on Catalina. Hopefully the GasMask dev notarizes it later.

LikeLiked by 1 person
- 6
  
  hoakley on August 9, 2019 at 9:09 pm
  
  I don’t know, and I’m not sure how settled that would be anyway, as Catalina is still in beta and the new read-only system volume is still evolving. That’s the main threat, I think.
  Howard.
  
  LikeLike
7

Tone Williams (@ToneWilliamsUSA) on August 9, 2019 at 6:06 pm

It seems to me that the very essence of having to communicate with Apple in order to conduct notarization and certificate validation is a violation of privacy and potential security risk. Why? Because Apple then knows a person’s (personal) outgoing connections. It’s not clear to me why I should trust Apple any more than any other third party with my personal metadata.

LikeLiked by 1 person
- 8
  
  hoakley on August 9, 2019 at 9:11 pm
  
  Other than your IP address, I don’t think that anything remotely personal is sent for ticket and certificate validation. Given the vast quantity of such checks, and their dedicated servers, I don’t think that you need have any fears of leakage of anything personal. Remote checks are normally only performed at first run of a quarantined app. If you want to stop them – accepting the security risk – simply strip the quarantine flag before first running that app.
  Howard.
  
  LikeLike
9

Raphael on August 9, 2019 at 8:37 pm

The number of background processes phoning to apple servers is increasing with each OS update

even little snitch (which is otherwise great software) phones to apple servers for the map display

/etc/hosts is great and will still work but there’s no wildcard support *.doubleclick.com, which means your data can still leak to specific untrusted networks

To alleviate concerns about firewall access to kernel, set up an older mac as an outgoing firewall for your whole network

Use more than one VPN simultaneously.

LikeLiked by 1 person
- 10
  
  hoakley on August 9, 2019 at 9:21 pm
  
  I’m puzzled as to what these concerns are, though. Other than your IP address, what private information do you think that Apple is collecting from these brief connections, and what do you think it’s using this information for?
  I think that there is a great deal of paranoia developing over remote connections, and today’s news about 3fun shows how users are missing the obvious: it’s not what certificate trust evaluations might be called by macOS, but the risks that users run in giving web services data which they know is extremely sensitive. Like using Facebook, for example.
  Howard.
  
  LikeLike
  - 11
    
    Raphael on August 10, 2019 at 1:10 am
    
    Apple can tie my IP address to my apple id and credit card (for instance when checking the app store for updates), and it phones home with some version of it constantly. In many ways, this is even more intrusive than google and facebook’s tracking methods.
    
    LikeLiked by 1 person
    - 12
      
      hoakley on August 10, 2019 at 6:02 am
      
      Can? Of course it does. But does it store all those billions of records it gets every day? Even if it did, what does it do with them?
      Google and Facebook sell on the personal data that they harvest, and use it themselves for commercial gain. Both tailor their own response – advertising, promoted material, etc. – to the information about you that they obtain. Does Apple do that?
      It’s not the data you get, it’s what you store and what you do with it that matters, surely. Otherwise you’d never use online banking or use any form of healthcare service on or offline.
      Howard.
      
      LikeLike
13

EcleX on August 9, 2019 at 10:29 pm

The best firewall for Mac is Little Snitch, hands down.

LikeLiked by 1 person
14

blackxacto on August 10, 2019 at 6:46 am

I have used Little Snitch for several years. I am not sure what you are warning us about continuing to use it. It asks me to trust or not anytime anything tries to connect to the web. You only have to be asked one time. The list of allowed items is clearly visible. Even the question box reveals to me what is the source. Is Catalina going to block being asked about unknown communication attempts? Once I’ve gone through the LS setup and I am behind the wall, I can even import the previous allowed list. Or start all over. Yes, I get queried a lot at first, but once it is over, NOTHING communicates without me allowing it, NOTHING.

LikeLiked by 1 person
- 15
  
  hoakley on August 10, 2019 at 6:58 am
  
  Thank you.
  This article doesn’t warn people not to use any of these apps, does it? That’s a personal choice, depending on your assessment of your needs.
  The warning is the same as with any firewall: just as it can block unwanted connections, so it can block connections which you need. I have a steady stream of users of my apps, such as SilentKnight and silnite, and others, who complain that they don’t work, only to realise later that Little Snitch is blocking that app from obtaining data.
  So you may have no problems using Little Snitch, but there are plenty of users who would benefit from being reminded of what they do, how they must whitelist a lot of Apple and other services, and where to find that info out.
  Howard.
  
  LikeLike
  - 16
    
    blackxacto on August 10, 2019 at 7:27 am
    
    Sorry, Sir, I guess I read too quickly. Yes, you are right about providing information for users. So far there isn’t any problem with using Little Snitch. The question for each allocation provides information as to an Apple service, System required service, etc. So I’ve never had any issues with blocking required Apple/System services. It does take awhile to train Little Snitch. New folk’s will not be used to that, but once trained, nothing gets sent to the web without a warning. My trained Little Snitch caught many unknown or sneaky attempts.
    
    LikeLike
    - 17
      
      hoakley on August 10, 2019 at 8:31 am
      
      (Please don’t call me “Sir”!)
      If you’re looking for an overarching point from this article it’s that these software firewalls are different from the firewalls we should all have in our routers. Unless you’re doing unusual things, you should be able to set the latter to block all incoming and not have to change that ever. Many users don’t check their firewall logs, but I keep reminding people to do so.
      These software firewalls need to be maintained. If you install new software, you may well need to put it on your whitelist. Although each of these three tries to make this simple, some users don’t get it right, or misinterpret the dialog. You also need to keep them up to date – I try to avoid non-Apple kernel extensions as much as possible, and there have been kernel panics caused by firewall kernel extensions; that’s always going to be a risk. Most importantly, they’re serious software (otherwise they couldn’t do the job), and I strongly suspect that those products in the Mac App Store aren’t proper software firewalls. Little Snitch, Lulu, and TripMode are, and each has important potential uses, provided they’re used wisely.
      Howard.
      
      LikeLike
18

Valdo on August 10, 2019 at 10:37 am

Howard:
“I think that there is a great deal of paranoia developing over remote connections”

Yes and no. Since Facebook was caught selling private data and Google pushing profiled advertisement all sh*tty company knows that the easiest way to earn money is to steal all possible data from computers and phones and to sell it to whoever.

Fearing Apple phoning home behavior you can switch to Windows, but this collect and sent home even more data. Remains only Linux, there are many versions, but to find, configure, USE and maintain an universal version is very, very hard for average Joe.

I take seriously Apple commitment to privacy and as I use also iCloud I prefer to be “spooked” only by one company. Additionally the LuLu give me the control over sh*tty actors.

LikeLiked by 1 person
- 19
  
  hoakley on August 10, 2019 at 10:43 am
  
  Thanks. I agree. But we always knew Facebook was doing this, and Google – that’s how they make their money. You don’t get much revenue from free services otherwise.
  Howard
  
  LikeLike
20

Javier Gallardo on August 10, 2019 at 8:20 pm

I like the simpler approach of “Air Silence”, which you don’t mention.
(https://radiosilenceapp.com/)
Here, you choose what app-s to silence, before it asks for permission.
My worry (and is a way of asking you) is that perhaps apps install other components that could override “Air Silence” list of chosen apps. Otherwise, I find it quite convenient for my sporadic use…

LikeLiked by 1 person
- 21
  
  blackxacto on August 10, 2019 at 8:59 pm
  
  I want to be told immediately if something tries to connect. Your method hopes you get it right the first time. No way. Maybe I’m wrong.
  
  LikeLiked by 1 person
- 22
  
  hoakley on August 10, 2019 at 10:37 pm
  
  I haven’t looked at Air Silence, although I am aware of it.
  Using a blacklist as it does makes it much quicker and simpler to configure. However, it also makes it of very limited use against malware. If your main purpose is to block malware from phoning home, then I don’t think it’s an ideal choice. However, it looks ideal for someone wanting to control known and legitimate apps from phoning home, which is rather different. It also looks as if it could be useful for anyone trying to limit their data usage.
  Howard.
  
  LikeLike
  - 23
    
    Javier Gallardo on August 12, 2019 at 3:22 pm
    
    My knowledge about macOS or UNIX is minimum… But I keep wondering: “something” in between malware-legit apps?
    I don’t wait for malware phoning home to deal with it… (but perhaps is a quick & safe way of being aware, ok). I’d would like to know if a legit app could install a “legit” piece of code that surpasses proper app blocking (I suspect it can, but I’m not sure. I check connections made after specific blocked app use, with AirSilence too, and nothing yet, but who knows…)
    In my beginning with computers (long ago; call me “sir” 😉 a virus or malware could do a lot of harm without “phoning home”… I suppose “active firewall” is just a strong tool for that, but not main one…
    
    LikeLiked by 1 person
    - 24
      
      hoakley on August 12, 2019 at 4:46 pm
      
      A hardened app is very limited in what it can run – that’s the whole point of the hardening option. It not only prevents it being hijacked by malware, but should prevent it from turning bad itself.
      We don’t yet know how effective that is, of course.
      Howard.
      
      LikeLike
25

Security Bits – 10 August 2019 - Podfeet Podcasts on August 11, 2019 at 9:10 pm

[…] Firewalls, phoning home and whitelists — eclecticlight.co/… […]

LikeLike