The macOS 14 Sonoma betas and release candidate contain a bug that causes the firewall to not filter traffic correctly. As a result, our app does not work.
During the macOS 14 Sonoma beta period Apple introduced a bug in the macOS firewall, packet filter (PF). This bug prevents our app from working, and can result in leaks when some settings (e.g. local network sharing) are enabled. We cannot guarantee functionality or security for users on macOS 14, we have investigated this issue after the 6th beta was released and reported the bug to Apple. Unfortunately the bug is still present in later macOS 14 betas and the release candidate.
We have evaluated whether we can patch our VPN app in such a way that it works and keeps users secure in macOS 14. But unfortunately there is no good solution, as far as we can tell. We believe the firewall bugs must be fixed by Apple.
The bug affects much more than just the Mullvad VPN app. Firewall rules do not get applied properly to network traffic, and traffic that is not supposed to be allowed is allowed. We deem this to be a critical flaw in the firewall, anyone relying on PF filtering, or apps using it in the background on their macOS devices should be cautious about upgrading to macOS 14.
Our recommendations
MacOS 14 Sonoma is scheduled to be released on the 26th of September, if the bug is still present we recommend our users to remain on macOS 13 Ventura until it is fixed.
Technical details
The following steps can be taken on macOS 14 to reproduce the issue. Warning: This will clear out any firewall rules you might have loaded in PF.
In a terminal, create a virtual logging interface and start watching it for traffic matching the rules you will add later:
sudo ifconfig pflog1 create
sudo tcpdump -nnn -e -ttt -i pflog1
Write the following firewall rules to a file named pfrules:
pass quick log (all, to pflog1) inet from any to 127.0.0.1
block drop quick log (all, to pflog1)
In another terminal, enable PF and load the rules:
sudo pfctl -e
sudo pfctl -f pfrules
Ping the mullvad.net webserver:
ping 45.83.223.209
Expected results
- Ping is blocked, since it does not match the only pass rule’s requirements
- The traffic is logged to pflog1. More specifically we expect it to be logged as matching the block rule
Actual results
- Ping is allowed out on the internet, and the response comes back
- No traffic is being logged to pflog1
Cleaning up after the experiment
Disable the firewall and clear all rules.
sudo pfctl -d
sudo pfctl -f /etc/pf.conf
Follow our blog for future updates to this issue.
Recommended Comments
There are no comments to display.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.