From Newsgroup: comp.sys.mac.system
On 2020-11-21, -xX(HTML)Xx- <> wrote:
Some default Apple apps on macOS Big Sur, which remains in beta,
bypasses any network firewall or VPN connection a user has connected.
That's a lie. Only application firewalls that use the new Network
Extension Framework are affected. Network firewalls and packet filtering firewalls like the macOS built-in BSD PF firewall are not affected.
---
Despite Apple’s changes to macOS with the release of Big Sur, we can
confirm that the Mullvad app still performs as intended by not allowing Apple’s own apps to bypass our VPN firewall.
Starting in Big Sur, the latest version of macOS released 12 November
2020, Apple excludes its own apps from the content filter provider APIs.
As a result, any network monitoring and security software using these
APIs is unable to detect and block traffic from Apple apps.
Mullvad does not use content filter provider APIs to secure the device. Instead, we use the Packet Filter (PF) firewall which is built into
macOS. This is a packet firewall, not an application firewall, which
means that it does not exclude packets from any apps, including Apple's
own apps.
In other words, our usage of the PF firewall does not allow Apple apps
to leak when Mullvad VPN is blocking the Internet. We have verified this
by observing the network traffic from outside of the Apple machine.
It’s worth noting that Big Sur and its predecessors are built to assume
that they can talk to Apple at any time, but when we don’t allow it, a
few unwanted side effects pop up. For example, the keyboard sometimes
takes longer to wake up from sleep mode. Or, in certain situations, the
Mullvad app takes longer to detect that the computer is online.
However, these issues can only be solved by choosing to leak traffic to
Apple. We consider them a reasonable trade-off in order to achieve
strict blocking rules.
--- <
https://mullvad.net/en/blog/2020/11/16/big-no-big-sur-mullvad-disallows-apple-apps-bypass-firewall/>
--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.
JR
--- Synchronet 3.18b-Win32 NewsLink 1.113