macOS Big Sur reveals that Apple app communication cannot be controlled by a firewall
A firewall improves the security of a computer by monitoring and controlling the traffic between it and the Internet, but it has been reported on Twitter that in macOS Big Sur, Apple's own applications bypass the firewall and communicate without its permission.
This is true
Previously, a comprehensive macOS firewall could be implemented via a Network Kernel Extension (kext)
Apple deprecated kexts, giving us Network Extensions .... but apparently (many of) their apps / daemons bypass this filtering mechanism.
Are we ok with this !? https://t.co/rYkDnuOgLJ
— Patrick Wardle (@patrickwardle) October 20, 2020
Until now, firewall apps for macOS have been implemented as kernel extensions, which made it possible to monitor and control all traffic between apps on the Mac and the Internet. For security and stability reasons, this kernel extension mechanism is scheduled to be deprecated in macOS Big Sur, due for release in the fall of 2020, and replaced by DriverKit, which runs in user space.
In response, third-party firewall apps for macOS have been updated to use DriverKit, but it has turned out that firewall apps built on DriverKit cannot monitor the traffic of Apple's own apps.
According to security researcher Patrick Wardle, no matter how the firewall application was configured, the traffic of those apps never became visible to it, and so it could not be controlled.
An example, two macOS firewalls: LuLu and Little Snitch
Despite best efforts (eg disabling default rules, creating explicit rules to block, enabling 'deny mode'), Apple's App Store appears to be exempt ... the firewalls never even see its traffic, and thus cannot block!? pic.twitter.com/3fwmwRXuJ9
— Patrick Wardle (@patrickwardle) October 20, 2020
There are 56 apps, including FaceTime and the App Store, set as firewall exceptions; the complete list can be found in the 'Info.plist' inside '/System/Library/Frameworks/NetworkExtension.framework'. From macOS Big Sur onward, it appears that third-party apps will not be able to see the traffic of the 56 apps on that list at all.
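As an added example (not code from the article, from Apple, or from either firewall named above), the following Python script parses the Info.plist the article points to and reports which identifiers are exempt from third-party content filters, so a defender knows which processes a firewall's rules and logs are blind to. The key name ContentFilterExclusionList is the one Big Sur's NetworkExtension.framework carries the list under; the Resources/Info.plist sub-path is an assumption checked at runtime, and the embedded sample plist is constructed, containing only the two identifiers the article names rather than the real 56-entry list.

```python
import os
import plistlib
from typing import Dict, Iterable, List

# Directory named in the article; the framework's Info.plist is assumed to
# live under its Resources folder (checked at runtime, never assumed present).
FRAMEWORK_DIR = "/System/Library/Frameworks/NetworkExtension.framework"
INFO_PLIST_PATH = os.path.join(FRAMEWORK_DIR, "Resources", "Info.plist")

# Key under which Big Sur's NetworkExtension.framework Info.plist lists the
# identifiers whose traffic bypasses third-party content filters.
EXCLUSION_KEY = "ContentFilterExclusionList"

# Constructed stand-in for the real Info.plist so the script runs off macOS.
# Only the two identifiers the article names are included; the real list has 56.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.NetworkExtension</string>
    <key>ContentFilterExclusionList</key>
    <array>
        <string>com.apple.AppStore</string>
        <string>com.apple.FaceTime</string>
    </array>
</dict>
</plist>
"""


def load_exclusion_list(plist_bytes: bytes) -> List[str]:
    """Parse an Info.plist and return its content-filter exclusion entries.

    Returns an empty list when the key is absent, so a caller can tell
    "no exemptions declared" apart from a parse failure (which raises).
    """
    data = plistlib.loads(plist_bytes)
    entries = data.get(EXCLUSION_KEY, [])
    if not isinstance(entries, list):
        raise ValueError(f"{EXCLUSION_KEY} is not an array")
    return [e for e in entries if isinstance(e, str)]


def read_system_exclusion_list(path: str = INFO_PLIST_PATH) -> List[str]:
    """Read the exclusion list from the live framework plist if it exists.

    Returns an empty list when the file is missing (pre-Big Sur macOS or a
    non-macOS host), so the audit below degrades gracefully.
    """
    if not os.path.isfile(path):
        return []
    with open(path, "rb") as fh:
        return load_exclusion_list(fh.read())


def is_filter_exempt(bundle_id: str, exclusions: Iterable[str]) -> bool:
    """True if traffic from this identifier never reaches a content filter."""
    return bundle_id in set(exclusions)


def audit_identifiers(bundle_ids: Iterable[str],
                      exclusions: Iterable[str]) -> Dict[str, bool]:
    """Map each identifier to whether a third-party firewall can see its traffic.

    False means the firewall is blind to it: a "no traffic seen" result for
    that identifier is not evidence that it did not talk to the network.
    """
    exempt = set(exclusions)
    return {bid: bid not in exempt for bid in bundle_ids}


if __name__ == "__main__":
    # Prefer the real list when running on Big Sur; fall back to the sample.
    exclusions = read_system_exclusion_list() or load_exclusion_list(SAMPLE_INFO_PLIST)
    print(f"{len(exclusions)} identifiers exempt from content filters")
    # Constructed identifiers to audit: two from the article, one placeholder.
    report = audit_identifiers(
        ["com.apple.AppStore", "com.apple.FaceTime", "com.example.thirdparty-agent"],
        exclusions,
    )
    for bid, visible in report.items():
        print(f"{bid:40} firewall-visible={visible}")
```

Run on a Big Sur machine, the script reads the real plist and reports the full exemption list; elsewhere it falls back to the constructed sample. The practical use is to annotate firewall logs: any identifier the audit marks as not firewall-visible must be monitored by other means (for example, network-level capture outside the host), because the absence of entries in LuLu or Little Snitch says nothing about it.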
in Software, Posted by log1d_ts