
Packet filter(pf) firewall misbehaving (kernel loses all network capability)

Since using macOS Sonoma I have been having problems with the packet filter firewall. Basically what happens is that at some point my network simply dies, and it is definitely the Mac, not anything else on the network. I test this by running ping 8.8.8.8, which then fails:

% ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

Etc. Sometimes it even gets me:

% ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
Request timeout for icmp_seq 0
ping: sendto: No route to host
Request timeout for icmp_seq 1
ping: sendto: No route to host
Request timeout for icmp_seq 2
ping: sendto: No route to host

The cause of this has been established with certainty: it is the packet filter, because when I turn that off and on again with:

# pfctl -d
No ALTQ support in kernel
ALTQ related functions disabled
pf disabled
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=14.308 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=12.536 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 12.536/13.422/14.308/0.886 ms
# pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=15.732 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=14.244 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=59 time=15.379 ms

Simply turning pf off and on again, fixes it.


It seems to me that the kernel somehow has a problem and runs out of resources (so a leak of a kind) which turning pf off and on again, fixes.


Is this already a known problem and if so is there anything I can do (other than turning the firewall off entirely, which I obviously do not like) to prevent this from happening?

Posted on Oct 19, 2024 5:15 AM

8 replies
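A watchdog that automates the diagnosis and recovery described in the post, as an added example (not Apple's code and not the poster's Murus configuration): it probes the same address the post probes, and only when pf is enabled and the probe fails does it record the state-table counters and run the pfctl -d / pfctl -e cycle that the post reports as the fix. The script name, command names, log path and interval are assumptions; the ping flags are the macOS ones.

```shell
#!/bin/sh
# pf-watchdog.sh: workaround for the symptom in the post above. pf is enabled,
# every outbound packet dies, and "pfctl -d; pfctl -e" brings the network back.
# Added example; not Apple's code and not the poster's setup. Command paths,
# the log location, the interval and the probe target are assumptions.

PING="${PING:-ping}"          # overridable so the logic can be exercised with stubs
PFCTL="${PFCTL:-pfctl}"
TARGET="${TARGET:-8.8.8.8}"   # the address the post probes
LOGFILE="${LOGFILE:-/var/log/pf-watchdog.log}"
INTERVAL="${INTERVAL:-60}"    # seconds between checks in --loop mode

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$LOGFILE"
}

# 0 if at least one of three probes is answered within 5 s (macOS ping flags:
# -o exits on the first reply, -t is the overall timeout in seconds).
net_alive() {
    "$PING" -c 3 -o -t 5 "$TARGET" >/dev/null 2>&1
}

# Only act when pf is on. Resetting a disabled pf would silently enable a
# firewall the administrator switched off on purpose.
pf_enabled() {
    "$PFCTL" -s info 2>/dev/null | grep -q '^Status: Enabled'
}

# Record the state-table size and the configured limits before touching
# anything, so the "runs out of resources" theory can be checked against the
# log afterwards (compare "current entries" with the "states hard limit").
snapshot_pf() {
    {
        "$PFCTL" -s info   2>/dev/null | grep -E 'current entries|searches|inserts|removals'
        "$PFCTL" -s memory 2>/dev/null | grep -E '^states|^src-nodes'
    } >>"$LOGFILE"
}

# The fix the thread reports: off, then on. Neither step unloads the ruleset,
# so the rules are enforced again the moment -e returns.
reset_pf() {
    "$PFCTL" -d >/dev/null 2>&1 && "$PFCTL" -e >/dev/null 2>&1
}

# One pass. Return codes: 0 healthy; 1 pf was reset and the network recovered;
# 2 the outage is not (or not only) pf, so nothing was changed or it did not help.
watchdog_once() {
    if net_alive; then
        return 0
    fi
    if ! pf_enabled; then
        log "no reply from $TARGET but pf is disabled; not touching it"
        return 2
    fi
    log "no reply from $TARGET with pf enabled; resetting pf"
    snapshot_pf
    if ! reset_pf; then
        log "pfctl -d/-e failed"
        return 2
    fi
    if net_alive; then
        log "connectivity restored after pf reset"
        return 1
    fi
    log "pf reset did not restore connectivity"
    return 2
}

case "${1:-}" in
    --once) watchdog_once ;;
    --loop) while :; do watchdog_once; sleep "$INTERVAL"; done ;;
esac
```

pfctl needs root, so this runs as `sudo ./pf-watchdog.sh --once` from a periodic launchd job or as `--loop` in a long-lived daemon. The snapshot is what turns a workaround into evidence: if the logged `current entries` sits at the `states hard limit` every time a reset is needed, the leak theory is confirmed and `set limit states` in pf.conf is the next thing to try; if it does not, the problem is elsewhere in pf.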

Oct 19, 2024 6:42 AM in response to etresoft

It is good to know this is well known, thank you. It does add to my experience that macOS has become ever more brittle as years go by (as well as Mac hardware becoming more brittle too as Apple pushes for maximum performance/efficiency, as I have experienced, but that is another story).


Using a firewall doesn't need an explanation (as multi-layered defence is generally a good thing — and the suggestion 'just turn off the firewall' is quite an amazing one, that is kind of admitting Apple provides an unusable essential element) does it?


But anyway, the system runs a couple of unix-level services that are not open to the world at large but only to the local network, or where I maintain geoblocking (e.g. I have only a few users of my mail server and they can only log in from the countries where they reside). So I have my own specific pf configuration (done with Murus). This is the tail end of having used Mac OS X Server, macOS + Server.app + MacPorts, and now simply macOS + MacPorts over the last almost 25 years or so.

Oct 19, 2024 7:49 AM in response to Gerben Wierda

Gerben Wierda wrote:

Apple pushes for maximum performance/efficiency

Don't you hate it when that happens.

Using a firewall doesn't need an explanation

Humor me.

multi-layered defence is generally a good thing

defence against what?

the suggestion 'just turn off the firewall' is quite an amazing one

Not at all. It's very normal for people to receive simple, correct answers to problems here in these forums.

But anyway the system runs a couple of unix-level services that are not open to the world at large but only to the local network

What is this "local network"? Explain more please.


Oct 19, 2024 9:36 AM in response to etresoft

I think we're getting off track here. Pf is broken. Turning it off is an option, one that you may or may not find acceptable. It's a bit like having a lock on your front door that can get stuck. You can decide to leave the door open/unlocked so you can get in and out. That may be acceptable in some situations ('correct answer') and not ('technically correct, but with risks') in others. And even if there is a second door behind it that still can be locked, having multiple (preferably different enough that the weakness of one is not necessarily the weakness of the other) improves security. I like security.


In the end: macOS provides pf. It is not meant to be broken, regardless of whether one finds using pf useful or not.

Oct 19, 2024 1:01 PM in response to Gerben Wierda

Gerben Wierda wrote:

It's a bit like having a lock on your front door that can get stuck.

It's more like having a stuck lock on the door of your linen closet. The closet door already has several holes cut out so that you can get to your towels and stuff. But the holes are poorly cut and keep snagging your fancy sheets.


Yes. It's definitely broken. The people who sold you that door with the flaky lock and jagged holes should fix it. I'm not disputing that. But it's just a closet door. Nobody from outside can reach it. It's silly to have a locked closet door with jagged holes on your linen closet. Just get a regular door or maybe a nice shelf. You don't need that kind of contraption in your house.


Very few people have a linen closet that opens to the front yard. It just isn't done. Now the Linens 'n Things warehouse is different. That's a business. They sell linen by the truckload. They have fancy locks on the office doors and lots of shipping bays. The locks are high quality. They allow certain people into certain locations and keep unauthorized people out of more sensitive locations. The truck drivers and forklift operators are all professionals.


Networks and firewalls are exactly the same as linens.

Oct 20, 2024 4:14 AM in response to etresoft

I admit my setup isn't typical.


Anyway, I like to do geoblocking on my mail server for instance. That prevents a lot of attacks on the IMAP part and a lot of attacks/spam/phishing on the SMTP part. Pf does that for me. And like that in my setup there is a bit of redundancy.


Anyway, whatever my use case, Apple's reliability and stability were exceptional 10 years ago. Now, the amount of pain it is giving me has been exceptional. See https://www.linkedin.com/pulse/can-i-ever-trust-apple-again-gerben-wierda-pyyue/ for instance.
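The geoblocking the poster describes in the earlier reply and again just above (mail-server logins allowed only from the countries where the users live) maps onto a pf table plus two rules. The script below is an added example, not the poster's Murus-generated configuration: it writes the allow list, renders an anchor ruleset, checks the policy against sample clients, and shows the pfctl calls that load and refresh it. The prefixes are RFC 5737 documentation ranges standing in for real country allocations, the interface, file paths and anchor name are assumptions, and leaving port 25 open to everyone is this example's choice (an MX anywhere must be able to deliver mail), not necessarily the poster's policy.

```shell
#!/bin/sh
# geoblock-mail.sh: pf ruleset for "only my users' countries may log in to the
# mail server". Added example, not the poster's Murus config. The allow list
# uses RFC 5737 documentation prefixes as constructed stand-ins for country
# allocations; in production it is refreshed from a GeoIP/RIR feed.
# Interface, file paths and anchor name are assumptions.

EXT_IF="${EXT_IF:-en0}"
ALLOW_FILE="${ALLOW_FILE:-/etc/pf.geo-allow}"
RULES_FILE="${RULES_FILE:-/etc/pf.anchors/mail-geo}"
ANCHOR="${ANCHOR:-mail-geo}"

# Write the prefixes pf loads into the <geo_allow> table. Constructed sample
# data; pf's table-file parser accepts comments and blank lines.
write_allow_file() {  # $1 = destination path
    cat >"$1" <<'EOF'
# prefixes for the countries my users live in (constructed sample)
192.0.2.0/24

203.0.113.0/24
EOF
}

# Emit the anchor ruleset. Port 25 stays open because any MX must be able to
# deliver mail; the authenticated client services (IMAPS 993, submission 587)
# are the ones that get brute-forced, so only the allowed ranges reach them.
# "persist" keeps the table even when empty; "file" lets it be refreshed with
# "pfctl -T replace" without reloading rules. "quick" stops at the first match,
# so the pass must come before the block.
render_rules() {
    cat <<EOF
table <geo_allow> persist file "$ALLOW_FILE"
pass in quick on $EXT_IF inet proto tcp to ($EXT_IF) port 25 keep state
pass in quick on $EXT_IF inet proto tcp from <geo_allow> to ($EXT_IF) port { 993, 587 } keep state
block in log quick on $EXT_IF inet proto tcp to ($EXT_IF) port { 993, 587 }
EOF
}

# Plain-shell restatement of the policy so it can be checked against sample
# clients without pf: would this client reach IMAPS/submission? Handles the
# /24 prefixes the constructed allow list uses.
client_allowed() {  # $1 = client IPv4, $2 = allow file
    prefix="${1%.*}.0/24"
    grep -qxF "$prefix" "$2"
}

# Install: -n parses without loading (catches syntax errors before they knock
# out the live ruleset), then load into an anchor and refresh the table. The
# anchor must be referenced from the main ruleset (anchor "mail-geo" in
# /etc/pf.conf), otherwise pf never evaluates it. Needs root.
install_rules() {
    write_allow_file "$ALLOW_FILE"
    render_rules >"$RULES_FILE"
    pfctl -nf "$RULES_FILE" || return 1
    pfctl -a "$ANCHOR" -f "$RULES_FILE" &&
        pfctl -a "$ANCHOR" -t geo_allow -T replace -f "$ALLOW_FILE"
}

if [ "${1:-}" = "--install" ]; then
    install_rules
fi
```

Refreshing the country list later is only `pfctl -a mail-geo -t geo_allow -T replace -f /etc/pf.geo-allow`; the rules themselves never change. The `log` keyword on the block rule is what makes the "a lot of attacks on the IMAP part" claim measurable: the dropped connection attempts show up on pflog0 instead of in the mail server's auth log.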

Oct 20, 2024 5:40 AM in response to lkrupp

As the story (link) says: there is one item that is really macOS-specific that is part of my setup (not available for any other platform) and I do not want to do without it. And I already know which platform I would switch other services to. As the story details, I've moved to Intel NUC + Proxmox + Ubuntu + Docker as one of the two platforms (stacks) I now use.
