I want to be able to disconnect all available interfaces on a device running macOS 11 and above.
For Wi-Fi interfaces I see that this is possible using the CoreWLAN framework.
https://developer.apple.com/documentation/corewlan/cwinterface/1426422-disassociate
However, how can I do something similar for an ethernet interface? I want to be able to reconnect the interface eventually as well.
The reason I want to be able to do this is that I want to drop all existing connections on the device right after I start my content filter or when my filter rules have changed and my filter has already allowed the flow perviously.
Post
Replies
Boosts
Views
Activity
Hello,
I have a requirement to be able to filter all network connections on a (macOS) device and essentially drop all network communication once a command is received.
How can I ensure that existing connections are dropped that weren't previously managed by the content filter?
One way I can think of is we can start our content filter from the start and manage all connections and every inbound and outbound data traffic each connection makes all the time. This is not ideal since we would have to monitor a very large amount of connections.
Is there another way to implement this functionality?
It seems that the SecTrustSettingsSetTrustSettings API requires an alert panel asking for authentication on MacOS Big Sur even when the calling process is running as root.
This would mean the process calling this API must be in a GUI environment. Is there any way for our users to avoid this prompt and have the certificate we generated be inserted and trusted into the System Keychain running as a background daemon? What are some options / alternatives we have to address this issue? It would be ideal if we could set trust settings without requiring a prompt.
I am using NEFilterPacketProvider and I am able to get the provider to call startFilter correctly. However, I am unable to get the packetHandler closure to get called. What could be wrong?
override func startFilter(completionHandler: @escaping (Error?) -> Void) {
os_log("Started Packet Filter")
self.packetHandler = { (context, interface, direction, packetBytes, packetLength) in
os_log("Dropping packet")
return .drop
}
completionHandler(nil)
}
I am running the application within a macOS 10.16 VM in Xcode with SIP disabled.
I am developing an application on macOS using NEPacketTunnelProvider.
Both our client and "VPN Server" are their own separate macOS application that uses NEPacketTunnelProvider.
On the server side, I have this as my configuration
let tunnelSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
let ipv4Settings = NEIPv4Settings(addresses: ["100.64.0.77"], subnetMasks: ["255.255.255.0"])
let includedRoute = NEIPv4Route(destinationAddress: "192.168.1.0", subnetMask: "255.255.255.0")
ipv4Settings.includedRoutes = [includedRoute]
tunnelSettings.ipv4Settings = ipv4Settings
//call setTunnelSettings to apply settings																																														
The client is able to create and start the tunnel through System Preferences->Network successfully.
When the client receives packets through the virtual utun[x] interface, it forwards them to the the VPN Server.
When the VPN Server receives these packets (ex: SYN), it rewrites the source and destination IP addresses and injects them into its own utun[x] interface on the server's machine. In this case, it rewrites the source destination to 100.64.0.77 and the destination address to 192.168.1.95 (a web server).
Essentially what I want to happen is for the client to be able to communicate with a web server through the VPN server. What I expected was for the web server to receive this packet and respond appropriately with a SYN/ACK, which could then be used to read from the utun[x] interface and send back to the client. However, the web server does not receive any packets. Why is this the case and how can I get these packets to arrive at their destination?
Below I have attached my routing table on the server's side using netstat -nr:
Routing tables
Internet:
Destination				Gateway						Flags				Netif Expire
default						192.168.1.254			UGSc					 en0			
default						link#10						UCSI				 utun2			
100.64.0.77				100.64.0.77				UH					 utun2			
127								127.0.0.1					UCS						lo0			 0.0.1					127.0.0.1					UH						 lo0			
						link#7						 UCS						en0			!
.1					link#7						 UCS						en0			!
.1					link#10						UCSI				 utun2			
.1.92/32		link#7						 UCS						en0			!
.1.99			 8c:a9:82:2e:d6:2e	UHLWI					en0		986
.1.254/32	 link#7						 UCS						en0			!
.1.254			70:f1:96:86:e6:a0	UHLWIir				en0	 1196
0.0/4					link#7						 UmCS					 en0			!
0.0/4					link#10						UmCSI				utun2			
0.0.251				1:0:5e:0:0:fb			UHmLWI				 en0			
.255.255/32 link#7						 UCS						en0			!
.255.255/32 link#10						UCSI				 utun2	
									
Hello,
I'm creating a MacOS application that should contain two Network Extensions (DNS Proxy, Packet Tunnel). How should I go about doing this? Should I have a separate system extensions for each?
My current implementation is that I have one System Extension. Inside of Info.plist under NetworkExtension, I have:
<dict>
	<key>NEMachServiceName</key>
<string>$(TeamIdentifierPrefix)group.testapp.dns</string>																																				
				<key>NEProviderClasses</key>
				<dict>
						<key>com.apple.networkextension.dns-proxy</key>
						<string>$(PRODUCT_MODULE_NAME).DNSProxyProvider</string>
						<key>com.apple.networkextension.packet-tunnel</key>
						<string>$(PRODUCT_MODULE_NAME).PacketTunnelProvider</string>
				</dict>
</dict>
When my OSSystemExtensionRequest completes, I create a NETunnelProviderManager instance and use NEDNSProxyManager.shared(). Then I call saveToPreferences for each after I add configuration to both.
Inside of my DNSProxyProvider, startProxy is called as intended.
Inside of my PacketTunnelProvider, startTunnel is not called automatically. How can I start it programmatically? I'm able to manually start it through System Preferences -> Network.
I'm also seeing some errors after I load the system extension but before I click allow on the prompts to add VPN Configurations and DNS Proxy Configuration.
... [] Failed to save configuration com.testapp.dns: Error Domain=NEConfigurationErrorDomain Code=11 "IPC failed" UserInfo={NSLocalizedDescription=IPC failed}
...-[NEDNSProxyManager saveToPreferencesWithCompletionHandler:]_block_invoke_3: failed to save the new configuration: Error Domain=NEConfigurationErrorDomain Code=11 "IPC failed" UserInfo={NSLocalizedDescription=IPC failed}
I do not get this error if i try to load and save preferences for only one Provider. Why am I failing to save my configuration? Also, is there a way to check all current preferences through Terminal or a GUI?
Class: NEDNSProxyProvider
Function: handleNewFlow(_ flow: NEAppProxyFlow)
Hello, I've set up an macOS application containing a system extension which now receives all DNS requests. This is all good and what I want to happen. However, I'm not sure how to proceed with actually handling the NEAppProxyFlow.
If someone could provide some example code that would handle the DNS requests in the same way in the case that I did not have my DNS requests go through NEDNSProxyProvider that would be wonderful.
Please feel free to ask for clarification if needed. Thank you!
Hi,
What I want to do is be able to intercept all DNS requests a user would make. After intercepting the request, I would then send the request to a server which would then check if the domain name matches one in it's list. If it does match I want to send back to the client another domain name or IP address that they should use. I need this to work on macOS.
I've looked briefly at NEDNSProxyManager. Will I be able to intercept DNS requests with this? Are there any other libraries or code examples I can use to intercept DNS requests? Preferably, in Swift.
Example:
User tries to access "test.fakedomain.com"
Intercept DNS request and send request to Server (through established web socket connection)
Server responds with "not in list go to testsite.com" message if the domain name is not in it's list and the User can continue to proceed to the specified URL
If the Server responds with "in list" message the User does not proceed to go to "test.fakedomain.com" and the user will go to the specified URL in the Server's message instead.
Please do not hesitate to ask for any clarification. Thank you!