Get inbound traffic in handleNewFlow

Hi, I'm trying to set up an inbound firewall to only allow localhost and other IPs that will be added/removed dynamically. What do you guys think is the best way of doing this?

I have tried this
Code Block
let rule = NENetworkRule(remoteNetwork: nil,
                         remotePrefix: 0,
                         localNetwork: nil,
                         localPrefix: 0,
                         protocol: .any,
                         direction: .inbound)
let rules = [NEFilterRule(networkRule: rule, action: .filterData)]

let filterSettings = NEFilterSettings(rules: rules, defaultAction: .allow)

but when I make a request to a local API on 127.0.0.1:8080 from Safari I am not receiving that flow in handleNewFlow. Am I doing something wrong?

Also, if I were to whitelist the IPs when creating the NENetworkRule, how could I modify these rules dynamically or change them when new IPs are added?

Thanks for the help.
Actually, with that exact configuration I don't get a single flow in handleNewFlow. I have also tried scanning my Mac from another one with nmap, but I also don't see that in handleNewFlow.
Regarding:

Actually, with that exact configuration I don't get a single flow in handleNewFlow.

I'm not surprised about the localhost flow not being captured by your content filter, as this is not technically an inbound flow, but rather a local flow to loopback. Regarding nmap, with the filter you have, you should see the TCP / UDP flows for the inbound ports that nmap is scanning from the local network IP. For example, on a local network, if you log flow.description in handleNewFlow you will see something like:

Code Block text
2021-01-11 06:13:26.367968-0800 0x107331 (socketFlow):
identifier = ***
sourceAppIdentifier = .com.application.bundle.here
sourceAppVersion =
sourceAppUniqueIdentifier = 20:{length = 20, bytes = ***}
procPID = 117
eprocPID = 117
direction = inbound
inBytes = 0
outBytes = 0
signature = 32:{length = 32, bytes = *** }
socketID = 966fce0191fa4
localEndpoint = x.x.x.x:88
remoteEndpoint = x.x.x.x:12345 (nmap machine)
protocol = 6 (tcp)
family = 2
type = 1
procUUID = ***
eprocUUID = ***



Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
I remember reading the Apple doc mentioning that a blanket rule like that isn't permitted; we either need to specify a port and all IPs, or all ports and some IPs. Maybe try adding a port-specific rule and verify if anything improves.

I remember reading the Apple doc mentioning that a blanket rule like that isn't permitted; we either need to specify a port and all IPs, or all ports and some IPs

This works due to a constructor implementation of NENetworkRule. See the note, "Pass nil to cause the rule to match any remote network."


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
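As an added example (not code from this thread, from Apple, or from the original poster's project), here is how the pieces discussed above fit together in one NEFilterDataProvider: the catch-all inbound rule from the question (nil remote network, which matches any remote network as the last reply notes), a handleNewFlow that allows loopback peers plus an allowlist of remote IPs, and a method the containing app can call to change that allowlist without re-installing the filter. The class name, the hypothetical updateAllowedRemoteHosts(_:) method, the sample address in the allowlist, and the assumption that the app delivers new addresses over its own IPC channel are all mine, not the page's.

```swift
import Foundation
import NetworkExtension
import os.log

/// Added example, not code from this thread: a content filter that receives
/// every inbound socket flow and allows only loopback peers plus a run-time
/// allowlist of remote IP addresses.
final class InboundAllowlistFilter: NEFilterDataProvider {

    /// Remote IP literals allowed to reach this machine. Assumption: the
    /// containing app pushes updates over its own IPC channel (XPC, for example).
    /// The initial entry is a constructed sample value (RFC 5737 test range).
    private var allowedRemoteHosts: Set<String> = ["192.0.2.10"]
    private let lock = NSLock()

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // nil remote/local network means "match any network" (see the note on
        // the NENetworkRule initializer), so this single rule sends every
        // inbound flow, on any port, to handleNewFlow.
        let anyInbound = NENetworkRule(remoteNetwork: nil,
                                       remotePrefix: 0,
                                       localNetwork: nil,
                                       localPrefix: 0,
                                       protocol: .any,
                                       direction: .inbound)
        let rules = [NEFilterRule(networkRule: anyInbound, action: .filterData)]
        // Outbound traffic matches no rule, so the default action applies to it.
        let settings = NEFilterSettings(rules: rules, defaultAction: .allow)
        apply(settings, completionHandler: completionHandler)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Logging flow.description prints the fields quoted in the thread
        // (direction, localEndpoint, remoteEndpoint, protocol, ...).
        os_log("new flow: %{public}@", log: .default, type: .debug, flow.description)

        // Only socket flows carry endpoints; anything else is passed through.
        guard flow.direction == .inbound,
              let socketFlow = flow as? NEFilterSocketFlow,
              let remote = socketFlow.remoteEndpoint as? NWHostEndpoint else {
            return .allow()
        }
        return isAllowed(remoteHost: remote.hostname) ? .allow() : .drop()
    }

    /// Policy decision, kept separate from the provider callbacks so it can be
    /// unit-tested without a running extension.
    func isAllowed(remoteHost: String) -> Bool {
        if isLoopback(remoteHost) { return true }
        lock.lock(); defer { lock.unlock() }
        return allowedRemoteHosts.contains(remoteHost)
    }

    /// Hypothetical entry point for the containing app: replace the allowlist.
    /// The new set applies to the next new flow; flows that already received a
    /// verdict are not re-evaluated.
    func updateAllowedRemoteHosts(_ hosts: Set<String>) {
        lock.lock(); defer { lock.unlock() }
        allowedRemoteHosts = hosts
    }

    /// 127.0.0.0/8 and ::1. As the reply above notes, loopback traffic may never
    /// be delivered to an inbound filter at all; this covers the case where a
    /// flow does arrive.
    private func isLoopback(_ host: String) -> Bool {
        return host.hasPrefix("127.") || host == "::1"
    }
}
```

Because the single rule already routes every inbound flow to handleNewFlow, changing the allowlist is only a matter of replacing the set; no new NEFilterSettings need to be applied. The alternative the question raises, encoding each allowed address as its own NENetworkRule, works too, but every change then requires rebuilding the rule array and calling apply(_:completionHandler:) again, which is why keeping the address set in the provider and making the decision in handleNewFlow is the simpler fit for a list that changes often.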