excludedNetworkRules does not take effect

Hi there,

I am using AppProxyProvider and it captures packets as I defined. But when I try to exclude traffic with excludedNetworkRules, it does not seem to work.

Below is my code for setting things up.

I capture all port 443 traffic with includedNetworkRules and exclude facebook.com with excludedNetworkRules, but facebook.com:443 traffic is still captured.

Code Block
private func includeRules() -> [NENetworkRule] {
    // Web mode: match every outbound connection to port 443.
    // "0.0.0.0" with remotePrefix 0 covers all remote addresses.
    let hosts = [("0.0.0.0", "443")]
    var rules: [NENetworkRule] = []
    for host in hosts {
        let ep = NWHostEndpoint(hostname: host.0, port: host.1)
        let rule = NENetworkRule(remoteNetwork: ep,
                                 remotePrefix: 0,
                                 localNetwork: nil,
                                 localPrefix: 0,
                                 protocol: .any,
                                 direction: .outbound)
        rules.append(rule)
    }
    return rules
}

private func excludeRules() -> [NENetworkRule] {
    // Exclude outbound connections to facebook.com on port 443.
    let hosts = [("facebook.com", "443")]
    var rules: [NENetworkRule] = []
    for host in hosts {
        let ep = NWHostEndpoint(hostname: host.0, port: host.1)
        let rule = NENetworkRule(remoteNetwork: ep,
                                 remotePrefix: 0,
                                 localNetwork: nil,
                                 localPrefix: 0,
                                 protocol: .any,
                                 direction: .outbound)
        rules.append(rule)
    }
    return rules
}
...
settings.includedNetworkRules = includeRules()
settings.excludedNetworkRules = excludeRules()


If I change excludeRules() as below, replacing the facebook.com domain name with its IP address, then no port 443 traffic is captured at all.
Code Block
let hosts = [("157.240.8.35", "443")]



Am I doing anything wrong?

Thanks in advance for any suggestion.

I was able to test these rules:

Code Block swift
let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "x.x.x.x")
settings.includedNetworkRules = [
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .TCP,
                  direction: .outbound)
]
settings.excludedNetworkRules = [
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "apple.com", port: "0"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .TCP,
                  direction: .outbound)
]


And see all *.apple.com traffic go direct as normal, while all port 443 traffic outside of .apple.com went to the proxy.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

I am using the same settings as you:
Code Block
let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
settings.includedNetworkRules = [
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .TCP,
                  direction: .outbound)
]
settings.excludedNetworkRules = [
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "apple.com", port: "0"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .TCP,
                  direction: .outbound)
]

But I still get apple.com traffic, as seen in the console when visiting apple.com from Chrome:
Code Block
🤪FZ$--hostName: www.apple.com appId: com.google.Chrome.helper fzmacappproxy 16:21:02.531007+1000
🤪FZ$--hostName: supportmetrics.apple.com appId: com.google.Chrome.helper fzmacappproxy 16:21:14.125574+1000


Some more traces with those filter rules:
Code Block
🤪FZ$--hostName: www.apple.com remoteEp: 23.202.173.153:443 appId: com.google.Chrome.helper fzmacappproxy 18:22:57.007704+1000
🤪FZ$--hostName: supportmetrics.apple.com remoteEp: 17.137.160.100:443 appId: com.google.Chrome.helper fzmacappproxy 18:23:47.128264+1000
🤪FZ$--hostName: developer.apple.com remoteEp: 17.253.67.203:443 appId: com.google.Chrome.helper fzmacappproxy 18:23:47.485234+1000


Code Block swift
let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "x.x.x.x")
settings.includedNetworkRules = [
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .TCP,
                  direction: .outbound)
]
settings.excludedNetworkRules = [
    NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "apple.com", port: "0"),
                  remotePrefix: 0,
                  localNetwork: nil,
                  localPrefix: 0,
                  protocol: .TCP,
                  direction: .outbound)
]

And see all *.apple.com traffic go direct as normal, while all port 443 traffic outside of .apple.com went to the proxy.

That means there is no difference with and without that exclude rule :) Is that right?

The point I was trying to make here is that all port 443 traffic outside of apple.com went to the proxy as normal while the rest of the system traffic just flowed through the network stack of the device, thus excluding your proxy.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
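The following is an added example, not code from either poster or from Apple. It puts the rule set from Matt's reply into a complete NETransparentProxyProvider subclass and logs every flow the system hands to the proxy (hostname, remote endpoint and source app, the same fields as the traces above), so that a developer can check directly whether an exclusion rule is in effect: a flow that reaches handleNewFlow is one the included rules matched and the excluded rules did not. The exclusion keeps port "0", as in Matt's rule, which the NENetworkRule documentation treats as matching any port. The class name, the os_log subsystem and the choice to return false from handleNewFlow (let the flow proceed unproxied while verifying) are assumptions for this example.

```swift
import NetworkExtension
import os.log

// Added example: a transparent proxy that installs the include/exclude rules from
// the thread and logs each flow that the system routes to it.
final class VerifyingTransparentProxy: NETransparentProxyProvider {

    // Subsystem name is an assumption for this example.
    private let log = OSLog(subsystem: "com.example.transparentproxy", category: "flows")

    override func startProxy(options: [String: Any]? = nil,
                             completionHandler: @escaping (Error?) -> Void) {
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")

        // Include: every outbound TCP connection to port 443, to any remote address
        // ("0.0.0.0" with remotePrefix 0 covers all destinations).
        settings.includedNetworkRules = [
            NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "443"),
                          remotePrefix: 0,
                          localNetwork: nil,
                          localPrefix: 0,
                          protocol: .TCP,
                          direction: .outbound)
        ]

        // Exclude: the hostname rule from the reply, with port "0" so it is not
        // restricted to one port.
        settings.excludedNetworkRules = [
            NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "apple.com", port: "0"),
                          remotePrefix: 0,
                          localNetwork: nil,
                          localPrefix: 0,
                          protocol: .TCP,
                          direction: .outbound)
        ]

        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                os_log("setTunnelNetworkSettings failed: %{public}@",
                       log: self.log, type: .error, "\(error)")
            }
            completionHandler(error)
        }
    }

    // Any flow that arrives here passed the included rules and was not excluded.
    // Logging hostname, remote endpoint and source app makes an ineffective
    // exclusion visible immediately in the console.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        let hostname = flow.remoteHostname ?? "<no hostname>"
        let app = flow.metaData.sourceAppSigningIdentifier
        var remote = "<unknown>"
        if let tcp = flow as? NEAppProxyTCPFlow,
           let ep = tcp.remoteEndpoint as? NWHostEndpoint {
            remote = "\(ep.hostname):\(ep.port)"
        }
        os_log("flow hostName: %{public}@ remoteEp: %{public}@ appId: %{public}@",
               log: log, type: .info, hostname, remote, app)

        // Returning false leaves the flow to the system, so this verification
        // build observes routing decisions without altering any traffic.
        return false
    }
}
```

With this in place, the test is mechanical: if a line for an apple.com host appears in the log while the exclusion rule is installed, the exclusion is not matching that flow; if the apple.com lines disappear and other port 443 hosts remain, the rules behave as Matt describes.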

But with that configuration, I still see traffic to apple.com:443 as mentioned:

🤪FZ$--hostName: www.apple.com remoteEp: 23.202.173.153:443 appId: com.google.Chrome.helper	fzmacappproxy	18:22:57.007704+1000
🤪FZ$--hostName: supportmetrics.apple.com remoteEp: 17.137.160.100:443 appId: com.google.Chrome.helper	fzmacappproxy	18:23:47.128264+1000
🤪FZ$--hostName: developer.apple.com remoteEp: 17.253.67.203:443 appId: com.google.Chrome.helper	fzmacappproxy	18:23:47.485234+1000