What is not allowed to be blocked by a NetworkExtension?

Question

Created Sep ’21

Replies 1

Boosts 0

Participants 2

So I understand that the binary implementing NEFilter[Data|Packet]Provider classes cannot block itself or loopback in order to prevent the system potentially becoming unresponsive.

What else is not allowed to be blocked? I'm talking about Big Sur 11.2 onwards where the "Apple whitelist" was removed.

I'm wondering specifically if things like DHCP, NTP, DNS, and ARP are not allowed to be blocked. Is there a list that is documented somewhere?

If we want to create a list of rules that we want to create in order to allow these services, is there documentation as to what the binary paths, ports used, etc are?

Boost

Answer 1

Systems Engineer OP

Apple

Sep ’21

I'm wondering specifically if things like DHCP, NTP, DNS, and ARP are not allowed to be blocked. Is there a list that is documented somewhere?

There are no documented lists that I am aware of. If you are able to get access to a flow then you can allow / deny the flow.

Myself, personally, I have run tests where I have seen NTP and DNS based traffic coming through the provider, so you could deny these flows. Now, if your question is, "if I deny these flows, will it cause issues on the system," then the answer would be, yes. Denying flows that are sent because the system needs them for a specific reason will cause an interruption for the application that requested them, but this also has to be evaluated against the business needs of your provider.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0