What is not allowed to be blocked by a NetworkExtension?

So I understand that the binary implementing NEFilter[Data|Packet]Provider classes cannot block itself or loopback in order to prevent the system potentially becoming unresponsive.

What else is not allowed to be blocked? I'm talking about Big Sur 11.2 onwards where the "Apple whitelist" was removed.

I'm wondering specifically if things like DHCP, NTP, DNS, and ARP are not allowed to be blocked. Is there a list that is documented somewhere?

If we want to create a list of rules in order to allow these services, is there documentation as to what the binary paths, ports used, etc. are?

Replies

I'm wondering specifically if things like DHCP, NTP, DNS, and ARP are not allowed to be blocked. Is there a list that is documented somewhere?

There are no documented lists that I am aware of. If you are able to get access to a flow then you can allow / deny the flow.

Personally, I have run tests where I have seen NTP and DNS based traffic coming through the provider, so you could deny these flows. Now, if your question is, "if I deny these flows, will it cause issues on the system?", then the answer would be yes. Denying flows that are sent because the system needs them for a specific reason will cause an interruption for the application that requested them, but this also has to be evaluated against the business needs of your provider.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
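The kind of rule list the question asks for, as an added example (written for this page, not code from the thread or from Apple): an NEFilterDataProvider subclass that allows DNS, NTP and DHCP flows by their standard well-known ports and logs every other flow before dropping it. The port numbers are the IANA assignments; the "drop everything else" policy, the log subsystem name and the ServiceRule type are assumptions for illustration. Since, as the reply says, there is no documented list of what the system sends through the provider, the log line is there so you can find out empirically which ports and signing identifiers actually show up on your macOS version before you tighten the rules.

```swift
import NetworkExtension
import os.log

/// Added example (not from the thread): lets the infrastructure services named
/// in the question through and logs everything else before dropping it.
class FilterDataProvider: NEFilterDataProvider {

    // Assumed subsystem name; use your own bundle identifier.
    private let log = OSLog(subsystem: "example.filter", category: "flows")

    /// One allow rule: match on IP protocol plus remote and/or local port.
    /// `nil` means "any" for that field. This type is an assumption of the example.
    struct ServiceRule {
        let name: String
        let ipProtocol: Int32?
        let remotePort: String?
        let localPort: String?
    }

    /// Assumed allow list. Ports are the IANA well-known assignments; whether a
    /// given macOS version actually routes these flows through the provider is
    /// something you verify from the log lines emitted in handleNewFlow(_:).
    let allowRules: [ServiceRule] = [
        ServiceRule(name: "DNS/UDP", ipProtocol: IPPROTO_UDP, remotePort: "53",  localPort: nil),
        ServiceRule(name: "DNS/TCP", ipProtocol: IPPROTO_TCP, remotePort: "53",  localPort: nil),
        ServiceRule(name: "NTP",     ipProtocol: IPPROTO_UDP, remotePort: "123", localPort: nil),
        // DHCP client: local port 68 talking to the server's port 67.
        ServiceRule(name: "DHCP",    ipProtocol: IPPROTO_UDP, remotePort: "67",  localPort: "68"),
        // ARP is a link-layer protocol, not a socket flow, so it never reaches
        // a data provider and needs no rule here.
    ]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Ask the system to hand every TCP/UDP flow to handleNewFlow(_:).
        let everything = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                       localNetwork: nil, localPrefix: 0,
                                       protocol: .any, direction: .any)
        let settings = NEFilterSettings(
            rules: [NEFilterRule(networkRule: everything, action: .filterData)],
            defaultAction: .filterData)
        apply(settings) { error in completionHandler(error) }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let socketFlow = flow as? NEFilterSocketFlow,
              let remote = socketFlow.remoteEndpoint as? NWHostEndpoint else {
            // Not a socket flow we can reason about: allow rather than risk
            // breaking something the system needs.
            return .allow()
        }
        let local = socketFlow.localEndpoint as? NWHostEndpoint
        let proto = socketFlow.socketProtocol
        let signer = flow.sourceAppSigningIdentifier ?? "unknown"

        // Log every flow so you can discover which processes and ports the
        // system actually uses, the same way the reply above found NTP and DNS
        // coming through: by watching the provider.
        os_log("flow proto=%d %{public}@:%{public}@ -> %{public}@:%{public}@ signer=%{public}@",
               log: log, proto,
               local?.hostname ?? "?", local?.port ?? "?",
               remote.hostname, remote.port, signer)

        if Self.matches(rules: allowRules, ipProtocol: proto,
                        remotePort: remote.port, localPort: local?.port) {
            return .allow()
        }
        return .drop()
    }

    /// Returns true when any rule matches the flow's protocol and ports.
    static func matches(rules: [ServiceRule], ipProtocol: Int32,
                        remotePort: String, localPort: String?) -> Bool {
        return rules.contains { rule in
            (rule.ipProtocol == nil || rule.ipProtocol == ipProtocol) &&
            (rule.remotePort == nil || rule.remotePort == remotePort) &&
            (rule.localPort == nil || rule.localPort == localPort)
        }
    }
}
```

Run it with a default of `.drop()` only after you have watched the log for a while on a test machine: the reply makes the point that dropping a flow the system itself requested interrupts whatever asked for it, so anything that appears in the log and is not covered by a rule is a candidate for either an explicit allow or a deliberate, documented deny.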