[HN Gopher] Apple's Private Relay can cause the system to ignore...
___________________________________________________________________
Apple's Private Relay can cause the system to ignore firewall rules
Author : vitplister
Score  : 191 points
Date   : 2022-04-25 11:30 UTC (11 hours ago)
(HTM) web link (mullvad.net)
(TXT) w3m dump (mullvad.net)
| legrande wrote:
| Well I will be turning this off when it's out of beta and I'm
| prompted to use it. I already cloak my traffic with a self-hosted
| VPN+VPS box that I control. And using Mullvad combined with
| Private Relay would be redundant and overkill. Just turn it off
| if using a VPN client.
| cosmiccatnap wrote:
| That is just how a VPN works in general, nothing special.
| treesknees wrote:
| The article is referring to the Private Relay connection itself
| (the "VPN" connection; in quotes because it's not a real VPN)
| bypassing the firewall, which is not typical. Apple took some
| heat for doing this to their other apps when Big Sur was first
| released [1].
|
| Mullvad is installing a rule to essentially disallow any
| non-VPN'd traffic to prevent leaks. But iCloud Private Relay is
| not being stopped by that rule.
|
| [1] https://arstechnica.com/gadgets/2020/11/apple-lets-some-big-...
| pornel wrote:
| Especially rich coming from a VPN vendor, whose business
| happens to be threatened by Apple's relay.
| VWWHFSfQ wrote:
| Seems like a valid complaint to me. Apple is giving
| themselves privileges to end-around potential competitors on
| their platforms. Although this is not new.
| jeffbee wrote:
| This isn't something Apple has sneakily reserved for
| itself. Any process the user authorizes can access PF_NDRV
| sockets which bypass firewall rules. It's a documented
| feature of Darwin.
| VWWHFSfQ wrote:
| I fail to see the difference. Apple authorized themselves
| to bypass firewall rules without the user's input.
| howinteresting wrote:
| Personally I trust Mullvad a million times more than Apple.
| Mullvad is one of the few vendors which have earned my trust.
| Meanwhile, Apple caved in to pressure from the FBI to keep
| iCloud message backups unencrypted.
| N0RMAN wrote:
| Does disabling Private Relay[1] at the DNS level prevent this?
|
| [1] https://developer.apple.com/support/prepare-your-network-for...
| xvector wrote:
| Yes, but just keep the feature off in the OS. Why go through
| these ridiculous workarounds?
| ec109685 wrote:
| The headline implies that normal user traffic bypasses the
| firewall, when in fact it's only Apple system traffic. Still not
| great, but way less bad than if the VPN was actually bypassed for
| all traffic:
|
| "It is worth noting that Private Relay (mostly) disables itself
| as soon as any firewall rule is added to PF (the system firewall
| on macOS devices). The Mullvad VPN app does add firewall rules.
| Once you connect the Mullvad app, Private Relay announces that it
| has disabled itself. We see no correlation between user traffic
| and the leaking packets. We believe they are just some heartbeat
| signal calling home to Apple. We do not know what information is
| transmitted to Apple, but since the destination is Apple servers,
| it is a strong signal to your local network and ISP that you
| might be a macOS user."
| gigel82 wrote:
| It's not the first time Apple allowed certain applications to
| bypass the firewall / VPN (see
| https://www.macworld.co.uk/news/apples-own-programs-bypass-f...
| ).
|
| It is very bad indeed; not even Microsoft dares to do this in
| Windows (you can still very much block any network request from
| any part of the system via firewalls or DNS ad-blockers).
| adamomada wrote:
| I've been using Little Snitch for a decade+ and as far as I
| remember it was the only time, and was probably a mistake by
| Apple.
|
| From your link:
|
| > Objective Development, the developers of Little Snitch,
| also writes about the discovery - and that they take it for
| granted that Apple will correct it.
| (Update, 14 January 2021:
| Apple indeed appears to have removed the whitelist exemption
| in macOS Big Sur 11.2 beta 2.)
| tedmiston wrote:
| > It is worth noting that Private Relay (mostly) disables
| itself as soon as any firewall rule is added to PF (the system
| firewall on macOS devices).
|
| Unclear if that's the case on iOS though.
| olliej wrote:
| I'm unsure how a VPN and Private Relay would be expected to
| operate concurrently?
|
| What happens if you enable two VPNs concurrently today?
|
| Private Relay and VPNs serve significantly different purposes -
| Private Relay is very clearly http[s] focused to the extent that
| I recall it doesn't cover most traffic?
| ec109685 wrote:
| Private Relay turns itself off when a VPN is enabled.
| tedmiston wrote:
| > Private Relay turns itself off when a VPN is enabled.
|
| I tested this on iOS and Private Relay _does not_ turn itself
| off when a VPN is enabled.
| tedmiston wrote:
| > What happens if you enable two VPNs concurrently today?
|
| I don't believe it's possible to have more than one VPN
| configuration be enabled simultaneously.
| Vladimof wrote:
| Apple being marketed as a privacy company makes me laugh... about
| once a month.
| EricE wrote:
| Ugh - I appreciate the spirit of what they are doing, but it's yet
| another example of the best of intentions getting flattened by
| unintended second-order effects.
|
| At least it's still beta!
| lazyier wrote:
| Seems annoying, but any application can work around any firewall
| rules pretty trivially provided they can get at least one type of
| connection out to the internet. TCP, UDP, DNS... anything. Just
| need that one connection and it can be turned into a tunnel.
|
| The Private Relay feature is worth being aware of, but it's
| irritating for users to deal with overzealous and clueless admins
| who think that locking down systems by disabling features like
| this can "increase security".
| It just ends up getting in the way
| of getting work done without any real benefit.
| danamit wrote:
| The issue here is that an application is bypassing a
| kernel-level firewall; seems crazy to me that a Unix system is
| allowing that.
| ocdtrekkie wrote:
| You're ignoring that admins often have legal responsibilities
| and compliance requirements to manage and monitor their
| networks. It doesn't really matter how I feel about a given VPN
| service... if you want to be on my network you have to turn it
| off.
|
| (And yes, I often end up annoying myself by blocking stuff I
| myself would like to access at work. But that's my job.)
| Maxburn wrote:
| This is why Apple tells you how to block Private Relay.
|
| https://developer.apple.com/support/prepare-your-network-for...
|
| mask.icloud.com
| mask-h2.icloud.com
| tinus_hn wrote:
| In addition, if this service is a problem, consider there
| could be a thousand providers you have never heard of
| providing the same kind of service but while going out of
| their way to make sure you don't actually have a way to
| block it.
|
| If you really 'need' to block that kind of connection the
| onus is on you, not on the services.
| Maxburn wrote:
| Absolutely. There are block lists out there that can help
| but they are unlikely to be perfect. This guy seems to be
| up to date: https://github.com/oneoffdallas/dohservers
| tomjen3 wrote:
| Sure and that is understandable, but it doesn't really do
| much. My personal phone is not on my employer's wifi but is
| still right next to me. There is nothing technical that they
| can do, short of a Faraday cage for the building, to prevent
| me from going wherever I want on it.
|
| I feel like rules such as yours are a pre-smartphone-era
| thing, when I had to use the company laptop to get online
| away from home.
| ocdtrekkie wrote:
| It does a lot: You aren't exposing our network to security
| threats or legal liability.
| I don't care what you do with
| your phone on your own Internet connection. But if you want
| to connect it to my Wi-Fi then it has to follow my rules.
| msh wrote:
| If you don't control the endpoints you don't control the
| network.
| ocdtrekkie wrote:
| It depends. Obviously a lot of effort by certain
| monopolistic advertising companies has gone into
| ensuring the web platform is increasingly opaque and
| difficult to manage or monitor, but it's entirely in the
| purview of a network owner to disable or block anything
| that can't be inspected to satisfaction.
| msh wrote:
| Well if you want to block everything that can't be
| inspected you will block a lot of common functionality.
|
| The question about whether it's in the network owner's purview
| to inspect depends on the network and traffic. It could
| also be illegal privacy violations.
| ocdtrekkie wrote:
| There is no reasonable expectation of privacy on someone
| else's network, particularly an employer's. Arguably
| network operators have the ultimate authority on what
| should and shouldn't happen over their networks on their
| equipment.
|
| I understand that ad companies have a vested interest in
| circumventing this and trying to move internet standards
| to opaque protocols, but until that particular fiefdom is
| unseated, we have to make reasonable tradeoffs.
|
| In the meantime, we block a massive amount of malware by
| blocking their ad domains.
| hesdeadjim wrote:
| Yea, like enforcing the seemingly obvious "don't use the
| fucking office network for torrenting".
|
| I nearly lost my mind when I got a DMCA notice from our ISP.
| I never thought I'd need to lecture a team of professionals
| that the consequences of losing our office internet would be
| significant to the business.
| [deleted]
| 2Gkashmiri wrote:
| You comment "anything. Just need that one connection and it can
| be turned into a tunnel."
|
| This interests me because a few years ago I was subjected to a
| government-imposed firewall
| https://thewire.in/government/kashmir-internet-whitelisted-w...
|
| and I tried my best to bypass this but I did not have the
| energy to fashion a tourniquet of sorts. I did end up spinning
| up a free Amazon VPS because apparently "amazon website" was
| unblocked and that forced them to allow AWS. I ended up simply
| using ssh -D to the IP of the VPS. That worked for a while but
| it was not fun... the connection would drop frequently but
| otherwise it was a POC.
|
| My point is, when we are talking about a hostile adversary like
| your government that is out to get you, a regular "VPN" does not
| work. In my case, I tried every darn thing, but until I came up
| with my thing, I could not get access to the regular internet. So
| for the next time, what can I do?
| teakettle42 wrote:
| I've historically used IP over DNS tunneling to pull this
| off.
|
| A major advantage of this approach is that it leverages a
| port and protocol that's rarely blocked, and if 53 is
| blocked, you can generally still use the approved local DNS
| servers for your data-carrying queries.
|
| These days, it looks like there are at least a few well-known
| pieces of software to do this, e.g.
| https://github.com/yarrick/iodine
| hhh wrote:
| This is my first thought of how to do my own VPN in a hostile
| environment. With the term VPN, do you think of consumer VPNs
| (Mullvad, Nord, etc.)?
|
| When I moved to university, bandwidth was limited in the
| dormitory to 1 Mbps/user (in 2016...). This was unacceptable to
| me, but we had a private link (non-internet) to the campus
| with virtual desktop infrastructure that had no such limits
| :). ssh -D immediately gave me 500 Mbps download to my dorm
| room, and I guess this sort of thing is probably why I think
| of ssh -D and running on port 53 etc. to evade this sort of
| thing.
| Public education in the US can function pretty well as
| a government out to get you in terms of digital freedom :)
| 2Gkashmiri wrote:
| Yeah, I even ended up using the Firefox FoxyProxy addon because
| then I could either go all in on the proxy, or whitelist
| style only a few websites, or blacklist with all websites and a
| few open. That addon probably was the best thing in all of
| it because I was not pushing the entire OS through the
| tunnel.
|
| Yeah, I guess for some time Cisco was called out by news
| outlets for helping the government impose the firewall,
| which the company later denied, but the damage was done by
| then so it didn't really matter. Still, I think this just
| slipped from their minds: a random port, sometimes 80,
| 8080, 3400. It was fun (well, considering the circumstances)
| with the added risk of incarceration if caught, and many
| were, unfortunately. So yeah.
| jawngee wrote:
| It's also great for accessing stuff Vietnamese ISPs try so
| poorly to block.
| 0xdeadb00f wrote:
| Completely tangential but I had no idea (what I assume to be
| remnants of) FreeBSD's pf firewall is included, and works, in
| standard macOS.
| toast0 wrote:
| IIRC, ipfw is there too, but maybe a little less supported; not
| sure about FreeBSD's third firewall (ipfilter).
|
| As with most of the stuff pulled from FreeBSD, it was pulled
| around the year 2000, usually with no updates from upstream,
| and often with few updates from Apple. Pf's synproxy doesn't
| really work on macOS, and is unlikely to get fixed.
| smegsicle wrote:
| Meanwhile, does everything on WSL2 still bypass Windows Firewall?
| egberts1 wrote:
| That's why you always carry your personal pocket-cellular WiFi
| modem with custom firewall settings.
|
| Then turn on Airport mode on your cellphone.
|
| Sign on to your WiFi.
|
| IP address privacy, pretty much assured (assuming you have your
| own backend WireGuard and remote VPS-based gateway.
| )
| VWWHFSfQ wrote:
| Sounds like a lot of punishment just so you can use an iPhone.
| Maybe try a different device.
| actionfromafar wrote:
| Yeah... like a laptop with OpenBSD?
|
| Otherwise it sounds like sound advice for any device if you
| have the threat profile to warrant it.
| VWWHFSfQ wrote:
| Seems like a lot of theater to me. If you really have that
| kind of risk profile then you're not running your exit on
| your own VPS. That will singularly identify you and there's
| no plausible deniability. And you're leaking way more PII
| in a typical web request over your VPN than just an
| IP. I appreciate that people are interested in this stuff
| and want to do it, but it sounds pointless really.
| mrmuagi wrote:
| Isn't this quite an annoying thing to set up? IRL live
| streamers have these backpacks and they seem to need to be
| battery powered and quite bulky.
| 3np wrote:
| Got any models you have tried and used?
| jeroenhd wrote:
| I doubt this is a leak; it very much sounds like Apple is using
| QUIC to connect home and make the API work.
|
| Not respecting the system firewall does seem like a flaw, but
| Apple has had a history of bypassing attempts at filtering
| network traffic. Firewalls have been blocked from working and
| Apple services have been made unblockable in later APIs. I'm not
| surprised in the slightest that Apple also bypasses your VPN to
| call home.
|
| I don't know if this is a problem, though. If you buy Apple, you
| let Apple make the decisions for you; that's how the entire
| ecosystem is designed. You must trust Apple unconditionally and
| accept traffic sent home to adhere to their privacy settings, or
| you should not run macOS at all. Try to run Windows or Linux on
| it if you've bought your computer for the hardware quality,
| though the M1 makes that nearly impossible without sacrificing
| user experience.
| KarlKemp wrote:
| If you run Windows or Linux you gain nothing.
| Apple just
| demonstrates some ability that operating systems have. They all
| have this ability. Apple's benign use of it gives you no new
| information.
| seanw444 wrote:
| Stuff like this in-kernel with Linux is heavily discouraged
| and you'd be almost publicly shamed. If it's a problem with
| user-space, simply use something else.
|
| With Mac, you can usually handle the user-space scenario. Not
| so much the kernel-space one.
|
| That's what's great about Linux. You don't have to submit to
| somebody else's will if you don't want to. It takes more
| effort, but good things always come at some cost.
| xvector wrote:
| And yet Linux is a terrible choice for the vast majority of
| users; no amount of "user choice" will change this. Most
| users don't need choice, they need structure and guide
| rails.
|
| Apple is arguably engineering computers and OS UX
| "correctly," e.g. better for most people.
| ajsnigrutin wrote:
| Yep, if some Linux kernel component bypassed iptables
| and called home, Linus would probably use some very very
| profound words, before denying the patch and effectively
| killing the "new feature".
| thefz wrote:
| Benign? Even if you are trying to conceal yourself? And to
| justify that, you go off with a "tu quoque"? Boy, how much
| are they paying you?
| olliej wrote:
| Then just... don't use Private Relay if you don't want it?
|
| The problem being reported here is a VPN provider (or their
| firewall rules?) aren't interacting well with what is
| fundamentally another firewall/VPN.
|
| I'm not sure what the usual expected behavior is when you
| have multiple conflicting VPN+firewall products?
|
| Also as far as I can make out Private Relay isn't a VPN? It
| protects http[s], and for https I don't know if it operates
| outside of Safari?
|
| I appreciate the fancy language conspiracy nonsense, but
| please look at actual facts:
|
| * this is not free - it is part of the paid iCloud services
| afaik
|
| * it is opt-in - you have to decide you want to use this,
| they're not just hoovering everything, which gets to
|
| * even if they were hoovering everything, unlike a VPN,
| Private Relay is actually private
|
| If you are trying to conceal yourself, VPN services are
| routinely found to be logging what they say they aren't,
| and fundamentally all traffic through a VPN can be logged
| by them. Private Relay has strictly better privacy
| guarantees for connections that go through it rather than
| the VPN.
|
| This provider points out a reasonable issue: they have
| added rules to simply block some connections _entirely_,
| and it seems like PR should respect that - but as I said
| above, I don't know what the usual expected behaviour for
| operating multiple VPNs and firewalls concurrently is?
|
| _Finally_, Apple documents explicitly how you can disable
| iCPR completely, regardless of user setting.
| noasaservice wrote:
| That sounds like treacherous computing. And I've argued before
| that this smells like a rental with the name of a "sale".
|
| A computer does what its owner wants it to do. And when Apple
| or another company is directing its actions, that tells me that
| what I have is a rental.
|
| Either relinquish control, or put it on the market with the
| real name. It's not a sale.
| Retric wrote:
| Apple does tell you how to block this stuff if that's your
| concern. Having highly opinionated defaults is required for
| "it just works", which millions of users really do want, but
| those same defaults will always annoy someone.
| hn_version_0023 wrote:
| I agree with this take 110%.
|
| As an aside, I'd also like to subscribe to "No as a service".
| olliej wrote:
| Dude, literally the article says: data gets sent to Private
| Relay if you have it enabled.
| You can stop it from being
| sent by not turning it on.
|
| What is Apple meant to do? Just not provide the service at
| all?
|
| Because Private Relay is vastly superior to a VPN for web
| content, which is what matters to most users?
| simonh wrote:
| As a user you have made the choice to both enable Private
| Relay, and enable a VPN. Now PR isn't itself a VPN as such,
| but clearly there's some level of potential conflict in
| making such a decision. If you don't want Private Relay
| interfering with network traffic routing, pretty much its
| job as advertised, for goodness' sake just switch it off and
| the whole problem goes away.
| dkonofalski wrote:
| > A computer does what its owner wants it to do.
|
| If you've enabled Private Relay then it's doing exactly that.
| pkulak wrote:
| You're suggesting that Windows is equal to Linux as an
| alternative to macOS if you favor control and privacy???
| jeroenhd wrote:
| Windows doesn't come close to Linux in terms of privacy, but
| Linux doesn't come close to Windows in terms of reliability
| and professional software support (Photoshop, MS Office,
| etc.) without hacks and GitHub scripts.
|
| For the technically-minded Linux is an option, but for
| everyone else Windows at least allows you to firewall off any
| domain you choose. Sure, you'll probably break Windows Update
| in some way, but the Windows kernel doesn't try to bypass
| your settings (yet).
| RobertRoberts wrote:
| > "Linux doesn't come close to Windows in terms of
| reliability..."
|
| I can't tell if you're being extremely sarcastic or lack
| experience running both of these OSes...
| xmprt wrote:
| Linux is quite reliable. Maybe even more reliable in day
| to day use. However it occasionally breaks for me in very
| subtle ways and when it does break, I have to use
| technical skills to resolve the issue. That doesn't
| happen to me on Windows or macOS.
| For those reasons, I
| don't think I'd suggest Linux to anyone who I didn't feel
| would be able to resolve issues on their own.
| californical wrote:
| I got my parents on Linux Mint after their desktop died,
| which I fixed, but they didn't want to buy a new Windows
| license. They are absolutely not tech savvy, but only use
| the internet and some super basic document editing &
| viewing.
|
| They got used to the system quickly and used it for 4
| years, until the OS went out of LTS and I told them not
| to use it anymore... but still, they have no idea what a
| terminal is, no tech savvy, but still used it for their
| basic use-case for 4 straight years without issue! I
| didn't even have to help them after the initial install.
| Couldn't have been easier.
| heavyset_go wrote:
| My experience, as well. I just set up my parents' Linux
| desktops to look and act like the systems they were used
| to and it's been fine for them for years. They've even
| added printers and scanners to their systems without my
| help.
| asddubs wrote:
| I haven't really found Windows to be that reliable,
| although I don't use it a lot. Lots of weird little
| issues and googling DLL names, but maybe I'm just
| unlucky. A while back I tried installing VS Code and it
| was literally just an all-black window, until I installed
| DirectX or something along those lines. And that's just
| off the top of my head.
| pkulak wrote:
| The only thing you said that I agree with is that Windows
| has better professional software support. Unfortunately,
| that's not what we're talking about. :/
| heavyset_go wrote:
| In my experience, if someone's use cases would be
| well-suited by Chromebooks or ChromeOS, then desktop Linux
| will work just as well, if not better, for them.
|
| Reliability-wise, desktop Linux is boringly stable these
| days as long as you don't insist on the bleeding edge by
| using Arch or Debian unstable.
|
| The MS Office situation has gotten much better with the
| rise of online office suite web apps, including Office 365,
| as well as professional desktop software like SoftMaker's
| closed-source and misnomered FreeOffice[1] that has great
| compatibility with files written in MS Office's formats.
|
| Lack of Photoshop is a problem, but if you're doing
| animation, special effects or video editing work, Linux has
| you covered because companies release Linux versions of
| their workstation software like DaVinci Resolve, Houdini,
| Autodesk Flame, Blender, Lightworks etc.
|
| [1] https://www.freeoffice.com/en/
| jolux wrote:
| Windows is by far the worst of the three.
| danamit wrote:
| Not in this use case.
| jolux wrote:
| With regards to privacy and control, yes. There's loads
| of telemetry you can't turn off in Windows anymore, and
| you can't even set up Windows 11 without an internet
| connection.
| evilsetg wrote:
| You can. Today I learned how. You just have to press
| Shift+F10 to access the console when it asks you to
| connect to a network and then enter 'OOBE\BYPASSNRO'.
| That is all. To skip the security questions set no
| password initially and then set it later using
| Ctrl+Alt+Del.
| jeffbee wrote:
| System VPN is a privileged process and it's quite possible that
| it uses raw networking, for efficiency or other implementation
| reasons. You'd also see that any Linux process with CAP_NET_RAW
| "ignores" iptables. It's good to keep in mind the inherent
| limitations of in-system software firewalls.
___________________________________________________________________
(page generated 2022-04-25 23:01 UTC)
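As an added example (not from the thread, Apple or Mullvad), a Linux audit that parses /proc/<pid>/status and lists the processes whose effective capability set includes CAP_NET_RAW or CAP_NET_ADMIN, the capabilities the closing comment ties to traffic a host firewall does not see; the sample status blobs and the process names in them are constructed, not captured from a real host.

```python
"""Inventory which Linux processes hold capabilities that let them send
traffic below the host firewall (CAP_NET_RAW for raw/packet sockets,
CAP_NET_ADMIN for reconfiguring the stack). Added example; reads the
CapEff field of /proc/<pid>/status, whose value is a hex bitmask."""
import os
import re

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
CAP_NAMES = {CAP_NET_ADMIN: "CAP_NET_ADMIN", CAP_NET_RAW: "CAP_NET_RAW"}

# Only the three status fields the audit needs; PPid/NSpid do not match.
_STATUS_RE = re.compile(r"^(Name|Pid|CapEff):\s*(.*)$", re.MULTILINE)


def parse_status(text):
    """Return (name, pid, cap_eff_int) from the text of /proc/<pid>/status."""
    fields = dict(_STATUS_RE.findall(text))
    return fields["Name"], int(fields["Pid"]), int(fields["CapEff"], 16)


def caps_of_interest(cap_eff):
    """Names of the firewall-bypass-relevant capabilities set in cap_eff."""
    return [name for bit, name in sorted(CAP_NAMES.items())
            if cap_eff >> bit & 1]


def audit_status_texts(status_texts):
    """Classify many status blobs; returns [(pid, name, [cap names])]
    for processes that hold at least one capability of interest."""
    hits = []
    for text in status_texts:
        name, pid, cap_eff = parse_status(text)
        found = caps_of_interest(cap_eff)
        if found:
            hits.append((pid, name, found))
    return sorted(hits)


def audit_live_system(proc_root="/proc"):
    """Walk a real /proc; processes that exit mid-scan are skipped."""
    texts = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                texts.append(fh.read())
        except OSError:
            continue
    return audit_status_texts(texts)


# Constructed sample status blobs (process names are made up).
SAMPLE_STATUS = [
    "Name:\tsshd\nPid:\t812\nCapEff:\t000001ffffffffff\n",       # root: all caps
    "Name:\tbash\nPid:\t2310\nCapEff:\t0000000000000000\n",      # unprivileged
    "Name:\twg-relay\nPid:\t2487\nCapEff:\t0000000000003000\n",  # bits 12 and 13
    "Name:\tping\nPid:\t2601\nCapEff:\t0000000000002000\n",      # bit 13 only
]

if __name__ == "__main__":
    for pid, name, caps in audit_status_texts(SAMPLE_STATUS):
        print(f"{pid:>6}  {name:<12} {', '.join(caps)}")
```

Run it as root (or via audit_live_system) to see which daemons on a host could emit packets that netfilter rules never filter; a process with an empty hit list still goes through the normal stack.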