[HN Gopher] Apple's Private Relay can cause the system to ignore...
       ___________________________________________________________________
        
       Apple's Private Relay can cause the system to ignore firewall rules
        
       Author : vitplister
       Score  : 191 points
       Date   : 2022-04-25 11:30 UTC (11 hours ago)
        
 (HTM) web link (mullvad.net)
 (TXT) w3m dump (mullvad.net)
        
       | legrande wrote:
       | Well I will be turning this off when it's out of beta and I'm
       | prompted to use it. I already cloak my traffic with a self-hosted
       | VPN+VPS box that I control. And using Mullvad combined with
       | Private Relay would be redundant and overkill. Just turn it off
       | if using a VPN client.
        
       | cosmiccatnap wrote:
       | That is just how a VPN works in general, nothing special.
        
         | treesknees wrote:
         | The article is referring to the Private Relay connection itself
         | (the "VPN" connection. In quotes because it's not a real VPN)
         | bypassing the firewall, which is not typical. Apple took some
         | heat for doing this to their other apps when Big Sur was first
         | released [1].
         | 
         | Mullvad is installing a rule to essentially disallow any non-
         | VPN'd traffic to prevent leaks. But iCloud Private Relay is not
         | being stopped by that rule.
         | 
         | [1] https://arstechnica.com/gadgets/2020/11/apple-lets-some-
         | big-...
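As an added illustration of the leak-blocking rules the comment describes (a constructed example, not Mullvad's actual ruleset), here is a minimal macOS pf kill switch that drops any packet not leaving through the VPN tunnel. The interface names, the server address and port, and the LAN range are assumptions; as the thread notes, Private Relay's own traffic is not stopped by rules of this kind.

```pf
# Constructed example of a VPN "kill switch" for macOS pf (not Mullvad's rules).
# Assumptions: the tunnel is utun3, the VPN server is 203.0.113.10 (documentation
# range) on UDP/51820, and the LAN is 192.168.1.0/24 reached over en0.
# Load for testing with: sudo pfctl -f /path/to/this/file && sudo pfctl -e
vpn_if     = "utun3"
phys_if    = "en0"
vpn_server = "203.0.113.10"
vpn_port   = "51820"
lan        = "192.168.1.0/24"

set block-policy drop
set skip on lo0

# Default deny in both directions; every rule below uses "quick" so the first
# match wins and anything unmatched falls through to this drop.
block drop all

# Allow only the encrypted tunnel itself to reach the VPN server over the NIC.
pass out quick on $phys_if proto udp from any to $vpn_server port $vpn_port keep state

# Keep the LAN usable (printers, DHCP) without letting traffic leave the LAN.
pass quick on $phys_if from $lan to $lan keep state
pass out quick on $phys_if proto udp from any port 68 to any port 67
pass in  quick on $phys_if proto udp from any port 67 to any port 68

# Everything else may only leave through the tunnel interface.
pass out quick on $vpn_if all keep state
```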
        
         | pornel wrote:
         | Especially rich coming from a VPN vendor, whose business
         | happens to be threatened by Apple's relay.
        
           | VWWHFSfQ wrote:
           | Seems like a valid complaint to me. Apple is giving
           | themselves privileges to end-around potential competitors on
           | their platforms. Although this is not new.
        
             | jeffbee wrote:
             | This isn't something Apple has sneakily reserved for
             | itself. Any process the user authorizes can access PF_NDRV
             | sockets which bypass firewall rules. It's a documented
             | feature of Darwin.
        
               | VWWHFSfQ wrote:
                | I fail to see the difference. Apple authorized themselves
                | to bypass firewall rules without the user's input.
        
           | howinteresting wrote:
           | Personally I trust Mullvad a million times more than Apple.
           | Mullvad is one of the few vendors which have earned my trust.
           | Meanwhile, Apple caved into pressure from the FBI to keep
           | iCloud message backups unencrypted.
        
       | N0RMAN wrote:
       | Does disabling Private Relay[1] on a DNS-level prevent this?
       | 
       | [1] https://developer.apple.com/support/prepare-your-network-
       | for...
        
         | xvector wrote:
         | Yes, but just keep the feature off in the OS. Why go through
         | these ridiculous workarounds?
        
       | ec109685 wrote:
       | The headline implies that normal user traffic bypasses the
       | firewall. When in fact, it's only apple system traffic. Still not
       | great, but way less bad than if the VPN was actually bypassed for
       | all traffic:
       | 
       | "It is worth noting that Private Relay (mostly) disables itself
       | as soon as any firewall rule is added to PF (the system firewall
       | on macOS devices). The Mullvad VPN app does add firewall rules.
       | Once you connect the Mullvad app, Private Relay announces that it
       | has disabled itself. We see no correlation between user traffic
       | and the leaking packets. We believe they are just some heartbeat
       | signal calling home to Apple. We do not know what information is
       | transmitted to Apple, but since the destination is Apple servers,
       | it is a strong signal to your local network and ISP that you
       | might be a macOS user."
        
         | gigel82 wrote:
          | It's not the first time Apple allowed certain applications to
          | bypass the firewall / VPN (see
         | https://www.macworld.co.uk/news/apples-own-programs-bypass-f...
         | ).
         | 
         | It is very bad indeed; not even Microsoft dares to do this in
         | Windows (you can still very much block any network request from
         | any part of the system via firewalls or DNS ad-blockers).
        
           | adamomada wrote:
           | I've been using little snitch for a decade+ and as far as I
           | remember it was the only time, and was probably a mistake by
           | Apple.
           | 
           | From your link:
           | 
           | > Objective Development, the developers of Little Snitch,
           | also writes about the discovery - and that they take it for
           | granted that Apple will correct it. (Update, 14 January 2021:
           | Apple indeed appears to have removed the whitelist exemption
           | in macOS Big Sur 11.2 beta 2.)
        
         | tedmiston wrote:
         | > It is worth noting that Private Relay (mostly) disables
         | itself as soon as any firewall rule is added to PF (the system
         | firewall on macOS devices).
         | 
         | Unclear if that's the case on iOS though.
        
       | olliej wrote:
       | I'm unsure how a VPN and private relay would be expected to
       | operate concurrently?
       | 
       | What happens if you enable two VPNs concurrently today?
       | 
       | Private relay and VPNs serve significantly different purposes -
       | private relay is very clearly http[s] focused to the extent that
       | I recall it doesn't cover most traffic?
        
         | ec109685 wrote:
         | Private Relay turns itself off when a VPN is enabled.
        
           | tedmiston wrote:
           | > Private Relay turns itself off when a VPN is enabled.
           | 
           | I tested this on iOS and Private Relay _does not_ turn itself
           | off when a VPN is enabled.
        
         | tedmiston wrote:
         | > What happens if you enable two VPNs concurrently today?
         | 
         | I don't believe it's possible to have more than one VPN
         | configuration be enabled simultaneously.
        
       | Vladimof wrote:
       | Apple being marketed as a privacy company makes me laugh... about
       | once a month.
        
       | EricE wrote:
        | Ugh - I appreciate the spirit of what they are doing, but it's yet
        | another example of the best of intentions getting flattened by
        | unintended second order effects.
       | 
       | At least it's still beta!
        
       | lazyier wrote:
       | Seems annoying, but any application can work around any firewall
       | rules pretty trivially provided they can get at least one type of
       | connection out to the internet. TCP, UDP, DNS... anything. Just
       | need that one connection and it can be turned into a tunnel.
       | 
       | The private relay feature is worth being aware of, but it's
       | irritating for users to deal with overzealous and clueless admins
       | who think that locking down systems by disabling features like
       | this can "increase security". It just ends up getting in the way
       | of getting work done without any real benefit.
        
         | danamit wrote:
          | The issue here is that an application is bypassing a kernel-
          | level firewall, which seems crazy to me for a Unix system to
          | allow.
        
         | ocdtrekkie wrote:
          | You're ignoring that admins often have legal responsibilities
          | and compliance requirements to manage and monitor their
         | networks. It doesn't really matter how I feel about a given VPN
         | service... if you want to be on my network you have to turn it
         | off.
         | 
         | (And yes, I often end up annoying myself by blocking stuff I
         | myself would like to access at work. But that's my job.)
        
           | Maxburn wrote:
            | This is why Apple tells you how to block Private Relay.
           | 
           | https://developer.apple.com/support/prepare-your-network-
           | for...
           | 
           | mask.icloud.com mask-h2.icloud.com
        
             | tinus_hn wrote:
             | In addition if this service is a problem, consider there
             | could be a thousand providers you have never heard of
             | providing the same kind of service but while going out of
             | their way to make sure you don't actually have a way to
             | block it.
             | 
             | If you really 'need' to block that kind of connection the
             | onus is on you, not on the services.
        
               | Maxburn wrote:
               | Absolutely. There are block lists out there that can help
               | but they are unlikely to be perfect. This guy seems to be
               | up to date; https://github.com/oneoffdallas/dohservers
        
           | tomjen3 wrote:
           | Sure and that is understandable, but it doesn't really do
            | much. My personal phone is not on my employer's wifi but is
           | still right next to me. There is nothing technical that they
           | can do, short of a faraday cage for the building, to prevent
            | me from going wherever I want on it.
           | 
            | I feel like rules such as yours are a pre-smartphone era
           | thing, when I had to use the company laptop to get online
           | away from home.
        
             | ocdtrekkie wrote:
             | It does a lot: You aren't exposing our network to security
             | threats or legal liability. I don't care what you do with
             | your phone on your own Internet connection. But if you want
             | to connect it to my Wi-Fi then it has to follow my rules.
        
               | msh wrote:
               | If you don't control the endpoints you don't control the
               | network.
        
               | ocdtrekkie wrote:
                | It depends. Obviously a lot of effort by certain
                | monopolistic advertising companies has gone into
               | ensuring the web platform is increasingly opaque and
               | difficult to manage or monitor, but it's entirely in the
               | purview of a network owner to disable or block anything
               | that can't be inspected to satisfaction.
        
               | msh wrote:
               | Well if you want to block everything that can't be
               | inspected you will block a lot of common functionality.
               | 
                | The question of whether it's in the network owner's purview
               | to inspect depends on the network and traffic. It could
               | also be illegal privacy violations.
        
               | ocdtrekkie wrote:
               | There is no reasonable expectation of privacy on someone
               | else's network, particularly an employer's. Arguably
               | network operators have the ultimate authority on what
               | should and shouldn't happen over their networks on their
               | equipment.
               | 
               | I understand that ad companies have a vested interest in
               | circumventing this and trying to move internet standards
               | to opaque protocols, but until that particular fiefdom is
               | unseated, we have to make reasonable tradeoffs.
               | 
               | In the meantime, we block a massive amount of malware by
               | blocking their ad domains.
        
           | hesdeadjim wrote:
           | Yea, like enforcing the seemingly obvious "don't use the
           | fucking office network for torrenting".
           | 
           | I nearly lost my mind when I got a DMCA notice from our ISP.
           | I never thought I'd need to lecture a team of professionals
           | that the consequences of losing our office internet would be
           | significant to the business.
        
             | [deleted]
        
         | 2Gkashmiri wrote:
          | You comment "anything. Just need that one connection and it can
          | be turned into a tunnel."
          | 
          | This interests me because a few years ago I was subjected to a
          | government imposed firewall
          | https://thewire.in/government/kashmir-internet-whitelisted-w...
          | 
          | and I tried my best to bypass this but I did not have the
          | energy to fashion a tourniquet of sorts. I did end up spinning
          | up a free Amazon VPS because apparently "amazon website" was
          | unblocked and that forced them to allow AWS. I ended up simply
          | using ssh -D to the IP of the VPS. That worked for a while but
          | it was not fun... the connection would drop frequently but
          | otherwise it was a POC.
          | 
          | My point is, when we are talking about a hostile adversary like
          | your government that is out to get you, regular "vpn" does not
          | work. In my case, I tried every darn thing but until I came up
          | with my thing, I could not get access to regular internet, so
          | for the next time, what can I do?
        
           | teakettle42 wrote:
           | I've historically used IP over DNS tunneling to pull this
           | off.
           | 
           | A major advantage of this approach is that it leverages a
           | port and protocol that's rarely blocked, and if 53 is
           | blocked, you can generally still use the approved local dns
           | servers for your data-carrying queries.
           | 
           | These days, it looks like there are at least a few well-known
           | pieces of software to do this, e.g.
           | https://github.com/yarrick/iodine
        
           | hhh wrote:
           | This is my first thought of how to do my own VPN in a hostile
           | environment, with the term VPN do you think of consumer VPNs?
           | (Mullvad, Nord, etc.)
           | 
           | When I moved to university, bandwidth was limited in the
           | dormitory to 1mbps/user (in 2016...) This was unacceptable to
           | me, but we had a private link (non-internet) to the campus
           | with virtual desktop infrastructure that had no such limits
           | :). ssh -D immediately gave me 500mbps download to my dorm
           | room, and I guess this sort of thing is probably why I think
           | of ssh -D and running on port 53 etc to evade this sort of
           | thing. Public education in the US can function pretty well as
           | a government out to get you in terms of digital freedom :)
        
             | 2Gkashmiri wrote:
              | Yeah, I even ended up using the Firefox FoxyProxy addon because
              | then I could either go all in on the proxy or whitelist
              | style only a few websites or blacklist with all websites and
              | few open. That addon probably was the best thing in all of
              | it because I was not pushing the entire OS through the
              | tunnel.
              | 
              | Yeah, I guess for some time, Cisco was called out by news
              | outlets for helping the government impose the firewall,
              | which the company later denied, but the damage was done by
              | then so it didn't really matter. Still, I think this just
              | slipped from their minds: a random port, sometimes 80,
              | 8080, 3400. It was fun (well, considering the circumstances)
              | with the added risk of incarceration if caught, and many
              | were unfortunately, so yeah.
        
       | jawngee wrote:
        | It's also great for accessing stuff Vietnamese ISPs try so
        | poorly to block.
        
       | 0xdeadb00f wrote:
       | Completely tangential but I had no idea (what I assume to be
       | remnants of) FreeBSD's pf firewall is included, and works, in
       | standard MacOS.
        
         | toast0 wrote:
         | IIRC, ipfw is there too, but maybe a little less supported, not
         | sure about FreeBSD's third firewall (ipfilter).
         | 
         | As with most of the stuff pulled from FreeBSD, it was pulled
         | around the year 2000, usually with no updates from upstream,
         | and often with few updates from Apple. Pf's synproxy doesn't
         | really work on macos, and is unlikely to get fixed.
        
       | smegsicle wrote:
       | meanwhile does everything on wsl2 still bypass windows firewall?
        
       | egberts1 wrote:
       | That's why you always carry your personal pocket-cellular WiFi
       | modem with custom firewall settings.
       | 
       | Then turn on Airport mode on your cellphone.
       | 
       | Sign on to your WiFi.
       | 
        | IP address privacy, pretty much assured (assuming you have your
        | own backend WireGuard and remote VPS-based gateway).
        
         | VWWHFSfQ wrote:
          | Sounds like a lot of punishment just so you can use an iPhone.
          | Maybe try a different device.
        
           | actionfromafar wrote:
           | Yeah... like a laptop with OpenBSD?
           | 
           | Otherwise it sounds like sound advice for any device if you
           | have the threat profile to warrant it.
        
             | VWWHFSfQ wrote:
             | Seems like a lot of theater to me. If you really have that
             | kind of risk profile then you're not running your exit on
             | your own vps. That will singularly identify you and there's
              | no plausible deniability. And you're leaking way more PII
              | in a typical web request over your VPN than just an
              | IP. I appreciate that people are interested in this stuff
             | and want to do it, but it sounds pointless really.
        
         | mrmuagi wrote:
          | Isn't this quite an annoying thing to set up? IRL live
          | streamers have these backpacks and they seem to need to be
          | battery powered and quite bulky.
        
         | 3np wrote:
         | Got any models you have tried and used?
        
       | jeroenhd wrote:
       | I doubt this is a leak, it very much sounds like Apple is using
       | QUIC to connect home and make the API work.
       | 
       | Not respecting the system firewall does seem like a flaw, but
       | Apple has had a history of bypassing attempts at filtering
       | network traffic. Firewalls have been blocked from working and
       | Apple services have been made unblockable in later APIs. I'm not
       | surprised in the slightest that Apple also bypasses your VPN to
       | call home.
       | 
       | I don't know if this is a problem, though. If you buy Apple, you
       | let Apple make the decisions for you, that's how the entire
       | ecosystem is designed. You must trust Apple unconditionally and
       | accept traffic sent home to adhere to their privacy settings, or
       | you should not run macOS at all. Try to run Windows or Linux on
       | it if you've bought your computer for the hardware quality,
       | though the M1 makes that nearly impossible without sacrificing
       | user experience.
        
         | KarlKemp wrote:
         | If you run Windows or Linux you gain nothing. Apple just
         | demonstrates some ability that operating systems have. They all
         | have this ability. Apple's benign use of it gives you no new
         | information.
        
           | seanw444 wrote:
           | Stuff like this in-kernel with Linux is heavily discouraged
           | and you'd be almost publicly shamed. If it's a problem with
           | user-space, simply use something else.
           | 
           | With Mac, you can usually handle the user-space scenario. Not
           | so much the kernel-space one.
           | 
           | That's what's great about Linux. You don't have to submit to
           | somebody else's will if you don't want to. It takes more
           | effort, but good things always come at some cost.
        
             | xvector wrote:
             | And yet Linux is a terrible choice for the vast majority of
             | users, no amount of "user choice" will change this. Most
             | users don't need choice, they need structure and guide
             | rails.
             | 
             | Apple is arguably engineering computers and OS UX
             | "correctly," e.g. better for most people.
        
             | ajsnigrutin wrote:
             | Yep, if some linux kernel component would bypass iptables
             | and called home, Linus would probably use some very very
             | profound words, before denying the patch and effectively
             | killing the "new feature".
        
           | thefz wrote:
           | Benign? Even if you are trying to conceal yourself? And to
           | justify that, you go off with a "tu quoque"? Boy, how much
           | are they paying you?
        
             | olliej wrote:
             | Then just .. don't use private relay if you don't want it?
             | 
              | The problem being reported here is that a VPN provider (or their
              | firewall rules?) isn't interacting well with what is
              | fundamentally another firewall/VPN.
             | 
             | I'm not sure what the usual expected behavior is when you
             | have multiple conflicting vpn+firewall products?
             | 
             | Also as far as I can make out private relay isn't a vpn? It
             | protects http[s], and for https I don't know if it operates
             | outside of safari?
             | 
             | I appreciate the fancy language conspiracy nonsense, but
             | please look at actual facts:
             | 
             | * this is not free - it is part of the paid iCloud services
             | afaik
             | 
             | * it is opt in - you have to decide you want to use this,
             | they're not just hoovering everything, which gets to
             | 
             | * even if they were hoovering everything, unlike a vpn,
             | private relay is actually private
             | 
              | If you are trying to conceal yourself, VPN services are
              | routinely found to be logging what they say they aren't,
             | and fundamentally all traffic through a VPN can be logged
             | by them. Private relay is strictly better privacy
             | guarantees for connections that go through it rather than
             | the VPN.
             | 
             | This provider points out a reasonable issue: they have
              | added rules to simply block some connections _entirely_,
             | and it seems like PR should respect that - but as I said
             | above, I don't know what the usual expected behaviour for
             | operating multiple VPNs and firewalls concurrently is?
             | 
              | _Finally_, Apple documents explicitly how you can disable
              | iCPR completely, regardless of user setting.
        
         | noasaservice wrote:
         | That sounds like treacherous computing. And I've argued before,
         | that this smells like a rental with the name of a "sale".
         | 
          | A computer does what its owner wants it to do. And when Apple
          | or another company is directing its actions, that tells me that
          | what I have is a rental.
         | 
         | Either relinquish control, or put it on the market with the
         | real name. It's not a sale.
        
           | Retric wrote:
           | Apple does tell you how to block this stuff if that's your
           | concern. Having highly opinionated defaults is required for
           | "it just works" which millions of users really do want, but
           | those same defaults will always annoy someone.
        
           | hn_version_0023 wrote:
           | I agree with this take 110%
           | 
           | As an aside, I'd also like to subscribe to "No as a service".
        
             | olliej wrote:
             | Dude, literally the article says: data gets sent to private
             | relay if you have it enabled. You can stop it from being
             | sent by not turning it on.
             | 
             | What is apple meant to do? Just not provide the service at
             | all?
             | 
             | Because private relay is vastly superior to a VPN for web
             | content, which is what matters to most users?
        
           | simonh wrote:
           | As a user you have made the choice to both enable private
           | relay, and enable a VPN. Now PR isn't itself a VPN as such,
           | but clearly there's some level of potential conflict in
           | making such a decision. If you don't want Private Relay
            | interfering with network traffic routing, pretty much its
            | job as advertised, for goodness sake just switch it off and
           | the whole problem goes away.
        
           | dkonofalski wrote:
            | > A computer does what its owner wants it to do.
           | 
           | If you've enabled Private Relay then it's doing exactly that.
        
         | pkulak wrote:
         | You're suggesting that Windows is equal to Linux as an
         | alternative to MacOS if you favor control and privacy???
        
           | jeroenhd wrote:
           | Windows doesn't come close to Linux in terms of privacy, but
           | Linux doesn't come close to Windows in terms of reliability
           | and professional software support (Photoshop, MS Office,
           | etc.) without hacks and Github scripts.
           | 
           | For the technically-minded Linux is an option, but for
           | everyone else Windows at least allows you to firewall off any
           | domain you choose. Sure, you'll probably break Windows Update
           | in some way, but the Windows kernel doesn't try to bypass
           | your settings (yet).
        
             | RobertRoberts wrote:
             | > "Linux doesn't come close to Windows in terms of
             | reliability..."
             | 
              | I can't tell if you're being extremely sarcastic or lack
              | experience running both of these OSes...
        
               | xmprt wrote:
               | Linux is quite reliable. Maybe even more reliable in day
               | to day use. However it occasionally breaks for me in very
               | subtle ways and when it does break, I have to use
               | technical skills to resolve the issue. That doesn't
               | happen to me on Windows or MacOS. For those reasons, I
               | don't think I'd suggest Linux to anyone who I didn't feel
               | would be able to resolve issues on their own.
        
               | californical wrote:
               | I got my parents on Linux Mint after their desktop died,
               | which I fixed, but they didn't want to buy a new Windows
               | license. They are absolutely not tech savvy, but only use
               | the internet and some super basic document editing &
               | viewing.
               | 
               | They got used to the system quickly and used it for 4
               | years, until the OS went out of LTS and I told them not
               | to use it anymore... but still, they have no idea what a
               | terminal is, no tech savvy, but still used it for their
               | basic use-case for 4 straight years without issue! I
               | didn't even have to help them after the initial install.
               | Couldn't have been easier.
        
               | heavyset_go wrote:
               | My experience, as well. I just set up my parents' Linux
               | desktops to look and act like the systems they were used
               | to and it's been fine for them for years. They've even
               | added printers and scanners to their systems without my
               | help.
        
               | asddubs wrote:
                | I haven't really found Windows to be that reliable,
                | although I don't use it a lot. Lots of weird little
                | issues and googling DLL names, but maybe I'm just
                | unlucky. A while back I tried installing VSCode and it
                | was literally just an all black window, until I installed
                | DirectX or something along those lines. And that's just
                | off the top of my head.
        
             | pkulak wrote:
             | The only thing you said that I agree with is that Windows
             | has better professional software support. Unfortunately,
             | that's not what we're talking about. :/
        
             | heavyset_go wrote:
             | In my experience, if someone's use cases would be well-
             | suited by Chromebooks or ChromeOS, then desktop Linux will
             | work just as well, if not better, for them.
             | 
             | Reliability-wise, desktop Linux is boringly stable these
             | days as long as you don't insist on the bleeding edge by
             | using Arch or Debian unstable.
             | 
             | The MS Office situation has gotten much better with the
             | rise of online office suite web apps, including Office 365,
             | as well as professional desktop software like SoftMaker's
             | closed-sourced and misnomered FreeOffice[1] that has great
             | compatibility with files written in MS Office's formats.
             | 
             | Lack of Photoshop is a problem, but if you're doing
             | animation, special effects or video editing work, Linux has
             | you covered because companies release Linux versions of
             | their workstation software like DaVinci Resolve, Houdini,
             | Autodesk Flame, Blender, Lightworks etc.
             | 
             | [1] https://www.freeoffice.com/en/
        
           | jolux wrote:
           | Windows is by far the worst of the three.
        
             | danamit wrote:
             | Not in this use case.
        
               | jolux wrote:
               | With regards to privacy and control, yes. There's loads
               | of telemetry you can't turn off in Windows anymore, and
                | you can't even set up Windows 11 without an internet
               | connection.
        
               | evilsetg wrote:
               | You can. Today I learned how. You just have to press
               | Shift+F10 to access the console when it asks you to
               | connect to a network and then enter 'OOBE\BYPASSNRO'.
               | That is all. To skip the security questions set no
               | password initially and then set it later using
               | ctrl+alt+del.
        
       | jeffbee wrote:
       | System VPN is a privileged process and it's quite possible that
       | it uses raw networking, for efficiency or other implementation
       | reasons. You'd also see that any Linux process with CAP_NET_RAW
       | "ignores" iptables. It's good to keep in mind the inherent
       | limitations of in-system software firewalls.
        
       ___________________________________________________________________
       (page generated 2022-04-25 23:01 UTC)