macOS 14 Sonoma firewall bug fixed!
The firewall bug in macOS 14 Sonoma betas and release candidates that we blogged about last week has been fixed by Apple.
Yesterday Apple released macOS 14 Sonoma Release Candidate 2 (23A344). This version no longer exhibits the invalid firewall rule evaluation that we observed in the earlier release candidate and betas (starting from beta 6). This also means that our VPN app now works fine in the latest Sonoma.
Why we were affected
Our VPN app is what we call a privacy preserving VPN client. This means its main purpose is not just to establish a tunnel and make sure it works, but also to ensure there are no leaks and no ways to de-anonymize the user.
To uphold the privacy preserving aspect, we do not think it is enough to rely solely on the routing table or Apple’s content filter provider API to make sure that traffic which is supposed to go into the VPN tunnel actually does, because doing so leaves numerous potential leaks, for example this one that was introduced in Big Sur. At Mullvad we believe in adding as many safety layers as possible. Denying unwanted traffic at the firewall layer is an obvious design choice for us.
The firewall bugs we saw could only be observed if the rules contained the quick option, meaning they terminate firewall rule evaluation at the first matching rule. Without quick, all network traffic will still be evaluated by subsequent rules and anchors injected by Apple or other software on the computer, and a later matching rule can override ours. We see this as a potential risk. While it might be possible to write firewall rules for a VPN without quick, we want our rules to be as final as possible, for security.
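To make the point about quick concrete, here is an added example (not code from this post or from the Mullvad app) that models pf's evaluation order on a small subset of its rule syntax: rules are evaluated top to bottom, the last matching rule decides, and a matching rule marked quick ends evaluation immediately. The two rulesets, the interface names utun3 and en0, the addresses 203.0.113.10 and 198.51.100.7 (documentation ranges) and the trailing "pass on en0 all" line standing in for a rule loaded later by another anchor are all constructed for the illustration; real pf also tracks state, direction, protocol and ports, which this toy evaluator ignores.

```python
"""Toy model of pf rule evaluation: last match wins unless a matching rule is `quick`."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str             # "pass" or "block"
    quick: bool             # stop evaluating after this rule matches
    iface: Optional[str]    # None matches any interface
    dst: Optional[str]      # None matches any destination address


@dataclass
class Packet:
    iface: str
    dst: str


def parse_rule(line: str) -> Rule:
    """Parse a pf-like rule supporting: pass|block [drop] [in|out] [quick] [on IF] [to ADDR] [all]."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("pass", "block"):
        raise ValueError(f"unsupported action: {action}")
    rule = Rule(action=action, quick=False, iface=None, dst=None)
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "quick":
            rule.quick = True
        elif tok == "on":
            i += 1
            rule.iface = tokens[i]
        elif tok == "to":
            i += 1
            rule.dst = tokens[i]
        elif tok in ("drop", "in", "out", "all", "from", "any"):
            pass  # accepted for readability, not modelled in this toy
        else:
            raise ValueError(f"unsupported token: {tok}")
        i += 1
    return rule


def parse_ruleset(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if line:
            rules.append(parse_rule(line))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface is None or rule.iface == pkt.iface) and \
           (rule.dst is None or rule.dst == pkt.dst)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """pf semantics: the last matching rule wins, unless a matching rule is quick."""
    verdict = default                 # pf passes traffic that no rule matches
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break                 # quick: evaluation stops here, verdict is final
    return verdict


# Constructed rulesets. utun3 is the VPN tunnel, en0 the physical interface,
# 203.0.113.10 the VPN server. Neither is Mullvad's real ruleset.
RULES_WITHOUT_QUICK = """
block drop all
pass on utun3 all
pass out on en0 to 203.0.113.10
"""

RULES_WITH_QUICK = """
pass quick on utun3 all
pass out quick on en0 to 203.0.113.10
block drop quick all
"""

# Constructed: a permissive rule that another anchor loads after ours.
LATER_RULES = "pass on en0 all\n"


def verdicts(ruleset_text: str) -> Dict[str, str]:
    """Evaluate three constructed packets against our rules plus the later anchor rule."""
    rules = parse_ruleset(ruleset_text + LATER_RULES)
    packets = {
        "tunnel": Packet("utun3", "198.51.100.7"),      # traffic inside the VPN tunnel
        "vpn_server": Packet("en0", "203.0.113.10"),    # the tunnel itself, to the VPN server
        "leak": Packet("en0", "198.51.100.7"),          # plaintext traffic bypassing the tunnel
    }
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    print("without quick:", verdicts(RULES_WITHOUT_QUICK))
    print("with quick:   ", verdicts(RULES_WITH_QUICK))
```

Without quick, the block rule is evaluated first and a later pass rule from another anchor still wins for the "leak" packet, so it is passed. With quick, the ruleset is ordered pass-then-block and the final block quick rule decides for everything our pass rules did not already accept, regardless of what is loaded after it. This ordering is the reason quick rules have to be written with the allowed traffic first.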