Hooray, no more ContentFilterExclusionList

Aloha Patrons,
As of macOS 11.2 beta 2, the (in)famous ContentFilterExclusionList is gone!

...ok, wait, what? 🤔

In recent versions of macOS, Apple has moved toward deprecating 3rd-party kernel extensions (kexts) ...including Network Kernel Extensions (NKEs):

Such NKEs were leveraged by 3rd-party security products (such as firewalls), to comprehensively monitor and filter network traffic. 

In order to continue to support such products on modern versions of macOS (10.15+) Apple introduced the user-mode Network Extension Framework. LuLu v2.0+ leverages this new framework to ensure compatibility with these recent versions of macOS. So far so good.

Unfortunately, Apple (without telling anybody) decided to "exclude" or exempt over 50 of its own applications (such as the App Store) and daemons from being routed thru the Network Extension Framework. 

You can view this list by examining the /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist file (looking for the key "ContentFilterExclusionList"):

Due to the ContentFilterExclusionList list any traffic generated from these "excluded" items could not be filtered or blocked by a socket filter firewall (such as LuLu). Many (rightfully) asked, "What good is a firewall if it can't block all traffic?"  I of course also wondered if malware could abuse these "excluded" items to generate network traffic that could surreptitiously bypass any socket filter firewall.  Unfortunately the answer was yes! It was (unsurprisingly) trivial to find a way to abuse these items, and generate undetected network traffic:  

You can read more about this here: "Apple lets some Big Sur network traffic bypass firewalls" ( https://arstechnica.com/gadgets/2020/11/apple-lets-some-big-sur-network-traffic-bypass-firewalls/ ).

Well, after lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed. The ContentFilterExclusionList list has been removed (in macOS 11.2 beta 2):

Which means, (socket filter) firewalls such as LuLu can now comprehensively filter/block all network traffic:

Woohoo!!! 🥳

You can grab the latest version of LuLu (v2.1.0) from its product page ( https://objective-see.com/products/lulu.html ). It now even runs natively on Apple Silicon (M1)! 

-patrick

By becoming a patron, you'll instantly unlock access to 15 exclusive posts
5
Images
10
Writings
1
Video
By becoming a patron, you'll instantly unlock access to 15 exclusive posts
5
Images
10
Writings
1
Video