Revert: (macOS) New Firewall option: Bypass Apple Services

Fix is not stable.
Commit:
c44b9f1 [c44b9f1]

#394

Author: stenya

daemon/References/macOS/etc/firewall.sh

@@ -5,7 +5,6 @@
 #   sudo pfctl -s rules
 # Show all rules for "ivpn_firewall" anchor
 #   sudo pfctl -a "ivpn_firewall" -s rules
-#   sudo pfctl -a "ivpn_firewall/apple_services" -s rules
 #   sudo pfctl -a "ivpn_firewall/tunnel" -s rules
 #   sudo pfctl -a "ivpn_firewall/dns" -s rules
 # Show table
@@ -102,7 +101,6 @@ function enable_firewall {
       pass out inet proto udp from 0.0.0.0 to 255.255.255.255 port = 67
       pass in proto udp from any to any port = 68
 
-      anchor apple_services all
       anchor tunnel all
       anchor dns all
 _EOF
@@ -130,8 +128,6 @@ function disable_firewall {
     pfctl -a ${ANCHOR_NAME} -t ${EXCEPTIONS_TABLE} -T flush
     pfctl -a ${ANCHOR_NAME} -t ${USER_EXCEPTIONS_TABLE} -T flush
 
-    # remove all rules in tun anchor
-    pfctl -a ${ANCHOR_NAME}/apple_services -Fr
     # remove all rules in tun anchor
     pfctl -a ${ANCHOR_NAME}/tunnel -Fr
     # remove all rules in dns anchor
@@ -188,33 +184,6 @@ _EOF
         block drop out proto tcp from any to ! ${DNS} port = 53
 _EOF
 }
-####
-function allow_apple_services_on {
-    # Ports: https://support.apple.com/en-us/103229    
-    #   443  TCP - Secure Sockets Layer (SSL or HTTPS): TLS websites, iTunes Store, Software Update, Spotlight Suggestions, Mac App Store, Maps, FaceTime, Game Center, iCloud authentication and DAV Services (Contacts, Calendars, Bookmarks), iCloud backup and apps (Calendars, Contacts, Find My iPhone, Find My Friends, Mail, iMessage, Documents & Photo Stream), iCloud Key Value Store (KVS), AirPlay, macOS Internet Recovery, Dictation, Siri, Xcode Server (hosted and remote Git HTTPS, remote SVN HTTPS, Apple Developer registration), Push notifications (if necessary)
-    #   2197 TCP - Apple Push Notification Service (APNS)
-    #   5223 TCP - Apple Push Notification Service (APNS): iCloud DAV Services (Contacts, Calendars, Bookmarks), Push Notifications, FaceTime, iMessage, Game Center, Photo Stream
-    #
-    # IP addresses: https://support.apple.com/en-us/HT210060
-    pfctl -a ${ANCHOR_NAME}/apple_services -f - <<_EOF
-        pass out quick proto tcp from any to 17.249.0.0/16      port { 443, 2197, 5223 } flags any keep state
-        pass out quick proto tcp from any to 17.252.0.0/16      port { 443, 2197, 5223 } flags any keep state
-        pass out quick proto tcp from any to 17.57.144.0/22     port { 443, 2197, 5223 } flags any keep state
-        pass out quick proto tcp from any to 17.188.128.0/18    port { 443, 2197, 5223 } flags any keep state
-        pass out quick proto tcp from any to 17.188.20.0/23     port { 443, 2197, 5223 } flags any keep state
-
-        pass out quick proto tcp from any to 2620:149:a44::/48  port { 443, 2197, 5223 } flags any keep state
-        pass out quick proto tcp from any to 2403:300:a42::/48  port { 443, 2197, 5223 } flags any keep state
-        pass out quick proto tcp from any to 2403:300:a51::/48  port { 443, 2197, 5223 } flags any keep state
-        pass out quick proto tcp from any to 2a01:b740:a42::/48 port { 443, 2197, 5223 } flags any keep state
-_EOF
-
-}
-
-function allow_apple_services_off {
-    pfctl -a ${ANCHOR_NAME}/apple_services -Fr
-}
-####
 
 function main {
 
@@ -274,15 +243,6 @@ function main {
         get_firewall_enabled || return 0
 
         set_dns $2
-
-    elif [[ $1 = "-allow_apple_services_on" ]]; then    
-
-       allow_apple_services_on
-
-    elif [[ $1 = "-allow_apple_services_off" ]]; then    
-
-      allow_apple_services_off
-
     else
         echo "Unknown command"
         return 2

daemon/protocol/protocol.go

@@ -85,7 +85,6 @@ type Service interface {
 	SetKillSwitchAllowLANMulticast(isAllowLanMulticast bool) error
 	SetKillSwitchAllowLAN(isAllowLan bool) error
 	SetKillSwitchAllowAPIServers(isAllowAPIServers bool) error
-	SetKillSwitchAllowAppleServices(isAllowAppleServices bool) error
 	SetKillSwitchUserExceptions(exceptions string, ignoreParsingErrors bool) error
 
 	GetConnectionParams() service_types.ConnectionParams
@@ -705,20 +704,6 @@ func (p *Protocol) processRequest(conn net.Conn, message string) {
 		p.sendResponse(conn, &types.EmptyResp{}, req.Idx)
 		// all clients will be notified in case of successful change by OnKillSwitchStateChanged() handler
 
-	case "KillSwitchSetAllowAppleServices":
-		var req types.KillSwitchSetAllowAppleServices
-		if err := json.Unmarshal(messageData, &req); err != nil {
-			p.sendErrorResponse(conn, reqCmd, err)
-			break
-		}
-		if err := p._service.SetKillSwitchAllowAppleServices(req.IsAllowAppleServices); err != nil {
-			p.sendErrorResponse(conn, reqCmd, err)
-			break
-		}
-		// send the response to the requestor
-		p.sendResponse(conn, &types.EmptyResp{}, req.Idx)
-		// all clients will be notified in case of successful change by OnKillSwitchStateChanged() handler
-
 	// TODO: avoid using raw key as a string
 	// NOTE: please, use 'SetUserPreferences' for future extensions
 	case "SetPreference":

daemon/protocol/types/requests.go

@@ -119,11 +119,6 @@ type KillSwitchSetAllowApiServers struct {
 	IsAllowApiServers bool
 }
 
-type KillSwitchSetAllowAppleServices struct {
-	RequestBase
-	IsAllowAppleServices bool
-}
-
 // KillSwitchSetEnabled request to enable\disable kill-switch
 type KillSwitchSetEnabled struct {
 	RequestBase

daemon/service/firewall/firewall.go

@@ -235,12 +235,6 @@ func RemoveHostsFromExceptions(IPs []net.IP, onlyForICMP bool, isPersistent bool
 	return err
 }
 
-func AllowAppleServices(isAllowAPIServers bool) error {
-	mutex.Lock()
-	defer mutex.Unlock()
-	return implAllowAppleServices(isAllowAPIServers)
-}
-
 // AllowLAN - allow/forbid LAN communication
 func AllowLAN(allowLan bool, allowLanMulticast bool) error {
 	mutex.Lock()

daemon/service/firewall/firewall_darwin.go

@@ -41,8 +41,7 @@ import (
 var (
 	// key: is a string representation of allowed IP
 	// value: true - if exception rule is persistant (persistant, means will stay available even client is disconnected)
-	allowedHosts       map[string]bool
-	allowAppleServices bool
+	allowedHosts map[string]bool
 )
 
 func init() {
@@ -133,15 +132,6 @@ func implClientDisconnected() error {
 	return shell.Exec(nil, platform.FirewallScript(), "-disconnected")
 }
 
-func implAllowAppleServices(isAllowAPIServers bool) error {
-	allowAppleServices = isAllowAPIServers
-	if allowAppleServices {
-		return shell.Exec(log, platform.FirewallScript(), "-allow_apple_services_on")
-	} else {
-		return shell.Exec(log, platform.FirewallScript(), "-allow_apple_services_off")
-	}
-}
-
 func implAllowLAN(isAllowLAN bool, isAllowLanMulticast bool) error {
 	// the rule should stay unchanged independently from VPN connection state
 	isPersistent := true
@@ -281,14 +271,6 @@ func reApplyExceptions() error {
 			err = err2
 		}
 	}
-
-	err3 := implAllowAppleServices(allowAppleServices)
-	if err3 != nil {
-		log.Error(err3)
-		if err == nil {
-			err = err3
-		}
-	}
 	return err
 }
 

daemon/service/firewall/firewall_linux.go

@@ -177,10 +177,6 @@ func implClientDisconnected() error {
 	return shell.Exec(nil, platform.FirewallScript(), "-disconnected")
 }
 
-func implAllowAppleServices(isAllowAPIServers bool) error {
-	return nil // do nothing for Linux
-}
-
 func implAllowLAN(isAllowLAN bool, isAllowLanMulticast bool) error {
 	return doAllowLAN(isAllowLAN, isAllowLanMulticast)
 }

daemon/service/firewall/firewall_windows.go

@@ -185,10 +185,6 @@ func implRemoveHostsFromExceptions(IPs []net.IP, onlyForICMP bool, isPersistent
 	return nil
 }
 
-func implAllowAppleServices(isAllowAPIServers bool) error {
-	return nil // do nothing for Windows
-}
-
 // AllowLAN - allow/forbid LAN communication
 func implAllowLAN(allowLan bool, allowLanMulticast bool) error {
 

daemon/service/preferences/preferences.go

@@ -82,7 +82,6 @@ type Preferences struct {
 	IsFwAllowLAN             bool
 	IsFwAllowLANMulticast    bool
 	IsFwAllowApiServers      bool
-	IsFwAllowAppleServices   bool   // Bypass VPN for Apple Services Traffic. Enabling this option allows traffic from Apple services to bypass the IVPN Firewall, permitting specific Apple IP ranges through, and this traffic may be routed outside the VPN tunnel.
 	FwUserExceptions         string // Firewall exceptions: comma separated list of IP addresses (masks) in format: x.x.x.x[/xx]
 	IsStopOnClientDisconnect bool
 

daemon/service/service.go

@@ -248,10 +248,7 @@ func (s *Service) init() error {
 		log.Error("Failed to initialize firewall with AllowLAN preference value: ", err)
 	}
 
-	if err := firewall.AllowAppleServices(s._preferences.IsFwAllowAppleServices); err != nil {
-		log.Error("Failed to initialize firewall with AppleServices preference value: ", err)
-	}
-
+	//log.Info("Applying firewal exceptions (user configuration)")
 	if err := firewall.SetUserExceptions(s._preferences.FwUserExceptions, true); err != nil {
 		log.Error("Failed to apply firewall exceptions: ", err)
 	}
@@ -1082,14 +1079,13 @@ func (s *Service) KillSwitchState() (status types.KillSwitchStatus, err error) {
 	enabled, isLanAllowed, _, err := firewall.GetState()
 
 	return types.KillSwitchStatus{
-		IsEnabled:            enabled,
-		IsPersistent:         prefs.IsFwPersistant,
-		IsAllowLAN:           prefs.IsFwAllowLAN,
-		IsAllowMulticast:     prefs.IsFwAllowLANMulticast,
-		IsAllowApiServers:    prefs.IsFwAllowApiServers,
-		IsAllowAppleServices: prefs.IsFwAllowAppleServices,
-		UserExceptions:       prefs.FwUserExceptions,
-		StateLanAllowed:      isLanAllowed,
+		IsEnabled:         enabled,
+		IsPersistent:      prefs.IsFwPersistant,
+		IsAllowLAN:        prefs.IsFwAllowLAN,
+		IsAllowMulticast:  prefs.IsFwAllowLANMulticast,
+		IsAllowApiServers: prefs.IsFwAllowApiServers,
+		UserExceptions:    prefs.FwUserExceptions,
+		StateLanAllowed:   isLanAllowed,
 	}, err
 }
 
@@ -1167,18 +1163,6 @@ func (s *Service) SetKillSwitchAllowAPIServers(isAllowAPIServers bool) error {
 	return nil
 }
 
-func (s *Service) SetKillSwitchAllowAppleServices(isAllowAppleServices bool) error {
-	prefs := s._preferences
-	prefs.IsFwAllowAppleServices = isAllowAppleServices
-	s.setPreferences(prefs)
-
-	err := firewall.AllowAppleServices(isAllowAppleServices)
-	if err == nil {
-		s.onKillSwitchStateChanged()
-	}
-	return err
-}
-
 // SetKillSwitchUserExceptions set ip/mask to be excluded from FW block
 // Parameters:
 //   - exceptions - comma separated list of IP addresses in format: x.x.x.x[/xx]

daemon/service/types/types.go

@@ -23,13 +23,12 @@
 package types
 
 type KillSwitchStatus struct {
-	IsEnabled            bool   // FW state
-	IsPersistent         bool   // configuration: true - when persistent
-	IsAllowLAN           bool   // configuration: 'Allow LAN'
-	IsAllowMulticast     bool   // configuration: 'Allow multicast'
-	IsAllowApiServers    bool   // configuration: 'Allow API servers'
-	IsAllowAppleServices bool   // configuration: 'Bypass Apple services'
-	UserExceptions       string // configuration: Firewall exceptions: comma separated list of IP addresses (masks) in format: x.x.x.x[/xx]
+	IsEnabled         bool   // FW state
+	IsPersistent      bool   // configuration: true - when persistent
+	IsAllowLAN        bool   // configuration: 'Allow LAN'
+	IsAllowMulticast  bool   // configuration: 'Allow multicast'
+	IsAllowApiServers bool   // configuration: 'Allow API servers'
+	UserExceptions    string // configuration: Firewall exceptions: comma separated list of IP addresses (masks) in format: x.x.x.x[/xx]
 
 	StateLanAllowed bool // real state of 'Allow LAN'
 }

ui/src/components/settings/settings-firewall.vue

@@ -53,38 +53,6 @@
       >
     </div>
 
-    <!-- Bypass apple services -->
-    <div class="param" tabindex="0">
-      <input
-        type="checkbox"
-        id="firewallBypassAppleServices"
-        v-model="firewallBypassAppleServices"
-      />
-      <label class="defColor" for="firewallBypassAppleServices"
-        >Bypass VPN for Apple Services Traffic</label
-      >
-      <button class="noBordersBtn flexRow" title="Help" v-on:click="$refs.helpBypassAppleServices.showModal()">
-            <img src="@/assets/question.svg" />
-      </button>
-      <ComponentDialog ref="helpBypassAppleServices" header="Info">
-        <div>
-          <p>
-            Since macOS Sequoia (15.0), certain Apple apps (like Messages) may not function correctly 
-            when the IVPN Firewall is enabled because Apple does not respect the system's default routing configuration.
-          </p>
-          <p>
-            Enabling this option allows traffic from Apple services to bypass the IVPN Firewall, 
-            permitting specific Apple IP ranges through, and this traffic may be routed outside the VPN tunnel.
-          </p>
-          <div class="settingsGrayLongDescriptionFont">            
-            This is a temporary workaround until Apple resolves the issue.
-            <br />        
-            Note! This option is applicable only for the WireGuard protocol.
-          </div>
-        </div>
-      </ComponentDialog>
-    </div>
-
     <!-- On-demand Firewall -->
     <div class="settingsBoldFont" tabindex="0">On-demand Firewall:</div>
 
@@ -320,14 +288,6 @@ export default {
         await sender.KillSwitchSetAllowApiServers(value);
       },
     },
-    firewallBypassAppleServices: {
-      get() {
-        return this.$store.state.vpnState.firewallState.IsAllowAppleServices;
-      },
-      async set(value) {
-        await sender.KillSwitchSetAllowAppleServices(value);
-      },
-    },
     firewallAllowLan: {
       get() {
         return this.$store.state.vpnState.firewallState.IsAllowLAN;

ui/src/daemon-client/index.js

@@ -80,7 +80,6 @@ const daemonRequests = Object.freeze({
   KillSwitchGetStatus: "KillSwitchGetStatus",
   KillSwitchSetEnabled: "KillSwitchSetEnabled",
   KillSwitchSetAllowApiServers: "KillSwitchSetAllowApiServers",
-  KillSwitchSetAllowAppleServices: "KillSwitchSetAllowAppleServices",
   KillSwitchSetAllowLANMulticast: "KillSwitchSetAllowLANMulticast",
   KillSwitchSetAllowLAN: "KillSwitchSetAllowLAN",
   KillSwitchSetIsPersistent: "KillSwitchSetIsPersistent",
@@ -1442,12 +1441,6 @@ async function KillSwitchSetAllowApiServers(IsAllowApiServers) {
     IsAllowApiServers,
   });
 }
-async function KillSwitchSetAllowAppleServices(IsAllowAppleServices) {
-  await sendRecv({
-    Command: daemonRequests.KillSwitchSetAllowAppleServices,
-    IsAllowAppleServices,
-  });
-}
 
 async function KillSwitchSetAllowLANMulticast(AllowLANMulticast) {
   await sendRecv({
@@ -1916,7 +1909,6 @@ export default {
 
   EnableFirewall,
   KillSwitchSetAllowApiServers,
-  KillSwitchSetAllowAppleServices,
   KillSwitchSetAllowLANMulticast,
   KillSwitchSetAllowLAN,
   KillSwitchSetIsPersistent,

ui/src/ipc/main-listener.js

@@ -117,12 +117,6 @@ ipcMain.handle(
     return await client.KillSwitchSetAllowApiServers(enable);
   }
 );
-ipcMain.handle(
-  "renderer-request-KillSwitchSetAllowAppleServices",
-  async (event, enable) => {
-    return await client.KillSwitchSetAllowAppleServices(enable);
-  }
-);
 ipcMain.handle(
   "renderer-request-KillSwitchSetAllowLANMulticast",
   async (event, enable) => {

ui/src/ipc/renderer-sender.js

@@ -153,12 +153,6 @@ export default {
       isEnable
     );
   },
-  KillSwitchSetAllowAppleServices: async (isEnable) => {
-    return await invoke(
-      "renderer-request-KillSwitchSetAllowAppleServices",
-      isEnable
-    );
-  },
   KillSwitchSetAllowLANMulticast: async (isEnable) => {
     return await invoke(
       "renderer-request-KillSwitchSetAllowLANMulticast",

ui/src/store/module-vpn-state.js

@@ -67,7 +67,6 @@ export default {
       IsAllowLAN: null,
       IsAllowMulticast: null,
       IsAllowApiServers: null,
-      IsAllowAppleServices: null,
       UserExceptions: "",
     },