Hacktricks-skills macos-firewall-bypass-audit

Audit and test macOS firewall configurations for potential bypass vulnerabilities. Use this skill whenever you need to assess macOS firewall security, check for known bypass techniques, enumerate allowed traffic, inspect PF rules, or validate Network Extension filter configurations. This skill helps security professionals identify weaknesses in firewall rules, test for CVE-2024-44206 and other recent vulnerabilities, and harden macOS systems against firewall evasion attacks.

Install

Clone the upstream repo:
git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls/SKILL.MD

Source content

macOS Firewall Bypass Audit

A skill for security professionals to audit macOS firewall configurations and identify potential bypass vulnerabilities. This skill covers defensive testing of firewall rules, Network Extension filters, and known CVEs.

When to Use This Skill

Use this skill when you need to:

  • Audit macOS firewall configurations for security assessments
  • Test for known firewall bypass vulnerabilities (CVE-2024-44206, PF rule-ordering bugs, etc.)
  • Enumerate allowed network traffic and identify whitelisted applications
  • Inspect Packet Filter (PF) rules generated by GUI firewalls
  • Check for Network Extension filter stability issues
  • Validate that firewall rules are actually blocking intended traffic
  • Research firewall bypass techniques for defensive hardening

Quick Start

# Check currently established connections
lsof -i TCP -sTCP:ESTABLISHED

# Inspect PF rules from GUI firewalls
sudo pfctl -a com.apple/250.ApplicationFirewall -sr

# Check for quick keyword rules (potential leak); /dev/pf is root-only, so pfctl needs sudo
sudo pfctl -sr | grep quick

Audit Categories

1. Whitelist Abuse Detection

Firewalls often whitelist well-known macOS processes. Check if suspicious processes are masquerading as legitimate ones.

What to look for:

  • Processes named launchd, mDNSResponder, or other Apple-signed binaries
  • Unexpected network activity from whitelisted processes
  • Binary paths that don't match expected system locations

Audit command:

# List all processes with network connections (+c 0 stops lsof truncating
# command names such as mDNSResponder to nine characters)
lsof -i -n +c 0 | grep -E "(launchd|mDNSResponder|nsurlsessiond)"
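The following is an added example, not part of the original skill, that turns the masquerading check above into a repeatable test: it maps each process name to the standard system location of that daemon (/sbin/launchd, /usr/sbin/mDNSResponder, /usr/libexec/nsurlsessiond) and flags any process using one of those names from somewhere else. The function names, the expected-path table and the sample process list are this example's own assumptions; `apple_signed` and `live_audit` only work on macOS, the rest runs anywhere.

```shell
#!/bin/sh
# Added example: detect processes that borrow an allowlisted Apple daemon's
# name but run from an unexpected path. Expected paths are the standard
# macOS locations; function names are this example's own.

expected_path() {
  case "$1" in
    launchd)       printf '%s\n' /sbin/launchd ;;
    mDNSResponder) printf '%s\n' /usr/sbin/mDNSResponder ;;
    nsurlsessiond) printf '%s\n' /usr/libexec/nsurlsessiond ;;
    *)             return 1 ;;
  esac
}

# check_proc_path NAME PATH
# exit 0 = path matches the expected location, 1 = mismatch (possible
# masquerade), 2 = name not in the table (no opinion).
check_proc_path() {
  name=$1; path=$2
  exp=$(expected_path "$name") || { printf 'UNKNOWN %s %s\n' "$name" "$path"; return 2; }
  if [ "$path" = "$exp" ]; then
    printf 'OK %s %s\n' "$name" "$path"; return 0
  fi
  printf 'SUSPECT %s runs from %s (expected %s)\n' "$name" "$path" "$exp"; return 1
}

# count_suspects reads "NAME PATH" pairs on stdin and prints how many mismatch.
count_suspects() {
  n=0
  while read -r name path; do
    [ -n "$name" ] || continue
    rc=0
    check_proc_path "$name" "$path" >/dev/null || rc=$?
    if [ "$rc" -eq 1 ]; then n=$((n + 1)); fi
  done
  printf '%s\n' "$n"
}

# apple_signed PATH: true when codesign reports Apple's own signing chain.
# Live-only (needs the macOS codesign tool).
apple_signed() {
  codesign -dv "$1" 2>&1 | grep -q '^Authority=Software Signing$'
}

# live_audit (macOS): map every process with an open socket to its binary.
# On macOS `ps -o comm=` prints the executable's full path.
live_audit() {
  lsof -i -n -P +c 0 | awk 'NR > 1 { print $1, $2 }' | sort -u |
  while read -r name pid; do
    path=$(ps -o comm= -p "$pid") || continue
    check_proc_path "$name" "$path" || true
    if [ -n "$path" ] && ! apple_signed "$path"; then
      printf 'NOT-APPLE-SIGNED %s %s\n' "$name" "$path"
    fi
  done
}

# Constructed sample of NAME PATH pairs, in the form ps would report them.
SAMPLE_PROCS='launchd /sbin/launchd
mDNSResponder /usr/sbin/mDNSResponder
launchd /Users/Shared/.cache/launchd
Safari /Applications/Safari.app/Contents/MacOS/Safari'

# Offline demonstration on the constructed sample (prints 1: the fake launchd).
printf '%s\n' "$SAMPLE_PROCS" | count_suspects
```

Run `live_audit` with sudo on the audited Mac so lsof sees every process; a name from the table that resolves to a path outside /sbin, /usr/sbin or /usr/libexec, or that is not signed by Apple, is worth a closer look before the firewall's allow rule is trusted.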

2. DNS Resolution Analysis

DNS queries go through mDNSResponder, which is Apple-signed and typically allowed through firewalls.

Audit approach:

  • Monitor DNS traffic patterns
  • Check for unusual DNS query volumes
  • Verify DNS responses match expected domains
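As an added example (not part of the original skill), the audit approach above can be made concrete by counting queries per name in a short tcpdump capture: a handful of names accounting for most of the volume is normal, while one name queried far more often than the rest deserves a look. The function names, the threshold and the sample capture lines are this example's own constructions; only `live_dns_counts` needs a Mac.

```shell
#!/bin/sh
# Added example: per-name DNS query counts from tcpdump output.
# Function names and the sample lines are this example's own.

# dns_query_counts reads `tcpdump -n` DNS lines on stdin and prints
# "COUNT NAME", highest count first. Only queries (record type followed by
# "?") are counted; responses are ignored.
dns_query_counts() {
  awk '
    /\.53: / {
      for (i = 1; i < NF; i++)
        if ($i ~ /^(A|AAAA|TXT|CNAME|MX|NS|SRV|PTR|HTTPS|ANY)\?$/) {
          name = $(i + 1); sub(/\.$/, "", name)   # strip trailing dot
          c[name]++; break
        }
    }
    END { for (n in c) printf "%d %s\n", c[n], n }' | sort -rn
}

# noisy_names THRESHOLD: names queried at least THRESHOLD times.
noisy_names() {
  dns_query_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# live_dns_counts (macOS): capture 500 DNS packets on en0 and summarise.
live_dns_counts() {
  sudo tcpdump -n -l -c 500 -i en0 udp port 53 2>/dev/null | dns_query_counts
}

# Constructed sample capture (not real traffic); 192.0.2.0/24 is a
# documentation range.
SAMPLE_DNS='14:02:11.100001 IP 192.168.1.20.54321 > 1.1.1.1.53: 45123+ A? example.com. (29)
14:02:11.100340 IP 1.1.1.1.53 > 192.168.1.20.54321: 45123 1/0/0 A 192.0.2.10 (45)
14:02:11.200002 IP 192.168.1.20.54322 > 1.1.1.1.53: 45124+ AAAA? example.com. (29)
14:02:12.000003 IP 192.168.1.20.54323 > 1.1.1.1.53: 45125+ A? example.com. (29)
14:02:12.500004 IP 192.168.1.20.54324 > 1.1.1.1.53: 45126+ A? apple.com. (27)
14:02:13.000005 IP 192.168.1.20.54325 > 1.1.1.1.53: 45127+ TXT? example.com. (29)
14:02:13.500006 IP 192.168.1.20.54326 > 1.1.1.1.53: 45128+ A? example.com. (29)
14:02:14.000007 IP 192.168.1.20.54327 > 1.1.1.1.53: 45129+ A? updates.example.net. (37)'

# Offline demonstration: names queried three or more times in the sample.
printf '%s\n' "$SAMPLE_DNS" | noisy_names 3
```

Because mDNSResponder is the process the firewall sees for every query, the per-name counts are the only place a misbehaving application stands out; pair the counts with the process list from the whitelist check when a name looks out of place.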

3. Browser-Based Traffic Inspection

Browsers can be used to exfiltrate data even when other applications are blocked.

Test browser exfiltration paths:

  • Safari:
    open -j -a Safari "https://test-domain.com"
  • Chrome:
    /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --headless "https://test-domain.com"
  • Firefox:
    firefox-bin --headless "https://test-domain.com"

Audit tip: Check if browser processes have outgoing network entitlements:

codesign -d --entitlements :- /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome 2>/dev/null | grep network

4. CVE-2024-44206 Testing (Web Content Filter Bypass)

Vulnerability: Safari/WebKit double URL-encoding bypass in Screen Time filters (patched July 2024).

Test procedure:

# Test if Screen Time filter is vulnerable
open "http://test%2Eexample.com%2F./"

Expected behavior:

  • Patched system: Request blocked by Screen Time
  • Vulnerable system: Safari loads the page despite filter

Remediation: Update to macOS version with July 2024 security patches.

5. PF Rule-Ordering Bug Check (macOS 14 Sonoma)

Vulnerability: Rules with the quick keyword were silently ignored in early macOS 14 betas (fixed in RC 2, build 23A344).

Test procedure:

# Check for quick rules (pfctl needs root to open /dev/pf)
sudo pfctl -sr | grep quick

# Verify traffic is actually blocked
sudo tcpdump -n -i en0 not port 53

Expected behavior:

  • If quick rules exist but traffic still flows, the bug may be present
  • Verify the macOS build number: sw_vers -buildVersion
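The check above can be scripted, as in this added example (not part of the original skill): one function lists the quick rules of a ruleset in evaluation order, another decides from the build string whether the build predates the 23A344 fix mentioned above. Beta builds of a release carry a trailing letter after the build number; the example treats every 23A build with such a suffix as older than the RC 2 fix. Function names and the sample ruleset are this example's own; only `live_quick_check` needs a Mac.

```shell
#!/bin/sh
# Added example: list PF `quick` rules and gate on the macOS build number.
# Function names and SAMPLE_RULES are this example's own constructions.

# quick_rules reads `pfctl -sr` output on stdin and prints every rule that
# uses `quick`, prefixed with its position in the ruleset. Comments and
# blank lines are skipped so positions match what PF evaluates.
quick_rules() {
  awk '/^[[:space:]]*#/ { next }
       /^[[:space:]]*$/ { next }
       { n++ }
       / quick( |$)/ { printf "%d: %s\n", n, $0 }'
}

count_quick_rules() { quick_rules | wc -l | tr -d ' '; }

# build_affected BUILD
# exit 0 when BUILD is a macOS 14 (23A) build older than 23A344, 1 otherwise.
build_affected() {
  b=$1
  case "$b" in
    23A[0-9]*[a-z]) return 0 ;;                 # beta build (letter suffix): predates RC 2
    23A[0-9]*)      [ "${b#23A}" -lt 344 ] ;;   # release candidates and later
    *)              return 1 ;;                 # not a macOS 14.0 build
  esac
}

# live_quick_check (macOS): report the build and the quick rules in effect.
live_quick_check() {
  build=$(sw_vers -buildVersion)
  if build_affected "$build"; then
    echo "build $build predates the quick-rule fix (23A344): verify blocks with tcpdump"
  else
    echo "build $build is not in the affected range"
  fi
  sudo pfctl -sr 2>/dev/null | quick_rules
}

# Constructed sample ruleset (not a real configuration).
SAMPLE_RULES='# constructed sample, not a real ruleset
block drop in log quick proto tcp from any to any port = 22
pass in quick on lo0 all
pass out all

block drop out quick proto udp from any to any port = 443'

# Offline demonstration: prints the three quick rules with their positions.
printf '%s\n' "$SAMPLE_RULES" | quick_rules
```

On an affected build the listing alone proves nothing: the rules are present but not honoured, which is why the tcpdump step above stays in the procedure even when the script reports quick rules.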

6. QUIC/ECH Evasion Testing (macOS 12+)

Vulnerability: HTTP/3 over QUIC with Encrypted Client Hello can bypass domain filters.

Test procedure:

# Test Chrome with QUIC/ECH
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
  --enable-quic \
  --origin-to-force-quic-on=test-domain.com:443 \
  --enable-features=EncryptedClientHello \
  --user-data-dir=/tmp/h3test \
  https://test-domain.com

# Test with curl (8.10+)
curl --http3-only https://test-domain.com

Expected behavior:

  • If domain is blocked but request succeeds, filter cannot parse QUIC/ECH
  • Check firewall logs for UDP/443 traffic

7. Network Extension Filter Stability (macOS 15 Sequoia)

Vulnerability: Early 15.0/15.1 builds crash third-party Network Extension filters.

Test procedure:

# Monitor Network Extension logs
log stream --predicate 'subsystem == "com.apple.networkextension"' --style syslog

# Generate UDP flow stress (run in separate terminal)
python3 - <<'PY'
import socket

# Each iteration opens a fresh UDP socket so the filter sees a new flow;
# closing it again keeps the loop under the per-process open-file limit
# (the default ulimit on macOS is far below 5000 descriptors).
for i in range(5000):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(b'X' * 32, ('1.1.1.1', 53))
PY

Expected behavior:

  • Watch for filter crash/restart cycles
  • Check if firewall GUI still shows "active" while rules are dropped

8. Entitlement Enumeration

Find binaries with outgoing network entitlements that could be abused.

Audit command:

# Check specific binary
codesign -d --entitlements :- /path/to/bin 2>/dev/null | \
  plutil -extract com.apple.security.network.client xml1 -o - -

# Scan common locations
for bin in /System/Applications/App\ Store.app/Contents/MacOS/App\ Store \
           /System/Library/CoreServices/Menu\ Extras/User.menu/Contents/MacOS/User; do
  echo "=== $bin ==="
  codesign -d --entitlements :- "$bin" 2>/dev/null | grep -A2 network.client
done

Audit Workflow

Step 1: Baseline Assessment

  1. Document current firewall configuration
  2. List all allowed applications
  3. Capture baseline network traffic
  4. Note macOS version and build number

Step 2: Vulnerability Testing

  1. Test for CVE-2024-44206 (if applicable)
  2. Check PF rule ordering (macOS 14)
  3. Test QUIC/ECH bypass (macOS 12+)
  4. Stress test Network Extension filters (macOS 15)

Step 3: Whitelist Analysis

  1. Enumerate all whitelisted processes
  2. Check for process masquerading
  3. Verify binary paths and signatures
  4. Review DNS resolution patterns

Step 4: Remediation Planning

  1. Update macOS to latest security patches
  2. Configure firewall to block QUIC/UDP-443 if needed
  3. Implement application allowlisting by path, not just name
  4. Enable logging for Network Extension events
  5. Consider additional monitoring for DNS and browser traffic
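Step 2 of the remediation plan (block QUIC on UDP/443) can be implemented with a PF anchor, shown here as an added example that is not part of the original skill or of any firewall product. The anchor name org.example.quicblock, the file path under /etc/pf.anchors and the helper names are this example's assumptions; `install_quic_block` and `show_blocked` need root on a Mac, the rule and config generators run anywhere.

```shell
#!/bin/sh
# Added example: a PF anchor that blocks outbound QUIC (UDP/443) with logging.
# Anchor name, file path and function names are this example's own.

ANCHOR=org.example.quicblock
ANCHOR_FILE=/etc/pf.anchors/$ANCHOR

# quic_block_rules prints the anchor's rules. `log` copies matches to pflog0
# so blocked attempts are auditable; `quick` ends evaluation at this rule.
quic_block_rules() {
  cat <<EOF
# $ANCHOR: block outbound QUIC / HTTP/3 so browsers fall back to TCP
block drop out log quick proto udp from any to any port 443
EOF
}

# pf_conf_lines prints the two lines /etc/pf.conf needs to evaluate the anchor.
pf_conf_lines() {
  printf 'anchor "%s"\nload anchor "%s" from "%s"\n' "$ANCHOR" "$ANCHOR" "$ANCHOR_FILE"
}

# pf_conf_has_anchor reads a pf.conf on stdin; exit 0 if the anchor is referenced.
pf_conf_has_anchor() {
  grep -qF -- "anchor \"$ANCHOR\""
}

# install_quic_block (macOS, root): write the anchor file, reference it from
# /etc/pf.conf once, syntax-check, reload, and make sure PF is enabled.
install_quic_block() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  quic_block_rules > "$ANCHOR_FILE"
  pf_conf_has_anchor < /etc/pf.conf || pf_conf_lines >> /etc/pf.conf
  pfctl -nf /etc/pf.conf || return 1        # parse only; abort on syntax errors
  pfctl -f /etc/pf.conf || return 1
  pfctl -e 2>/dev/null || true              # already-enabled is not an error here
}

# show_blocked (macOS, root): stream the packets PF logged for this rule.
show_blocked() {
  ifconfig pflog0 >/dev/null 2>&1 || ifconfig pflog0 create
  tcpdump -n -e -ttt -i pflog0 'udp port 443'
}

# Offline demonstration: the rule and the pf.conf lines that would be installed.
quic_block_rules
pf_conf_lines
```

With the rule loaded, re-run the QUIC/ECH test from category 6: the Chrome and curl requests should fail over UDP and, for Chrome, fall back to TCP where the existing domain filter applies; `show_blocked` confirms the drops. System updates can rewrite /etc/pf.conf, so include `pf_conf_has_anchor < /etc/pf.conf` in the post-update checklist.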

Scripts

Use the bundled scripts for common audit tasks:

  • check-allowed-traffic.sh: list all established TCP connections
  • inspect-pf-rules.sh: display PF rules from GUI firewalls
  • check-entitlements.sh: find binaries with network entitlements
  • test-quic-capability.sh: check if QUIC/ECH is available
  • monitor-netext.sh: watch Network Extension filter logs

Safety Notes

  • Always perform audits on systems you own or have explicit authorization to test
  • Some tests may generate network traffic - ensure you're in a controlled environment
  • CVE testing should only be done on systems where you can verify patch status
  • Network Extension stress tests may temporarily impact firewall functionality
  • Document all findings and remediate vulnerabilities discovered