objective-see / LuLu

LuLu is the free macOS firewall
GNU General Public License v3.0

Domain filtering not working? #519

Open qxlimitedprod opened 1 year ago

qxlimitedprod commented 1 year ago

I'm having a hard time understanding how to utilise filter-by-domain rules and whether the feature works at all.

I have a per-process rule for /usr/bin/perl5.30 that should allow a connection to a certain domain.tld on port 80. It doesn't work. Mind you, if I set the rule to allow the IP x.x.x.x the domain.tld resolves to, instead of the domain name, Lulu allows traffic to pass.

The debug messages from the system console look something like this:

1 Handling new flow: 
        identifier = D89B5B5D-793C-4940-08D7-319E1A3A0000
        sourceAppIdentifier = .com.apple.perl5
        sourceAppVersion = 
        sourceAppUniqueIdentifier = {length = 20, bytes = 0x6cc8d5bc1da6903ffb1d3841f086230f385e633a}
        procPID = 930
        eprocPID = 930
        direction = outbound
        inBytes = 0
        outBytes = 0
        signature = {length = 32, bytes = 0x8b7f6958 9abb1cdd 5e9fae95 8de9b589 ... 442b8ff3 7ca572f8 }
        socketID = 3a1a9e31d708
        localEndpoint = 0.0.0.0:0
        remoteEndpoint = x.x.x.x:80
        remoteHostname = sub.domain.tld.

2 localEndpoint = 0.0.0.0:0
        remoteEndpoint = x.x.x.x:80
        remoteHostname = sub.domain.tld.
        protocol = 6
        family = 2
        type = 1

3 remote endpoint: x.x.x.x:80 / url: (null)

4 address and port set, will check both for match

5 found matching rule for 930/perl5.30: RULE: pid: all, path: *, name: *, code signing info: (null), endpoint addr: *, endpoint port: *, action: 0, type: 3

6 setting verdict to: BLOCK

I see where Lulu could match the x.x.x.x IP address, but I don't see where it tried matching the domain name. Apparently nowhere, since at p. 5 processing hits the blanket 'default deny' rule and blocks traffic from passing.

DNS requests were explicitly white-listed - I tried setting a wildcard rule or a per-process rule for the Perl interpreter only. Didn't help.

What am I missing?

Lulu version: 2.4.2.

macOS version: Ventura 13.2.

mdjunior commented 1 year ago

I made some calls using perl here:

/usr/bin/perl -MHTTP::Tiny -e 'print HTTP::Tiny->new->get(q{http://ifconfig.me/all.json})->{content}'

And got logs as follows:

2023-05-28 17:35:13.112901-0300 0x1eb01    Debug       0x0                  16310  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] remote endpoint: 34.160.111.145:80 / url: (null)
2023-05-28 17:35:13.113059-0300 0x1eb01    Debug       0x0                  16310  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] found process object in cache: /usr/bin/perl5.30 (pid: 16480)
2023-05-28 17:35:13.113185-0300 0x1eb01    Debug       0x0                  16310  0    com.objective-see.lulu.extension: [com.objective-see.lulu:extension] looking for rule for com.apple.perl5 -> /usr/bin/perl5.30

In the first line of this log, you can see that the URL field is null, but the IP field is filled. Before this connection, I allowed port 53 to the perl process for DNS resolution. I checked with other applications here and I have the impression that the ones that use "Network.framework or NSURLSession connections" have this field filled. This doesn't seem to be the case for perl.
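To make the two observations above concrete, here is an added example (my own simplified model, not LuLu's code) that parses a flow dump in the shape quoted in the report and evaluates endpoint rules against it: a rule written as a domain name can only match if the flow carries a name (the url field, which is null for the BSD-socket perl process), whereas an IP rule matches on remoteEndpoint; the `hostname_fallback` switch, which consults the resolver-derived remoteHostname, is a hypothetical matching strategy for illustration, and 203.0.113.7 is a constructed stand-in for the redacted x.x.x.x.

```python
import re

# Flow dump in the shape LuLu logs (constructed from the report; 203.0.113.7
# stands in for the redacted x.x.x.x, and there is no url line, as for perl).
FLOW_DUMP = """\
Handling new flow:
        sourceAppIdentifier = .com.apple.perl5
        procPID = 930
        direction = outbound
        localEndpoint = 0.0.0.0:0
        remoteEndpoint = 203.0.113.7:80
        remoteHostname = sub.domain.tld.
"""

KV = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

def parse_flow(dump):
    """Turn the 'key = value' block into a dict and split the remote endpoint."""
    flow = {}
    for line in dump.splitlines():
        m = KV.match(line)
        if m:
            flow[m.group(1)] = m.group(2)
    addr, _, port = flow.get("remoteEndpoint", "").rpartition(":")
    flow["remoteAddr"] = addr
    flow["remotePort"] = int(port) if port else None
    # The trailing dot marks an absolute DNS name; normalise for rule comparison.
    flow["remoteHostname"] = flow.get("remoteHostname", "").rstrip(".").lower() or None
    flow.setdefault("url", None)  # "(null)" in the debug output for perl
    return flow

def rule_matches(rule, flow, hostname_fallback=False):
    """Hypothetical endpoint check: addr and port are '*' or a literal value.
    A name in the rule matches only if the flow carries a name: the url field,
    or, when hostname_fallback is on, the resolver-derived remoteHostname."""
    if rule["port"] != "*" and rule["port"] != flow["remotePort"]:
        return False
    want = rule["addr"]
    if want == "*" or want == flow["remoteAddr"]:
        return True
    names = [flow["url"]] + ([flow["remoteHostname"]] if hostname_fallback else [])
    return want.lower() in [n for n in names if n]

def evaluate(rules, flow, hostname_fallback=False):
    """First-match evaluation; no match falls through to the blanket default deny."""
    for rule in rules:
        if rule_matches(rule, flow, hostname_fallback):
            return rule["action"]
    return "BLOCK"

if __name__ == "__main__":
    flow = parse_flow(FLOW_DUMP)
    by_name = {"addr": "sub.domain.tld", "port": 80, "action": "ALLOW"}
    by_ip = {"addr": "203.0.113.7", "port": 80, "action": "ALLOW"}
    print(evaluate([by_name], flow))                          # BLOCK: url is null
    print(evaluate([by_ip], flow))                            # ALLOW
    print(evaluate([by_name], flow, hostname_fallback=True))  # ALLOW
```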