Mac OS X prompts user to allow/deny incoming connections for node

[hantwister]

Hi all,

On a Mac OS X 10.10.2 system with the firewall enabled, I am prompted to allow or deny incoming connections for node upon every update (when Prey's version number, and thus path to the file, changes). Is it possible for the update process to grant a firewall exception to new versions so the user is not asked questions they may not understand?

[ghost]

This was just reported by a customer. @lemavri, the 1.3.7 auto-update triggered more things than what we expected, huh?

I set my device to auto-install new updates. My macbook has firewall enabled by default. Each time the update comes in (presumably this is when updates occur), I am prompted whether or not to allow process "node" to receive in-bound connections. Should my laptop become stolen, update would be blocked from installation without someone allowing this? Or the update proceeds and then cannot be contacted.

Maybe this isn't an issue, but I see this firewall prompt from OS X and know the process that is requesting is part of Prey.

What do you know about this, or what is recommended I do?

Thanks for reporting, @hantwister. The team will take a look ASAP.

Reference: https://secure.helpscout.net/conversation/77374425/16325/

[mauricioschneider]

@hantwister This happens when the Prey client uses uPnP to connect to our servers.

If, by any chance, the user denies the connection, Prey will fallback to the usual connection by interval method, still working properly. While I know the firewall message might be shocking for regular users, there's no much we can do in our end. Actually, if you have a firewall enabled, you'd expect it to warn you and require your approval of unknown attempt for incoming connections.

On the other hand, we are currently considering not using uPnP anymore for establishing a persistent client-server connection, since there are other more reliable ways of ensuring said connection and without all the security implications uPnP has.

[mauricioschneider]

On the other hand, we could add the proper rules to ipfw or pf (depending on the version of OS X) to avoid the gray screen of connection denial. I'll re-open the issue while I my investigation is on the run :+1:

[itsknowone]

I am still getting "icoming connection denied for node" while using Little Snitch. Is there a fix for this? Can I just ignore it and Prey will still work as its supposed to? I added exceptions for Prey but still no luck.

Thanks!

[mauricioschneider]

Hello @itsknowone, the next release will include a fix, at least for the usage of the node dns package that was causing Prey to query "extraneous" IPs, hence triggering LS.

On the other hand, due to the way the updates are handled, the problem still persists if the client gets updated to a newer version.

[itsknowone]

Awesome! Thanks @lemavri

[yashendra2797]

Hey @itsknowone @lemavri I'm facing the same problem with Little Snitch. I install Prey, but after installing I get the notification '"Inoming connection denied for node" around 10 times and that's it. When I open the Prey Control Panel, my Macbook Air is visible, but it can't track the location. It can play a noise and display messages properly though. It showed the location the first time (though it was off by several miles), and now just doesn't show it at all.

I've added all the exceptions I could think of, but to no avail.

[itsknowone]

@yashendra2797

Looks like there will be an update hopefully fixing the annoying notification. But at this point, I don't think there is any fix.

[yashendra2797]

@itsknowone Cool. Thanks!

[mauricioschneider]

The fix is in https://github.com/prey/prey-node-client/blob/master/lib/agent/providers/network/index.js#L126-L168. I'm currently working in the release which includes this and many other improvements.