Saturday, September 14, 2024

networking – Configure macOS firewall to receive packets (udp ipv6)


Crossposted from stackoverflow

I am attempting to receive a udp ipv6 packet on a MacBook (macOS Sonoma 14.6) on a residential internet connection.

Disclaimer: I'm a networking noob and a lot of the work below is me attempting to learn.

I am following Beej's networking guide to learn how to send packets using the BSD sockets API. I am running listener.c on Mac and talker.c on a cloud instance (aws ec2).

I do not want to use port forwarding or NAT unless absolutely necessary. Ideally residential machines on ipv6 should be able to connect directly peer-to-peer without all that.

  • talker is successfully sending a single ipv6 udp packet from the aws ec2 instance, but listener on macOS is not receiving them.
  • The connection works the other way round: sending an ipv6 udp packet from the MacBook to the aws ec2 instance works fine using talker and listener. (After following the aws guides on configuring aws VPC, subnet, security groups – aws manages firewalls, auto-assigns ipv6 addresses if you ask it, etc., so no firewall or network configuration was needed on the box itself.)
  • I can ping the ipv6 address of the MacBook from the aws ec2 instance, and receive a successful response.

The main question here is whether Apple doesn't allow this (incoming ipv6 udp on a MacBook), or whether Apple allows it but I am unable to figure out how to do it.

I haven't tested it myself, but from the docs it does seem Windows Firewall is a lot easier to configure.

My guess is that this has something to do with the macOS pf firewall. Mac has both an Application firewall and a Packet firewall; I couldn't find docs for either of them.

I've tried recording using tcpdump and then running talker. I'm not able to find any UDP packets on the specified port, so I am assuming the packets are being filtered somewhere in between. (Most likely at the packet firewall of the MacBook.)

I've tried using several different internet connections – both residential (fibre optic) and mobile – to confirm the problem is not with a specific ISP's firewall.

Application Firewall

I've gone to Settings > Firewall and switched on the Firewall. (I also tried with it switched off; that did not work either.)

I am not sure at a low level exactly which firewalls this GUI switches on; there was a previous stackoverflow answer that was also confused about this. (Sorry, I am unable to find the link right now, will add once I do.)

My current settings are below. (I've also tried with other settings such as disabling stealth mode.)

auto allow builtin software, auto allow downloaded signed software, enable stealth mode, whitelist: talker, listener

I am assuming gcc-compiled binaries (gcc -o talker talker.c) are accepted for whitelisting by macOS on this settings page; I've not made a .app file. The GUI did not stop me from selecting it.

Packet firewall

macOS seems to use pf from BSD to manage its firewall.

By default there are 6 lines in /etc/pf.conf

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

Of these only 2 lines are packet filtering rules.

Surprisingly, commenting all 6 of these lines out seems to do basically nothing, at least for outgoing connections. I am still able to browse websites (http ipv4 and ipv6), ssh into cloud machines, etc.

For incoming connections, I'm able to ping the ipv6 address of the MacBook from the aws ec2 instance.

(If there is a good test using nmap for example, please let me know. I want to find out why these 6 lines seem to have no effect.)

If I add something like block all then ipv4 and ipv6 outgoing does get blocked, showing this /etc/pf.conf file is not being ignored completely.

/etc/pf.anchors/com.apple is not accessible, so I do not know what pf rules macOS uses by default.

Commands I am using to load new configs of my own and check whether the rules were actually loaded or not:

sudo pfctl -f /etc/pf.conf
sudo pfctl -E
sudo pfctl -sa

Basically any custom rules I write are being successfully loaded, if I check using sudo pfctl -sa.

Lots of different rules I've tried that all did not work:

pass in inet6 proto udp to port 59999 no state
pass in inet6 proto udp to port 59999 keep state
pass in proto udp to port 4950 keep state
pass in proto udp from any to any port 4950 no state

And so on. I tried with and without keep state, with and without mentioning inet6, with and without mentioning from and to, with and without mentioning specific UDP ports. I am fairly confident my rules are getting loaded correctly.

I've tried this both while keeping the macOS pf rules as well, and without them.

Some posts on the FreeBSD forum suggest also setting up pf rules for other stuff like icmp:
https://forums.freebsd.org/threads/ipv6-not-working-with-pf.66772/

ping is successfully working, so I am not sure any of this is needed. I did try blindly copy-pasting some of the rules without fully understanding them; I couldn't get this to work either.

Please let me know if pf rules for ipv6 also require pf rules for other stuff like icmp, and if yes, whether there is a ready-made minimal pf.conf I can find for this.

Scanning the UDP ports of the MacBook from the aws ec2 instance using nmap shows the ports as open|filtered, which does not help.

I'll try tcp packets instead of udp, the main benefit being that at least nmap will tell clearly if ports are open. I will also try using ipv4.

Please let me know if you would like me to run any specific tests.
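One thing the post does not separate is the socket side of the problem from the firewall side. The following self-test is an added example, not code from the post, from Beej's guide or from Apple; it binds a Beej-style UDP listener on the wildcard address, has a talker send one datagram to the loopback address of the same host, and reports what arrived, for ipv6 and for ipv4 side by side. If it passes on the MacBook but datagrams from the remote talker still never reach the listener, the drop is happening before the socket (pf, the router or the ISP), not in the listener code; if the ipv6 run fails while ipv4 works, the problem is with the local ipv6 configuration or bind address instead. It assumes the listener binds the wildcard address (as Beej's listener does) and uses port 4950 from the post's pf rules only as a default; the self-test itself takes an ephemeral port so it never collides with a real listener.

```python
"""Loopback self-test for a UDP listener/talker pair over ipv6 and ipv4.

Added diagnostic for the post above (not the post's, Beej's or Apple's code).
Assumptions: a Beej-style listener bound to the wildcard address; port 4950
is only the default taken from the post's pf rules.
"""
import socket
from typing import Optional, Tuple

PORT = 4950  # port from the post's pf rules; loopback_roundtrip() defaults to an ephemeral port

IPV4 = socket.AF_INET
IPV6 = socket.AF_INET6
WILDCARD = {IPV4: "0.0.0.0", IPV6: "::"}
LOOPBACK = {IPV4: "127.0.0.1", IPV6: "::1"}


def make_listener(family: int, addr: str, port: int, timeout: float = 2.0) -> socket.socket:
    """Bind a UDP socket the way a Beej-style listener does (SOCK_DGRAM on addr:port)."""
    s = socket.socket(family, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if family == IPV6:
        # Refuse ipv4-mapped addresses so the ipv6 run really exercises the v6 path.
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    s.settimeout(timeout)  # a missing datagram shows up as None, not as a hang
    s.bind((addr, port))
    return s


def talk(family: int, dest: str, port: int, payload: bytes) -> int:
    """Send one datagram to dest:port (the talker side); returns the number of bytes sent."""
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (dest, port))


def listen_once(sock: socket.socket) -> Optional[Tuple[bytes, str]]:
    """Wait for one datagram; return (payload, sender address) or None on timeout."""
    try:
        data, sender = sock.recvfrom(1024)
    except socket.timeout:
        return None
    return data, sender[0]


def can_bind(family: int, addr: str) -> bool:
    """True if a UDP socket can bind addr on an ephemeral port, i.e. the address is configured."""
    try:
        with make_listener(family, addr, 0):
            return True
    except OSError:
        return False


def loopback_roundtrip(family: int, port: int = 0) -> Optional[Tuple[bytes, str]]:
    """Listener on the wildcard address, talker sends to loopback; report what arrived.

    port=0 lets the kernel pick a free port; pass PORT to use the post's port instead.
    """
    with make_listener(family, WILDCARD[family], port) as listener:
        bound_port = listener.getsockname()[1]
        talk(family, LOOPBACK[family], bound_port, b"hello from talker")
        return listen_once(listener)


if __name__ == "__main__":
    for name, family in (("ipv4", IPV4), ("ipv6", IPV6)):
        if not can_bind(family, LOOPBACK[family]):
            print(f"{name}: loopback address not configured on this host, skipping")
            continue
        print(f"{name}: loopback round trip ->", loopback_roundtrip(family))
```

Run it on the MacBook with the real listener stopped. A result of None for the ipv6 run while ipv4 succeeds points at the local ipv6 setup or the bind address; a pass on both, combined with nothing showing up in tcpdump when the remote talker sends, means the packets are being dropped before they reach the host's socket, which is the firewall or upstream path the post is asking about.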
