Firewall: unable to change some app settings

[moiraine_sedai]

Since the release candidate came out, I upgraded to Sequoia yesterday (15.0 (24A335)). One issue I found is that in the Firewall > options..., some apps are stuck and I'm unable to change their settings to allow/block, or delete the entries. the command line `/usr/libexec/ApplicationFirewall/socketfilterfw` also does not work on these apps, see the screen shot, apps like zoom, and Things do not have the ↕️ next to allow/block, and for them the delete - and right click also does not work.

The release notes said that the firewall has some deprecation changes and the settings are no longer in the alf plist, where are they now so I can reset the settings? Thanks!

 

[proalorrs]

Same here ... updated yesterday and Zoom did not work anymore. Found out that build in firewall rules are not editable so only workaround solution was to turn off mac firewall

 

[Baggy Spandex]

Same issue here

 

[Doug_in_the_UK]

Same problem here after upgrading to Sequoia. The only solution (for me) was to turn off the Mac firewall.

 

[manofthematch]

This is a serious bug. I hope there will be a quick fix soon.

 

[Kompost]

Unfortunately, I also have this problem.

In addition, there is another problem with the MacOS firewall: When MacOS automatically adds an app with the permission “Allow incoming connections” confirmed by the user (me), all incoming connections for this app are still blocked. With “block incoming connections” of course also. Also, a change is not registered with the automatically generated entries.
If the entry is created manually via the “plus”, an entry works as desired.

 

[proalorrs]

if i add an entry oder delete one manually, the next time i go into firewall settings -> all manually added entries are gone

 

[manofthematch]

If the entry is created manually via the “plus”, an entry works as desired.

... until you close/reopen settings. Then it is gone again.

My rules list additionally features apps which I uninstalled long ago and I cannot delete these entries.

Come on, Apple. Who has forgotten to test this?

 

[Kompost]

Ups, your are right. Ok, then the only workaround to deactivate the firewall until 15.0.1 hopefully.

 

[PotentPeas]

Similar issue here.
Just upgraded to Sequoia (maybe against my better judgement). Firefox won't work unless I disable the firewall globally! Isn't this only supposed to be blocking *inbound* connections?
Other browsers & apps seem to work fine.
I can see Firefox in the list (firewall settings) and it is set to "Block incoming connections" ... Can't change it (similar to the issue described above), can't remove it from the list with the "minus" button either.

Guess I'm running with the firewall off until the next update comes out.

[Edit]
Found this terminal snip on Reddit which allowed me to get Firefox working with the firewall still turned on.
/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Firefox.app

This also set Firefox to "allow incoming connections" in the firewall section of system settings. (Still can't change it from there.)

 

[Ready-for-Apple]

First 4 entries couldn't been changed anymore
sshd-keygen-wrapper is macOS own process if sharing is activated - BUT there's NO sharing activated!?!

Any ideas ?

 

[manofthematch]

sshd-keygen-wrapper is macOS own process if sharing is activated - BUT there's NO sharing activated!?!

That this daemon is listed here does not mean that it is running.

I have the same entry in the firewall rules but there is no process sshd-keygen-wrapper.

 

[PotentPeas]

I see this popping up in the "news" now.

Security Bite: macOS Sequoia's firewall is disrupting security tools [Update: Fixed] - 9to5Mac

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe...

9to5mac.com

Apple's new macOS Sequoia update is breaking some cybersecurity tools | TechCrunch

On Monday, Apple released its latest computer operating system update called macOS 15, or Sequoia. And, somehow, the software update has broken the

techcrunch.com

Blog post with solution for web browsing -- exact same terminal line that I posted above.

macOS firewall blocking web browsing after upgrading to Sequoia

(Image: UPDATE 2024-10-29: I have no longer been experiencing the connectivity issues described in this post since updating to Sequoia 10.1, maybe even 10.0.1. If you are experiencing issues with I…

waclaw.blog

 

[interstella]

I run some apps for amateur radio that need to talk to each other and found that the firewall appears to block the required UDP ports despite the apps all having incoming connections allowed. The only way round this was to disable the firewall.

 

[alexanderlindo]

I got "sshd-keygen-wrapper" entry removed using the terminal command "sudo /usr/libexec/ApplicationFirewall/socketfilterfw --remove /usr/libexec/sshd-keygen-wrapper" however entries that are present or were presnt in the Applications folder don't seem to go away using "sudo /usr/libexec/ApplicationFirewall/socketfilterfw --remove <path-to-app>" command.

 

[dmi_pi]

The 15.1 update does not fix this issue.

 

[alexanderlindo]

The only way to clear unmodifiable entries in macOS Sequoia's firewall is to "Reset" your computer via System Settings > General > Transfer or Reset. This will clean the OS of all added files, apps and settings, restoring macOS to an out-of-box state. Create a Time Machine backup, reset macOS and then manually add back your apps, files and content from the Time Machine backup. After doing this, the firewall becomes functional and you will also discover that macOS Sequoia runs faster than Sonoma and Ventura.

 

[Doug_in_the_UK]

I now use Norton's firewall.

 

[PotentPeas]

The only way to clear unmodifiable entries in macOS Sequoia's firewall is to "Reset" your computer via System Settings > General > Transfer or Reset.

This will work, but there's got to be a way to just reset the firewall configuration to default without having to do a whole system reset.

 

[ai-pdn]

I asked ChatGPT and was told to boot into recovery mode, disable system integrity protection, reboot, remove firewall config file, re-enable SIP, reboot.

Is anyone brave enough to try this?

 

[bogdanw]

I asked ChatGPT and was told to boot into recovery mode, disable system integrity protection, reboot, remove firewall config file, re-enable SIP, reboot.

As always, that garbage generator is wrong.
You don’t have to disable SIP. From Recovery, you can simply delete the preference files:

cd /Volumes/Macintosh\ HD/Library/Preferences/

rm com.apple.networkextension.*

 

[ryanslikesocool]

I had been experiencing this issue since macOS 15.0 (24A335) but was able to fix it on a Mac mini (M1, 2020) running macOS 15.1.1 (24B91) with information from the previous two posts in this thread.

I initially tried booting into recovery mode and using @bogdanw's approach. /Volumes/Macintosh HD/Library/ existed, but /Volumes/Macintosh HD/Library/Preferences/ didn't (weird...), so I couldn't continue further. I checked a bunch of other preferences folders (there sure are a lot) just in case, but failed to find the right plist files.
So instead, I disabled SIP and booted back into normal macOS. In Finder, I was able to access the preferences directory from earlier and created a backup of the plist files starting with com.apple.networkextension (as described in the previous post) before deleting them.
After that, I booted back into recovery mode and re-enabled SIP. Booting back into normal macOS I was able to see that the firewall settings were cleared out, and all the items that macOS added by default could be modified and removed.
I really hate to admit it, but the applied statistics machine may have regurgitated the right chunk of text. I would've preferred to keep SIP enabled throughout this, but nothing else I've tried over the past couple months seemed to work.

The files I ended up deleting were:

/Volumes/Macintosh HD/Library/Preferences/
    com.apple.networkextension.cache.plist
    com.apple.networkextension.control.plist
    com.apple.networkextension.necp.plist
    com.apple.networkextension.plist
    com.apple.networkextension.uuidcache.plist

Based on the file contents, I'm pretty sure the primary culprits were com.apple.networkextension.plist and com.apple.networkextension.uuidcache.plist.

TL;DR​

1. Backed up the files listed above. Stored them locally and on an external drive just in case.
2. Booted into recovery mode.
3. Disabled SIP.
4. Booted into normal macOS.
5. Deleted the files listed above via Finder.
6. Booted into recovery mode.
7. Enabled SIP.
8. Booted into normal macOS.
9. Stuff works again 🎉

Before	After

 

[PotentPeas]

Booting back into normal macOS I was able to see that the firewall settings were cleared out, and all the items that macOS added by default could be modified and removed.

Thanks for the detailed write-up. I'm going to be trying this soon, as soon as I can be bothered to close out my stuff and reboot. (Actually might be a few days.)

In addition to the firewall rules not able to be modified, I've been encountering an issue where macOS will from time to time ask if random programs that I am running can listen for incoming connections. That's normally fine when I am expecting a program to be legitimately trying to open a listening port and it needs to be whitelisted in the firewall... but it'll be stuff like Microsoft Word or Garage Band or GoToMeeting which have no business "listening" and I don't think that they are really trying to open a listening TCP port. Sometimes I get these requests in batches of 3 or 4 different seemingly unrelated programs at once. I never ran into these prompts (randomly/unexpectedly) before Sequoia.

I wonder if this firewall reset will clean up that behavior, too...?
In any case, very unlikely to ever upgrade to a new version of macOS this early again!

 

[ai-pdn]

I had been experiencing this issue since macOS 15.0 (24A335) but was able to fix it on a Mac mini (M1, 2020) running macOS 15.1.1 (24B91) with information from the previous two posts in this thread.

I initially tried booting into recovery mode and using @bogdanw's approach. /Volumes/Macintosh HD/Library/ existed, but /Volumes/Macintosh HD/Library/Preferences/ didn't (weird...), so I couldn't continue further. I checked a bunch of other preferences folders (there sure are a lot) just in case, but failed to find the right plist files.
So instead, I disabled SIP and booted back into normal macOS. In Finder, I was able to access the preferences directory from earlier and created a backup of the plist files starting with com.apple.networkextension (as described in the previous post) before deleting them.
After that, I booted back into recovery mode and re-enabled SIP. Booting back into normal macOS I was able to see that the firewall settings were cleared out, and all the items that macOS added by default could be modified and removed.
I really hate to admit it, but the applied statistics machine may have regurgitated the right chunk of text. I would've preferred to keep SIP enabled throughout this, but nothing else I've tried over the past couple months seemed to work.

The files I ended up deleting were:

/Volumes/Macintosh HD/Library/Preferences/
    com.apple.networkextension.cache.plist
    com.apple.networkextension.control.plist
    com.apple.networkextension.necp.plist
    com.apple.networkextension.plist
    com.apple.networkextension.uuidcache.plist

Based on the file contents, I'm pretty sure the primary culprits were com.apple.networkextension.plist and com.apple.networkextension.uuidcache.plist.

TL;DR​

1. Backed up the files listed above. Stored them locally and on an external drive just in case.
2. Booted into recovery mode.
3. Disabled SIP.
4. Booted into normal macOS.
5. Deleted the files listed above via Finder.
6. Booted into recovery mode.
7. Enabled SIP.
8. Booted into normal macOS.
9. Stuff works again 🎉

Before	After
View attachment 2456833	View attachment 2456834

Thanks for confirmation. I did the same steps, and now the firewall settings can be changed/deleted. Be sure to back up any VPN connections as this will remove them.

 

[hiapou]

I initially tried booting into recovery mode and using @bogdanw's approach. /Volumes/Macintosh HD/Library/ existed, but /Volumes/Macintosh HD/Library/Preferences/ didn't (weird...), so I couldn't continue further. I checked a bunch of other preferences folders (there sure are a lot) just in case, but failed to find the right plist files.

You need to mount the Macintosh HD - Data volume, which is separate from the base system volume

Open Disk Utility from the main Recovery menu
In the sidebar find the greyed-out volume named Macintosh HD - Data
Click on that volume and then click Mount in the tool bar
You will be prompted for a password if FileVault is active

Once mounted the Data volume will be available until you reboot and you can navigate in the Terminal to /Volumes/Macintosh HD - Data/Library/Preferences to find the files you expect (during a normal boot the Data volume is overlayed on top of the base volume)