SimpleFirewall example is not working

I downloaded the https://developer.apple.com/documentation/networkextension/filtering_network_traffic example.

The build is OK and I saw the extension loaded. NEProvider.startSystemExtensionMode() was called.

But FilterDataProvider's init was not called.

I also tried disabling SIP; it does not work.

I saw a warning like:

/Applications/SimpleFirewall.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SimpleFirewallML4HRHFY98.SimpleFirewallExtension.systemextension: entitlement com.apple.developer.endpoint-security.client not present or not true

I got it running with some simple modifications (and I turned it into a network logger instead of blocking some connections). It might serve as a starting point for a richer firewall capability.

(1) In the project's "Info" tab, I changed the macOS Deployment Target to 11.0 (because of something I wanted in os_log())

(2) For both targets, in "Signing & Capabilities" tabs, I changed the Team to my organization.

(3) At some point Xcode gives a lot of warnings about changes that should be made to bring it up to date with the latest Swift; I let it do that.

(4) I simplified FilterDataProvider.swift to make it a simple logger (it doesn't actually block any connections):

    import Foundation
    import NetworkExtension
    import os

    /// Simplified data provider: logs every new socket flow and lets it through.
    /// It never returns a drop verdict, so it is a logger, not a firewall.
    class FilterDataProvider: NEFilterDataProvider {

        override func startFilter(completionHandler: @escaping (Error?) -> Void) {
            // Start immediately; this simplified version does not apply any NEFilterSettings.
            completionHandler(nil)
        }

        override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
            var localName = ""
            var remoteName = ""
            var remotePort = ""

            // Only socket flows carry endpoint information; anything else is allowed untouched.
            guard let socketFlow = flow as? NEFilterSocketFlow else {
                return .allow()
            }

            if let remoteEndpoint = socketFlow.remoteEndpoint,
               let localEndpoint = socketFlow.localEndpoint {
                // Endpoints are NWEndpoint; only NWHostEndpoint exposes hostname and port as strings.
                if let hostEndpoint = localEndpoint as? NWHostEndpoint {
                    localName = hostEndpoint.hostname
                }
                if let hostEndpoint = remoteEndpoint as? NWHostEndpoint {
                    remoteName = hostEndpoint.hostname
                    remotePort = hostEndpoint.port
                }
            }

            // Interpolated os_log with privacy annotations needs macOS 11 (hence the deployment target change).
            // The .public annotation keeps the fields readable in Console; by default they would show as <private>.
            os_log("firewall log \(localName, privacy: .public) -> \(remoteName, privacy: .public) : \(remotePort, privacy: .public)")

            return .allow()
        }
    }

(5) I built it and then dragged the application into the Applications folder and ran it from there.

(6) Then I used the Console app to look for the connection logs. I did this by setting a filter to "firewall" (1), then set the filter type to "process" (2), hit the play button (3), and then looked for the log statements (4).

I still have the issue. It looks like FilterDataProvider's init was never called.

I attached the logs for the extension and the firewall app.

I also saw the following:

/Applications/SimpleFirewall.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SimpleFirewallML4HRHFY98.SimpleFirewallExtension.systemextension: entitlement com.apple.developer.endpoint-security.client not present or not true

debug 09:11:21.169301-0800 SimpleFirewall failed to fetch /Applications/SimpleFirewall.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.SimpleFirewallML4HRHFY98.SimpleFirewallExtension.systemextension/Contents/_CodeSignature/CodeRequirements-1 error=-10
debug 09:11:21.169342-0800 SimpleFirewall SecStaticCode network default: YES
debug 09:11:21.169404-0800 SimpleFirewall close(16) err: 0
default 09:11:21.169770-0800 SimpleFirewall Saving configuration SimpleFirewall with existing signature (null)

When I debug the code, both of the following are called:

NEProvider.startSystemExtensionMode()
IPCConnection.shared.startListener()

"Starting XPC listener" was called.

"App registered" was called.

The strange thing is that FilterDataProvider's init was not called.

Interesting. I'll see if I can get similar errors, but I'm short for time today.

Some of the many mistakes I make include:

(1) Forgetting to run the application in the /Applications folder

(2) Leaving behind an old System Extension from a previous run. From the Terminal, run:

systemextensionsctl list

to see what is there and enabled. I think I've had problems when the build number for the network system extension that is installed is older than the current build number for the new network system extension.

Sometimes, when I get a lot of old ones, I reboot my Mac to clean out the terminated system extensions.

(3) Making sure the "System Extension" capability is added to the main app's Signing & Capabilities section (it should be there for the SimpleFirewall app already).

(4) Run it only on the machine you compile it on, or go through a dance of getting and installing provisioning profiles (including specifying the machines that you want to test on). (This may be only needed for the endpoint system extensions; not certain).

(5) I think I once ran into a situation where the devices I added to the provisioning profile had expired, but I don't see expiration dates on the devices now at the portal.

Regarding disabling SIP, I think (but not certain again) that may only be needed with the endpoint system extension until your organization gets the endpoint capability granted from Apple.

I am confused about the warning about "com.apple.developer.endpoint-security.client" you received. I don't think that is needed for network system extension for the firewall.
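The "leftover extension" check from item (2) above, as an added example that is not part of the thread or of Apple's SimpleFirewall sample: it parses the tab-separated rows of `systemextensionsctl list` and flags copies of the extension that are terminated and waiting for a reboot, signed by a different team than the one set in Xcode, still waiting for user approval, or active with a build number that does not match the build about to run. The row layout (enabled, active, teamID, "bundleID (version)", name, [state]) is assumed from the macOS 11 output; the listing below is constructed, and the expected team ID and build number are hypothetical inputs.

```python
"""Flag stale or mismatched copies of a network system extension in
`systemextensionsctl list` output. Added example, not SimpleFirewall code."""
import re
import sys
from typing import List, NamedTuple

# Constructed sample of `systemextensionsctl list` output (not captured from the
# poster's machine): a terminated build 1 left behind next to an active build 2.
SAMPLE_LISTING = (
    "2 extension(s)\n"
    "--- com.apple.system_extension.network_extension\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "\t\tML4HRHFY98\tcom.example.apple-samplecode.SimpleFirewallML4HRHFY98.SimpleFirewallExtension (1.0/1)"
    "\tSimpleFirewallExtension\t[terminated waiting to uninstall on reboot]\n"
    "*\t*\tML4HRHFY98\tcom.example.apple-samplecode.SimpleFirewallML4HRHFY98.SimpleFirewallExtension (1.0/2)"
    "\tSimpleFirewallExtension\t[activated enabled]\n"
)

BUNDLE_ID = "com.example.apple-samplecode.SimpleFirewallML4HRHFY98.SimpleFirewallExtension"


class SysExt(NamedTuple):
    enabled: bool
    active: bool
    team_id: str
    bundle_id: str
    short_version: str
    build: str
    state: str


# The 'bundleID (version)' column looks like: com.example.foo (1.0/3)
_VERSION_RE = re.compile(r"^(?P<bundle>\S+) \((?P<short>[^/)]+)/(?P<build>[^)]+)\)$")


def parse_listing(text: str) -> List[SysExt]:
    """Parse the data rows; the count line, section headers and column header are skipped."""
    exts = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 6 or cols[2] == "teamID":
            continue
        m = _VERSION_RE.match(cols[3].strip())
        if not m:
            continue
        exts.append(SysExt(
            enabled=cols[0].strip() == "*",
            active=cols[1].strip() == "*",
            team_id=cols[2].strip(),
            bundle_id=m["bundle"],
            short_version=m["short"],
            build=m["build"],
            state=cols[5].strip().strip("[]"),
        ))
    return exts


def find_problems(exts: List[SysExt], bundle_id: str, expected_team: str, expected_build: str) -> List[str]:
    """Return one message per copy of bundle_id that could stop the new build from starting."""
    mine = [e for e in exts if e.bundle_id == bundle_id]
    if not mine:
        return [f"{bundle_id} is not installed; was the app launched from /Applications?"]
    problems = []
    for e in mine:
        if "terminated" in e.state or "uninstall" in e.state:
            problems.append(f"build {e.build} is '{e.state}': reboot to clear it")
        elif e.team_id != expected_team:
            problems.append(f"build {e.build} was signed by team {e.team_id}, not {expected_team}")
        elif "waiting for user" in e.state:
            problems.append(f"build {e.build} is '{e.state}': approve it in Security & Privacy")
        elif e.active and e.build != expected_build:
            problems.append(f"active copy is build {e.build}, but the build being run is {expected_build}")
    return problems


def check_sample() -> List[str]:
    # Hypothetical inputs: the team set in Xcode and the CFBundleVersion of the fresh build.
    return find_problems(parse_listing(SAMPLE_LISTING), BUNDLE_ID, "ML4HRHFY98", "3")


if __name__ == "__main__":
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for msg in find_problems(parse_listing(listing), BUNDLE_ID, "ML4HRHFY98", "3") or ["no problems found"]:
        print(msg)
```

On a real machine pipe the live listing in (`systemextensionsctl list | python3 check_sysext.py`) and set the team ID and build to what Xcode signed; with no stdin the script runs against the constructed sample and reports the terminated build 1 and the build mismatch on the active build 2.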

I tried the above; it is not working.

My co-worker experiences the same problem.

This weekend I'll try building SimpleFirewall again using another one of my accounts that does not have endpoint capabilities. Maybe I'll be able to duplicate the issue then.
