Block all the network traffic except our application

Hey team,

We have a use case where we need to block all macOS network traffic except our app's network traffic.

But I can't find any APIs from Apple with that capability.

I see that using NEFilterSettings we can allow the required endpoints and block all the other endpoints we get from handleNewFlow(_:). But this API has control at the endpoint level, not the app level.

Could you suggest whether there are any other APIs for this use case? Thanks

Replies

I would be very surprised if you could do this. An app would have the power to block a critical system resource? So I think there is no "legitimate" API to do so.

You can give higher priority to your app: https://support.apple.com/en-sg/guide/mac-help/mchlp2711/mac

But this has to be done by the user, not the app itself.

    import NetworkExtension
    import os.log

    class FilterDataProvider: NEFilterDataProvider {

        // Hosts whose traffic should be allowed (placeholder: populated from the app's configuration)
        let allowedHosts: [String] = []

        override func startFilter(completionHandler: @escaping (Error?) -> Void) {
            // One /32 allow rule per allowed host
            let rules = allowedHosts.map { hostname in
                let rule = NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: hostname, port: "0"), prefix: 32, protocol: .any)
                return NEFilterRule(networkRule: rule, action: .allow)
            }

            // Explicit drop rules for these two addresses
            let rules1 = ["0.0.0.0", "127.0.0.1"].map { hostname in
                let rule = NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: hostname, port: "0"), prefix: 32, protocol: .any)
                return NEFilterRule(networkRule: rule, action: .drop)
            }

            // Flows not matched by any rule are handed to handleNewFlow(_:) for a verdict
            let filterSettings = NEFilterSettings(rules: rules + rules1, defaultAction: .filterData)

            apply(filterSettings) { error in
                if let applyError = error {
                    os_log(.default, log: OSLog(subsystem: "com.nesedemo.extension", category: "content-filter"), "Failed to apply filter settings: %{public}@", applyError.localizedDescription)
                }
                completionHandler(error)
            }
        }
    }

For the endpoint level, I've tried this rule just to block all connections except the hosts I allow, and it works. Please share your insights on this.

But I can't find an API to control network traffic at the app level.

I’d use a transparent proxy for this. When you get a flow you can look at its metadata to see if it’s an app you want to allow. If so, return false from the ‘handle new flow’ method and the system will run that flow normally. OTOH, for an app you want to block, return true and then refuse to forward any traffic (you probably want to just close the flow).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
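The allow/block logic described above, written out as an added example (not code from this thread or from Apple): a transparent proxy provider whose handleNewFlow(_:) checks the flow's source app signing identifier, returns false for the allowed app so the system carries the flow normally, and owns and closes every other flow. The signing identifier, the log subsystem string and the open-then-close handling of blocked flows are assumptions.

```swift
import NetworkExtension
import os.log

// Added example, not from the thread: a transparent proxy provider that lets
// flows from one allow-listed app through and closes every other flow.
// The signing identifier below is a placeholder assumption.
class AllowListTransparentProxy: NETransparentProxyProvider {

    // Signing identifiers of the apps whose traffic is allowed (placeholder value)
    let allowedSigningIdentifiers: Set<String> = ["com.example.myapp"]

    private let log = OSLog(subsystem: "com.example.proxy", category: "transparent-proxy")

    override func startProxy(options: [String : Any]?, completionHandler: @escaping (Error?) -> Void) {
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        // Claim every TCP and UDP flow so handleNewFlow(_:) sees all of them
        let anyHost = NWHostEndpoint(hostname: "0.0.0.0", port: "0")
        let tcpRule = NENetworkRule(destinationNetwork: anyHost, prefix: 0, protocol: .TCP)
        let udpRule = NENetworkRule(destinationNetwork: anyHost, prefix: 0, protocol: .UDP)
        settings.includedNetworkRules = [tcpRule, udpRule]
        setTunnelNetworkSettings(settings) { error in
            completionHandler(error)
        }
    }

    override func stopProxy(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // Returning false hands the flow back to the system, which carries it normally.
    // Returning true means this provider owns the flow; closing it without
    // forwarding any traffic is what blocks the app.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        let signingID = flow.metaData.sourceAppSigningIdentifier
        if allowedSigningIdentifiers.contains(signingID) {
            os_log(.info, log: log, "Allowing flow from %{public}@", signingID)
            return false
        }
        os_log(.info, log: log, "Blocking flow from %{public}@", signingID)
        // Assumption: open the owned flow and close both directions right away,
        // so the app sees a failed connection rather than a hang
        flow.open(withLocalEndpoint: nil) { _ in
            flow.closeReadWithError(nil)
            flow.closeWriteWithError(nil)
        }
        return true
    }
}
```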

  • I checked NEAppProxyProviderManager, but it will be used only with NETunnelProviderManager with per app VPN mode.

    Whereas NETunnelProviderManager requires protocolConfiguration to configure a VPN server. It looks like we need to set up a VPN server first to begin testing.


Hey @eskimo, thanks for sharing it.

I checked NEAppProxyProviderManager, but it can only be used with NETunnelProviderManager in per-app VPN mode. I can configure per-app VPN using

  1. appRules - not ideal, I can't find a matching rule that excludes only our app.
  2. excludedDomains - I'll leave it as empty, since we'll be allowing flow by filtering app metadata from handleNewFlow(_:)
  3. associatedDomains - not sure if I can give wildcard rules like "0.0.0.0", "127.0.0.1" to match all domains. Could you confirm this?

Also, it has a limitation where it isn't applicable to Apple system apps (except Safari).