Issues with Profile Manager and Loopback lo0

yellow
Posts: 2
Joined: Mon May 25, 2015 10:02 am

Issues with Profile Manager and Loopback lo0

Post by yellow » Mon May 25, 2015 10:25 am

The manual states Murus bypasses the lo0 interface but I keep having issues with OSX profile manager.

Icefloor has the exact same problem, see:
https://discussions.apple.com/thread/5902276
Problem seems to be a loopback issue in icefloor:
open icefloor.conf
sudo nano /Library/Icefloor/icefloor.conf
delete or uncomment the following line:
set skip on lo0
jump to the end of icefloor.conf
add the following line:
pass quick on lo0
I can only apply these settings to Murus by editing /etc/murus/murus.conf and manually loading it into the firewall:
sudo pfctl -f /etc/murus/murus.conf

At this point the profile manager works fine until I load the Murus app, as this overrides the firewall settings with the default ones of Murus.
I have been playing around with all the settings but nothing seems to work.

The PF log shows the profile manager is internally attempting to access one of the dynamic ports 49152:65535. I have granted the server full access and it should be able to connect. But some rule is blocking access. My guess is profile manager is violating one of the built-in rules even though Murus isn't looking at the lo0 interface.

Server IP: 10.0.1.120

Log results. Full access (only rules loaded: inbound and outbound ALL SERVICES access to everyone):
pf[423]: 00:00:01.082282 rule 12/0(match): block in on en0: 10.0.1.120.443 > 10.0.1.120.61483: Flags [S.], seq 1938483494, ack 2633578238, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 299669284 ecr 299668255,sackOK,eol], length 0
pf[423]: 00:00:03.948984 rule 12/0(match): block in on en0: 10.0.1.120.443 > 10.0.1.120.60277: Flags [S.], seq 1228243291, ack 2499584872, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 299231479 ecr 299203767,sackOK,eol], length 0

With selected services in the inbound it changes the match rule:
pf[423]: 00:00:01.609234 rule 35.murus.inbound.1/0(match): block in on en0: 10.0.1.120.443 > 10.0.1.120.53838: Flags [S.], seq 2662751482, ack 796503718, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 308105392 ecr 308103604,sackOK,eol], length 0
pf[423]: 00:00:00.000039 rule 35.murus.inbound.1/0(match): block in on en0: 10.0.1.120.443 > 10.0.1.120.53837: Flags [S.], seq 2872814346, ack 3290306914, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 308105392 ecr 308103604,sackOK,eol], length 0

I also had this problem with the SABNZBD server, but I managed to change the listening address to any address (10.0.1.120 > 0.0.0.0), which sorted the issue out for this program. If I select the local IP it generates the same log entries.

Anyone with similar problems or solutions?
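
The pflog lines quoted above are easier to read once parsed. The following is an added example, not code from the post or from Murus: it picks out blocked packets where the server is talking to itself (source and destination both the host's own IP) yet pf saw them on a non-loopback interface, which is exactly the pattern in the log above. The host IP 10.0.1.120 is taken from the post; the third sample line from 10.0.1.55 is constructed for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: two pflog lines quoted in the post above, plus one
# ordinary blocked SYN from another host (10.0.1.55, invented) for contrast.
SAMPLE_LOG = """\
pf[423]: 00:00:01.082282 rule 12/0(match): block in on en0: 10.0.1.120.443 > 10.0.1.120.61483: Flags [S.], seq 1938483494, ack 2633578238, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 299669284 ecr 299668255,sackOK,eol], length 0
pf[423]: 00:00:01.609234 rule 35.murus.inbound.1/0(match): block in on en0: 10.0.1.120.443 > 10.0.1.120.53838: Flags [S.], seq 2662751482, ack 796503718, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 308105392 ecr 308103604,sackOK,eol], length 0
pf[423]: 00:00:02.000000 rule 12/0(match): block in on en0: 10.0.1.55.50000 > 10.0.1.120.22: Flags [S], seq 1, win 65535, length 0
"""

# Rule id, action, direction, interface, IPv4 endpoints with ports, TCP flags.
LINE_RE = re.compile(
    r"rule (?P<rule>[^(]+)\((?P<reason>\w+)\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

EPHEMERAL = range(49152, 65536)  # dynamic port range named in the post

@dataclass
class Entry:
    rule: str
    action: str
    dir: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    return Entry(m["rule"].strip(), m["action"], m["dir"], m["iface"], m["src"],
                 int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def self_traffic_blocks(log_text, host_ip):
    # Blocked packets where the host talks to itself but pf saw them on a
    # non-loopback interface, so a 'set skip on lo0' never applied to them.
    return [e for e in map(parse_line, log_text.splitlines())
            if e and e.action == "block" and e.src == host_ip == e.dst and e.iface != "lo0"]

def describe(e):
    role = {"S.": "service SYN/ACK reply", "S": "client SYN"}.get(e.flags, "flags " + e.flags)
    port_kind = "ephemeral" if e.dport in EPHEMERAL else "fixed"
    return (f"rule {e.rule}: {role} {e.src}:{e.sport} -> {e.dst}:{e.dport} "
            f"({port_kind} port) blocked {e.dir} on {e.iface}")
```

Running `describe` over `self_traffic_blocks(SAMPLE_LOG, "10.0.1.120")` shows that what is being dropped is the service's own SYN/ACK from port 443 back to an ephemeral client port, arriving "in on en0" rather than on lo0.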

hany
Posts: 466
Joined: Wed Dec 10, 2014 5:20 pm

Re: Issues with Profile Manager and Loopback lo0

Post by hany » Wed May 27, 2015 8:36 pm

Murus 1.2 will let you choose whether to 'skip on lo0' or 'pass quick on lo0' so you don't have to manually edit the PF configuration. You'll find the option in Murus Preferences -> Advanced.

yellow
Posts: 2
Joined: Mon May 25, 2015 10:02 am

Re: Issues with Profile Manager and Loopback lo0

Post by yellow » Wed May 27, 2015 9:01 pm

Thank you, that sounds like it would solve my problem. When will the final release come out?

I just had a look at the 1.2 beta but haven't found the option for 'skip on lo0' or 'pass quick on lo0'.

hany
Posts: 466
Joined: Wed Dec 10, 2014 5:20 pm

Re: Issues with Profile Manager and Loopback lo0

Post by hany » Thu May 28, 2015 10:02 am

You won't find this option in the current Murus 1.2 beta 2, sorry! I've added the option to Murus 1.2 beta 3 (still unreleased), and I've added it just because I read your post (Thank you so much!). We don't know if we are going to release the final 1.2 OR this beta 3. Anyway this will happen very soon: today or tomorrow you will be able to use this option :) So please stay tuned.... after 9 years and 5 firewall front ends, this ugly bug is probably going to be fixed!!! :D
