Hi there,
I am using TransparentProxyProvider at the moment, and would like to hide all the configurations from the network service, like what it looks like with SimpleFirewall.
Took a look at the source code of SimpleFirewall, but didn't quite get the idea of how to make all the configuration items hidden.
Thanks in advance for any suggestion.
Regards
Richard
Hi there,
We are using appproxy from a system extension at the moment. It works fine. But it is realised that the system extension only prompts with csrutil disabled.
With csrutil enabled, there is no prompt to add it, thus it cannot be used at all.
As far as I understand, SIP is enabled by default. We cannot ask the customers to disable it one by one in order to have the system extension work?
Thanks in advance for any suggestion.
Regards
Richard
Hi there,
During testing, when using appproxy from a system extension (TransparentProxyProvider) to capture 80/443 TCP traffic, it is found that while visiting some websites, hundreds of TCP flows are generated, causing the appproxy to get stuck for some period (if we have some tasks for each flow). The websites can be some speedtest sites, such as https://www.speedtest.net, or some complex forums, for example https://www.wenxuecity.com
Do you have any suggestion on how to reduce the number of flows?
Thanks in advance.
Regards
Richard
Hi there,
Would like to check with you on any possibility of removing such a prompt when deleting an application with a system extension from the /Applications folder with Finder.
Thanks in advance for any suggestion.
Regards
Richard
Hi there,
I am using AppProxyProvider and it can capture packets as I defined. But when I try to exclude traffic with excludedNetworkRules, it seems it does not work.
Below is my code for setting things up.
I capture all 443 port traffic with includedNetworkRules and exclude facebook.com with excludedNetworkRules.
But facebook.com:443 traffic is still captured.
private func includeRules() -> [NENetworkRule] {
    // Web mode
    let hosts = [("0.0.0.0", "443")]
    var rules: [NENetworkRule] = []
    for host in hosts {
        let ep = NWHostEndpoint(hostname: host.0, port: host.1)
        let rule = NENetworkRule(remoteNetwork: ep, remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .any, direction: .outbound)
        rules.append(rule)
    }
    return rules
}
private func excludeRules() -> [NENetworkRule] {
    let hosts = [("facebook.com", "443")]
    var rules: [NENetworkRule] = []
    for host in hosts {
        let ep = NWHostEndpoint(hostname: host.0, port: host.1)
        let rule = NENetworkRule(remoteNetwork: ep, remotePrefix: 0, localNetwork: nil, localPrefix: 0, protocol: .any, direction: .outbound)
        rules.append(rule)
    }
    return rules
}
...
settings.includedNetworkRules = includeRules()
settings.excludedNetworkRules = excludeRules()
If I replace the line below in excludeRules(), replacing the facebook.com domain name with its IP address, then all 443 port traffic is not captured at all.
let hosts = [("157.240.8.35", "443")]
Am I doing anything wrong?
Thanks in advance for any suggestion.
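An added example, not part of the post above, showing the rule shapes for "capture all TCP 443 except one host". It assumes the NetworkExtension initializers NENetworkRule(remoteNetwork:remotePrefix:localNetwork:localPrefix:protocol:direction:) and NENetworkRule(destinationHost:protocol:) as documented. The point it demonstrates is that remotePrefix is a prefix length in bits: an address with remotePrefix 0 matches every address, which is why an exclusion of 157.240.8.35 with prefix 0 stops all port 443 capture, while a hostname is matched with the destinationHost initializer rather than an address prefix.

```swift
import NetworkExtension

// Added example (not the poster's code). Builds include/exclude rule sets for
// NETransparentProxyNetworkSettings. Assumes the NENetworkRule initializers
// named in the lead-in exist with the documented signatures.

// Catch-all: 0.0.0.0 with a 0-bit prefix matches every IPv4 destination on port 443.
func includeAllTCP443() -> [NENetworkRule] {
    let anyV4 = NWHostEndpoint(hostname: "0.0.0.0", port: "443")
    return [NENetworkRule(remoteNetwork: anyV4, remotePrefix: 0,
                          localNetwork: nil, localPrefix: 0,
                          protocol: .TCP, direction: .outbound)]
}

// Exclusion by address: the prefix must cover the whole address (32 bits for
// IPv4, 128 for IPv6). A prefix of 0 here would exclude everything, which is
// the behaviour described in the post.
func excludeAddress(_ address: String, port: String) -> NENetworkRule {
    let prefixBits = address.contains(":") ? 128 : 32
    let ep = NWHostEndpoint(hostname: address, port: port)
    return NENetworkRule(remoteNetwork: ep, remotePrefix: prefixBits,
                         localNetwork: nil, localPrefix: 0,
                         protocol: .TCP, direction: .outbound)
}

// Exclusion by name: use the destination-host initializer, which matches on the
// hostname the flow carries, not on a numeric address prefix. Flows that were
// opened with a raw IP address carry no hostname and are not matched by it.
func excludeHostname(_ host: String, port: String) -> NENetworkRule {
    let ep = NWHostEndpoint(hostname: host, port: port)
    return NENetworkRule(destinationHost: ep, protocol: .TCP)
}

func makeSettings() -> NETransparentProxyNetworkSettings {
    // tunnelRemoteAddress is a placeholder; transparent proxies do not use it for routing.
    let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
    settings.includedNetworkRules = includeAllTCP443()
    settings.excludedNetworkRules = [
        excludeAddress("157.240.8.35", port: "443"),   // one address, /32
        excludeHostname("facebook.com", port: "443"),  // by name
    ]
    return settings
}
```

Because a single exclusion address covers only that one host, a service with many addresses needs either every address (each with a full-length prefix) or the hostname rule, and the two can be combined as above.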
Hi there,
We are using a system extension for network, and now we try to turn on SIP and install/uninstall the system extension.
Current status is: with SIP on, the system extension can be installed correctly, but cannot be uninstalled.
The install/uninstall code is like below. Calling installSystemExtension() from the entrance of ProxyManger.swift:loadProxyManager returns success:
activation request succeeded
And systemextension list common shows the newly installed sysExt.
But calling uninstallSystemExtension() from the entrance of ProxyManger.swift:remove() results in an error:
deactivation request failed authorization: unauthorized
And systemextension list common shows no difference.
@available(macOS 11.0, *)
private func installSystemExtension() {
    log.info("[LogApp] will submit activation request")
    let request = OSSystemExtensionRequest.activationRequest(
        forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy",
        queue: .main
    )
    request.delegate = self
    OSSystemExtensionManager.shared.submitRequest(request)
    log.info("[LogApp] did submit activation request")
}

// MARK: - Unload System Extension
@available(macOS 11.0, *)
public func uninstallSystemExtension() {
    log.info("[LogApp] will submit deactivation request")
    let request = OSSystemExtensionRequest.deactivationRequest(
        forExtensionWithIdentifier: "com.familyzone.macappproxy.fzmacappproxy",
        queue: .main
    )
    request.delegate = self
    OSSystemExtensionManager.shared.submitRequest(request)
    log.info("[LogApp] did submit deactivation request")
}
Thanks in advance for any suggestion.
Hi there,
Encountered something weird when doing beta testing on Monterey Beta 8, while all is good with Monterey Beta 6:
We use a system extension for NETransparentProxyProvider and we block QUIC traffic with the code below:
override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow, initialRemoteEndpoint remoteEndpoint: NWEndpoint) -> Bool {
    let ep = remoteEndpoint as! NWHostEndpoint
    flow.open(withLocalEndpoint: nil) { [unowned self] error in
        guard error == nil else {
            flow.closeReadWithError(error)
            flow.closeWriteWithError(error)
            return
        }
    }
    // Block QUIC (UDP 80/443) by closing the flow so the browser falls back to TCP.
    if ep.port == "80" || ep.port == "443" {
        flow.closeReadWithError(nil)
        flow.closeWriteWithError(nil)
        return true  // the flow was claimed by the provider; the function returns Bool
    }
    ...
}
That works pretty well all through Big Sur to Monterey Beta 6. But when I upgraded to Beta 8 with the same code, the system suffers:
Chrome has no network access anymore.
The system extension gets stuck when first removed (needs a second attempt to be removed).
Sometimes the whole macOS has no network access at all.
All these can be recovered by simply letting QUIC traffic through or not capturing it. But we need to block such traffic in order that the Chrome browser falls back to TCP mode.
Thanks in advance for any suggestion!
Regards
Richard
Hi there,
This is newly found: with all UDP traffic filtered, the SIP phone application doesn't have audio anymore.
With Wireshark analysis, it seems that the STUN protocol gets upset in advance of the RTP messages. It turns into some unknown format although we only pipe it through. The only way to work around it is to bypass all RTP ports. But we cannot do that as it is a huge range.
Thanks in advance for any suggestion.
Attached is the case with/without the RTP range bypassed.
That was tested with the linphone SIP phone application.
Hi there,
This is a question about using dnsproxy together with appproxy.
In case I need to filter all UDP traffic through appproxy, how about DNS traffic to port 53? It will go through both appproxy and dnsproxy!
Do I need to return false inside appproxy for outbound UDP 53 traffic without even opening the flow?
Is there any conflict with such usage?
Thanks in advance for any suggestion.
Regards
Richard
Hi there,
Something interesting that I don't understand when trying to fetch my appproxy (and dnsproxy) system extension process with commands like below.
With an Intel MacBook Pro, all good fetching back that pid.
But with an M1 MacBook Pro, it returns nothing although installed with the same Big Sur 11.6.1.
ps -A | grep $MY_SYS_EXTENSION_PROCESS_NAME
pgrep $MY_SYS_EXTENSION_PROCESS_NAME
Do you have any suggestion to make it the same on M1?
Thanks in advance for any suggestion.
Regards
Richard
Hi there,
With app proxy, in case an empty read is encountered on a flow read, TCP connection read or UDP session read.
In this case, should I return directly, or close the flow, connection, session and then return, or should I go on and write through the empty data as usual even if it is empty?
Below is the code example for the case of flow read and connection write.
flow.readData { data, readError in
    guard readError == nil, let readData = data else {
        log.error("[LogApp] Failed to read data from the TCP flow \(self.local.debugDescription)")
        local.closeWriteWithError(readError)
        local.closeReadWithError(readError)
        return
    }
    guard !readData.isEmpty else {
        log.verbose("[LogApp] Empty data from TCP flow \(self.local.description)")
        // What should I do here?
        // return directly
        // or close flow and return
        // or keep on going to connection write?
    }
    connection.send(content: data, completion: .contentProcessed( { connectionError in
        ...
    }))
}
Thanks in advance for any suggestion.
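An added example, not from the post above, showing one way to handle the empty read. It relies on the NetworkExtension documentation for NEAppProxyTCPFlow.readData, under which a zero-length Data with a nil error means the app has finished writing (end of stream), and on NWConnection.send with the .finalMessage context to send a half-close; the function name pump and the tear-down policy are this example's own choices.

```swift
import NetworkExtension
import Network

// Added example (not the poster's code). Copies app -> remote for one TCP flow.
// An empty read with no error is end-of-stream from the app, so it is forwarded as
// a half-close (FIN) rather than written as a zero-byte payload, and reading stops.
// The remote -> app direction is assumed to run separately and is not torn down here.
func pump(flow: NEAppProxyTCPFlow, to connection: NWConnection) {
    flow.readData { data, readError in
        guard readError == nil, let readData = data else {
            // Read failed: close both directions of the flow and drop the connection.
            flow.closeReadWithError(readError)
            flow.closeWriteWithError(readError)
            connection.cancel()
            return
        }
        guard !readData.isEmpty else {
            // EOF from the app: tell the peer we are done sending, then stop reading.
            // The flow's write side stays open so the peer's remaining data can
            // still be delivered to the app by the other direction's copier.
            connection.send(content: nil, contentContext: .finalMessage,
                            isComplete: true,
                            completion: .contentProcessed({ _ in
                flow.closeReadWithError(nil)
            }))
            return
        }
        connection.send(content: readData, completion: .contentProcessed({ sendError in
            if let sendError = sendError {
                // Peer side broke: propagate the error to the app in both directions.
                flow.closeReadWithError(sendError)
                flow.closeWriteWithError(sendError)
                return
            }
            // Read the next chunk only after this one was accepted by the network,
            // which keeps one read outstanding per flow instead of buffering without bound.
            pump(flow: flow, to: connection)
        }))
    }
}
```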
Hi there,
This is seen from the console log running AppProxyProvider. Sometimes I can see something like this:
nw_endpoint_handler_set_adaptive_write_handler [C978 IPv4#759261e2:443 ready socket-flow (satisfied (Path is satisfied), viable, interface: en0, ipv4, dns)] unregister notification for write_timeout failed
Would like to check with you guys what is going on when such logs show. Is it because the peer flow (connection or session) closed and the local connection (session) timed out?
As it has been seen that appproxy gets blocked for a while and then recovers. Is it normal and is it avoidable?
Thanks in advance for any suggestion.
Hi there,
So far with the deployment of the Network System Extension onto end devices (MacBook Pro), in general it all goes well.
However, there are some older devices, say a 2015 MacBook Pro, and even a 2019 one, that have a problem of network drop after running for some time, say, a couple of hours. The symptom is that the network gets stuck intermittently and then is totally lost. It seems that from time to time the app proxy gets stuck and cannot process further traffic fast enough, especially for the DNS request filtering currently going through the same app proxy. This causes network loss and is not recoverable.
So the question is: is there any requirement on the hardware in order to use the Network System Extension correctly?
Thanks in advance for any suggestion.
Richard
Hi there,
This is found with a duration test on Monterey 12.0.
We are using appproxy and pipe through all UDP traffic including DNS requests (UDP port 53).
With the script below doing only one nslookup per second, in a couple of hours it just fails. No network at all, although no error is reported at the appproxy level. The only way to recover so far is to uninstall the system extension.
#!/bin/bash
i=1
while true
do
    i=$((i+1))
    echo "loop $i"
    nslookup www.google.com
    sleep 1
done
Tried the latest 12.1 beta, same failure.
This test has no problem with Big Sur including 11.6.
Thanks in advance for any suggestion.
Regards
Richard
Hi there,
As seen from the console, there is periodically an error message like "deny system-priviledge" for our appproxy and dnsproxy processes as well as our system service process.
Thanks in advance for any suggestion.
deny_macappproxy.txt
deny_dnsproxy.txt
deny_system_service.txt