ping. pong. Yet another hole in the wall

Back in 2020, when Apple introduced the new Network Extension framework as the mandatory replacement for the previous, kernel extension based NKE interface, third-party firewall products were required to use it in order to monitor and intercept network traffic. However, we quickly realized that the new framework only covered TCP- and UDP-based connections, but not packets sent using the ICMP protocol, which is used, for example, by the ping command line tool.

So we reported our concerns to Apple, arguing that a firewall must never have holes or backdoors: it should be expected to reliably cover all types of network traffic.

And thankfully, they agreed and added ICMP support to the Network Extension framework.

Now, five years later, after upgrading our machines to macOS 15.3, we have noticed that ICMP traffic once again no longer reaches our network extension, so we can neither show it in Network Monitor nor intercept and block it.

And as always, this bug affects not only Little Snitch but also any other third-party macOS firewall that uses the Network Content Filter API (which is the only way to perform this kind of filtering on macOS).
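If you want to check for yourself whether ICMP flows reach a content filter on your machine, the following minimal filter data provider is an added example for this post, not Little Snitch code: it allows every flow but logs the transport protocol of each new socket flow, so that running ping while it is installed shows whether any ICMP or ICMPv6 entries appear at all. The class name, log subsystem and the use of socketProtocol to identify the protocol are our assumptions for the example; building and loading it requires a signed system extension with the content-filter Network Extension entitlement, which is not shown here.

```swift
import NetworkExtension
import os.log

/// Added example (not Little Snitch code): a content filter that lets all
/// traffic through and only records which protocol each new flow uses.
/// While this filter is active, run `ping -c 3 <host>` in Terminal and
/// check the unified log for "ICMP" lines. If none show up, ICMP is
/// bypassing the Network Content Filter API on that macOS version.
final class ProtocolLoggingFilter: NEFilterDataProvider {

    // Subsystem/category names are assumptions for this example.
    private let log = OSLog(subsystem: "com.example.icmpcheck", category: "filter")

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Ask to see every socket flow, any protocol, any direction.
        let allTraffic = NENetworkRule(remoteNetwork: nil,
                                       remotePrefix: 0,
                                       localNetwork: nil,
                                       localPrefix: 0,
                                       protocol: .any,
                                       direction: .any)
        let rule = NEFilterRule(networkRule: allTraffic, action: .filterData)
        let settings = NEFilterSettings(rules: [rule], defaultAction: .filterData)
        apply(settings) { error in
            completionHandler(error)
        }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Only socket flows carry a transport protocol; anything else is allowed unlogged.
        guard let socketFlow = flow as? NEFilterSocketFlow else {
            return .allow()
        }

        // Map the IP protocol number to a readable name for the log line.
        let name: String
        switch socketFlow.socketProtocol {
        case IPPROTO_TCP:    name = "TCP"
        case IPPROTO_UDP:    name = "UDP"
        case IPPROTO_ICMP:   name = "ICMP"
        case IPPROTO_ICMPV6: name = "ICMPv6"
        default:             name = "proto \(socketFlow.socketProtocol)"
        }

        let app = socketFlow.sourceAppSigningIdentifier ?? "unknown"
        os_log("new flow: %{public}@ from %{public}@", log: log, type: .info, name, app)

        // Never block anything: this filter only observes.
        return .allow()
    }
}
```

A flow that the system never hands to the filter produces no log line, so the meaningful result of this check is a negative one: TCP and UDP entries appearing while ping runs, but no ICMP entry, means the traffic bypasses every third-party firewall built on this API.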

We very much hope that ICMP support was not intentionally removed by Apple, but that this is merely “just another bug” that will be fixed in a future macOS update.

Of course, we have already reported our findings to Apple (FB16450831). If you agree that this should be fixed, you may also submit a report referencing our existing feedback.

Credits: Image by clipground.com licensed under CC BY 4.0