Mac Firewall issue after update to 6.8.400.0

[Jimbo151 1]

After upgrading Mac clients from ESET Endpoint Security 6.8.2.0 to ESET Endpoint Security 6.8.400.0 the firewall blocks access to local services running on the same machine access via 'localhost'

This can be reproduced by the following process.

Under ESET 6.8.2.0

run 'sudo apachectl start' and open hxxp://localhost in any browser and it should display 'It Works!' in the browser

After updating to ESET 6.8.400.0 the same process times out and the following is logged in the firewall log

03/01/2020, 15:14:31 No usable rule found [::]:49830 [::1c1e:c2a6:0:0]:80 TCP root

We have a number of use cases where services are connected to on the local machine which are now broken, I have been unable to craft a new firewall rule to fix this without specifying the source as 'ANY' which is unacceptable for an inbound connection. 

what has changed from 6.8.2.0 to 6.8.400.0 that is stopping the machine from connecting to services running on itself ?

[Peter Randziak 1,130]

Hello @Jimbo151,

I spoke with our macOS support guy and he told me that the issue is already know to us.

Some changes in the personal firewall functionality caused blocking of the localhost connections 😞 

 

The issue can be resolved by creating a rule to allow the localhost connections.

 

We apologize for the inconvenience caused,

Peter

note for us: P_EES6M-5377

[Jimbo151 1]

Hi Peter,

Thanks for the reply - when creating a firewall rule to allow the localhost connection I haven't been able to do it without the source being set to 'All' and the direction inbound.

Is there a way to specify the local machine as the source within a rule ?

When looking at the block event in the log it does not show a source address, just the dynamic source port and I don't see a way to specify 'itself' as the source with in rule 

03/01/2020, 15:14:31 No usable rule found [::]:49830 [::1c1e:c2a6:0:0]:80 TCP root

 

[Peter Randziak 1,130]

Hello @Jimbo151,

have you tried to specify localhost addresses so Remote computer?

The localhost addresses are not routed, so no need to be afraid of exposing it to the network / Internet.

Peter

[itman 1,659]

Hum ........ A bit puzzled here.

EIS/ESS Windows consumer versions have a default firewall that exists at the top of the rule set titled "Allow all traffic within the computer." This rule allows all inbound and outbound traffic to/from remote destination "Local addresses" zone. This zone by default on Windows installations contains IPv4 and Ipv6 localhost addresses; i.e.  127.0.0.1 and ::1. I would assume this default rule also exists on EES?

Appears from the original posting, you want to access localhost addresses other than those noted above. Best way to do this would be to create a new firewall zone named whatever you desire. Specify in that zone 127.0.0.1/x and ::1/x; where "x" is the appropriate CIDR notation for the localhost ranges you want to reference. Or alternatively, only specify the individual localhost addresses you use. Then create a new firewall rule duplicating the details of the above noted "Allow all traffic within the computer" but specifying the new zone name you created in the remote destination rule area. Move that new rule to the top of the existing rule set.

By using a Zone specification, you can add/delete IP addresses at needed without having to modify the new firewall rule.

Below is a screen shot of the existing Eset Windows "Allow all traffic within the computer" rule:

Edited January 15, 2020 by itman

[alvinkatojr 0]

Greetings,

I'm having a similar issue where multiple rules are being created but Eset Cyber Security Pro's firewall keeps blocking internet connection until I create a new rule. 

I've had to switch to interactive firewall mode because the default setting blocks all connections and does n't give any warning in the interface. I have had to confirm and approve every outgoing connection for each application regardless of whether I’d done that before. 

I've attached a picture of some of the many rules I have on my installation. Could I get some assistance or pointers on this? I'm on MacOS Catalina and using Eset 6.8.300.0

Thank you.

 

[Marcos 5,070]

14 hours ago, alvinkatojr said:

I'm having a similar issue where multiple rules are being created but Eset Cyber Security Pro's firewall keeps blocking internet connection until I create a new rule.

Not sure what kind of communication it is, obviously both the local and remote port change. If you don't want to be asked, create a rule with "all" local and remote ports for "system". However, I'm not entirely convinced that it would be safe to do so from security point of view.

[alvinkatojr 0]

Thanks for the response but I think this goes beyond creating rules. The default firewall option used to work without hiccups even when the ports change, the question is why is n't it working now on Mac OS Catalina?

[alvinkatojr 0]

Could I get some assistance or pointers with this issue? Eset Support are yet to get back to me and I'm stuck with a product that won't work as it's supposed to. 

It would be nice if I got some idea of what exactly the problem is and why it's happening.

Thank you.

[Marcos 5,070]

Please follow the instructions at https://forum.eset.com/topic/22315-iphone-turns-on-alert-displays-but-nothing-i-do-suppresses-the-alert/

In particular:
- remove all custom rules (or install ECS from scratch)
- make sure that you mark your network as home or work when detected

In home / work network, any local communication by the system process is allowed automatically. In case of issues, open a support ticket with your local ESET distributor and provide logs collected as per https://support.eset.com/en/use-eset-logcollector-on-macos-and-send-the-logs-to-eset-technical-support.

[alvinkatojr 0]

Thanks for the response Marcos. But I've already installed ECS from scratch and the same issue is occurring. I've also marked my home network as such(see attached screenshot), but the same issue persists. Earlier versions of ESET never had this issue, so I believe this goes beyond my settings and rules.

As for contacting my local ESET distributor, I did that last week and I'm yet to hear back.

It seems something changed in between ECS releases and it's possible the developers don't know about this. Could you raise an issue and escalate because as far as I can tell, I'm not the only one suffering with this and all remedies don't seem to work.

Thanks.

 

[Roland 0]

Hey,

I'm experiencing the very same issue as the OP. When can we expect this to be fixed?

For troubleshooting and workaround for the time being see below: 

I'm not able to access any web service (node, nginx, docker etc...) that I fire up locally on any port. The browser just hangs and having the spinner rotating forever.

None of the following works:

hxxp://localhost:3000
hxxp://127.0.0.1:3000
hxxp://[::1]:3000

 

Most of these servers bind to the unspecified ipv6 address (::) - if it's enabled, this is the expected and default behaviour.  By default, I should be able to access my local web service using the ipv4 address (localhost and 127.0.0.1) and especially with ipv6 address ([::1]).

It is platform specific and seems like most of the OS-s are the same. macOS definitely has dual stack mode enabled by default AND ipv4 is auto-listened if anything binds to the unspecified ipv6 address (::). (see attached and link to an issue)

If I define ipv4 explicitly for the service (localhost, 127.0.0.1 or 0.0.0.0) then it works fine and it is accessible via the browser.

This is what my ESET firewall log looks like. It is clearly blocking my access.

22/02/2020, 11:36:49	No usable rule found	[::]:62323	[::1c1e:f373:0:0]:3000	TCP			root
22/02/2020, 11:36:44	No usable rule found	[::]:62322	[::1c1e:f372:0:0]:3000	TCP			root

 

I was able to get around it by adding the following rule to the firewall (also see attached).

Please note: in order to add the :: address you'll have to type ::0 in the IP Address field in ESET for the button to become active.

All Application - Inbound - TCP - All Remote Ports - All Local Ports - ::0 (the unspecified ipv6 address)

and this is in my logs after adding the rule:

22/02/2020, 18:06:57	Communication allowed by rule	[::]:64541	[::1c1e:fc1d:0:0]:3000	TCP	Allow communication for System		root
22/02/2020, 18:06:57	Communication allowed by rule	[::]:64541	[::1c1e:fc1d:0:0]:3000	TCP	Allow communication for System		root

 

I used freshly installed ESET Cyber Security Pro (6.8.300.0) - default settings - on macOS Mojave (10.14.6) to test and troubleshoot this issue.

However, this came to my attention when I was trying to use my work laptop that has ESET Endpoint Security (6.8.400.0) installed on macOS Catalina (10.15.3).

 

 

 

Edited February 22, 2020 by Roland
typo

[Marcos 5,070]

I would recommend collecting logs as per the instructions at https://support.eset.com/en/kb3404-use-eset-logcollector-on-macos-and-send-the-logs-to-eset-technical-support and opening a support ticket with your local ESET distributor.

[void-void 0]

I run into the same issue. ESET Firewall blocks localhosts which makes software development impossible unless the firewall it completely turned off. When can we expect a fix for that? Everything worked fine on previous versions. I currently have 6.8.300.0 installed on a MacOs Catalina

[Peter Randziak 1,130]

The issue should be resolved in next service release.

Work around is to creating a rule to allow the localhost connections.

We apologize for the inconvenience caused.

Peter

[stevemaser 2]

Is there an ETA on the next service release?   We've been waiting for a fix for the "Restart Computer" issues for what feels like 6 months now...

[Pierre-MP 0]

Is really a nonsense.

We just have updated all our Macs in the offices because of incompatibility of previous ESET version with 10.14.5, and now we still blocked for all local requests. Unable to show the router page, manage switches, access to the local servers and VMs...

It's a shame, sincerely

[Marcos 5,070]

On 4/20/2020 at 7:53 PM, Pierre-MP said:

We just have updated all our Macs in the offices because of incompatibility of previous ESET version with 10.14.5, and now we still blocked for all local requests. Unable to show the router page, manage switches, access to the local servers and VMs...

Please try the latest version of Endpoint 6.8.711 hich has not been released yet and let us know if it resolves the issue: https://forum.eset.com/files/category/3-early-access/

[StefanCoetzer 0]

@Marcos Any update here as to when the official release and solution would be available?

[Marcos 5,070]

3 minutes ago, StefanCoetzer said:

@Marcos Any update here as to when the official release and solution would be available?

There is no ETA yet, it's still in the works. I'd strongly recommend opening a ticket with your local ESET support so that the issue is investigated and possibly fixed in the upcoming version.

[StefanCoetzer 0]

I've created FW rules as per @Roland's recommendation and this works. 

Do you guys have patch notes or a specific status page where we can follow bugs like these + workarounds and timelines on resolution @Marcos?

[Marcos 5,070]

10 minutes ago, StefanCoetzer said:

Do you guys have patch notes or a specific status page where we can follow bugs like these + workarounds and timelines on resolution @Marcos?

There is no public list of issues. Our partners have access to it so they should be able to tell if a particular issue is a known bug.

[robertk 0]

does anyone know how this firewall thing works on localhost development or docker?