Thursday, April 3, 2025

The community has been left wondering whether to adopt the macOS plugin Foul Play or anticipated alternatives.

After I upgraded macOS and logged in, I saw under Settings > Network > Firewall > Options that “incoming connections” had been enabled for the following processes and software:

  • sshd-keygen-wrapper
  • isolated
  • python
  • ruby
  • smbd
  • sharingd
  • cupsd

The connection between these services is intriguing: they are linked to providing remote login, enabling sharing, and facilitating secure communications through smbd and cupsd configurations that benefit Windows users. This is not the first time this has happened. Following a firmware restore on two devices, a striking similarity emerged during system setup on both devices.

Upon reviewing the log files, we identified a recently installed plugin that integrated with our firewall, revealing the following associated processes.

Despite not using iCloud, I’ve found that persistent connections with Apple’s Engineering servers, identified by IP addresses starting with 17, are always maintained. The connection is associated with the apsd process, which listens on three separate network ports. APSD (AirPlay Streaming Protocol) is occasionally employed for streaming content to remote devices when a Mac is managed through an MDM (Mobile Device Management) solution; however, since you’re not currently enrolled in such management, this isn’t relevant to your setup?

It’s unclear why Apple would compromise on something so critical as phone functionality and user data security for the sake of aesthetics or novelty. The complexity of our systems requires a comprehensive analysis of their dynamics and interdependencies to ensure seamless functioning. It is crucial to identify the underlying issues hindering optimal performance, thereby allowing for targeted interventions to restore equilibrium. com.apple.MobileSoftwareUpdate.UpdateBrainService is responsible for the download. I’ve done nothing and this appears correct following system configuration.

Should you establish persistent connections with frequently exploited Apple infrastructure using the apsd process? Shouldn’t there be an option to allow plugins to constantly accept incoming connections quietly behind the scenes? The SSH daemon (sshd) configuration on the firewall cannot be modified. The network will always accept incoming connection requests.

The data displayed in my incoming connection log shows… I’m unable to modify the SSH daemon’s configuration. What drives Apple’s decision to integrate community-driven plugins within their ecosystem remains unclear.

Apple’s unified logs revealed the configuration of the network extension’s filter, precisely documented:

2024-10-26 19:19:39.359484-0700 0x9a9      Data        0x2b4                123    0    nesessionmanager: [com.apple.networkextension:Large] NESMFilterSession[com.apple.preferences.application-firewall:B56CB664-05A1-48A6-AD1B-20943DBBFB45] beginning with configuration: {
    title = <42-char-str>
    identifier = B56CB664-05A1-48A6-AD1B-20943DBBFB45
    applicationName = com.apple.ALF.ApplicationFirewall
    utility = com.apple.ALF.ApplicationFirewall
    grade = 1
    contentFilter = {
        enabled = YES
        supplier = {
            pluginType = com.apple.ALF.ApplicationFirewall
            dataProviderDesignatedRequirement = identifier "com.apple.ALF.ApplicationFirewall" and anchor apple
            dataProviderBundleIdentifier = com.apple.ALF.ApplicationFirewall
            vendorConfiguration = {
                BuiltInSignedState = 1,
                StealthModeState = 0,
                DownloadSignedState = 1,
                GlobalState = 2,
                functions = (
                    { icon = , providerAdded = YES, displayname = configd, kind = functions, path = file:///usr/libexec/configd, state = 1, bundleid = com.apple.configd, },
                    { icon = , providerAdded = YES, displayname = mDNSResponder, kind = functions, path = file:///usr/sbin/mDNSResponder, state = 1, bundleid = com.apple.mDNSResponder, },
                    { icon = , providerAdded = YES, displayname = racoon, kind = functions, path = file:///usr/sbin/racoon, state = 1, bundleid = com.apple.racoon, },
                    { icon = , providerAdded = YES, displayname = bootpd, kind = functions, path = file:///usr/libexec/bootpd, state = 1, bundleid = com.apple.bootpd, },
                    { icon = , providerAdded = YES, displayname = xartstorageremoted, kind = functions, path = file:///usr/libexec/xartstorageremoted, state = 1, bundleid = com.apple.xartstorageremoted, },
                    { icon = , providerAdded = YES, displayname = netbiosd, kind = functions, path = file:///usr/sbin/netbiosd, state = 1, bundleid = com.apple.netbiosd, },
                    { icon = , providerAdded = YES, displayname = isolated, kind = functions, path = file:///usr/libexec/isolated, state = 1, bundleid = com.apple.isolated, },
                    { icon = , providerAdded = YES, displayname = python3, kind = functions, path = file:///usr/bin/python3, state = 1, bundleid = com.apple.dt.xcode_select.tool-shim, },
                    { icon = , providerAdded = YES, displayname = ruby, kind = functions, path = file:///usr/bin/ruby, state = 1, bundleid = com.apple.ruby, },
                    { icon = , providerAdded = YES, displayname = cupsd, kind = functions, path = file:///usr/sbin/cupsd, state = 1, bundleid = com.apple.cupsd, },
                    { icon = , providerAdded = YES, displayname = sharingd, kind = functions, path = file:///usr/libexec/sharingd, state = 1, bundleid = com.apple.sharingd, },
                    { icon = , providerAdded = YES, displayname = sshd-keygen-wrapper, kind = functions, path = file:///usr/libexec/sshd-keygen-wrapper, state = 1, bundleid = com.apple.sshd-keygen-wrapper, },
                    { icon = , providerAdded = YES, displayname = smbd, kind = functions, path = file:///usr/sbin/smbd, state = 1, bundleid = com.apple.smbd, },
                    { icon = , providerAdded = YES, displayname = srp-mdns-proxy, kind = functions, path = file:///usr/libexec/srp-mdns-proxy, state = 1, bundleid = com.apple.srp-mdns-proxy, },
                ),
            }
            filterBrowsers = NO
            filterPackets = NO
            filterSockets = YES
            disableDefaultDrop = NO
            preserveExistingConnections = YES
        }
        filter-grade = 1
    }
}
2024-
