https://mullvad.net/en/blog/2023/9/13/bug-in-macos-14-sonoma-prevents-our-app-from-working/ Mullvad logo About Policies Blog Pricing Servers Downloads Help Account Get started Bug in macOS 14 Sonoma prevents our app from working 13 September 2023 APP The macOS 14 Sonoma betas and release candidate contain a bug that causes the firewall to not filter traffic correctly. As a result, our app does not work. During the macOS 14 Sonoma beta period Apple introduced a bug in the macOS firewall, packet filter (PF). This bug prevents our app from working, and can result in leaks when some settings (e.g. local network sharing) are enabled. We cannot guarantee functionality or security for users on macOS 14, we have investigated this issue after the 6th beta was released and reported the bug to Apple. Unfortunately the bug is still present in later macOS 14 betas and the release candidate. We have evaluated whether we can patch our VPN app in such a way that it works and keeps users secure in macOS 14. But unfortunately there is no good solution, as far as we can tell. We believe the firewall bugs must be fixed by Apple. The bug affects much more than just the Mullvad VPN app. Firewall rules do not get applied properly to network traffic, and traffic that is not supposed to be allowed is allowed. We deem this to be a critical flaw in the firewall, anyone relying on PF filtering, or apps using it in the background on their macOS devices should be cautious about upgrading to macOS 14. Our recommendations MacOS 14 Sonoma is scheduled to be released on the 26th of September, if the bug is still present we recommend our users to remain on macOS 13 Ventura until it is fixed. Technical details The following steps can be taken on macOS 14 to reproduce the issue. Warning: This will clear out any firewall rules you might have loaded in PF. In a terminal, create a virtual logging interface and start watching it for traffic matching the rules you will add later: sudo ifconfig pflog1 create sudo tcpdump -nnn -e -ttt -i pflog1 Write the following firewall rules to a file named pfrules: pass quick log (all, to pflog1) inet from any to 127.0.0.1 block drop quick log (all, to pflog1) In another terminal, enable PF and load the rules: sudo pfctl -e sudo pfctl -f pfrules Ping the mullvad.net webserver: ping 45.83.223.209 Expected results * Ping is blocked, since it does not match the only pass rule's requirements * The traffic is logged to pflog1. More specifically we expect it to be logged as matching the block rule Actual results * Ping is allowed out on the internet, and the response comes back * No traffic is being logged to pflog1 Cleaning up after the experiment Disable the firewall and clear all rules. sudo pfctl -d sudo pfctl -f /etc/pf.conf Follow our blog for future updates to this issue. Mullvad * About * Help * Servers * Pricing * Blog * What is privacy? * Why Mullvad VPN? * What is a VPN? * Download * Press * Jobs Policies * Open source * Privacy policy * Cookies * Terms of service * Partnerships and resellers * Reviews, ads and affiliates * Reporting a bug or vulnerability Address * Mullvad VPN AB * Box 53049 * 400 14 Gothenburg * Sweden * support@mullvad.net * GPG key * Onion service Follow us * @mullvadnet * @mullvadnet * MullvadNet * Mullvad VPN * mullvad Language English l`rbyW@ Dansk Deutsch English Espanol frsy Suomi Francais Italiano Ri Ben Yu hangugeo Nederlands Norsk Polski Portugues Russkii Svenska phaasaaaithy Turkce Fan Ti Zhong Wen Jian Ti Zhong Wen