UPDATE 2024-10-29: I have no longer been experiencing the connectivity issues described in this post since updating to Sequoia 10.1, maybe even 10.0.1. If you are experiencing issues with Internet connectivity on Sequoia, I recommend updating to the most recent version of macOS.

Aside from that, it is still not possible to remove some firewall entries. That’s another bug we might have to wait some time to get resolved.

It seems the OS firewall can sometimes start blocking access to web browsing after upgrading to macOS Sequoia. At least this was the case for me and some folks on Reddit.

In the firewall settings screen, there may be no way to toggle access for the browser.

If this is the case for you, you can use the CLI tool /usr/libexec/ApplicationFirewall/socketfilterfw to tweak firewall settings.

After making these changes, your browser should have access to the Internet again. Other software might still not function. E.g. on my computer, nvm and Spotify still didn’t work, so the steps below would have to be followed separately for each app that is still not working. Disabling the entire firewall might be a more convenient (albeit less secure) workaround for you.

  1. Open the terminal app.
  2. Find the path to your web browser under /Applications. You can list available software by running ls -l /Applications in the terminal.
  3. You can run this command to check
  4. Then, run this command to add your browser to the firewall (despite it being already there, I know). E.g.:
    • To allow Firefox access, run:
      /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Firefox.app
    • To allow Google Chrome access, run:
      /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Google\ Chrome.app
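
The steps above as a small wrapper script, together with the list, block and remove operations that the comments ask about. This is an added example, not the author's script: the SFW override variable, the function names and the script name fw-app.sh are assumptions of the example, and it assumes you prefix the call with sudo if the tool refuses to change settings without root.

```shell
#!/bin/sh
# Added example, not the post author's script; SFW and function names are assumed.
SFW="${SFW:-/usr/libexec/ApplicationFirewall/socketfilterfw}"

# check_bundle PATH: accept only an existing, absolute .app bundle path.
check_bundle() {
    case ${1%/} in
        /*.app) ;;
        *) echo "not an absolute .app path: $1" >&2; return 2 ;;
    esac
    [ -d "${1%/}" ] || { echo "bundle not found: $1" >&2; return 3; }
}

# allow_app PATH: the post's --add step, then print the entry's state.
# Quoting keeps paths with spaces (Google Chrome.app) as a single argument.
allow_app() {
    check_bundle "$1" || return
    "$SFW" --add "${1%/}" || return 1
    "$SFW" --getappblocked "${1%/}"
}

# block_app PATH: add the entry, then mark it as blocked.
block_app() {
    check_bundle "$1" || return
    "$SFW" --add "${1%/}" || return 1
    "$SFW" --blockapp "${1%/}"
}

# revert_app PATH: remove the entry; no existence check, so an entry for an
# already-deleted app can be removed as well.
revert_app() {
    "$SFW" --remove "${1%/}"
}

# show_state: global on/off state, the block-all setting, and all app entries.
show_state() {
    "$SFW" --getglobalstate
    "$SFW" --getblockall
    "$SFW" --listapps
}

# Usage: sh fw-app.sh allow|block|revert /Applications/Firefox.app
#        sh fw-app.sh show
case ${1:-} in
    allow)  allow_app "$2" ;;
    block)  block_app "$2" ;;
    revert) revert_app "$2" ;;
    show)   show_state ;;
esac
```

Adding individual apps this way keeps the firewall enabled for everything else, which is the narrower alternative to switching it off entirely.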

33 responses to “macOS firewall blocking web browsing after upgrading to Sequoia”

  1. Kamalneet Singh Kalsi

    Thanks a million

    1. You’re welcome! Really glad I could help.

  2. Any idea for the path to the Universal Control and ControlCenter apps, as they do not show up with “ls -l /Applications” and my iPhone mirroring stops working with the firewall ON, probably due to these 2 apps?

    1. Hmm! Perhaps this is possible if you know where these apps live. E.g. some seem to live under /System/Library/. Maybe if you do this in the terminal it will work:

      find /System/Library -iname '*universal*.app'

      This should show any apps matching the pattern.

      On my machine this returned:
      waclaw@MacBook-Pro Library % find /System/Library -iname '*universal*.app'
      find: /System/Library/DirectoryServices/DefaultLocalDB/Default: Permission denied
      /System/Library/CoreServices/UniversalAccessControl.app
      /System/Library/CoreServices/UniversalControl.app
      [...]

      That last one looks promising. You could try adding it to the firewall: /usr/libexec/ApplicationFirewall/socketfilterfw --add '/System/Library/CoreServices/UniversalControl.app'

  3. Thanks a heap. Your solution works like a charm.

    1. Thank you! I’m super happy to hear that.

  4. Thanks for your post. I run into problems when I try to download a large amount of files via ssh. After a short while the download gets stuck. Disabling the firewall allows me to download the files. As far as I can see, the settings in the firewall options are fine. Any ideas regarding this issue?

  5. This works; but it doesn’t make any sense; a browser should never require incoming connections. It connects outbound.

    1. Agreed! I am just as baffled.

      1. My guess is that the problem is in connection tracking – it doesn’t treat the inbound reply packet as belonging to the same connection.

        1. Interesting theory! I think that it has to do with what the firewall sees as traffic to filter too.

  6. Hi @Wacław Jacek

    Any ideas on Safari for this method? I’ve tried finding the application path (entering that, i.e. safari.app) yet it’s stating…

    “unrecognised option”

    1. Maybe there’s a typo in your command? Try: /usr/libexec/ApplicationFirewall/socketfilterfw --add '/Applications/Safari.app'

  7. Elisabeth Elmquist

    Under the Firewall list I see that it is not possible to unblock ‘Firefox’, but I do not have the possibility to change ‘ControlCentre’ either!

  8. Thank you so much, you saved half the people who updated to Sequoia

    1. Thank you! I really appreciate it.

  9. […] with DNS and running his firewall on his macOS machine. Another security researcher, Wacław Jacek, wrote in a blog post that, “it seems the OS firewall can sometimes start blocking access to web […]

  10. Would you help me fix a DNS issue after upgrading to Sequoia?
    I followed the steps above; this is the result I’m getting:
    Firewall settings cannot be modified from command line on managed Mac computers.

  11. Thank you, that works. Why does this happen? And what is the command to revert back, please? And will this cause any issue?

  12. Thank you a ton! I was really stuck on this issue! 🙂

  13. Really helpful – hopefully Apple and/or VPNs figure out a more permanent solution and push update live. If and when that does happen, anything you recommend to reverse the command you suggest and return to normal?

  14. Very good! Now I can understand a little bit about the macOS firewall. In my case I have problems with WireGuard: after some minutes pass, all traffic is blocked for Google Chrome and I don’t know why. Is it possible to list all loaded rules, like pfctl -sa in *BSD?

  15. Hi!
    After the update some apps do not connect even when firewall is allowing them to connect. One is DOTA 2 which can’t connect to servers at all.

    1. Hi! 👋 Interesting. Have you tried with the firewall completely off? Maybe the app that is actually making the connection is different than the path you’ve added an exception for?

  16. Thank you! This works.

  17. Thanks a lot! For me, this update broke my email apps — now fixed! Just a quick question: Do the apps added via --add overrule the “Block all incoming connections” setting? Because, in my opinion, this seems to be the case. The question is whether this is intentional or not. If we trust the GUI settings, this might not be intentional. Do you have any more insights on this?

    1. Unfortunately, no idea. I would imagine they don’t but I don’t know the inner workings of the firewall settings.

  18. To get rid of the uneditable firewall entries “com.[appname]” after macOS 15.0 update you can try to rebuild the com.apple.networkextension preferences by deleting the com.apple.networkextension.XXX.plist files from /Library/Preferences (of course, SIP has to be disabled for this) as firewall settings are no longer stored in the “ALF.plist” and appear to be partially imported via the network extension framework. Somehow migration of the old application firewall entries fails.
    For me rebuilding networkextension.xxx.plists worked on Intel and Apple Silicon systems. The only remaining unmodifiable entry was “ssd-keygen-wrapper”.
    I don’t know if this also resolves other firewall related issues in macOS 15.0… but
    after “reallowing” other installed network extensions everything seems to work fine for now.

    Reproduce this at your own risk and backup any productive system before playing around with system pref files!

    Cheers, Fred

    1. Thank you Fred! This is the only thing I found that worked to get my macOS 15.3.2 firewall working on an M1 processor after a recent upgrade from the latest Ventura. I haven’t tried it on Intel, but I’m confident per your experience it will work.

  19. Unfortunately, this did not allow Little Snitch 6.1.2 to work with the Firewall Enabled (required by IT). /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Little\ Snitch.app

  20. Hi, this is so useful, but how can you block an app? You only shared how to allow apps.

    1. Thanks!

      Now that this bug seems to be fixed, you should be able to do it from the UI, by clicking the + button at the bottom of the app list.

      After adding the app, you should be able to pick whether it should be blocked or allowed.
