

That is, if I enable the firewall just once, I am not able to get email privacy working again. I tried the solution suggested and it didn't fix things. I have a feeling the same technology underlies both features. I doubt even Apple's OS engineers would be able to tell you every impact of filtering the traffic of system daemons like that. I had asked about the mail privacy as well as the private relay. Recommending this sort of overly controlling filtering of system services is a bad idea, as you have no idea what other things may be impacted. Unless you're saying you block it from Apple but not the SSL provider domains? Fucking around with fundamental SSL operations is pretty dumb, even if you're some sort of SSL expert. ocspd doesn't just do developer certs but all SSL cert stapling, which is rather important to maintain proper SSL stapling. IPFW (PF) is just as fine-grained, it just doesn't have the fancy GUI that LS does. I had suggested earlier to start with the Firewall and branch out from there if you're going to be using LS as an active firewall. Even then, these particular services aren't always needed. As you dive deeper past Userland, you'll find that not all those services are needed, hence I only activate / allow them when I'm using them for fine-tuning, or updating specific things. For regular users, keeping them open is fine. Tsur, to answer your original question, most of those services aren't necessary to have a great functioning OS, they just make it convenient rather than you activating each daemon whenever you need / want those services.

Should I be allowing them to talk to Apple? Do they need to? Upon installing, I found all the above listed services (and probably more) trying to connect and was a little dumbfounded. I've been meaning to check it out for a while, but the normal $45 seemed a little much. On a whim, I just bought Little Snitch for like $12. I am a "little" more paranoid than most, so I don't even allow configd, helpd, mapspushd, ntpd, ocspd, photolibraryd, SpotlightNetHelper, AGSService, xlc, or storeinappd to connect to the outside.
I also stated that when I first install an App, ocspd connects, but after it checks the certs, that port is closed until the next round of updates or App installations. Maybe you (Thinine) aren't up-to-speed on all the technical changes in Sierra vs. El Capitan (like profile provisioning introduced in Sierra), but there are real and technical issues/reasons why I run my machines the way I do. Also a great read on 9to5mac's site. 9to5mac's article on Sierra's treatment of expired certificates: The guys over at 1Password had a great blog on the subject.

If a Developer's Certificate is not renewed (by the yearly timestamp, among some other technical behind the scenes activities) with Sierra, it will actually de-activate that App, where-as in El Capitan, the App will continue to run without issues.
Sierra treats Apple Certificates differently from El Capitan, and unless there is malicious code running on that "already approved App" (for instance, from the App Store), it doesn't need to be active. OCSPD does NOT need to be checking into Apple more than 3 times a day (which, if you tracked the daemon's activities, it tends to do). I'm more of a "to each their own" type of person, but to call it stupid is over-the-top reactionism. Blocking ocspd, for example, is just stupid. Yes, they're rather important, some more than others.
