From eed65d4f607d6d71c76c36a5eef71d30ebcd15a3 Mon Sep 17 00:00:00 2001
From: Alexandr Stelnykovych
Date: Tue, 15 Oct 2024 13:24:18 +0300
Subject: [PATCH] Revert: (macOS) New Firewall option: Bypass Apple Services

Fix is not stable.
Commit: c44b9f186be412f07dd8d512515cfdd778fe8e36 [c44b9f18]
https://github.com/ivpn/desktop-app/issues/394
---
 daemon/References/macOS/etc/firewall.sh | 40 -------------------
 daemon/protocol/protocol.go | 15 -------
 daemon/protocol/types/requests.go | 5 ---
 daemon/service/firewall/firewall.go | 6 ---
 daemon/service/firewall/firewall_darwin.go | 20 +---------
 daemon/service/firewall/firewall_linux.go | 4 --
 daemon/service/firewall/firewall_windows.go | 4 --
 daemon/service/preferences/preferences.go | 1 -
 daemon/service/service.go | 32 ++++-----------
 daemon/service/types/types.go | 13 +++---
 .../components/settings/settings-firewall.vue | 40 -------------------
 ui/src/daemon-client/index.js | 8 ----
 ui/src/ipc/main-listener.js | 6 ---
 ui/src/ipc/renderer-sender.js | 6 ---
 ui/src/store/module-vpn-state.js | 1 -
 15 files changed, 15 insertions(+), 186 deletions(-)

diff --git a/daemon/References/macOS/etc/firewall.sh b/daemon/References/macOS/etc/firewall.sh
index ee07cad8..8b5fee44 100755
--- a/daemon/References/macOS/etc/firewall.sh
+++ b/daemon/References/macOS/etc/firewall.sh
@@ -5,7 +5,6 @@
 # sudo pfctl -s rules
 # Show all rules for "ivpn_firewall" anchor
 # sudo pfctl -a "ivpn_firewall" -s rules
-# sudo pfctl -a "ivpn_firewall/apple_services" -s rules
 # sudo pfctl -a "ivpn_firewall/tunnel" -s rules
 # sudo pfctl -a "ivpn_firewall/dns" -s rules
 # Show table
@@ -102,7 +101,6 @@ function enable_firewall {
 pass out inet proto udp from 0.0.0.0 to 255.255.255.255 port = 67
 pass in proto udp from any to any port = 68
 
- anchor apple_services all
 anchor tunnel all
 anchor dns all
 _EOF
@@ -130,8 +128,6 @@ function disable_firewall {
 pfctl -a ${ANCHOR_NAME} -t ${EXCEPTIONS_TABLE} -T flush
 pfctl -a ${ANCHOR_NAME} -t ${USER_EXCEPTIONS_TABLE} -T flush
 
- # remove all rules in tun anchor
- pfctl -a ${ANCHOR_NAME}/apple_services -Fr
 # remove all rules in tun anchor
 pfctl -a ${ANCHOR_NAME}/tunnel -Fr
 # remove all rules in dns anchor
@@ -188,33 +184,6 @@ _EOF
 block drop out proto tcp from any to ! ${DNS} port = 53
 _EOF
 }
-####
-function allow_apple_services_on {
- # Ports: https://support.apple.com/en-us/103229
- # 443 TCP - Secure Sockets Layer (SSL or HTTPS): TLS websites, iTunes Store, Software Update, Spotlight Suggestions, Mac App Store, Maps, FaceTime, Game Center, iCloud authentication and DAV Services (Contacts, Calendars, Bookmarks), iCloud backup and apps (Calendars, Contacts, Find My iPhone, Find My Friends, Mail, iMessage, Documents & Photo Stream), iCloud Key Value Store (KVS), AirPlay, macOS Internet Recovery, Dictation, Siri, Xcode Server (hosted and remote Git HTTPS, remote SVN HTTPS, Apple Developer registration), Push notifications (if necessary)
- # 2197 TCP - Apple Push Notification Service (APNS)
- # 5223 TCP - Apple Push Notification Service (APNS): iCloud DAV Services (Contacts, Calendars, Bookmarks), Push Notifications, FaceTime, iMessage, Game Center, Photo Stream
- #
- # IP addresses: https://support.apple.com/en-us/HT210060
- pfctl -a ${ANCHOR_NAME}/apple_services -f - <<_EOF
- pass out quick proto tcp from any to 17.249.0.0/16 port { 443, 2197, 5223 } flags any keep state
- pass out quick proto tcp from any to 17.252.0.0/16 port { 443, 2197, 5223 } flags any keep state
- pass out quick proto tcp from any to 17.57.144.0/22 port { 443, 2197, 5223 } flags any keep state
- pass out quick proto tcp from any to 17.188.128.0/18 port { 443, 2197, 5223 } flags any keep state
- pass out quick proto tcp from any to 17.188.20.0/23 port { 443, 2197, 5223 } flags any keep state
-
- pass out quick proto tcp from any to 2620:149:a44::/48 port { 443, 2197, 5223 } flags any keep state
- pass out quick proto tcp from any to 2403:300:a42::/48 port { 443, 2197, 5223 } flags any keep state
- pass out quick proto tcp from any to 2403:300:a51::/48 port { 443, 2197, 5223 } flags any keep state
- pass out quick proto tcp from any to 2a01:b740:a42::/48 port { 443, 2197, 5223 } flags any keep state
-_EOF
-
-}
-
-function allow_apple_services_off {
- pfctl -a ${ANCHOR_NAME}/apple_services -Fr
-}
-####
 
 
 function main {
@@ -274,15 +243,6 @@ function main {
 
 get_firewall_enabled || return 0
 set_dns $2
-
- elif [[ $1 = "-allow_apple_services_on" ]]; then
-
- allow_apple_services_on
-
- elif [[ $1 = "-allow_apple_services_off" ]]; then
-
- allow_apple_services_off
-
 else
 echo "Unknown command"
 return 2
diff --git a/daemon/protocol/protocol.go b/daemon/protocol/protocol.go
index 8888f237..4bb3d8a8 100644
--- a/daemon/protocol/protocol.go
+++ b/daemon/protocol/protocol.go
@@ -85,7 +85,6 @@ type Service interface {
 SetKillSwitchAllowLANMulticast(isAllowLanMulticast bool) error
 SetKillSwitchAllowLAN(isAllowLan bool) error
 SetKillSwitchAllowAPIServers(isAllowAPIServers bool) error
- SetKillSwitchAllowAppleServices(isAllowAppleServices bool) error
 SetKillSwitchUserExceptions(exceptions string, ignoreParsingErrors bool) error
 
 GetConnectionParams() service_types.ConnectionParams
@@ -705,20 +704,6 @@ func (p *Protocol) processRequest(conn net.Conn, message string) {
 p.sendResponse(conn, &types.EmptyResp{}, req.Idx)
 // all clients will be notified in case of successful change by OnKillSwitchStateChanged() handler
 
- case "KillSwitchSetAllowAppleServices":
- var req types.KillSwitchSetAllowAppleServices
- if err := json.Unmarshal(messageData, &req); err != nil {
- p.sendErrorResponse(conn, reqCmd, err)
- break
- }
- if err := p._service.SetKillSwitchAllowAppleServices(req.IsAllowAppleServices); err != nil {
- p.sendErrorResponse(conn, reqCmd, err)
- break
- }
- // send the response to the requestor
- p.sendResponse(conn, &types.EmptyResp{}, req.Idx)
- // all clients will be notified in case of successful change by OnKillSwitchStateChanged() handler
-
 // TODO: avoid using raw key as a string
 // NOTE: please, use 'SetUserPreferences' for future extensions
 case "SetPreference":
diff --git a/daemon/protocol/types/requests.go b/daemon/protocol/types/requests.go
index f6a94905..21af671a 100644
--- a/daemon/protocol/types/requests.go
+++ b/daemon/protocol/types/requests.go
@@ -119,11 +119,6 @@ type KillSwitchSetAllowApiServers struct {
 IsAllowApiServers bool
 }
 
-type KillSwitchSetAllowAppleServices struct {
- RequestBase
- IsAllowAppleServices bool
-}
-
 // KillSwitchSetEnabled request to enable\disable kill-switch
 type KillSwitchSetEnabled struct {
 RequestBase
diff --git a/daemon/service/firewall/firewall.go b/daemon/service/firewall/firewall.go
index 9aa1952f..413f48ac 100644
--- a/daemon/service/firewall/firewall.go
+++ b/daemon/service/firewall/firewall.go
@@ -235,12 +235,6 @@ func RemoveHostsFromExceptions(IPs []net.IP, onlyForICMP bool, isPersistent bool
 return err
 }
 
-func AllowAppleServices(isAllowAPIServers bool) error {
- mutex.Lock()
- defer mutex.Unlock()
- return implAllowAppleServices(isAllowAPIServers)
-}
-
 // AllowLAN - allow/forbid LAN communication
 func AllowLAN(allowLan bool, allowLanMulticast bool) error {
 mutex.Lock()
diff --git a/daemon/service/firewall/firewall_darwin.go b/daemon/service/firewall/firewall_darwin.go
index 72d5ef90..4b1e4ee0 100644
--- a/daemon/service/firewall/firewall_darwin.go
+++ b/daemon/service/firewall/firewall_darwin.go
@@ -41,8 +41,7 @@ import (
 var (
 // key: is a string representation of allowed IP
 // value: true - if exception rule is persistant (persistant, means will stay available even client is disconnected)
- allowedHosts map[string]bool
- allowAppleServices bool
+ allowedHosts map[string]bool
 )
 
 func init() {
@@ -133,15 +132,6 @@ func implClientDisconnected() error {
 return shell.Exec(nil, platform.FirewallScript(), "-disconnected")
 }
 
-func implAllowAppleServices(isAllowAPIServers bool) error {
- allowAppleServices = isAllowAPIServers
- if allowAppleServices {
- return shell.Exec(log, platform.FirewallScript(), "-allow_apple_services_on")
- } else {
- return shell.Exec(log, platform.FirewallScript(), "-allow_apple_services_off")
- }
-}
-
 func implAllowLAN(isAllowLAN bool, isAllowLanMulticast bool) error {
 // the rule should stay unchanged independently from VPN connection state
 isPersistent := true
@@ -281,14 +271,6 @@ func reApplyExceptions() error {
 err = err2
 }
 }
-
- err3 := implAllowAppleServices(allowAppleServices)
- if err3 != nil {
- log.Error(err3)
- if err == nil {
- err = err3
- }
- }
 return err
 }
 
diff --git a/daemon/service/firewall/firewall_linux.go b/daemon/service/firewall/firewall_linux.go
index c65937d7..616242eb 100644
--- a/daemon/service/firewall/firewall_linux.go
+++ b/daemon/service/firewall/firewall_linux.go
@@ -177,10 +177,6 @@ func implClientDisconnected() error {
 return shell.Exec(nil, platform.FirewallScript(), "-disconnected")
 }
 
-func implAllowAppleServices(isAllowAPIServers bool) error {
- return nil // do nothing for Linux
-}
-
 func implAllowLAN(isAllowLAN bool, isAllowLanMulticast bool) error {
 return doAllowLAN(isAllowLAN, isAllowLanMulticast)
 }
diff --git a/daemon/service/firewall/firewall_windows.go b/daemon/service/firewall/firewall_windows.go
index 9586e5fe..a17349bb 100644
--- a/daemon/service/firewall/firewall_windows.go
+++ b/daemon/service/firewall/firewall_windows.go
@@ -185,10 +185,6 @@ func implRemoveHostsFromExceptions(IPs []net.IP, onlyForICMP bool, isPersistent
 return nil
 }
 
-func implAllowAppleServices(isAllowAPIServers bool) error {
- return nil // do nothing for Windows
-}
-
 // AllowLAN - allow/forbid LAN communication
 func implAllowLAN(allowLan bool, allowLanMulticast bool) error {
 
diff --git a/daemon/service/preferences/preferences.go b/daemon/service/preferences/preferences.go
index ef97551a..3ba1fcba 100644
--- a/daemon/service/preferences/preferences.go
+++ b/daemon/service/preferences/preferences.go
@@ -82,7 +82,6 @@ type Preferences struct {
 IsFwAllowLAN bool
 IsFwAllowLANMulticast bool
 IsFwAllowApiServers bool
- IsFwAllowAppleServices bool // Bypass VPN for Apple Services Traffic. Enabling this option allows traffic from Apple services to bypass the IVPN Firewall, permitting specific Apple IP ranges through, and this traffic may be routed outside the VPN tunnel.
 FwUserExceptions string // Firewall exceptions: comma separated list of IP addresses (masks) in format: x.x.x.x[/xx]
 IsStopOnClientDisconnect bool
 
diff --git a/daemon/service/service.go b/daemon/service/service.go
index a067c72d..b8d2f2f0 100644
--- a/daemon/service/service.go
+++ b/daemon/service/service.go
@@ -248,10 +248,7 @@ func (s *Service) init() error {
 log.Error("Failed to initialize firewall with AllowLAN preference value: ", err)
 }
 
- if err := firewall.AllowAppleServices(s._preferences.IsFwAllowAppleServices); err != nil {
- log.Error("Failed to initialize firewall with AppleServices preference value: ", err)
- }
-
+ //log.Info("Applying firewal exceptions (user configuration)")
 if err := firewall.SetUserExceptions(s._preferences.FwUserExceptions, true); err != nil {
 log.Error("Failed to apply firewall exceptions: ", err)
 }
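Review bot: The added `//log.Info("Applying firewal exceptions (user configuration)")` in Service.init is commented-out code with a misspelling; either drop the line or make it a live call, `log.Info("Applying firewall exceptions (user configuration)")`, so the startup log records when user exceptions are applied. Presumably this just restores the line as it stood before c44b9f18, but the revert is a chance not to reintroduce dead code. init's body starts before and ends after this hunk. Separately, since init no longer calls `firewall.AllowAppleServices(false)` at startup, a daemon upgraded from the reverted build with the option enabled may keep the previously loaded `ivpn_firewall/apple_services` pf rules until the `ivpn_firewall` ruleset is reloaded without the `anchor apple_services all` reference; it is worth confirming that happens on the first firewall enable after the upgrade, or adding a one-time `pfctl -a ${ANCHOR_NAME}/apple_services -Fr` to disable_firewall.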
@@ -1082,14 +1079,13 @@ func (s *Service) KillSwitchState() (status types.KillSwitchStatus, err error) {
 
 enabled, isLanAllowed, _, err := firewall.GetState()
 return types.KillSwitchStatus{
- IsEnabled: enabled,
- IsPersistent: prefs.IsFwPersistant,
- IsAllowLAN: prefs.IsFwAllowLAN,
- IsAllowMulticast: prefs.IsFwAllowLANMulticast,
- IsAllowApiServers: prefs.IsFwAllowApiServers,
- IsAllowAppleServices: prefs.IsFwAllowAppleServices,
- UserExceptions: prefs.FwUserExceptions,
- StateLanAllowed: isLanAllowed,
+ IsEnabled: enabled,
+ IsPersistent: prefs.IsFwPersistant,
+ IsAllowLAN: prefs.IsFwAllowLAN,
+ IsAllowMulticast: prefs.IsFwAllowLANMulticast,
+ IsAllowApiServers: prefs.IsFwAllowApiServers,
+ UserExceptions: prefs.FwUserExceptions,
+ StateLanAllowed: isLanAllowed,
 }, err
 }
 
@@ -1167,18 +1163,6 @@ func (s *Service) SetKillSwitchAllowAPIServers(isAllowAPIServers bool) error {
 return nil
 }
 
-func (s *Service) SetKillSwitchAllowAppleServices(isAllowAppleServices bool) error {
- prefs := s._preferences
- prefs.IsFwAllowAppleServices = isAllowAppleServices
- s.setPreferences(prefs)
-
- err := firewall.AllowAppleServices(isAllowAppleServices)
- if err == nil {
- s.onKillSwitchStateChanged()
- }
- return err
-}
-
 // SetKillSwitchUserExceptions set ip/mask to be excluded from FW block
 // Parameters:
 // - exceptions - comma separated list of IP addresses in format: x.x.x.x[/xx]
diff --git a/daemon/service/types/types.go b/daemon/service/types/types.go
index bab06849..90c811aa 100644
--- a/daemon/service/types/types.go
+++ b/daemon/service/types/types.go
@@ -23,13 +23,12 @@
 package types
 
 type KillSwitchStatus struct {
- IsEnabled bool // FW state
- IsPersistent bool // configuration: true - when persistent
- IsAllowLAN bool // configuration: 'Allow LAN'
- IsAllowMulticast bool // configuration: 'Allow multicast'
- IsAllowApiServers bool // configuration: 'Allow API servers'
- IsAllowAppleServices bool // configuration: 'Bypass Apple services'
- UserExceptions string // configuration: Firewall exceptions: comma separated list of IP addresses (masks) in format: x.x.x.x[/xx]
+ IsEnabled bool // FW state
+ IsPersistent bool // configuration: true - when persistent
+ IsAllowLAN bool // configuration: 'Allow LAN'
+ IsAllowMulticast bool // configuration: 'Allow multicast'
+ IsAllowApiServers bool // configuration: 'Allow API servers'
+ UserExceptions string // configuration: Firewall exceptions: comma separated list of IP addresses (masks) in format: x.x.x.x[/xx]
 StateLanAllowed bool // real state of 'Allow LAN'
 }
 
diff --git a/ui/src/components/settings/settings-firewall.vue b/ui/src/components/settings/settings-firewall.vue
index d63b6268..f62a5e82 100644
--- a/ui/src/components/settings/settings-firewall.vue
+++ b/ui/src/components/settings/settings-firewall.vue
@@ -53,38 +53,6 @@ > - -
- - - - -
-

- Since macOS Sequoia (15.0), certain Apple apps (like Messages) may not function correctly - when the IVPN Firewall is enabled because Apple does not respect the system's default routing configuration. -

-

- Enabling this option allows traffic from Apple services to bypass the IVPN Firewall, - permitting specific Apple IP ranges through, and this traffic may be routed outside the VPN tunnel. -

-
- This is a temporary workaround until Apple resolves the issue. -
- Note! This option is applicable only for the WireGuard protocol. -
-
-
-
-
On-demand Firewall:
@@ -320,14 +288,6 @@ export default {
 await sender.KillSwitchSetAllowApiServers(value);
 },
 },
- firewallBypassAppleServices: {
- get() {
- return this.$store.state.vpnState.firewallState.IsAllowAppleServices;
- },
- async set(value) {
- await sender.KillSwitchSetAllowAppleServices(value);
- },
- },
 firewallAllowLan: {
 get() {
 return this.$store.state.vpnState.firewallState.IsAllowLAN;
diff --git a/ui/src/daemon-client/index.js b/ui/src/daemon-client/index.js
index 0d5d03c9..37ccc9e2 100644
--- a/ui/src/daemon-client/index.js
+++ b/ui/src/daemon-client/index.js
@@ -80,7 +80,6 @@ const daemonRequests = Object.freeze({
 KillSwitchGetStatus: "KillSwitchGetStatus",
 KillSwitchSetEnabled: "KillSwitchSetEnabled",
 KillSwitchSetAllowApiServers: "KillSwitchSetAllowApiServers",
- KillSwitchSetAllowAppleServices: "KillSwitchSetAllowAppleServices",
 KillSwitchSetAllowLANMulticast: "KillSwitchSetAllowLANMulticast",
 KillSwitchSetAllowLAN: "KillSwitchSetAllowLAN",
 KillSwitchSetIsPersistent: "KillSwitchSetIsPersistent",
@@ -1442,12 +1441,6 @@ async function KillSwitchSetAllowApiServers(IsAllowApiServers) {
 IsAllowApiServers,
 });
 }
-async function KillSwitchSetAllowAppleServices(IsAllowAppleServices) {
- await sendRecv({
- Command: daemonRequests.KillSwitchSetAllowAppleServices,
- IsAllowAppleServices,
- });
-}
 
 async function KillSwitchSetAllowLANMulticast(AllowLANMulticast) {
 await sendRecv({
@@ -1916,7 +1909,6 @@ export default {
 
 EnableFirewall,
 KillSwitchSetAllowApiServers,
- KillSwitchSetAllowAppleServices,
 KillSwitchSetAllowLANMulticast,
 KillSwitchSetAllowLAN,
 KillSwitchSetIsPersistent,
diff --git a/ui/src/ipc/main-listener.js b/ui/src/ipc/main-listener.js
index 97ee2a9e..d0e82689 100644
--- a/ui/src/ipc/main-listener.js
+++ b/ui/src/ipc/main-listener.js
@@ -117,12 +117,6 @@ ipcMain.handle(
 return await client.KillSwitchSetAllowApiServers(enable);
 }
 );
-ipcMain.handle(
- "renderer-request-KillSwitchSetAllowAppleServices",
- async (event, enable) => {
- return await client.KillSwitchSetAllowAppleServices(enable);
- }
-);
 ipcMain.handle(
 "renderer-request-KillSwitchSetAllowLANMulticast",
 async (event, enable) => {
diff --git a/ui/src/ipc/renderer-sender.js b/ui/src/ipc/renderer-sender.js
index 682806fe..bcaf084d 100644
--- a/ui/src/ipc/renderer-sender.js
+++ b/ui/src/ipc/renderer-sender.js
@@ -153,12 +153,6 @@ export default {
 isEnable
 );
 },
- KillSwitchSetAllowAppleServices: async (isEnable) => {
- return await invoke(
- "renderer-request-KillSwitchSetAllowAppleServices",
- isEnable
- );
- },
 KillSwitchSetAllowLANMulticast: async (isEnable) => {
 return await invoke(
 "renderer-request-KillSwitchSetAllowLANMulticast",
diff --git a/ui/src/store/module-vpn-state.js b/ui/src/store/module-vpn-state.js
index d9f04a14..6d3d5cc3 100644
--- a/ui/src/store/module-vpn-state.js
+++ b/ui/src/store/module-vpn-state.js
@@ -67,7 +67,6 @@ export default {
 IsAllowLAN: null,
 IsAllowMulticast: null,
 IsAllowApiServers: null,
- IsAllowAppleServices: null,
 UserExceptions: "",
 },
 