Apparently Patrick Wardle describes a security hole, which uses the NetworkExtension framework to make it as if his code is Apple code, and thus ignores the firewall rules. My guess is, that it'll get patched and that will be that.
If you think about it, blocking OS stuff makes less sense. You're already trusting the OS to a great degree.
(I can understand the need for most people to control the OS to a great degree, but personally I don't feel that need for macOS, which is my workhorse.)
You should be able to deny/allow connections for any app, including 1st party apps.
This isn’t only an issue of trust. There are apps made to meter your connection (e.g. when you’re using your phone as a Personal Hotspot), where you’d like to see how much bw your 1st party apps are using, and have the option to block them.
Yes, but you won't have much visibility into anything encrypted (HTTPS). Which is everything. You'll just see opaque traffic going to certain IP addresses and you also won't know what process on the computer caused it. Doing this in the OS is way nicer.
Personally, I fixed this by getting an unlimited mobile data subscription, which was only €20/month here in The Netherlands. But I understand that most people can't get that.
What does seem weird to me, is that they didn't implement a low data mode into macOS, like they do with iOS.
For me that begs the question as to why this mechanism exists in the first place, though. Maybe apple will patch this vulnerability but people will find a way to exploit it again.
I'm sure there are advantages to system processes avoiding the firewall (inept admins unable to block updates for example) but does that outweigh the downsides?
Apparently Patrick Wardle describes a security hole, which uses the NetworkExtension framework to make it as if his code is Apple code, and thus ignores the firewall rules. My guess is, that it'll get patched and that will be that.
If you think about it, blocking OS stuff makes less sense. You're already trusting the OS to a great degree.
(I can understand the need for most people to control the OS to a great degree, but personally I don't feel that need for macOS, which is my workhorse.)