OS Firewall Being Disabled

When the PIA client starts to connect, it completely shuts down the Mac OS firewall. Does anyone know if this is dangerous and if it exposes the machine to hackers, and if there are any ways to fix this?

Would turning the firewall back on again after PIA has connected be helpful?

Comments

  • edited June 2017 Posts: 7
    I don't think it matters too much as all the traffic from PIA is firewalled anyhow. I've never used firewall on OS X as it plays havoc with certain sites and apps I use.

    have a look at this article: http://www.makeuseof.com/tag/mac-really-need-firewall/

    I recommend an app such as Little Snitch or Hands Off for limiting what apps can send/receive traffic.

  • edited June 2017 Posts: 496
    That sounds like an OS issue, not PIA. The PIA app is nothing more than a GUI to configure OpenVPN. OVPN is the engine used to set up and connect the VPN. So, if, and this is a big if, anything is causing your FW to shut down, it will be OpenVPN or one of its parameters.
  • Posts: 601
    That sounds like an OS issue, not PIA. The PIA app is nothing more than a GUI to configure OpenVPN. OVPN is the engine used to set up and connect the VPN. So, if, and this is a big if, anything is causing your FW to shut down, it will be OpenVPN or one of its parameters.
    False. The PIA app does indeed disable the OSX firewall and has been doing so since at least ver. 63. PIA has never given a credible reason for why they disable the OSX firewall. I won't use the PIA app for this very reason, and many other reasons. Plainly put the PIA app is buggy and even dangerous.  I use Viscosity instead, but there are other OpenVPN app options too, such as Tunnelblick.

    OSXer is correct about using Little Snitch. I use it myself, along with the OSX firewall. I will never use an app by a company that thinks it prudent to disable my firewall without even telling me, and telling me why. Is there another app in the entire world that does that?
  • Posts: 496
    Have to disagree with you. If PIA has the ability to overwrite OSX then Apple is violating their own standard of their closed architecture. This is the main reason why people will jailbreak their phones, to gain control.

    You may believe that PIA has that power over OSX however, I do not.

    JMHO
  • edited July 2017 Posts: 601
    Believe what you want, Omnibus. Apparently you haven't been around here long enough to know the kind of insanity that PIA is capable of perpetrating in the name of "security," including crippling an inherently secure OS. And why are you implying that it's somehow Apple's fault that PIA is hacking their OS? Is it also Apple's fault that PIA disables OSX LAN? This too has been a huge issue since at least ver. 55.

    Do a little searching in the forums and you'll discover that dozens of OSX users have complained of the same problem, and it's been going on since ver. 54. Here's just one of many examples.

    PIA has never denied that they disable the OSX firewall. In fact they've admitted it. Their so-called Support has been confronted about it many times in the past two years and have yet to fix it. As I've said elsewhere, PIA is a marketing company, and they're very good at marketing. They are not a technically savvy or competent networking business.
  • Posts: 301
    When the PIA client starts to connect, it completely shuts down the Mac OS firewall. Does anyone know if this is dangerous and if it exposes the machine to hackers, and if there are any ways to fix this?

    Would turning the firewall back on again after PIA has connected be helpful?
     https://helpdesk.privateinternetaccess.com/hc/en-us/articles/115000442028-Why-Does-The-VPN-Disable-The-Firewall-
  • Posts: 496
    Then I stand corrected. :)
  • edited July 2017 Posts: 601

    Why Does The VPN Disable The Firewall?


    "PIA disables the firewall because it implements its own one and blocks any traffic that's not to or from the VPN server."

    Now there's a brilliant answer! Spoken like a true PIA Tech Support prevaricator, umm, I mean genius.

    Sorry PIA. The correct answer is: "We're a bunch of freaking morons who don't know how to write code that's compatible with OSX. So we'll just hack the OS to disable the firewall. And then we'll pawn that off as 'security'."

    Can anyone show me even just one other vpn service in the entire world that does this? No? Didn't think so.

    Like I say, use the PIA app at your own peril. If they actually think disabling the OSX firewall is a good idea then how can we have any confidence that their app doesn't have other major flaws in it too?
  • edited July 2017 Posts: 301
    tomeworm said:

    Why Does The VPN Disable The Firewall?


    "PIA disables the firewall because it implements its own one and blocks any traffic that's not to or from the VPN server."

    Now there's a brilliant answer! Spoken like a true PIA Tech Support prevaricator, umm, I mean genius.

    Sorry PIA. The correct answer is: "We're a bunch of freaking morons who don't know how to write code that's compatible with OSX. So we'll just hack the OS to disable the firewall. And then we'll pawn that off as 'security'."

    Can anyone show me even just one other vpn service in the entire world that does this? No? Didn't think so.

    Like I say, use the PIA app at your own peril. If they actually think disabling the OSX firewall is a good idea then how can we have any confidence that their app doesn't have other major flaws in it too?
    I gave you an answer to the question stated above; whether you believe it or not is not my problem.

    Have a great day.

    ~ Private Internet Access VPN Customer.
  • Posts: 601
    Hey OpenVPN, no reason to take my reply personally. It wasn't directed at you. It was directed at PIA tech support.
  • Posts: 301
    tomeworm said:
    Hey OpenVPN, no reason to take my reply personally. It wasn't directed at you. It was directed at PIA tech support.
    Oh I know but there's also absolutely no reason to insult them either because they're human beings and they do their very best to provide the most secure and private Internet experience. I just think you should cut them a break.
  • edited July 2017 Posts: 601
    OpenVPN said:
    Oh I know but there's also absolutely no reason to insult them either because they're human beings and they do their very best to provide the most secure and private Internet experience. I just think you should cut them a break.
    There are dozens of reasons to insult them, all of which are well deserved.

    And just how long should I cut them some slack for? 1 year? 2 years? 3 years? Seriously. Just how long should we have to wait before they fix the messes they've created? The reality is I cut them slack month after month after month. They release one new "update" after another only to have the same exact bugs and defects, and they even introduce new bugs and defects with new "updates." A lot of us were more than patient and cut them all kinds of slack. Where did that get us?

    You may think me rude and demanding. But believe it or not I've been more than patient.

    PIA spends a fortune on marketing/hype. If they took just 10% of their marketing budget and spent it on R&D, and hiring competent tech support people, instead of marketing hype, they wouldn't have so many angry customers.
  • Posts: 301
    tomeworm said:
    OpenVPN said:
    Oh I know but there's also absolutely no reason to insult them either because they're human beings and they do their very best to provide the most secure and private Internet experience. I just think you should cut them a break.
    There are dozens of reasons to insult them, all of which are well deserved.

    And just how long should I cut them some slack for? 1 year? 2 years? 3 years? Seriously. Just how long should we have to wait before they fix the messes they've created? The reality is I cut them slack month after month after month. They release one new "update" after another only to have the same exact bugs and defects, and they even introduce new bugs and defects with new "updates." A lot of us were more than patient and cut them all kinds of slack. Where did that get us?

    You may think me rude and demanding. But believe it or not I've been more than patient.

    PIA spends a fortune on marketing/hype. If they took just 10% of their marketing budget and spent it on R&D instead they wouldn't have so many angry customers.
    Why are you so upset by the firewall being disabled? How exactly does this affect user experience for computer performance?
  • Posts: 601
    OpenVPN said:
    Why are you so upset by the firewall being disabled? How exactly does this affect user experience for computer performance?
    Do you enable the firewall on your router? If so do you know why? How exactly does this affect user experience for computer performance? If PIA could figure out a way of having their app disable the firewall on your router would you be okay with that?
  • Posts: 301
    tomeworm said:
    OpenVPN said:
    Why are you so upset by the firewall being disabled? How exactly does this affect user experience for computer performance?
    Do you enable the firewall on your router? If so do you know why? How exactly does this affect user experience for computer performance? If PIA could figure out a way of having their app disable the firewall on your router would you be okay with that?
    Yes, I do have a firewall enabled on my router. I have never enabled firewalls which are built into the operating system. This thread is specifically referring to the firewall that is built into Mac OS being disabled when the application is running. I have no problems.
  • Posts: 601
    So you're okay with PIA hacking your OS? I don't know of a single security expert who would be okay with any of this. It raises too many red flags. But if it doesn't bother you then don't let me deter you. If they take down your firewall what else are they doing to your OS without your knowledge? How exactly have you determined that you "have no problems"? The reality is you can't be sure.

    What we can be sure of is that PIA made a technical decision to shut off the OSX firewall not because it complies with Apple best practices (doing so accomplishes just the opposite) or because it's a good security measure (just the opposite!). They did so only because they're too technically incompetent to write an app that functions within the framework of OSX. No other vpn app in the world does this, only PIA.

    There are honest vpn providers who, rather than cobbling together shabby OSX apps acknowledge they lack the programming expertise to do the job right and recommend their customers use a third party OpenVPN app like Viscosity or Tunnelblick. PIA should either do that or hire a competent programmer and finish the job properly.


  • edited July 2017 Posts: 301
    tomeworm said:
    So you're okay with PIA hacking your OS? I don't know of a single security expert who would be okay with any of this. It raises too many red flags. But if it doesn't bother you then don't let me deter you. If they take down your firewall what else are they doing to your OS without your knowledge? How exactly have you determined that you "have no problems"? The reality is you can't be sure.

    What we can be sure of is that PIA made a technical decision to shut off the OSX firewall not because it complies with Apple best practices (doing so accomplishes just the opposite) or because it's a good security measure (just the opposite!). They did so only because they're too technically incompetent to write an app that functions within the framework of OSX. No other vpn app in the world does this, only PIA.

    There are honest vpn providers who, rather than cobbling together shabby OSX apps acknowledge they lack the programming expertise to do the job right and recommend their customers use a third party OpenVPN app like Viscosity or Tunnelblick. PIA should either do that or hire a competent programmer and finish the job properly.


    PIA VPN doesn't hack your operating system or compromise the security of your computer or mobile device. It simply establishes a secure connection from your Device to one of their servers (which you pay them to access.) When establishing this secure connection PIA establishes its own firewall in order to prevent various leaks. If they were hacking our Devices Apple would never allow them to make their application available for download on the iOS app store. Apple only allows companies and vendors who are strictly vetted by them to have their applications on the iOS app store. If you dislike this service so much why are you still paying for access to their network? Please explain that to me. When you install the application you gave the application permission to control your network settings which is how they're able to change your DNS resolution and shut off your IPv6 Signal. If you don't like it cancel your subscription and switch to another provider, it's that simple.
  • Posts: 601
    OpenVPN said:
    PIA VPN doesn't hack your operating system or compromise the security of your computer or mobile device. It simply establishes a secure connection from your Device to one of their servers (which you pay them to access.) When establishing this secure connection PIA establishes its own firewall in order to prevent various leaks. If they were hacking our Devices Apple would never allow them to make their application available for download on the iOS app store. Apple only allows companies and vendors who are strictly vetted by them to have their applications on the iOS app store. If you dislike this service so much why are you still paying for access to their network? Please explain that to me. When you install the application you gave the application permission to control your network settings which is how they're able to change your DNS resolution and shut off your IPv6 Signal. If you don't like it cancel your subscription and switch to another provider, it's that simple.
    You're implying that Apple has somehow given an official stamp of approval to PIA's OSX app because its iOS app is on the Apple iOS store? Now you're just being dishonest by loading up the discussion with logical fallacies. Thanks but no thanks -- I won't engage in a debate with a prevaricator.

    You are free to bow down and worship PIA and think they're the greatest thing since sliced bread (falls jelly-side up every time) and I am free to be critical of their OSX app (which I haven't used in almost two years), and their pathetic support which grows worse by the day. It's one of the wonderful things about free speech and a free market economy. We get to patronize who we want while also being critical of their failures and shortcomings.
  • Posts: 301
    tomeworm said:
    OpenVPN said:
    PIA VPN doesn't hack your operating system or compromise the security of your computer or mobile device. It simply establishes a secure connection from your Device to one of their servers (which you pay them to access.) When establishing this secure connection PIA establishes its own firewall in order to prevent various leaks. If they were hacking our Devices Apple would never allow them to make their application available for download on the iOS app store. Apple only allows companies and vendors who are strictly vetted by them to have their applications on the iOS app store. If you dislike this service so much why are you still paying for access to their network? Please explain that to me. When you install the application you gave the application permission to control your network settings which is how they're able to change your DNS resolution and shut off your IPv6 Signal. If you don't like it cancel your subscription and switch to another provider, it's that simple.
    You're implying that Apple has somehow given an official stamp of approval to PIA's OSX app because its iOS app is on the Apple iOS store? Now you're just being dishonest by loading up the discussion with logical fallacies. Thanks but no thanks -- I won't engage in a debate with a prevaricator.

    You are free to bow down and worship PIA and think they're the greatest thing since sliced bread (falls jelly-side up every time) and I am free to be critical of their OSX app (which I haven't used in almost two years), and their pathetic support which grows worse by the day. It's one of the wonderful things about free speech and a free market economy. We get to patronize who we want while also being critical of their failures and shortcomings.
    You can believe whatever you want, I don't care. I don't think I could say anything that could convince you otherwise.
  • Posts: 601
    OpenVPN said:
    You can believe whatever you want, I don't care. I don't think I could say anything that could convince you otherwise.
    You could start by being honest. That would help your credibility, thereby making you more believable.
  • Posts: 301
    tomeworm said:
    OpenVPN said:
    You can believe whatever you want, I don't care. I don't think I could say anything that could convince you otherwise.
    You could start by being honest. That would help your credibility, thereby making you more believable.
    For all we know you could be a PIA competitor.
  • Posts: 496
    OpenVPN's credibility is sound.
  • Posts: 301
    OpenVPN's credibility is sound.
    Thank you.
  • The setting that disables the firewall is… "Request port forwarding - ON". I turned this option OFF and my firewall was not turned off when I connected to PIA VPN.
  • Posts: 601
    jprokos said:
    The setting that disables the firewall is… "Request port forwarding - ON". I turned this option OFF and my firewall was not turned off when I connected to PIA VPN.
    Interesting discovery @jprokos. But it's not consistent with what I'm seeing. I have several versions of the PIA app, including the current ver. 75, and they all disable the OSX firewall every time I use the PIA app to make a connection, regardless of the "Request port forwarding" setting (at least ever since PIA started doing that). This is just one of multiple reasons why I rarely ever use the PIA app and use Viscosity instead.

    What PIA app version are you running? What OSX version?

    The questions for PIA remain:
    Why, PIA, do you insist on disabling the OSX firewall entirely when your app is open and a connection is initiated?
    Are the technical abilities of your software engineers insufficient to write an app that follows Apple best practices like technically proficient developers do?
    What other hacks are you doing to the Mac OS without our knowledge or permission?
  • tomeworm said:

    There are dozens of reasons to insult them, all of which are well deserved.

    And just how long should I cut them some slack for? 1 year? 2 years? 3 years? Seriously. Just how long should we have to wait before they fix the messes they've created? The reality is I cut them slack month after month after month. They release one new "update" after another only to have the same exact bugs and defects, and they even introduce new bugs and defects with new "updates." A lot of us were more than patient and cut them all kinds of slack. Where did that get us?

    You may think me rude and demanding. But believe it or not I've been more than patient.

    PIA spends a fortune on marketing/hype. If they took just 10% of their marketing budget and spent it on R&D, and hiring competent tech support people, instead of marketing hype, they wouldn't have so many angry customers.
    And this is your last warning. Whatever your opinion, our staff do not come to work to be insulted. Ever. They do not deserve that.

    Just for the record, we have lots of extremely competent tech support people, I personally hired every single one of them.... and my background is ~20 years of networking including working for the Army creating and maintaining secure and encrypted communication networks.

    If you continue to subject any PIA staff (or other users) to insults, you will be banned. Like I said, this is your last warning.

    Regards

    Jayson Q.
    Head of Customer Support
  • edited November 2017 Posts: 601
    PIAJayson said:
    tomeworm said:

    There are dozens of reasons to insult them, all of which are well deserved.

    And just how long should I cut them some slack for? 1 year? 2 years? 3 years? Seriously. Just how long should we have to wait before they fix the messes they've created? The reality is I cut them slack month after month after month. They release one new "update" after another only to have the same exact bugs and defects, and they even introduce new bugs and defects with new "updates." A lot of us were more than patient and cut them all kinds of slack. Where did that get us?

    You may think me rude and demanding. But believe it or not I've been more than patient.

    PIA spends a fortune on marketing/hype. If they took just 10% of their marketing budget and spent it on R&D, and hiring competent tech support people, instead of marketing hype, they wouldn't have so many angry customers.
    And this is your last warning. Whatever your opinion, our staff do not come to work to be insulted. Ever. They do not deserve that.

    Just for the record, we have lots of extremely competent tech support people, I personally hired every single one of them.... and my background is ~20 years of networking including working for the Army creating and maintaining secure and encrypted communication networks.

    If you continue to subject any PIA staff (or other users) to insults, you will be banned. Like I said, this is your last warning.

    Regards

    Jayson Q.
    Head of Customer Support
    You're waiting 3 months to respond to this comment? And you do so only by threatening me?

    I too have a military network design background, Jayson, including going all the way back to X25 packet switching and Arpanet days. But let's please refrain from flashing our curriculum vitaes about, shall we? It's irrelevant to the subject matter at hand.

    If my questions and concerns, as expressed in these forums over many months, weren't so consistently ignored by your staff (and worse yet some threads have been closed entirely to silence the concerns of myself and other customers), and if I weren't so consistently shouted down by PIA fanboys, I dare say my demeanor here would be far more cordial. Like I say I've been more than patient. Rather than threatening a paying customer you should put forth some effort in determining why I'm so displeased.
  • Posts: 533
    So back on topic, we've discussed this internally and were able to get a proper answer from our CTO: the reason we disable the app firewall is to prevent any possible leaks outside of the VPN while connected.

    So why do we have to disable it then? That's a bit of a trickier question, but it essentially boils down to the fact that the way the app firewall works, or more specifically the way it manages the pf rules in the kernel is undocumented. That in turn means we can either take a guess of how the app firewall manages the rules and put ours in a way that will still work and take the risk of it breaking at any future update Apple does, or not take the chance and disable it for the duration of the VPN session so we have exclusive control on the firewall. We picked the latter.

    In general, relying on undocumented behavior is a huge risk because it being undocumented means that it is subject to change at any time as they have no obligation to not break apps relying on it. For all we know, the firewall could suddenly decide to flush all the rules and reinsert them if they decide it's easier than figuring out what to remove and what to add, or worse if our additional rules confuse it and it decides to do the safe thing of just resetting it entirely from scratch. So while it is worrying for some users to see the app firewall getting disabled, it's still a better option for PIA to disable it so that we can have the peace of mind that PIA cannot leak anything on Mac.

    For those to whom that's an issue, then we suggest using the alternatives like Tunnelblick and Viscosity which offer many more advanced options for those users anyway.
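
The following is an added example, not part of the thread and not PIA's code: a shell script for checking, before and after a VPN connection, whether the macOS application firewall and pf are on, which is the state the post above describes the client changing. The output formats it parses from `socketfilterfw --getglobalstate` and `pfctl -s info` are assumptions to verify on your macOS version, and the sample strings are constructed.

```shell
#!/bin/sh
# Added example: report macOS firewall posture around a VPN connection.
# Assumed output formats (verify on your macOS version):
#   socketfilterfw --getglobalstate -> "Firewall is enabled. (State = 1)"
#   pfctl -s info                   -> a line "Status: Enabled ..." or "Status: Disabled ..."

ALF_BIN=/usr/libexec/ApplicationFirewall/socketfilterfw

# Map the application firewall tool's output to on/off/unknown.
alf_state() {
    case "$1" in
        *"Firewall is disabled"*) echo off ;;
        *"Firewall is enabled"*)  echo on ;;
        *)                        echo unknown ;;
    esac
}

# Map the "Status:" line of `pfctl -s info` to on/off/unknown.
pf_state() {
    status=$(printf '%s\n' "$1" | awk '$1 == "Status:" {print $2; exit}')
    case "$status" in
        Enabled)  echo on ;;
        Disabled) echo off ;;
        *)        echo unknown ;;
    esac
}

# posture ALF PF: combine both states into one verdict.
#   alf-active : application firewall is on
#   pf-only    : application firewall off, pf on (the situation the post describes)
#   unfiltered : neither layer is on
posture() {
    case "$1/$2" in
        unknown/*|*/unknown) echo unknown ;;
        on/*)    echo alf-active ;;
        off/on)  echo pf-only ;;
        off/off) echo unfiltered ;;
    esac
}

# transition BEFORE AFTER: did the application firewall change across the connect?
transition() {
    case "$1/$2" in
        on/off)    echo turned-off ;;
        off/on)    echo turned-on ;;
        *unknown*) echo unknown ;;
        *)         echo unchanged ;;
    esac
}

# Live snapshot on a Mac; pfctl needs root, otherwise pf reads as unknown.
snapshot() {
    a=$("$ALF_BIN" --getglobalstate 2>/dev/null || true)
    p=$(pfctl -s info 2>/dev/null || true)
    echo "$(alf_state "$a") $(pf_state "$p")"
}

if [ -x "$ALF_BIN" ]; then
    # Run once before connecting and once after, then compare the two lines.
    echo "live (app-firewall pf): $(snapshot)"
else
    # Constructed sample output, used when not running on macOS.
    before_alf='Firewall is enabled. (State = 1)'
    after_alf='Firewall is disabled. (State = 0)'
    after_pf='Status: Enabled for 0 days 00:03:12           Debug: Urgent'
    echo "app firewall: $(transition "$(alf_state "$before_alf")" "$(alf_state "$after_alf")")"
    echo "posture after connect: $(posture "$(alf_state "$after_alf")" "$(pf_state "$after_pf")")"
fi
```

A `pf-only` result means inbound filtering depends entirely on whatever pf rules are loaded at that moment; `pfctl -s rules` lists them.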
  • edited November 2017 Posts: 533
    @tomeworm
    (and worse yet some threads have been closed entirely to silence the concerns of myself and other customers)
    No, I have never (and never will) close threads to silence concerns or anything. I'm more than happy to let people discuss PIA's flaws: we're not perfect, nobody is, and every opinion is valuable even if it's negative.

    The reason I have closed the other threads a while ago was neither because of you, nor because I wanted to silence anything. I closed them down because it had turned into a mess of insults and the vote to close those was unanimous within the team. And so was the vote to ban jbis.

    We have issues, there's no denial of that. We're well aware of most of them. That's no excuse to continuously shit on the developer's heads (and I'm saying that as someone that has pissed off the developers a few times). Why do you even bother staying here if you use such a better competitor anyway?

    In general we're tired of the constant negativity and hostility on the forums because it's reached a point where it just makes new people run away or not even bother. This is the reason why I have closed threads, and that's also that same reason that prompted Jayson to give you your final warning earlier. We want the forums to become a friendly place again where people feel welcomed.

    I don't have anything against you or anyone here, so can we just keep it friendly m'kay?
  • Max-P: thank you for giving the reasoning for the OS X firewall disable. I can see why a customer using OS X and PIA together may want to trust PIA with its privacy more than OS X's firewall, and for them, it's the right choice. For others, not using it is sufficient. I would recommend PIA have a notice for OS X users too to let them know this is normal behavior so there are no surprises (surprises = more tech support load too!)

    Thanks for the transparency and I hope knowing the explanation and that there are other options for VPN providers is sufficient for everyone.