OS Firewall Being Disabled
When the PIA client starts to connect, it completely shuts down the Mac OS firewall. Does anyone know if this is dangerous and if it exposes the machine to hackers, and if there are any ways to fix this?
Would turning the firewall back on again after PIA has connected be helpful?
Comments
Have a look at this article: http://www.makeuseof.com/tag/mac-really-need-firewall/
I recommend an app such as Little Snitch or Hands Off for limiting what apps can send/receive traffic.
OSXer is correct about using Little Snitch. I use it myself, along with the OSX firewall. I will never use an app by a company that thinks it prudent to disable my firewall without even telling me, and telling me why. Is there another app in the entire world that does that?
You may believe that PIA has that power over OSX; however, I do not.
JMHO
Do a little searching in the forums and you'll discover that dozens of OSX users have complained of the same problem, and it's been going on since ver. 54. Here's just one of many examples.
PIA has never denied that they disable the OSX firewall. In fact they've admitted it. Their so-called Support has been confronted about it many times in the past two years and has yet to fix it. As I've said elsewhere, PIA is a marketing company, and they're very good at marketing. They are not a technically savvy or competent networking business.
Why Does The VPN Disable The Firewall?
"PIA disables the firewall because it implements its own one and blocks any traffic that's not to or from the VPN server."
Now there's a brilliant answer! Spoken like a true PIA Tech Support prevaricator, umm, I mean genius.
Sorry PIA. The correct answer is: "We're a bunch of freaking morons who don't know how to write code that's compatible with OSX. So we'll just hack the OS to disable the firewall. And then we'll pawn that off as 'security'."
Can anyone show me even just one other vpn service in the entire world that does this? No? Didn't think so.
Like I say, use the PIA app at your own peril. If they actually think disabling the OSX firewall is a good idea then how can we have any confidence that their app doesn't have other major flaws in it too?
Have a great day.
~ Private Internet Access VPN Customer.
And just how long should I cut them some slack for? 1 year? 2 years? 3 years? Seriously. Just how long should we have to wait before they fix the messes they've created? The reality is I cut them slack month after month after month. They release one new "update" after another only to have the same exact bugs and defects, and they even introduce new bugs and defects with new "updates." A lot of us were more than patient and cut them all kinds of slack. Where did that get us?
You may think me rude and demanding. But believe it or not I've been more than patient.
PIA spends a fortune on marketing/hype. If they took just 10% of their marketing budget and spent it on R&D, and hiring competent tech support people, instead of marketing hype, they wouldn't have so many angry customers.
What we can be sure of is that PIA made a technical decision to shut off the OSX firewall not because it complies with Apple best practices (doing so accomplishes just the opposite) or because it's a good security measure (just the opposite!). They did so only because they're too technically incompetent to write an app that functions within the framework of OSX. No other vpn app in the world does this, only PIA.
There are honest vpn providers who, rather than cobbling together shabby OSX apps, acknowledge they lack the programming expertise to do the job right and recommend their customers use a third party OpenVPN app like Viscosity or Tunnelblick. PIA should either do that or hire a competent programmer and finish the job properly.
You are free to bow down and worship PIA and think they're the greatest thing since sliced bread (falls jelly-side up every time) and I am free to be critical of their OSX app (which I haven't used in almost two years), and their pathetic support which grows worse by the day. It's one of the wonderful things about free speech and a free market economy. We get to patronize who we want while also being critical of their failures and shortcomings.
What PIA app version are you running? What OSX version?
The questions for PIA remain:
Why, PIA, do you insist on disabling the OSX firewall entirely when your app is open and a connection is initiated?
Are the technical abilities of your software engineers insufficient to write an app that follows Apple best practices like technically proficient developers do?
What other hacks are you doing to the Mac OS without our knowledge or permission?
Just for the record, we have lots of extremely competent tech support people, I personally hired every single one of them.... and my background is ~20 years of networking including working for the Army creating and maintaining secure and encrypted communication networks.
If you continue to subject any PIA staff (or other users) to insults, you will be banned. Like I said, this is your last warning.
Regards
Jayson Q.
Head of Customer Support
I too have a military network design background, Jayson, including going all the way back to X25 packet switching and Arpanet days. But let's please refrain from flashing our curriculum vitaes about, shall we? It's irrelevant to the subject matter at hand.
If my questions and concerns, as expressed in these forums over many months, weren't so consistently ignored by your staff (and worse yet some threads have been closed entirely to silence the concerns of myself and other customers), and if I weren't so consistently shouted down by PIA fanboys, I dare say my demeanor here would be far more cordial. Like I say I've been more than patient. Rather than threatening a paying customer you should put forth some effort in determining why I'm so displeased.
So why do we have to disable it then? That's a bit of a trickier question, but it essentially boils down to the fact that the way the app firewall works, or more specifically the way it manages the pf rules in the kernel is undocumented. That in turn means we can either take a guess of how the app firewall manages the rules and put ours in a way that will still work and take the risk of it breaking at any future update Apple does, or not take the chance and disable it for the duration of the VPN session so we have exclusive control on the firewall. We picked the latter.
In general, relying on undocumented behavior is a huge risk because it being undocumented means that it is subject to change at any time as they have no obligation to not break apps relying on it. For all we know, the firewall could suddenly decide to flush all the rules and reinsert them if they decide it's easier than figuring out what to remove and what to add, or worse if our additional rules confuse it and it decides to do the safe thing of just resetting it entirely from scratch. So while it is worrying for some users to see the app firewall getting disabled, it's still a better option for PIA to disable it so that we can have the peace of mind that PIA cannot leak anything on Mac.
For those to whom that's an issue, then we suggest using the alternatives like Tunnelblick and Viscosity which offer many more advanced options for those users anyway.
The reason I have closed the other threads a while ago was neither because of you, nor because I wanted to silence anything. I closed them down because it had turned into a mess of insults and the vote to close those was unanimous within the team. And so was the vote to ban jbis.
We have issues, there's no denial of that. We're well aware of most of them. That's no excuse to continuously shit on the developers' heads (and I'm saying that as someone that has pissed off the developers a few times). Why do you even bother staying here if you use such a better competitor anyway?
In general we're tired of the constant negativity and hostility on the forums because it's reached a point where it just makes new people run away or not even bother. This is the reason why I have closed threads, and that's also that same reason that prompted Jayson to give you your final warning earlier. We want the forums to become a friendly place again where people feel welcomed.
I don't have anything against you or anyone here, so can we just keep it friendly m'kay?
Thanks for the transparency and I hope knowing the explanation and that there are other options for VPN providers is sufficient for everyone.
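
The thread turns on which filtering layer is actually active while the VPN is connected: the macOS application firewall, the pf packet filter, both, or neither. The script below is an added example, not code from any poster or from PIA. It classifies the output of `socketfilterfw --getglobalstate` and `pfctl -s info`; the sample lines are constructed, and the output formats matched are assumptions based on what those tools commonly print.

```shell
#!/bin/sh
# Added example: report which macOS filtering layers are on during a VPN session.
# Sample tool output below is constructed for illustration.
ALF_SAMPLE='Firewall is disabled. (State = 0)'
PF_SAMPLE='Status: Enabled for 0 days 00:12:41           Debug: Urgent'

# Parse `socketfilterfw --getglobalstate` text (assumed format).
alf_state() {
    case "$1" in
        *"State = 0"*)          echo disabled ;;
        *"Firewall is enabled"*) echo enabled ;;
        *)                      echo unknown ;;
    esac
}

# Parse the "Status:" line of `pfctl -s info` text (assumed format).
pf_state() {
    status=$(printf '%s\n' "$1" | awk '/^Status:/ {print tolower($2); exit}')
    case "$status" in
        enabled|disabled) echo "$status" ;;
        *)                echo unknown ;;
    esac
}

# Combine both layers: $1 = application firewall state, $2 = pf state.
verdict() {
    case "$1/$2" in
        enabled/*)         echo "app firewall on" ;;
        disabled/enabled)  echo "app firewall off, pf filtering on" ;;
        disabled/disabled) echo "no app or packet filtering" ;;
        *)                 echo "undetermined" ;;
    esac
}

# Live check on a Mac; pfctl needs root, so run the script with sudo.
check_live() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    [ -x "$fw" ] || { echo "socketfilterfw not found, skipping live check"; return 0; }
    verdict "$(alf_state "$("$fw" --getglobalstate)")" \
            "$(pf_state "$(pfctl -s info 2>/dev/null)")"
}

# Default: classify the constructed samples; pass "live" to query the system.
if [ "${1:-}" = live ]; then
    check_live
else
    verdict "$(alf_state "$ALF_SAMPLE")" "$(pf_state "$PF_SAMPLE")"
fi
```

Running it once before connecting and once after shows whether the application firewall state changed and whether pf is enabled in its place.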