Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

dimme

macrumors 68040
Original poster
Feb 14, 2007
3,217
31,174
SF, CA
I have a M1 Mac mini that I use to back up several Macs. I log in via ssh. Since I upgraded to Sequoia I can not ssh into the mini if the firewall in on. I made sure the firewall rule allows ssh-keygen-wrapper. If I turn off the firewall ssh works fine. What am I missing.
 

mloiterman

macrumors newbie
Aug 2, 2008
21
8
I'm having firewall issues with SSH as well, but my problem isn't quite the same:



From my Mac, I ssh into a local server running in my LAN. After a few minutes I get this error:

Bad packet length 2489765067. ssh_dispatch_run_fatal: Connection to 192.168.30.2 port 22: Connection corrupted

I can trigger it by ssh'ing into pretty much any server or computer on my network and then executing a command like:

ping google.com

within 10 - 30 seconds, the connection drops with the error above.

Happens with IPv4 and IPv6. Happens with Terminal and iTerm apps.

Disabling the firewall fixes the issue.
 

MrSimmo

macrumors member
Oct 17, 2014
57
31
I'm getting exactly the same - outbound from my MBA M1 Sequoia -> Ubuntu and every few minutes it bombs out with

ssh_dispatch_run_fatal: Connection to 192.168.5.20 port 22: Connection corrupted
 
  • Like
Reactions: v1zenith

quisguous

macrumors newbie
Jun 9, 2009
29
2
Same issue. MBA M2 + Sequoia. SSH is unreliable--after a minute or two the connection drops. Can't git clone repos. Disabling the firewall eliminates the issue.
 
  • Like
Reactions: v1zenith

mfram

Contributor
Jan 23, 2010
1,345
386
San Diego, CA USA
Hmmm, I'm not seeing this issue. I'm using the SecureCRT app to SSH out to my home server. The firewall is enabled on my MBP. I'm not having any drops or other weirdness.
 

MrSimmo

macrumors member
Oct 17, 2014
57
31
To add to this, I spun up a Samba server on the Ubuntu server in question to see if it was purely SSH or whether the issue is affecting other procotols and I'm seeing transfers hang on that as well.
 

tomekwsrod

macrumors regular
Apr 16, 2018
123
120
Firewall is bugged since the previous version of macOS as well. If you switch it off it may still be running. They if you switch it on, just maybe you will disable it. There is no way to predict it sometimes.
 

dimme

macrumors 68040
Original poster
Feb 14, 2007
3,217
31,174
SF, CA
I would like to clear the firewall setting and start fresh, but the info on line I have found is outdated and reference a file that I don't have. Does anyone know where the firewall setting are stored in Sequoia?
 

interstella

macrumors 6502
Sep 29, 2013
303
187
Suffolk, England
There's another thread about firewall problems on here somewhere. It looks like it's a bit of a mess. I can't get apps to communicate with each other via UDP ports unless I disable the firewall.
 

v1zenith

macrumors newbie
Sep 22, 2024
1
0
Bad packet length 2678558786.


ssh_dispatch_run_fatal: Connection to 192.168.1.9 port 22: Connection corrupted
Yeah i have the same problem when connecting to my ubuntu server via ssh.
 

turbo79

macrumors member
May 24, 2006
52
38
I'm having the same issue on Sequoia.

Bad packet length 2336425768
ssh_dispatch_run_fatal: Connection to ... port 22: Connection corrupted
 

MrSimmo

macrumors member
Oct 17, 2014
57
31
I saw an article the other day where Microsoft and Crowdstrike are advising customers of the same thing so hopefully its got enough media attention for Apple to fix it in the next update.
 

gilby101

macrumors 68030
Mar 17, 2010
2,865
1,594
Tasmania
The Firewall may be part of the trouble, but at least some of the disconnections above are likely due to macOS changing the MAC address of the Wi-Fi interface. By default Sequoia "rotates" the Wi-Fi MAC (media access control) address at frequent intervals.

This is set in System Settings > Wi-Fi > Details... > Private Wi-Fi address. This can be:
Off - it will use the MAC address in the Wi-Fi hardware,
Fixed - it will use a pseudo-random MAC address but keep it the same for that network,
Rotating - it will change frequently.

The trouble with rotating is that a change of MAC address will mess with a) DHCP and IP address and b) the ARP cache on connected devices.

Make sure it is set to Off or Fixed. You will now get a little Privacy Warning triangle - ignore it. The "Learn more..." link doesn't mention the "Private Wi-Fi address" setting.

Apple has not fully thought through the implications of "rotating".
 

warpmoon

macrumors newbie
Jun 7, 2009
14
0
The Firewall may be part of the trouble, but at least some of the disconnections above are likely due to macOS changing the MAC address of the Wi-Fi interface. By default Sequoia "rotates" the Wi-Fi MAC (media access control) address at frequent intervals.

This is set in System Settings > Wi-Fi > Details... > Private Wi-Fi address. This can be:
Off - it will use the MAC address in the Wi-Fi hardware,
Fixed - it will use a pseudo-random MAC address but keep it the same for that network,
Rotating - it will change frequently.

The trouble with rotating is that a change of MAC address will mess with a) DHCP and IP address and b) the ARP cache on connected devices.

Make sure it is set to Off or Fixed. You will now get a little Privacy Warning triangle - ignore it. The "Learn more..." link doesn't mention the "Private Wi-Fi address" setting.

Apple has not fully thought through the implications of "rotating".
Are you certain it rotates MAC address for an active connection as opposed to just randomising it when connecting?
 

mac_hack_attack

macrumors member
Oct 20, 2021
42
46
Are you certain it rotates MAC address for an active connection as opposed to just randomising it when connecting?
MAC addresses are not a per connection property.

It's the hardware address for the interface and, in simple scenarios, a one-to-one pairing with an IP address(any IP address must resolve to exactly one and only one MAC address - though multiple IPs can resolve to same MAC).

When a MAC address changes, it changes for all connections on that interface. All other systems will update their ARP IP->MAC mapping. How this will affect active connections(on various OSs including routers with custom network drivers + hardware accel off-loading) is hard to predict as it's not considered "normal" for IP->MAC mapping to change on a regular basis.
 

gilby101

macrumors 68030
Mar 17, 2010
2,865
1,594
Tasmania
Are you certain it rotates MAC address for an active connection as opposed to just randomising it when connecting?
A bit of experimentation shows that it is not changed frequently - even following reboots. So I now think it is not likely to be big issue.
When a MAC address changes, it changes for all connections on that interface. All other systems will update their ARP IP->MAC mapping. How this will affect active connections(on various OSs including routers with custom network drivers + hardware accel off-loading) is hard to predict as it's not considered "normal" for IP->MAC mapping to change on a regular basis.
This is what worries me.
 

Buadhai

macrumors 65816
Jan 15, 2018
1,111
432
Korat, Thailand
Not to be too repetitive, but I have an M2 MBA and an Intel iMac (2019). I've always been able to log on to one from the other using public key authentication. Obviously, remote login is enabled on both. Not so obviously, the firewall is disabled on both.

I can no longer ssh into either machine from the other Mac. This is what a verbose login looks like:

Code:
Fifteen:~ mnewman$ ssh -vv sellotape
OpenSSH_9.8p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/mnewman/.ssh/config
debug1: /Users/mnewman/.ssh/config line 3: Applying options for *
debug1: /Users/mnewman/.ssh/config line 37: Applying options for sellotape
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to sellotape port 22.

I can log on from either Mac to a Raspberry Pi:

Code:
Fifteen:~ mnewman$ ssh raspsky
Linux raspsky 5.10.103-v7l+ #1529 SMP Tue Mar 8 12:24:00 GMT 2022 armv7l


The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.


Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Oct  2 13:44:30 2024 from 192.168.0.78
pi@raspsky:~/webcam $

And, I can login to the M2 MBA Mac from the Pi:

Code:
pi@raspsky:~/webcam Me$ ssh mnewman@fifteen
Last login: Wed Oct  2 13:44:54 2024 from 192.168.0.65
Fifteen:~ mnewman$

But not to the Intel iMac from the same Pi:

Code:
pi@raspsky:~/webcam $ ssh -vv mnewman@sellotape
OpenSSH_7.9p1 Raspbian-10+deb10u4, OpenSSL 1.1.1n  15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "sellotape" port 22
debug2: ssh_connect_direct
debug1: Connecting to sellotape [192.168.0.75] port 22.
debug1: connect to address 192.168.0.75 port 22: No route to host
ssh: connect to host sellotape port 22: No route to host

Note that the firewall is disabled on the Intel iMac, so there should be no problem with port 22.

And, at this point, I'm stuck.
 

Buadhai

macrumors 65816
Jan 15, 2018
1,111
432
Korat, Thailand
Guess what works?

Code:
Fifteen:~ mnewman$ ssh sellotape.local
Last login: Wed Oct  2 14:19:51 2024 from fe80::4d5:db02:81d6:74d5%en1
Sellotape:~ mnewman$
Sellotape:~ mnewman$ ssh fifteen.local
Last login: Wed Oct  2 14:21:20 2024 from fe80::450:cba3:1b05:cffa%en0
Fifteen:~ mnewman$
 

kraiggers

macrumors newbie
Jul 28, 2019
10
4
Hey, the OP question got immediately hijacked by a different ssh problem.

Has anyone else seen / fixed / identified the OP issue? I also cannot ssh into my Mac (running Sequioa 15.0.1) via name.local.

Doing so works fine via direct IP, dns forward, and tailscale. It *only* fails via name.local. (Yes, the apps have local network access.)
 

MrSimmo

macrumors member
Oct 17, 2014
57
31
15.0.1 is still broken for me across quite a few machines.

- SSH and SMB connections keep failing. Disabling the firewall is a workaround but not a great one.

- 15.0.1 is now interrupting and messing with VPN connections which didn't happen in 15.0.

- The network framework seems now to be causing application lockups such as Cyberduck now frequently freezes, needing a force quit. This didn't happen in 15.0.

- My Ubuntu servers UFW firewall are reporting ddos attempts from the Mac IP addresses. For some reason the machines are now making rapid and mass connections to the servers when a single attempt is made. This is causing the Ubuntu firewall to think its being attacked.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.