OTA upload blocked by Mac Sequoia firewall

Hi,
when uploading a firmware.bin via OTA I get the error message

19:02:26 [INFO]: Waiting for device…
19:02:36 [ERROR]: No response from device

I found that probably the firewall on my MacBook (Sequoia 15.2) blocks the TCP communication. If I temporarily disable the firewall, the upload is successful. In the firewall options I probably could add the application for which communication should be allowed. Currently “python3” is already in that list, but I have no idea which program should be added here. I was searching for firewall logs, but could not find any on the system which could give me some hints about the blocked communication.

I would be very happy for further advice how to solve this problem.

Thanks.
Peter

I use Sequoia and do OTAs without issue. My firewall is (for this conversation) set to factory standards, and I’m not encountering this. If this was an issue with the common configuration, there would be much wailing on the topic. So something is likely unique to your world.

Are you using some kind of aftermarket firewall that needs additional configuration? It’s probably best to not whitelist by application name (especially when that application is an interpreter that can run essentially anything, like Python) but by port number or some other more focused constraint.

Most firewalls allow outbound connections initiated by apps on your side (e.g. an OTA program, a web browser, an ftp client, whatever) and focus on blocking incoming connections. Perhaps your configuration is set too aggressively to be useful.

Thanks for your hints. I only use the built-in firewall of Sequoia. I sniffed the communication between the MacBook and the esp32 device. When the firewall is active, four UDP packets are first sent between them. Then the esp32 sends a TCP syn packet, followed by a syn/ack from the MacBook and an ack from the esp32. After that no more TCP packets are sent. I assume that at this point the firewall blocks the TCP stream, as it was initiated from the esp32 and therefore is seen as incoming traffic.
I am wondering whether the sequence of UDP and TCP packets is the normal behavior or whether the ArduinoOTA function in my code somehow behaves wrong. Anyway, I will search further on …
As far as I understood, I can not easily configure the built-in firewall based on allowed ports or protocols. Maybe this could be done on command line level (?).

Yes it is. The PC sends an invitation to the ESP via UDP.
Then the ESP connects to the PC via TCP and downloads the new firmware.

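The two-step exchange described above, as an added example that is not part of the original post and not code from espota.py or ArduinoOTA: both sides are simulated in Python on the loopback interface. The host opens a TCP listener first, then invites the device over UDP; the device dials back over TCP and pulls the image. The invitation layout (command, host TCP port, size, MD5), the `FLASH` command value and the single end-of-stream acknowledgement are assumptions made for this demo; the real tool acknowledges per chunk. The interpreter's resolved path is reported because, as the thread later finds, the binary that owns that listening socket is what the macOS application firewall allow-list has to match.

```python
import hashlib
import os
import socket
import sys
import threading

# Assumed invitation layout for this demo: "<command> <host_tcp_port> <size> <md5>\n".
CMD_FLASH = 0      # assumed command value, not taken from espota.py
CHUNK = 1024
TIMEOUT = 5


def device_side(ready, result):
    """Simulated ESP32: wait for the UDP invitation, then connect back over TCP."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    result["udp_port"] = udp.getsockname()[1]
    ready.set()
    data, host_addr = udp.recvfrom(1024)
    _cmd, tcp_port, size, md5 = data.decode().split()
    udp.sendto(b"OK", host_addr)
    # This connection is inbound from the host's point of view: the process that
    # bound the listening socket is what a host firewall has to admit.
    tcp = socket.create_connection((host_addr[0], int(tcp_port)), timeout=TIMEOUT)
    image = b""
    while True:
        chunk = tcp.recv(CHUNK)
        if not chunk:          # host shut down its write side: image complete
            break
        image += chunk
    ok = len(image) == int(size) and hashlib.md5(image).hexdigest() == md5
    tcp.sendall(b"OK" if ok else b"ERR")
    tcp.close()
    udp.close()
    result["received"] = len(image)
    result["md5_ok"] = ok


def host_side(device_udp_port, firmware, tamper=False):
    """Simulated espota host: listen on TCP, invite via UDP, stream the image."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(TIMEOUT)
    tcp_port = listener.getsockname()[1]
    md5 = hashlib.md5(firmware).hexdigest()
    invite = f"{CMD_FLASH} {tcp_port} {len(firmware)} {md5}\n".encode()
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.settimeout(TIMEOUT)
    udp.sendto(invite, ("127.0.0.1", device_udp_port))
    reply, _ = udp.recvfrom(64)
    udp.close()
    if reply != b"OK":
        raise RuntimeError(f"device refused invitation: {reply!r}")
    outcome = {"tcp_port": tcp_port, "listener": os.path.realpath(sys.executable)}
    try:
        conn, _ = listener.accept()
    except socket.timeout:
        # The symptom in the thread: handshake or data never reaches the app.
        outcome["status"] = "No response from device"
        return outcome
    payload = firmware[:-1] + bytes([firmware[-1] ^ 0xFF]) if tamper else firmware
    with conn:
        for i in range(0, len(payload), CHUNK):
            conn.sendall(payload[i:i + CHUNK])
        conn.shutdown(socket.SHUT_WR)
        outcome["status"] = conn.recv(64).decode()
    listener.close()
    return outcome


def run_ota_demo(firmware=None, tamper=False):
    """Run both sides on loopback and return what each side observed."""
    if firmware is None:
        firmware = os.urandom(5000)   # constructed stand-in for firmware.bin
    result, ready = {}, threading.Event()
    t = threading.Thread(target=device_side, args=(ready, result), daemon=True)
    t.start()
    ready.wait(TIMEOUT)
    outcome = host_side(result["udp_port"], firmware, tamper=tamper)
    t.join(TIMEOUT)
    outcome.update(result)
    return outcome


if __name__ == "__main__":
    print(run_ota_demo())
```

The `listener` field is the interpreter path a practitioner should compare against the firewall's application list; if the two differ (a bundled interpreter versus a system one), the allow-list entry does not cover the process that actually accepts the device's connection.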
That seems approximately reasonable. And turning off the firewall lets it rock? So odd.

I just confirmed my Macs are set to block all incoming connections and allow incoming connections from a list of apps I can mostly name and that seem right (Finder, Chrome) as well as a bunch of stuff from Homebrew (Python, Ruby, Smbd, Sshd)

I’m set to allow from built-in, allow from signed, and disable stealth.

Generally, if I modify system files, I’ll initial them and/or mark them with a date and URL of why I thought something was a good idea to change. I see no such markers in /etc/pf.conf or /etc/pf.anchors/com.apple

I’m not that Doctor gaslighting you that YOU don’t have a problem. I certainly can’t explain what you’re seeing. I’m just explaining that I don’t think that I have a problem … on any of the 3-4 (one new, one recently retired) that I’ve used to push OTAs to my various ESP32 and RISC-V devices including one just a few hours ago, currently running a test.

You confirmed that turning it off lets it work, right?

I don’t know if it’s comfortable or alarming to hear this. Sometimes it seems like we may feel like the only Mac developer that’s not doing draggy-droppy artsy stuff, but I don’t think we’re as rare as we were. (Just this morning, I learned another well known name of many groups, including this one, is a Mac user by choice.)

Is there anything I can check to help compare notes?

After days of searching and trying I got it working now. Here are the steps I did (may be helpful for other users having the same issue):

In the past my platformIO installation was configured to use the built-in python interpreter, located at ./.platformio/python3/bin/python3.

As mentioned before, the macOS firewall was blocking the TCP connection when trying to upload to the ESP device. I could see this also when I tried to upload the firmware just with the following command:

./.platformio/python3/bin/python3 espota.py -d -i 192.168.1.234 -f firmware.bin
(no upload possible)

Then I tried the same but using a separate python3 on the system:

/usr/local/bin/python3 espota.py -d -i 192.168.1.234 -f firmware.bin
(upload successful)

In both cases I added an entry for both python versions in the firewall configuration (firewall->options), but I assume that for the built-in python3 (./.platformio/python3/bin/python3) the firewall did not consider the related entry in the options and therefore blocked the connection anyway.

In the last step I selected the separate python interpreter (/usr/local/bin/python3) within platformIO (“View->Command palette”).

BTW, since Sequoia 15.0 there seem to be some issues with the firewall. This seems to be the case even for 15.2: when I tried to delete apps from the options list, clicked “OK” and opened the option list again, all deleted apps were in the list again. There are several discussions on the net regarding these issues.
