Comment by inkyoto 10 months ago

It appears that the default application firewall blocking rules are overly restrictive.

There are two «firewalls» in OS X: the IP packet filter (controlled by pfctl) and the application level one (controlled by /usr/libexec/ApplicationFirewall/socketfilterfw). The one that is causing a lot of grief for upgraded users is the latter one.

The workaround is to remove/disable the app level blocking rules manually:

1. Get a list of app level firewall rules:

  /usr/libexec/ApplicationFirewall/socketfilterfw --listapps

2. Locate the app(s) of interest.

3. Disable the app specific rules:

  /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp <path to the app from the list in step 1>

Alternatively, the app can be removed from the list of application firewall rules:

  /usr/libexec/ApplicationFirewall/socketfilterfw --remove <path to the app from the list in step 1>

That will fix the problem, e.g. with Firefox (tested) or WireGuard (reported by somebody else above, untested).

If a DoH DNS configuration is used, it also makes sense to explicitly whitelist the DoH provider in «pfctl» rules at IPv4/IPv6 and domain levels.
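The three steps above (list the application firewall rules, find the apps with a blocking rule, then unblock or remove them) can be scripted. The script below is an added example, not part of inkyoto's comment and not Apple's own tooling; it only uses the socketfilterfw flags already named in the comment (--listapps, --unblockapp, --remove). The sample listing is constructed for offline use and its layout (a "N :  /path/to/App.app" line followed by a "( Block incoming connections )" or "( Allow incoming connections )" line) is an assumption modelled on the command's output, so check it against a real --listapps run before trusting the parser on your machine.

```shell
#!/bin/sh
# Added example: bulk-unblock apps that the macOS application firewall
# (socketfilterfw) has a "Block incoming connections" rule for.
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# blocked_apps: read `socketfilterfw --listapps` output on stdin and print
# one path per line for every app whose rule is "Block incoming connections".
# Assumed listing layout (constructed): "N :  /path/App.app" then a line
# containing "( Block incoming connections )" or "( Allow incoming connections )".
blocked_apps() {
  awk '
    /^[0-9]+ *: /                 { sub(/^[0-9]+ *: */, ""); sub(/[ \t]+$/, ""); app = $0; next }
    /Block incoming connections/  { if (app != "") print app; app = "" }
    /Allow incoming connections/  { app = "" }
  '
}

# fix_blocked_apps: read a --listapps listing on stdin and, for each blocked
# app, run --unblockapp (default) or --remove (MODE=remove), i.e. step 3 of
# the comment. DRY_RUN=1 prints the commands instead of executing them.
fix_blocked_apps() {
  case "${MODE:-unblock}" in
    remove) flag=--remove ;;
    *)      flag=--unblockapp ;;
  esac
  blocked_apps | while IFS= read -r app; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf '%s %s %s\n' "$SFW" "$flag" "$app"
    else
      "$SFW" "$flag" "$app"
    fi
  done
}

# Constructed sample listing (not captured from a real machine) so the
# parser can be exercised without touching the firewall.
SAMPLE_LISTING='ALF: total number of apps = 3

1 :  /Applications/Firefox.app
     ( Block incoming connections )
2 :  /Applications/WireGuard.app
     ( Block incoming connections )
3 :  /Applications/Safari.app
     ( Allow incoming connections )'

# Offline demonstration: show what would be run against the sample listing.
printf '%s\n' "$SAMPLE_LISTING" | DRY_RUN=1 fix_blocked_apps

# Only touch the real firewall when invoked explicitly as: sudo sh fix.sh --apply
if [ "${1:-}" = "--apply" ] && [ -x "$SFW" ]; then
  "$SFW" --listapps | fix_blocked_apps
fi
```

Run it once without --apply to review the list of commands it would issue; socketfilterfw needs root to change rules, so the --apply run goes under sudo. Using --unblockapp keeps the app in the rule list but flips it to allowed, while MODE=remove drops the rule entirely, which matches the two alternatives in the comment.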