My Apple OSX server (Mountain Lion) at home is the centre of my network and entertainment system. It provides the following services:
- DNS
- DHCP
- VMWare Server platform (VMWare fusion)
- Air Video HD Server (for streaming video over the network)
- General Internet download station
Since several software and hardware upgrades and redesigns of my internal network (from a single VLAN to a multi-VLAN design with firewall services and traffic inspection), several services failed under certain circumstances. E.g. Air Video would work internally, where the client was in the same network as the OSX server's network interface, but connecting through the SSL VPN stopped working for some reason. The VNC Viewer also used to work, but stopped working over time. The same went for several static NAT entries: they worked before and stopped working for no apparent reason. Other services, like ssh, worked in both the old and the new network design.
I disabled the OSX internal firewall (System Preferences), because firewalling had been moved to a Juniper SRX firewall. No need to burden the server with redundant processes within the network.
Since the internal services did work properly, there was no real hurry in fixing the problems. Every now-and-then I would schedule some time to investigate.
Layer 3 connectivity from the client to the server (and back) was OK, since I could ping from the client to the server and vice versa. Traffic captures didn't show anything wrong with the traffic either. The traffic arrived on the proper interface, but there was no return traffic. So access to the specific services (VNC, Air Video etc.) would not work.
The firewall (Juniper SRX) configuration consisted only of allow-any-any rules between the security zones / VLANs within the internal network.
For some reason I started searching the Internet again regarding firewalling and OSX. This time I found some terminal commands [1, 2] related to ipfw. The following list command gave me an overview of ACTIVE firewall rules on the OSX server platform..... WTF!?
[server:~ user]$ sudo ipfw list
Password:
00001 allow udp from any 626 to any dst-port 626
01000 allow ip from any to any via lo0
01030 deny log ip from any to 127.0.0.0/8
01040 deny log ip from 224.0.0.0/4 to any in
01050 deny log tcp from any to 224.0.0.0/4 in
12300 allow tcp from any to any established
12301 allow tcp from any to any out
12302 allow tcp from any to any dst-port 22
12302 allow udp from any to any dst-port 22
12303 allow udp from any to any out keep-state
12304 allow tcp from any to any dst-port 53 out keep-state
12304 allow udp from any to any dst-port 53 out keep-state
12305 allow udp from any to any in frag
12306 allow tcp from any to any dst-port 311
12307 allow tcp from any to any dst-port 625
12308 allow icmp from any to any icmptypes 8
12309 allow icmp from any to any icmptypes 0
12310 allow igmp from any to any
12311 allow tcp from any to any dst-port 993
12312 allow tcp from any to any dst-port 25
12312 allow udp from any to any dst-port 25
12313 allow tcp from any to any dst-port 443
12314 allow tcp from any to any dst-port 465
12315 allow tcp from any to any dst-port 80
12316 allow tcp from any to any dst-port 587
12319 allow udp from any to any dst-port 67
12320 allow tcp from any to any dst-port 53
12320 allow udp from any to any dst-port 53
12321 allow tcp from any to any dst-port 8443
12322 allow udp from any to any dst-port 68
12323 allow tcp from any to any dst-port 8843
12325 allow tcp from any to any dst-port 20-21
12326 allow udp from any to any dst-port 514
12327 allow udp from any to any dst-port 69
12330 allow ip from 10.0.0.0/8 to any
12331 allow ip from 192.168.0.0/16 to any
12332 allow ip from 192.168.1.0/24 to any via en0 keep-state
12333 allow udp from any 68 to any dst-port 67 via en0
65534 deny log ip from any to any
65535 allow ip from any to any
[server:~ user]$
I thought that I had disabled the internal firewall, but ipfw was still running with a number of rules. Going through these rules I saw that they dated from the time the firewall was in use, in the pre-Mountain Lion period.
Further investigation revealed that the firewall functionality had been removed from the Server component. This explained a lot. I think I might have overlooked the alert during the upgrade, or I didn't realise the impact it might have at the time. Anyway, the command on that page, combined with a flush, completely removes the firewall rules. Add the flush and everything is gone.
[server:~ user]$ sudo mv /etc/ipfilter /etc/ipfilter-old
[server:~ user]$ sudo ipfw flush
Are you sure? [yn] y
Flushed all rules.
[zeus:~ administrator]$ sudo ipfw list
65535 allow ip from any to any
Having done that, I could access the Air Video HD server and VNC. Which is strange, since nothing in the firewall logging was explicitly denying traffic to those ports, and the last rule (65535) is basically an implicit allow.
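To see why the stale rules above blocked VNC from the VPN but not ssh, and why the default allow at 65535 never came into play, it helps to walk a packet through the list the way ipfw does: first match wins, and in the listing 65534 "deny log ip from any to any" sits in front of 65535. The following is an added example (not from the post or from Apple's ipfw) that parses a subset of the quoted listing and evaluates sample packets against it. The addresses are constructed assumptions: 172.16.5.10 stands in for an SSL VPN client, 192.168.2.10 for a client on another internal VLAN, and 192.168.1.20 for the OSX server; the VPN pool and VLAN numbering of the real network are not given in the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of the `ipfw list` output quoted in the post (same rule
# numbers and text), trimmed to the rules that matter for this walk-through.
STALE_RULESET = """\
00001 allow udp from any 626 to any dst-port 626
01000 allow ip from any to any via lo0
01030 deny log ip from any to 127.0.0.0/8
12300 allow tcp from any to any established
12301 allow tcp from any to any out
12302 allow tcp from any to any dst-port 22
12308 allow icmp from any to any icmptypes 8
12313 allow tcp from any to any dst-port 443
12330 allow ip from 10.0.0.0/8 to any
12331 allow ip from 192.168.0.0/16 to any
65534 deny log ip from any to any
65535 allow ip from any to any
"""
# What `ipfw list` printed after the flush, as quoted in the post.
FLUSHED_RULESET = "65535 allow ip from any to any\n"


@dataclass
class Packet:
    proto: str                  # 'tcp', 'udp', 'icmp', ...
    src: str
    dst: str
    dport: Optional[int] = None
    direction: str = "in"       # 'in' or 'out', relative to the host
    iface: str = "en0"
    established: bool = False   # TCP segment with ACK/RST set (ipfw 'established')
    icmptype: Optional[int] = None


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    dst: str
    dst_ports: Optional[Tuple[int, int]] = None
    direction: Optional[str] = None
    via: Optional[str] = None
    established: bool = False
    icmptypes: Optional[int] = None
    log: bool = False


# "NNNNN action [log] proto from SRC [sport] to DST <options>"
HEAD_RE = re.compile(
    r"^(\d+)\s+(allow|deny)\s+(log\s+)?(\S+)\s+from\s+(\S+)(?:\s+\d+)?\s+to\s+(\S+)(.*)$"
)


def parse_ruleset(text: str) -> List[Rule]:
    """Parse `ipfw list` lines into Rule objects (a subset of the ipfw grammar)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEAD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line}")
        num, action, log, proto, src, dst, rest = m.groups()
        rule = Rule(int(num), action, proto, src, dst, log=bool(log))
        opts = rest.split()
        i = 0
        while i < len(opts):
            opt = opts[i]
            if opt == "dst-port":            # single port or low-high range
                lo, _, hi = opts[i + 1].partition("-")
                rule.dst_ports = (int(lo), int(hi or lo))
                i += 2
            elif opt == "via":
                rule.via = opts[i + 1]
                i += 2
            elif opt == "icmptypes":
                rule.icmptypes = int(opts[i + 1])
                i += 2
            elif opt in ("in", "out"):
                rule.direction = opt
                i += 1
            elif opt == "established":
                rule.established = True
                i += 1
            else:                            # keep-state, frag: no effect on a first packet
                i += 1
        rules.append(rule)
    return rules


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every qualifier on the rule must hold for the packet; 'ip' matches any protocol."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)):
        return False
    if rule.dst_ports and (pkt.dport is None or not rule.dst_ports[0] <= pkt.dport <= rule.dst_ports[1]):
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.via and rule.via != pkt.iface:
        return False
    if rule.established and not pkt.established:
        return False
    if rule.icmptypes is not None and rule.icmptypes != pkt.icmptype:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First-match semantics, as ipfw: return (number, action) of the deciding rule."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("an ipfw listing always ends in rule 65535; ruleset is incomplete")


def stale_rules(text: str) -> List[int]:
    """Rule numbers other than the built-in 65535 default; non-empty means a host firewall is still active."""
    return [r.number for r in parse_ruleset(text) if r.number != 65535]


if __name__ == "__main__":
    rules = parse_ruleset(STALE_RULESET)
    server = "192.168.1.20"
    for name, pkt in [
        ("VNC from VPN client", Packet("tcp", "172.16.5.10", server, dport=5900)),
        ("VNC from other VLAN", Packet("tcp", "192.168.2.10", server, dport=5900)),
        ("ssh from VPN client", Packet("tcp", "172.16.5.10", server, dport=22)),
    ]:
        print(f"{name:22s} -> rule {evaluate(rules, pkt)}")
    print("stale rules before flush:", stale_rules(STALE_RULESET))
    print("stale rules after flush: ", stale_rules(FLUSHED_RULESET))
```

A new VNC connection from the VPN client matches no allow rule (12301 is outbound only, 12330 and 12331 only cover 10/8 and 192.168/16) and lands on 65534, which denies and logs; the same connection from a 192.168.x VLAN is allowed by 12331, and ssh from the VPN is allowed by 12302, which is exactly the split the post describes. The `stale_rules` check is the kind of thing worth running after any upgrade that changes where firewalling lives: anything other than the lone 65535 line means a host firewall is still enforcing policy.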
Having solved this, I might need to recheck my DHCP problem from last week. This solution might have solved that as well.