Mac OS X Server ignores remote HTTP connections, but accepts local ones

Tags: firewall, osx-server, webserver

I cannot get Mac OS X Server's web server to accept connections from other machines on the same LAN. This is on OS X 10.8.2, running on a Mac mini which originally shipped with Lion Server.

I can connect to it from the server itself, such as by going to http://localhost or http://hostname.example.com in Safari.

Notice that connecting via the box's domain name works. This is because:

$ netstat -na | grep 80.*LISTEN
tcp46      0      0  *.80                   *.*                    LISTEN 

That is, Apache is listening on all interfaces, not just lo.

If I telnet server 80 from a client machine while doing a packet capture on both sides, I only see repeated TCP SYN packets. (server perspective, client perspective)

Disabling the firewall in the Security and Privacy settings pane doesn't change the symptom.

The firewall configuration looks harmless to me. (Dumped via pfctl -sa.)

I'm certain the problem isn't on the client side. I've tried accessing it from:

  • a month old iMac over GigE
  • a 2 year old MacBook Pro over WiFi
  • a 5 year old netbook running Ubuntu 12.04 over GigE and WiFi

This server is headless, and I do all my work on it from client machines on the LAN, via both SSH and VNC. This means that while I am failing to connect to this server on TCP port 80, I am successfully using it on TCP ports 22 and 5900. This behavior is what caused me to start looking at the firewall configuration.

Here's what the network looks like:

[diagram: home office network]

There are two network switches because this network is spread over two rooms, with one switch in each room and a single cable going between them. I ruled out the managed switch as the problem source with the WiFi test. I exonerated the dumb switch by temporarily running a long cable from the server to the managed switch.

The cable modem and the WiFi router (an AirPort Extreme) each have 4-port switches built in, but only one port on each is used, so no traffic goes through them that doesn't absolutely have to. The DHCP and caching DNS servers are turned off on both routers, since those duties are being done (successfully!) by the server in question. The AirPort is in bridging-only mode.

And yes, I've rebooted the server. And the clients. And the routers. And the switches. 🙂

My best guess is that the problem stems from having upgraded this box from Lion Server. If so, a complete reinstall will fix this, but that goes against all of my Unix server management training. I want to fix this server in place, if I can.

Best Answer

OS X actually has (at least) 3 firewalls. Since you've turned off the application firewall (in System Preferences -> Security & Privacy -> Firewall) and checked the Berkeley packet filter (pfctl -sa), I'm guessing it's the old ipfw that's doing the blocking. You can check with sudo ipfw show -- that'll list the active rules, along with counts of how many packets and bytes each one has applied to:

$ sudo ipfw show
01000 19228642 23229993542 allow ip from any to any via lo0
01010        0           0 deny ip from any to 127.0.0.0/8
[etc...]
65534    23505     3467352 deny ip from any to any
65535        0           0 allow ip from any to any

If your listing only shows rule #65535 (the allow rule at the end), my guess is wrong and you have to look elsewhere. If it does show other rules, you probably have a third-party firewall config program installed somewhere (I don't think the Apple-supplied ipfw config software is still there in 10.8); take a look in /Library/StartupItems and /Library/LaunchDaemons for things that might be relevant.
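As an added example (not from the original answer), here is a small POSIX shell script that reads an ipfw show listing and flags every non-default deny rule that has actually dropped packets, plus a helper that greps the two directories named above for anything referencing ipfw. The sample listing is constructed from the answer's output, and the column order (rule number, packets, bytes, action) is assumed to be as shown there.

```shell
#!/bin/sh
# Triage an "ipfw show" listing: which deny rules have matched traffic?
# Constructed sample, modelled on the listing in the answer above (the
# rule on port 80 is invented to show what a blocking rule would look like).
SAMPLE_IPFW='01000 19228642 23229993542 allow ip from any to any via lo0
01010        0           0 deny ip from any to 127.0.0.0/8
02000      412       24720 deny tcp from any to any 80 in
65534    23505     3467352 deny ip from any to any
65535        0           0 allow ip from any to any'

# Read a listing on stdin; print "rule packets action ..." for each deny
# rule other than the default 65535 whose packet counter is non-zero,
# i.e. a rule that has really dropped something.
active_deny_rules() {
    awk '$1 != "65535" && $4 == "deny" && $2 > 0 {
        out = $1 " " $2
        for (i = 4; i <= NF; i++) out = out " " $i
        print out
    }'
}

# True (exit 0) when the listing has anything besides the default allow
# rule, which the answer says points at a third-party ipfw configurator.
has_custom_rules() {
    [ "$(awk '$1 != "65535" { n++ } END { print n + 0 }')" -gt 0 ]
}

# Look where such a configurator is usually started from (the paths named
# in the answer). Read-only: just lists files that mention ipfw.
find_ipfw_loaders() {
    for dir in /Library/StartupItems /Library/LaunchDaemons; do
        [ -d "$dir" ] && grep -rl ipfw "$dir" 2>/dev/null
    done
    return 0
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_IPFW" | active_deny_rules
```

On the real server, replace the sample with `sudo ipfw show | active_deny_rules`; a hit on port 80 with a non-zero counter is the rule to trace back to its loader.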