Every 7–10 days, all internet browsing on my Mac stops working. I can use Firefox, Safari, Chrome, but I'm able to surf only Google and few other sites.
So I tried to telnet a webserver on the local LAN on port 80
telnet 192.168.10.10 80
telnet says "connected", but "tcpdump -n host clienthost" at the server side can't see any traffic. I expect to see at least a SYN packet from the client.
When I telnet the same server to port 25
telnet 192.168.10.10 25
I can see immediately the regular SYN traffic coming on the server's tcpdump.
My suspect is that the Mac has some "socket filter" or "IP filter" or "Interface filter" installed, which is intercepting traffic on port 80 and forwarding to the real server only when after a correct HTTP request is composed on the socket (I composed it with telnet).
Please note that OS X firewall and parental control are both switched off.
Who is intercepting all my HTTP traffic? I have uninstalled all anti-viruses now.
Is there a way, a commandline tool or an application, which enumerates all socket/IP/interface filters and remove them?
A similar tool for windows could be sysinternal's "autoruns", but on OS X?
EDIT:
The solution to the specific problem has been found: it was OS X parental control. It was disabled, never activated, but the parental control filter was still filtering port 80. We entered on System Preferences -> Parental control, clicked on the lock icon and unlocked with the user's password. Then we clicked a second time on the lock icon to lock again, and traffic on port 80 has been immediately started to flow directly from my telnet client to the server.
A bug on apple parental control activation ?
The question is still open: how can I enumerate all IP/socket/interface filters installed on OS X ?
Best Answer
You can use the following command in the Terminal:
It will display a list of all sets of filter rules, translation rules, limits, etc. set on the network packet filter.