MacOS – Is macOS Mojave (and up?) doing extra network blocking compared to macOS High Sierra

Tags: macos, network, osx-server

I have two computers on the same LAN:

  • old: macOS High Sierra + Server.app

  • new: macOS Mojave + Server.app

Both have the Application Firewall turned off.

When I run nc -l 8082 on one I can connect to it from the other using a telnet client, both ways. I can also connect from other Macs on the local network.

But when connected to from the outside, the High Sierra computer accepts network connections, while the Mojave computer doesn't.

In other words, when I set the router NAT and router firewall to accept port 8082 and route it to old, the old computer is available for connections. I see the traffic (NAT and fw) in the logging on the (Ubiquiti) router (I've set logging active on the NAT rule and the allow firewall rule):

Dec 28 03:48:21 ubntrouter kernel: [WAN_IN-40-A]IN=eth1 OUT=switch0 MAC=24:a4:3c:b3:ae:0a:02:1d:b5:ca:a9:4b:08:00 SRC=[outsideclient] DST=[old:privateip] LEN=60 TOS=0x10 PREC=0x00 TTL=55 ID=18302 DF PROTO=TCP SPT=35900 DPT=8082 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 28 03:48:21 ubntrouter kernel: [NAT-2-DNAT] IN=eth1 OUT= MAC=24:a4:3c:b3:ae:0a:02:1d:b5:ca:a9:4b:08:00 SRC=[outsideclient] DST=[publicip] LEN=60 TOS=0x10 PREC=0x00 TTL=56 ID=18302 DF PROTO=TCP SPT=35900 DPT=8082 WINDOW=29200 RES=0x00 SYN URGP=0

But when I do exactly the same with the new computer, I get 'Connection refused'. I still see the same (except for private inside ip of course) traffic attempt in the logging of the router, though:

Dec 28 03:49:24 ubntrouter kernel: [WAN_IN-40-A]IN=eth1 OUT=switch0 MAC=24:a4:3c:b3:ae:0a:02:1d:b5:ca:a9:4b:08:00 SRC=[outsideclient] DST=[new:privateip] LEN=60 TOS=0x10 PREC=0x00 TTL=55 ID=53334 DF PROTO=TCP SPT=35946 DPT=8082 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 28 03:49:24 ubntrouter kernel: [NAT-2-DNAT] IN=eth1 OUT= MAC=24:a4:3c:b3:ae:0a:02:1d:b5:ca:a9:4b:08:00 SRC=[outsideclient] DST=[publicip] LEN=60 TOS=0x10 PREC=0x00 TTL=56 ID=53334 DF PROTO=TCP SPT=35946 DPT=8082 WINDOW=29200 RES=0x00 SYN URGP=0

After many hours hunting for a mistake, checking and double-checking, I must now cautiously conclude that the difference is in High Sierra versus Mojave. Somehow, High Sierra accepts the network traffic, while Mojave blocks it. I suspect Apple security measures, accepting traffic from the local IP range but not when originating from outside that IP range.

Assuming that is the case, what could be causing this (the application firewall is off), and how can I fix it so I can actually provide a service from my Mac to the outside world?

Best Answer

A macOS server system provides two and a half firewalls:

  • Application Firewall (with a GUI > System Preferences > Security & Privacy)
  • pf (only 3rd-party GUIs)
  • Adaptive Firewall, which is (or at least was) based on ipfw and pf (and thus in parts flawed because Apple botched it by removing ipfw). Partly fixed here: How to set up the adaptive firewall.

Only the last one is exclusive to systems with Server.app installed and configured.
Launching Server.app for the first time will modify /etc/pf.conf and add an additional pf anchor: /private/etc/pf.anchors/com.apple.server-firewall. This anchor loads additional anchors from /Library/Server/Firewall/Anchors/.

By default all firewalls are off and defunct and no substantial rules are defined.

As soon as you change the default setting all networks in Server.app (Server > hostname > Access > Default Network Access) to something else, the linked anchors are fed with rules depending on your settings and the pf daemon is launched. Changing back to all networks will remove all rules related to default network access, but the pf daemon continues to run.

  1. all networks will allow NATed traffic from the Internet directed to your server
  2. private networks will prohibit NATed traffic from the Internet directed to your server based on the propagated rules.

AFAIR there is no difference between the various Server v5 versions (at least El Capitan - Catalina) regarding the initial setting of Default Network Access which always is and was all networks.
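A small diagnostic script, added here as an example and not part of the answer above, for confirming on the Mojave machine whether pf (rather than the Application Firewall) is the component refusing the connection. It assumes a macOS host with `pfctl` and uses `pfctl -s Anchors -v` to walk every loaded anchor, including the Server.app ones under /Library/Server/Firewall/Anchors/, looking for a block rule on the port you are testing. The rule text in `SAMPLE_RULES` is constructed to resemble `pfctl -s rules` output and exists only so the parsing part can be exercised without root or a Mac.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes macOS/BSD pfctl for the
# live check; the parsing helpers work on any POSIX shell.

# Constructed sample of what `pfctl -s rules` might show when Server.app's
# Default Network Access is set to "private networks" (illustrative, not real output).
SAMPLE_RULES='pass in quick proto tcp from 192.168.0.0/16 to any port = 8082 flags S/SA keep state
block drop in quick proto tcp from any to any port = 8082
pass in quick proto tcp from any to any port = 22 flags S/SA keep state'

# Print every rule in $2 that begins with "block" and names TCP port $1.
blocking_rules_for_port() {
    port="$1"
    rules="$2"
    printf '%s\n' "$rules" | grep -E '^block' | grep -E "port = ${port}([^0-9]|\$)"
}

# Exit 0 if at least one block rule mentions the port, 1 otherwise.
port_is_blocked() {
    [ -n "$(blocking_rules_for_port "$1" "$2")" ]
}

# Live check on the Mac: report pf status, gather the main ruleset plus every
# anchor's rules, and search them for a block on the given port.
live_check() {
    port="$1"
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; this host is not macOS/BSD" >&2
        return 2
    fi
    sudo pfctl -s info 2>/dev/null | grep '^Status:'   # Enabled or Disabled
    all_rules=$(sudo pfctl -s rules 2>/dev/null)
    for anchor in $(sudo pfctl -s Anchors -v 2>/dev/null); do
        all_rules="$all_rules
$(sudo pfctl -a "$anchor" -s rules 2>/dev/null)"
    done
    if port_is_blocked "$port" "$all_rules"; then
        echo "pf has a block rule for port $port:"
        blocking_rules_for_port "$port" "$all_rules"
    else
        echo "no loaded pf rule blocks port $port; look elsewhere (listener bound to 127.0.0.1, router, etc.)"
    fi
}

# Usage on the Mojave box, with nc -l 8082 running in another terminal:
#   live_check 8082
```

If pf reports Status: Enabled and a block rule for the port appears in one of the Server.app anchors, the answer's Default Network Access setting is the thing to revisit; if pf is disabled or no rule matches, the refusal is coming from somewhere other than pf.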