10.6 Server's Firewall Blocks Its Own Internet Connection

I had this problem about two years ago when I was trying to run 10.6 on my home server (Mac mini) for the first time. Eventually I gave up, reverted the mini back to 10.5, and ran problem-free for years. When 10.7 came out, I tried to upgrade the mini to that. That didn't go well either, but mostly due to Lion missing many, many features (surprise!). So I figured that 10.6's problems were fixed by now, and gave it another shot. It went fine and I've been running for about a month problem-free (or so I thought). But now it's offline again. I finally found one other person on another forum that had the EXACT same problem as me. And reading this description, I realize that I have been having problems all along; I just assumed they were my ISP's problems, not my own.
So here's what happens. The firewall in 10.6 Server will "freak out". It will be running normally, then suddenly it will go haywire and block everything. And I mean everything. My computer won't even be able to get an IP via DHCP. Everything is blocked. But as soon as you stop the firewall, everything works normally. You can even modify the firewall rules, and set it up so there are NO deny rules, and EVERY connection to and from every host is set to allow. And the firewall still blocks everything. This is the exact same thing that happened 2 years ago when I first tried to run 10.6 Server on my mini. The difference is that back then, this would happen either immediately, or within a day. This time around, with 10.6.8, it took about a month before suddenly, without any provocation, all internet connections stopped.
I've had this happen on multiple computers. I don't do anything special; I just set up a basic firewall scheme where everything in the LAN range is allowed, and everything from "any" is allowed only to service ports I'm running. The basic gateway setup. Now I was running 10.6 Server on my laptop (for netbooting) and it would do the same thing. But because my laptop wasn't acting as a gateway, I could just turn the firewall off (you need the firewall for NAT). My mini server IS acting as a gateway, as was another mini I set up for a client of mine (that eventually I changed over so they were running off an AirPort, and the mini server was just a client). But I don't want that setup at home; I want my mini to be the router.
I have Verizon FiOS internet. 25/25, it's great. The ONT is in my basement, and it's plugged into the same fused outlet as our freezer. From time to time, when the power goes out, it trips that breaker and the outlet goes dead. My internet is gone and I have to go reset the outlet. Once I do, my mini won't get an IP from Verizon until I reboot the mini. Not once. Not twice. Usually 5-10 reboots, and suddenly it will get an IP. I always assumed this was a Verizon problem. Until I read someone else's post about this same problem. Turns out, that's the firewall blocking DHCP again! If you turn the firewall off, you don't have to keep rebooting; it will grab an IP right away.
At least I'm not crazy! So what is going on here? Does anyone have any idea what is going on with my firewall, or how I can fix it?
Lastly, after 4.5 hours of complete inability to get an internet connection with the firewall on, it just started working again. I now have fully functional, normal internet. I find it hard to believe 10.6 has a firewall that is simply broken. I find it even harder to believe I'm imagining things, or that I've had fluke after fluke. Something is going on with 10.6 Server.

The DNS scapegoat just doesn't make sense.
Why would "improper" DNS cause OS X's firewall to block all network connections? Even the server's ability to make its own DHCP connection?
As for a router, I don't want to use a cheap unreliable residential router. I have a home file server that, aside from running 10.6, makes a super reliable router. And port mapping aside, OS X Server's DHCP server is great to use. Rock solid. It makes no sense to run a cheap residential router when I have a home server. Then every 6-18 months, I get to deal with that router slowly failing, as my internet connection gets slower and slower. No thanks.
So back to this firewall issue. I've talked to Apple about this before, and they give the same generic "DNS has to be right" answer to basically every problem I've ever had with 10.6 Server (hinting at endless CalDAV problems). But no one has ever explained what that specifically means, or how something like wrong DNS (whatever that even means) can cause the firewall to block everything. This just makes no sense to me. And this especially does not explain why, after 10 reboots or so, everything just magically starts running normally.
I just had an incident today where I woke up to no internet. I rebooted 3 times. Each time, I either got a self-assigned IP address, or the ethernet interface would toggle between "unplugged" and "no IP". I could turn the firewall off and the server would INSTANTLY start functioning normally. I'd happily run without a firewall, and just turn off all services I'm not using. However NAT needs the firewall, so without the firewall, the Server is the only Mac on the network that has an internet connection. So I kept rebooting and rebooting, and I think about 8 reboots later, like magic, the server came up, grabbed an IP, and everything started working normally.
Also my IP through my ISP is dynamic, and that isn't going to change. So yes, I am trying to use OS X Server as my router on a dynamic internet connection. I've been doing this since the days of Mac OS X Server 10.1. Only 10.6 has had any problems at all.
So really, "10.6 is more picky about DNS" isn't an answer to this problem. Or, at least, it's not a sufficient answer. I need much more information than that.

Similar Messages

  • TS1717 I can't connect to the iTunes server. The firewall is allowing it but there's no connection. Ideas?

    I can't connect to the iTunes server. The firewall is allowing it but there is no connection to the iTunes Store. The sign-in and password are correct.

    Why not do a "Restore"  in iTunes to set it back to factory settings? That will eliminate any previous information that is causing you issues in use. You will have an iPod which you can sync as if it is new with your settings and info.

  • HT1483 I get a message "The iTunes server could not be contacted, check your internet connection" when trying to check for iPod nano software updates. I have a 1st generation nano and haven't updated the software for a while. My internet connection is wor

    I get a message "The iTunes server could not be contacted, check your internet connection" when trying to check for iPod nano software updates. I have a 1st generation nano and haven't updated the software for a while. My internet connection is working. Was there a change in the internet address for nano software updates? Do I have to reconfigure something in iTunes to point to the correct address?

    What version of iTunes are you using?  The latest is 10.6.3. In iTunes, choose Help -> About iTunes to check the version number. If it's lower than 10.6.3, download the latest version from here.
    B-rock

  • How to simulate Server 2012 + clients connection in VirtualBox without internet connection

    Hi, I am new to this forum and also not familiar with simulation in VirtualBox. I want to know how to simulate a Server 2012 + clients connection in VirtualBox without an internet connection. I couldn't join the client computer (Windows 7 installed) to
    the domain (the Windows Server 2012). I already added the DHCP, AD DS and DNS roles and features in Windows Server 2012. Can someone put me through?

    If you're using VirtualBox you might be better off asking this over on their forum
    https://forums.virtualbox.org/, since it's not a Microsoft product. That said, I have used it myself, and I think what you need is to ensure you're using the Internal Networking option
    http://www.virtualbox.org/manual/ch06.html#network_internal and make sure that both virtual machines have their network card set up with the same name / network ID. Once that's done you
    can configure them on the same network range and they should be able to communicate.

  • Operations Manager - Site Role - Notification Server Windows Firewall Block Monitor

    I'm getting this alert popping up in Opsman and was wondering what rule was triggering it. It seems as though the monitor lists rule:
    <RuleId>D07ACE61-FB84-4461-9F52-ABBA07C2EE3A</RuleId>
    but when I ask powershell:
    PS C:\> Get-SCOMRule -Id "D07ACE61-FB84-4461-9F52-ABBA07C2EE3A"
    PS C:\>
    I get no love.
    At any rate, I'm wondering if perhaps I'm getting this rule because the firewall is disabled? Currently (working on changing this) Windows servers run with firewalls off. We have a large firewall managed by the security group, to whom we submit rules so traffic
    can pass.
    I think this is checking for a port but I'm not sure. I read the following article and it mentions making sure that port 10123 is open. When I check the rules I see that we have a rule that allows TCP 10123, and also that we have clients making connections
    to the site server over that port.
    So, is it merely because the firewall is disabled?
    Jeffrey S. Patton Jeffrey S. Patton Systems Specialist, Enterprise Systems University of Kansas 1001 Sunnyside Ave. Lawrence, KS. 66045 (785) 864-0242 | http://patton-tech.com

    Hi,
    Are you using scom 2007 or scom 2012?
    For SCOM 2007, you can use this one for test:
    Get-Rule
    http://technet.microsoft.com/en-us/library/gg132234.aspx
    Alex Zhao
    TechNet Community Support

  • Firewall Blocks Ovi Suite's Internet Access - Down...

    Hi, I access the internet through a firewall that I have no control over - sadly it blocks whatever ports Ovi Suite tries to use to connect to the internet to check for updates. Would like to get the Belle update, but when I try to check for updates, it fails because the firewall here is blocking it.
    There is nothing I can do about this.
    Is there a way to download these updates manually?

    Hi jetston, what firewall software do you have in use? It might be good to contact the firewall software vendor and ask whether they have whitelisted Nokia Suite.
    If you can give the vendor name here, we can also try getting Nokia Suite whitelisted.
    It might also be a good idea to try installing Nokia Suite on your home PC and doing the Nokia Belle update to your phone there.
    Cheers, Samuli

  • Firewall blocks Airplay (even under 'allow all traffic')

    Hi everybody,
    I am somewhat at the end of my knowledge. I have a Mac mini server running Lion 10.7.2 Server. Interestingly, my server's firewall blocks
    a) all airplay traffic and
    b) 'reading AirPort configuration' requests
    even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
    Any help would really be appreciated.
    Thanks a lot.
    Nonresidentalien
    P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

    Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
    There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
    First, you want to show the current IPv6 firewall rules. In my case they looked like this (10.7.2):
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65000          0          0 deny ipv6 from any to any
    65535          6        306 allow ipv6 from any to any
    As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
    reptilehouse:~ sascha$ sudo ip6fw delete 65000
    To confirm, show the rule table again and you should see 65000 is gone:
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65535          6        306 allow ipv6 from any to any
    Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
    What I don't know is whether this is sticky, i.e. whether it survives a reboot.
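As an added example (not part of this thread and not Apple's code): the ip6fw table above and the 10.6 Server gateway setup described in the opening post (allow the LAN range, allow "any" only to served ports, deny the rest) are both first-match rule lists, so what gets through depends on which rule a packet reaches first. The Python below is a simplified model of that first-match walk over ipfw/ip6fw style listings. The IPv4 table, the interface names, the LAN prefix, the ISP address 203.0.113.1 and the AirPlay port are constructed for illustration; the IPv6 table is the one quoted in the reply above. It shows that a table with LAN and service-port allows followed by a catch-all deny blocks the server's own DHCP client exchange on the WAN interface (UDP 68 to 67 out, 67 to 68 in) until explicit rules are numbered ahead of the deny, and that deleting rule 65000 from the ip6fw table lets unicast IPv6 traffic fall through to the final allow rule. It does not explain the opening poster's report that traffic stays blocked with no deny rules at all; it is only a way to check what a given table should do.

```python
"""Added example: first-match walk over ipfw / ip6fw style rule listings."""
import ipaddress
from collections import namedtuple

# src_ports / dst_ports are frozensets, empty meaning any port; direction is
# "", "in" or "out"; via is "" or an interface name such as "lo0".
Rule = namedtuple("Rule", "number action proto src src_ports dst dst_ports direction via")
Packet = namedtuple("Packet", "proto src sport dst dport direction iface")

def parse_rule(line):
    t = line.split()
    number, i = int(t[0]), 1
    while t[i].isdigit():                 # `ip6fw show` prints packet/byte counters
        i += 1
    action, proto, src = t[i], t[i + 1], t[i + 3]
    if t[i + 2] != "from":
        raise ValueError("unsupported rule: " + line)
    i, src_ports = i + 4, frozenset()
    if t[i] != "to":                      # optional port list after the address
        src_ports, i = frozenset(map(int, t[i].split(","))), i + 1
    if t[i] != "to":
        raise ValueError("unsupported rule: " + line)
    dst, i, dst_ports = t[i + 1], i + 2, frozenset()
    if i < len(t) and t[i] not in ("in", "out", "via"):
        dst_ports, i = frozenset(map(int, t[i].split(","))), i + 1
    direction = via = ""
    while i < len(t):
        if t[i] in ("in", "out"):
            direction, i = t[i], i + 1
        elif t[i] == "via":
            via, i = t[i + 1], i + 2
        else:                             # keep-state, established, me, ... are out of scope
            raise ValueError("unsupported option %r in: %s" % (t[i], line))
    return Rule(number, action, proto, src, src_ports, dst, dst_ports, direction, via)

def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def _addr_ok(pattern, addr):
    if pattern == "any":
        return True
    ip, net = ipaddress.ip_address(addr), ipaddress.ip_network(pattern, strict=False)
    return ip.version == net.version and ip in net

def matches(rule, pkt):
    version = ipaddress.ip_address(pkt.src).version
    if rule.proto in ("ip", "ipv6"):      # whole-family rules
        proto_ok = version == (4 if rule.proto == "ip" else 6)
    else:
        proto_ok = rule.proto == pkt.proto
    return (proto_ok
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and (not rule.src_ports or pkt.sport in rule.src_ports)
            and (not rule.dst_ports or pkt.dport in rule.dst_ports)
            and (not rule.direction or rule.direction == pkt.direction)
            and (not rule.via or rule.via == pkt.iface))

def verdict(rules, pkt):
    """(action, rule number) of the first matching rule; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", None

def delete_rule(rules, number):
    return [r for r in rules if r.number != number]

# Constructed IPv4 table for the opening post's gateway setup (assumed LAN 192.168.1.0/24,
# WAN on en0), with a catch-all deny numbered ahead of the default rule.
IPFW_TABLE = """
01000 allow ip from any to any via lo0
01100 allow ip from 192.168.1.0/24 to any
01200 allow tcp from any to any 22,80,443 in via en0
65000 deny ip from any to any
65535 allow ip from any to any
"""
# The server's own DHCP client exchange on the WAN side; 203.0.113.1 stands in for the ISP.
DHCP_DISCOVER_OUT = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67, "out", "en0")
DHCP_OFFER_IN = Packet("udp", "203.0.113.1", 67, "255.255.255.255", 68, "in", "en0")
DHCP_FIX = """
01050 allow udp from any 67 to any 68 in via en0
01051 allow udp from any 68 to any 67 out via en0
"""
# IPv6 table as quoted in the AirPlay reply above, counters included.
IP6FW_TABLE = """
01000        285      96163 allow ipv6 from any to any via lo0
01100         66       5750 allow ipv6 from any to ff02::/16
65000          0          0 deny ipv6 from any to any
65535          6        306 allow ipv6 from any to any
"""
AIRPLAY_IN = Packet("tcp", "fe80::1", 49152, "fe80::2", 7000, "in", "en0")  # port assumed
MDNS_IN = Packet("udp", "fe80::1", 5353, "ff02::fb", 5353, "in", "en0")

if __name__ == "__main__":
    v4, v6 = parse_rules(IPFW_TABLE), parse_rules(IP6FW_TABLE)
    print("dhcp offer in, as configured:   ", verdict(v4, DHCP_OFFER_IN))
    print("dhcp offer in, with 67/68 rules:", verdict(v4 + parse_rules(DHCP_FIX), DHCP_OFFER_IN))
    print("airplay in, as listed:          ", verdict(v6, AIRPLAY_IN))
    print("airplay in, 65000 deleted:      ", verdict(delete_rule(v6, 65000), AIRPLAY_IN))
```

To check a real table, paste the output of `sudo ipfw list` or `sudo ip6fw show` into the corresponding constant. The model covers only the syntax shown on this page; rules using keep-state, established, `me`, port ranges or log options raise ValueError rather than being silently misjudged, which is the safer failure for a tool whose only job is to tell you which rule wins.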

  • The iPad update server could not be contacted. Please check your internet connection or try again later.

    Can't update my son's iPad 2 to iOS 5. We got it at Christmas and have not been able to update it. Keep getting "the iPad update server could not be contacted. Check your internet connection or try again later." I have tried turning off my firewall and tried at all times of the day or night. I'm using Windows 7 on my PC.

    The only other thing that I can think of to try is to restart everything. Quit iTunes, reboot your PC, restart the iPad and then try again.
    Here is an article about troubleshooting iPad updating issues. It could be some other security settings that you have that are blocking the update from proceeding. There are a number of things that are discussed in this support article. Check it out and see if there is anything in it that you can try.
    http://support.apple.com/kb/ts1275

  • No Internet connection was found. Please check your Internet settings or firewall.

    When I try to update I get this message:
    "No Internet connection was found. Please check your Internet settings or firewall."
    and the program won't update.
    I tried "fixes" offered on ADOBE website to no avail.
    Anyone know how to fix this ?
    1 minute of silence for that awesome forum that ADOBE was....sniff sniff

    ADOBE tech "support" isn't of much use in this. They suggest I update manually. I know CS3 is a fixed update not requiring more download after 3.2, but my updater used to run fine and now it doesn't on a fresh computer install. I'd like to fix this because it is an indicator that something is wrong on my computer.
    The only advice I got after 15-20 minutes was to check permissions on my computer, that this might be cause of it.
    I gave permission in my firewall to all Adobe programs I could find on my computer, turned off UAC: doesn't work; tried firewall + spyware + antivirus at zero protection = doesn't work either.
    I've read that being plugged into a router on a 2-computer network can cause problems. How? I know Adobe Updater doesn't support proxy servers.
    http://kb2.adobe.com/cps/331/331931.html
    I tried plugging directly into the modem and it didn't change anything. I think maybe my main computer might be blocking or filtering my internet connection, or a setting in it: I don't know networking setup at all.
    Maybe it's windows vista on my computer that has updated to something that would block my adobe updater.
    Any suggestion ?
    Thank you.

  • Why does my Cisco router firewall block Windows Server 2012 traffic, but not Windows Server 2008 traffic?

    Hello,
       I run a small business network with five physical servers: three Dell servers running Windows Server 2008 R2, one custom build running 2008, and another custom build running 2012 with Domain Controller Role (same hardware for both custom builds). 
    The Dell servers are all running the Hyper-V role and each has a number of 2008 VMs.  I also have a 2012 VM with the Domain Controller Role on one of the Hyper-V servers and another VM with a completely base install of 2012.
       All servers are plugged into a Cisco SG300-52 switch which is uplinked to a Cisco 881 router which is connected to a cable TWC provided Ubee cable modem.  I have no VLANs setup.  I do have the Firewall on the router configured
    to inspect most traffic.
       Here is my problem:  I cannot connect to most of the internet on ANY 2012 server (and all exhibit the exact same behavior), but I have NO problems connecting to the internet from 2008 servers.  Here is what I already know:
       1.) I can ping the outside world just fine so ICMP is passing to any external host.
       2.) Two of the 2012 servers are DCs running DNS services and they can connect to the internet just fine for DNS requests because they are doing a perfectly good job of providing DNS services to my network.
       3.) Here's where it gets really weird: I can browse in internet explorer to Bing.com and it works.  I can also go to a couple other Microsoft websites (though they are very slow).  If I click on any link in Bing, however, it doesn't
    work and gives me a page not available error.  If I connect to a non-MS website like Google or my company website, I get page not available.
        4.) I have tried to telnet to port 80 at Bing and it works.  I have tried to telnet to port 80 at google.com and it won't connect.  The 2008 servers have no issue telneting to either bing or google on port 80 and none of my client
    PCs on the network do either.
        5.) Windows Update will not connect and neither will any other update service such as AVG (I have AVG Antivirus installed WITHOUT firewall on two of the three servers. The base 2012 VM has no software installed and no roles...I built it
    just to see if it could connect after a fresh install and it still cannot.)
        6.) The network connection does not indicate limited connectivity (probably because ICMP appears to be passing successfully)
         7.) If I connect the server directly to the modem it has full internet access.
         8.) All internal LAN connectivity is perfectly fine and runs at full speed.
         9.) I have scoured the internet trying to find other examples of this particular kind of connectivity issue on 2012 and I have found two TechNet articles that are similar, but they both had the same resolution: changing the router
    worked, but no one knows why. (I would have included the links, but apparently I cannot do that yet)
    My question is this: What is different about Windows Server 2012 networking that would render it unable to communicate through a router that Windows Server 2008 has no problems with?  I ask because, unlike in these two articles where they were
    running personal networking equipment they could easily upgrade, I'm running a Cisco 881 with what should be virtually limitless configuration options and I have no desire to replace it.  I have to assume the issue is somehow related to the firewall configuration,
    which I could fix easily, but I don't know what to change.  If anyone knows what changed in 2012 and why I would be able to browse to Bing and other MS sites but nowhere else, please pass it along.  Thanks.

    This is the IP Config for the 2012 DC:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : COMPANYDC02
       Primary Dns Suffix  . . . . . . . : company.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : company.local
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-25-90-DC-EF-D5
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::81d5:53cf:bd07:14ed%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.10.202(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCPv6 IAID . . . . . . . . . . . : 301999504
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-96-D5-C3-00-25-90-DC-EF-D5
       DNS Servers . . . . . . . . . . . : 10.10.10.202
                                           10.10.10.221
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{9929D989-8E88-4096-A1CB-61F1DB173FA3}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    This is the IP Config for the fresh install 2012 VM:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WIN-800299O7ES6
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : company.local
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . : company.local
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-0A-5C-02
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.10.10.49(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Saturday, August 23, 2014 10:23:01 PM
       Lease Expires . . . . . . . . . . : Wednesday, August 27, 2014 10:23:01 PM
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCP Server . . . . . . . . . . . : 10.10.10.1
       DNS Servers . . . . . . . . . . . : 10.10.10.220
                                           10.10.10.221
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.company.local:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : company.local
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    NOTE: 10.10.10.220 and 10.10.10.221 are the other domain controllers on my network.  One of them is 2012 and one of them is 2008.  They are both functioning correctly for providing DNS services.  The 2012 Virtual DC, however, still has
    the internet connectivity issue that this whole post was about in the first place.
    NOTE2: When I logged on to COMPANYDC02 this morning, it told me that I had new Windows Updates that needed to be downloaded.   Confused, I checked the most recent time WU had checked for updates and it had successfully checked for updates last night
    at 10pm.  Of course, it failed when trying to download them, but it appears that once in a while, a connection gets through successfully...

  • File Receiver Adapter: Server to Server transfer (FXP) Blocked

    Hi XIs
    I have a scenario RFC -> XI -> FILE (ftp)! It works on DEV and QA environments! On PRD it does not work:
    Error occurred while connecting to the FTP server "ftp:21": java.lang.IllegalStateException: Error during STOR/APPE epilogue: com.sap.aii.adapter.file.ftp.FTPEx: 425 Connection to foriegn address blocked. Server to Server transfer (FXP) Blocked [REF: 0BFA456B50B3]
    First I thought my firewall was blocking something! But from the prompt I can do ftp.

    Hi
    We are getting the same error...any other way to solve this?
    thanks

  • Firewall blocking access to Hyper-V Virtual Machine. Please help!

    Hi there, I hope this is the right spot for this. Allow me to explain the setup we have. We have a server with Hyper-V installed and a VC made for a DC  for a small domain we have.  I was able to remote into the new DC, and our exchange server
    was picking it up as a DC. So far so good.....
    Now, here's where we seem to have a problem. We Installed 'Symantec Endpoint Protection' As we have this on a few servers, we had a set of settings for servers. (I didn't set this part up) Now. the problem we are having is that it seems the end point protection
     on the Hyper-V host is blocking connections from Exchange/other computers (accessing shared folders and logging in). What can I do to resolve this?  Connections seem to be fine (Exchange will pick up the DC, and I can access shared
    folders) when I disable the firewall and network threat protection on the Hyper-V host.
    Our Exchange server is 2010
    We are using Server 08 R2
    Can someone please advise me on how I can get this resolved, so I don't have to leave the server with Hyper-V not behind a firewall or network threat protection.

    Hi,
    I am Chetan Savade from Symantec Technical Support Team.
    There was a known issue between SEP and Hyper-V traffic. It's been resolved in the latest release of SEP. If not using the latest version upgrade to the latest version can be a possible solution.
    SEP 12.1 RU4 MP1a (12.1.4104.4130) is the latest version.
    HyperV traffic was blocked with Symantec Endpoint Protection Firewall enabled
    Fix ID: 3181006
    Symptom: The Symantec Endpoint Protection firewall blocks HyperV traffic.
    Solution: Modified the loopback packet processing in the Teefer driver.
    Reference: http://www.symantec.com/docs/TECH216262 
    Best Regards,
    CHETAN

  • I would like to know which Apple server dictation connects to so that my proxy server will stop blocking it. Which Apple server does it connect to?

    I would like to know which Apple server dictation connects to so that my proxy server will stop blocking it. Which Apple server does it connect to?

    I would presume so, but it might be worth your while to experiment and play around with different combinations to see if you can block FaceTime while keeping Game Center open.  Good luck!

  • Firewall blocks ssh since Sept 12 update

    I have a Mac Pro Early 2008 running Lion 10.7.1 (11826). Since the "Security Update 2011-005" yesterday morning (Sept 12), the firewall does not allow incoming ssh connections, even though "remote login" is enabled in the "Sharing" preferences pane, and the firewall config page under "Security & Privacy" shows that "Remote Login (SSH)" is set to "Allow incoming connections". I do this all the time, and the behavior definitely changed with yesterday's update.
    To be clear, with the firewall turned off, I am able to ssh into the machine from another machine on the local network. When I turn the firewall on, despite the options set as described above, I am unable to make an ssh connection. This worked before yesterday's update. I think that Apple broke something with the update.

    Okay, I just found out you have to query anchor rules with a special switch (-a).
    I just found out there is no entry for SSH which should read something like
    "pass in on inet proto tcp from any to any port ssh keep state"
    euler:~ dr$ sudo pfctl -a "com.apple/100.InternetSharing" -vvvsr
    No ALTQ support in kernel
    ALTQ related functions disabled
    euler:~ dr$ sudo pfctl -a "com.apple/250.ApplicationFirewall" -vvvsr
    No ALTQ support in kernel
    ALTQ related functions disabled
    @0 block drop in inet proto icmp all icmp-type echoreq
      [ Evaluations: 306       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 33285 ]
    @1 block drop in inet6 proto ipv6-icmp all icmp6-type echoreq
      [ Evaluations: 228       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 33285 ]

  • My Firefox can't synchronize after updating to version 26. Our organization uses MS ISA server as firewall.

    Our organization uses MS ISA server as firewall.

    Can your IT check whether there are any error messages logged in ISA that might explain why the connection is not working (assuming it is a connection issue)?
