Forum Replies Created

Viewing 15 posts - 1 through 15 (of 41 total)
    in reply to: Making RAM disks in 10.6 that are -notremovable #381885
    l008com
    Participant

    This forum really needs a button to report spammers.

    in reply to: Firewall Problems with 10.6 Server #381341
    l008com
    Participant

    I’ve been having this problem since 10.6 came out, on every machine I’ve put 10.6 Server on. I’m so glad I finally found SOMEONE else that has seen this problem.
    My current home server/router was running 10.5. I upgraded it to 10.6 about a month ago. Ran great for a month, then a few hours ago, my firewall decided no more internet connection. Just like you, I can turn off the firewall and the internet comes right back. But then NAT doesn’t work. I’ve configured the firewall to allow ALL traffic, but it still allows NO traffic. I’m probably going to throw a quick install of 10.5 on a USB disk and boot my server off that, so I can at least get some internet going here.

    in reply to: Snow Leopard Server, Big Problems with Networking #381340
    l008com
    Participant

    UPDATE

    Maybe about a month ago, I decided to update my mini server from 10.5 to 10.7. After that didn’t go well for different reasons, I figured I’d try 10.6, they MUST have fixed it by now. It seemed like they had, it was running great for a month.

    Then tonight at about 2am, the 10.6 firewall started blocking all internet connections. Even after being changed to allow ALL traffic, the firewall still kills everything the instant it’s turned on. Including simply GETTING an IP address from my ISP via DHCP. The firewall even blocks that.

    What I don’t understand is, why am I the only one that has these problems? And yet I have them on EVERY machine I’ve ever put 10.6 Server on. How is it that no one else is having these problems, and I’m having nothing BUT these problems???

    Also, a solution would be helpful too.
    For now, I’m going to try running the 10.6.8 Server Combo installer. Maybe that will somehow help. If not…. I’m going to be an unhappy s.o.b.

    in reply to: 10.7 10.5 #381191
    l008com
    Participant

    Can a moderator edit the title of this thread to match my original intentions as close as possible… and then delete this reply? Thanks.

    in reply to: cron / ipfw Scripts Fail :( #381190
    l008com
    Participant

    Solution was to use the full path to ipfw in the shell script, /sbin/ipfw
    Now everything runs great, and my firewall is reset every day right when it should be.

    in reply to: cron / ipfw Scripts Fail :( #381171
    l008com
    Participant

    *ping*

    Any ideas, anyone?

    in reply to: 10.7 10.5 #381158
    l008com
    Participant

    I wish I noticed that this forum changed my topic. I posted this with something more like this:

    10.7 <-VPN-> 10.5

    in reply to: Self-Signed SSL Certificate = Slooooooooooow Sending #378290
    l008com
    Participant

    Actually… funny story.

    Right about the time I implemented my self-signed SSL certs (before, I was not using SSL), one of my realtime databases shut down. I did not know this because there’s no possible way to know such a thing. So I implement self-signed SSL on both of my servers, and it starts taking forever to send email. Well, that’s because in an effort to get people to stop using their server, they purposely made their server delay responses. Trying to trigger the admin (me) to look into the matter. After a year, I finally got annoyed enough to look into it. I deleted that one realtime db server, and now the emails are FLYING off my server at high speed. Things are working so well, I’m now thinking about implementing SPF checking on my server. Nearly all of my spam has my address as the To and the From. SPF should significantly reduce the amount of spam I get, to almost nothing.

    in reply to: Snow Leopard Server, Big Problems with Networking #377638
    l008com
    Participant

    With the MacBook, you name it. The Mini is the main router/DHCP server for my network. But the MacBook wasn’t getting an IP over wireless no matter what network I was connecting to. Is there something special you have to do to the 10.6 firewall?

    in reply to: Snow Leopard Server, Big Problems with Networking #377594
    l008com
    Participant

    OK so this is most strange. On a whim, I shut off the firewall on my MacBook, and everything worked perfectly. I turned it back on, and wifi was dead but ethernet was still working just like before. And what’s even more strange, my firewall is set up to allow all traffic from ‘any’ where. Never mind that there aren’t any settings at all in Server Admin about blocking specific network interfaces. I have no idea what is going on here. Makes me think the problem I had with my mini was of the same source, something the firewall was doing. Any thoughts?

    in reply to: 10.5.8 Update Killed `afctl` #376993
    l008com
    Participant

    No luck 🙁

    in reply to: Adaptive Firewall Rules with afctl #373257
    l008com
    Participant

    Well I found a solution, but it’s not great. I run the following commands daily (nightly).

    sudo rm /var/db/af/blacklist;
    sudo ipfw delete set 17;
    sudo /usr/libexec/afctl;

    This deletes any memory afctl has of its rules. Then it manually deletes all the rules it’s made. Then it recreates its database file.

    This will make your rules start over every night so you won’t get ‘rule number overflow’ headaches.

    OF COURSE the whole point of afctl is auto-expiring firewall rules. So if you’re going to do this, I might as well have my server firewall addresses directly to ipfw instead of bothering with afctl. I’m going to leave it using afctl now only because it’s already set up and running. At least I can be away from my server now without having a rule number overflow which for several different reasons brings my server to its knees.

    in reply to: Adaptive Firewall Rules with afctl #373138
    l008com
    Participant

    SO

    If I disable my script, or in other words if I don’t run afctl for about two hours… long enough for all rules to expire, and then some…

    Then if I turn the script back on, it will start again at 1700.
    So how can I reset the rule numbers, without stopping using afctl?

    in reply to: Adaptive Firewall Rules with afctl #373137
    l008com
    Participant

    The rules are expiring when they should. The problem is that all new rules are incremented by 5. So even though the rules started at 1700, right now I have about 200 active dynamic rules that are numbered from 9570 to 9825. Every new rule is +5, even though there are no more rules between 1700 and 9570. Once I get up to rule 12300, my dynamic rules start to come after the included default firewall rules.

    Here, this will make it easy to see:
    http://img71.imageshack.us/img71/7927/picture1kc3.png

    So after about 3 days of running this script, new rules get to 12300 and above. Then the dynamic rules stop working.
    I need some way to keep all of afctl’s between 1700 and 12300. There aren’t that many rules at any one time. They all expire after 60 minutes.

    And they are all bots. Other people’s scripts that are set up to load my home page repeatedly. Repeatedly can mean once every 5 minutes, or it could mean 10 times per second. Lots of different ways but in the end this script works amazingly well, right up until the rules get too high.
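
Added example, not part of the forum posts: a way to measure how close the dynamic rules are to the 12300 boundary described above, so the reset from the later reply runs only when needed. The numbers 1700, 5 and 12300 come from the posts; the function names and the sample `ipfw list` lines are constructed for illustration.

```shell
#!/bin/sh
# Numbers taken from the posts: afctl rules start at 1700, each new rule
# is +5, and rules at 12300 or above land after the default rules.
AF_FIRST=1700
AF_LIMIT=12300
AF_STEP=5

# Read `ipfw list` text on stdin and print the highest rule number inside
# [AF_FIRST, AF_LIMIT); prints 0 when no rule is in that range.
af_highest_rule() {
    awk -v lo="$AF_FIRST" -v hi="$AF_LIMIT" '
        $1 ~ /^[0-9]+$/ { n = $1 + 0
                          if (n >= lo && n < hi && n > max) max = n }
        END { print max + 0 }'
}

# Print how many more +5 rules fit below AF_LIMIT, given the highest
# rule number currently in use (0 means the range is empty).
af_rules_left() {
    _h=$1
    if [ "$_h" -lt "$AF_FIRST" ]; then _h=$(( AF_FIRST - AF_STEP )); fi
    echo $(( (AF_LIMIT - AF_STEP - _h) / AF_STEP ))
}

# Succeed (exit 0) when fewer than $1 slots remain; stdin is `ipfw list`.
af_needs_reset() {
    _left=$(af_rules_left "$(af_highest_rule)")
    [ "$_left" -lt "$1" ]
}

# Constructed sample of `ipfw list` output (documentation addresses).
SAMPLE='01000 allow ip from any to any via lo0
09570 deny ip from 192.0.2.10 to any
09825 deny ip from 198.51.100.7 to any
12300 allow tcp from any to any established
65535 allow ip from any to any'

high=$(printf '%s\n' "$SAMPLE" | af_highest_rule)
echo "highest afctl rule: $high, slots left: $(af_rules_left "$high")"

# From cron, use full paths (cron's PATH does not include /sbin):
#   /sbin/ipfw list | af_needs_reset 200 && {
#       rm /var/db/af/blacklist; /sbin/ipfw delete set 17; /usr/libexec/afctl; }
```
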

    in reply to: Adaptive Firewall Rules with afctl #373132
    l008com
    Participant

    I’ve seen that before. The only thing there that looks like it could possibly be helpful is the default_set. I say possibly because I’m not sure what it means by rule set. Can I somehow put all my afctl rules into group B, and have that whole group run in a certain order within my main list of firewall rules?
