
Firewall blocks Airplay (even under 'allow all traffic')

4500 Views 13 Replies Latest reply: Aug 16, 2012 11:51 AM by Abinyah Walker
nonresidentalien51
Nov 30, 2011 5:59 AM

Hi everybody,

 

I am somewhat at the end of my knowledge. I have a Mac mini server running Lion 10.7.2 Server. Interestingly, my server's firewall blocks

a) all AirPlay traffic and

b) 'reading AirPort configuration' requests

even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.

 

Any help would really be appreciated.

 

Thanks a lot.

 

Nonresidentalien

 

 

P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

Mac mini, Mac OS X (10.7.2), Server
  • cryptochrome Level 1 (5 points)

    Same issue here. Strangely enough, I don't see anything in the firewall logs at all.

  • cryptochrome Level 1 (5 points)

    Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.

     

    There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.

     

    First, you want to show the current IPv6 firewall rules. In my case they looked like this (10.7.2):

     

    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65000          0          0 deny ipv6 from any to any
    65535          6        306 allow ipv6 from any to any

     

    As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:

     

    reptilehouse:~ sascha$ sudo ip6fw delete 65000

     

    To confirm, show the rule table again and you should see 65000 is gone:

     

    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65535          6        306 allow ipv6 from any to any

     

    Mind you, the rule numbers could be different on your system and you could see more or fewer rules. But you get the idea.

    What I don't know is whether this is sticky, e.g. survives a reboot.

    Mac Pro, Mac OS X (10.7), Nehalem Octa-2.66 Ghz, 20 GB RAM
  • cryptochrome Level 1 (5 points)

    Ok, here is how you make it survive a boot. Edit /etc/ipfilter/ip6fw.conf.apple to your liking. Make sure you edit through terminal or you won't have access to the file. I used "sudo pico".

     

    If you haven't used the ip6fw command, you will see the block rule in the file. Just delete it. To be on the safe side, I also added a new rule like this:

     

    add 1200 allow all from any to any

  • capaho Level 4 (3,650 points)

    Opening the firewall to allow all traffic on any port on a server that is connected to the Internet, whether ipv4 or ipv6, is extremely dangerous.  In such a case, it's only a matter of time (usually sooner rather than later) before the server becomes compromised.  Unless you're eager to have your server join a botnet, configure the firewall properly rather than simply disable it.

  • cryptochrome Level 1 (5 points)

    of course. never said otherwise. I was just giving hints on what's going on. before, no one even knew it was the (hidden) ip6 firewall that's blocking AirPlay. whether you disable the firewall entirely or configure it to your needs is all up to you. in my case, I have a dedicated firewall protecting my internet uplink. additional internal firewall makes no sense in my case.

     

    by the way, I am still unable to make these ip6 firewall settings stick and survive a reboot. server admin tools does not allow to change ip6 rules at all, and changing them through terminal will not stick. any ideas anyone how to make those changes persistent?

  • capaho Level 4 (3,650 points)

    Actually, I wasn't intending to suggest that you were advocating disabling the firewall, I was merely following up with some general advice.  I can't count the number of times I've read posts here where people reported "fixing" problems by disabling their firewalls.

     

    As to your custom rules, changes made in the terminal will be lost the next time the computer is rebooted.  To make them permanent you would probably need to add them to the ip6fw.conf file found in /etc/ipfilter.

  • cryptochrome Level 1 (5 points)

    That's exactly where I added them (ip6fw.conf) but the OS seems to overwrite that file during boot with the defaults again.

     

    Looks like the IPv6 firewall in OS X is clearly not ready for prime time.

  • capaho Level 4 (3,650 points)

    cryptochrome wrote:

     

    Looks like the IPv6 firewall in OS X is clearly not ready for prime time.

     

    Which just adds further evidence to my suspicion that Apple is not seriously committed to servers.

     

    You might try creating a shell script to run at startup that will add your custom rules to the firewall.

  • spekkie Level 1 (20 points)

    So here are just my five cents. First of all, Server.app does not let you edit ip6fw; it only turns it on with the default config, which will block pretty much everything. So the first thing to do is to disable this behavior to make any change stick. So turn on the firewall first.

    From a terminal do:

    [sudo nano /etc/ipfilter/ip_address_groups.plist]

    Edit /etc/ipfilter/ip_address_groups.plist and change:

    <key>IPv6Mode</key> <string>NoRules</string>

    <key>IPv6Control</key> <false/>

     

    Just to be sure reboot.

     

    Now we are going to add a rule to allow only the local network to connect in and out.

    So you will still be safe from the outside but inside you will be able to get to everything.

    Again from the terminal the following command:

     

    sudo ip6fw add 30000 allow ipv6 from fe80::/10 to fe80::/10 via en0

     

    That's it, now you should be able to use AirPlay again.
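
An added example (not part of any poster's reply): a shell function that reads saved `sudo ip6fw show` output and reports the allow rules reached before the first unrestricted any-to-any rule, plus that catch-all's action. It shows that deleting rule 65000 leaves rule 65535 allowing all IPv6 traffic, while a scoped link-local rule keeps the default deny. The function name, the assumed line layout and the third listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise saved `sudo ip6fw show` output.
# Assumes each rule line reads:
#   <num> <pkts> <bytes> <action> <proto> from <src> to <dst> [via <if>]

ip6fw_audit() {
    awk '
    $4 != "allow" && $4 != "deny" { next }     # not a rule line
    {
        src = $7; dst = $9
        ifc = ($10 == "via") ? $11 : "-"
        # First unrestricted any-to-any rule decides everything not matched earlier.
        if (src == "any" && dst == "any" && ifc == "-") {
            printf "default %s (rule %s)\n", $4, $1
            done = 1
            exit
        }
        if ($4 == "allow")
            printf "allow %s %s -> %s via %s\n", $1, src, dst, ifc
    }
    END { if (!done) print "default unknown (no catch-all rule)" }'
}

# Listing quoted in the thread (10.7.2 defaults).
BEFORE='01000        285      96163 allow ipv6 from any to any via lo0
01100         66       5750 allow ipv6 from any to ff02::/16
65000          0          0 deny ipv6 from any to any
65535          6        306 allow ipv6 from any to any'

# Same listing after "ip6fw delete 65000", as shown in the thread.
AFTER=$(printf '%s\n' "$BEFORE" | grep -v '^65000 ')

# Constructed listing: defaults kept, plus the link-local rule from the thread.
SCOPED=$(printf '%s\n' "$BEFORE" | sed '2a\
30000          0          0 allow ipv6 from fe80::/10 to fe80::/10 via en0')

echo "== default rules ==";        printf '%s\n' "$BEFORE" | ip6fw_audit
echo "== rule 65000 deleted ==";   printf '%s\n' "$AFTER"  | ip6fw_audit
echo "== scoped link-local rule =="; printf '%s\n' "$SCOPED" | ip6fw_audit
```

Running it against a fresh listing after every change makes it obvious whether the IPv6 ruleset still ends in a deny.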

  • spekkie Level 1 (20 points)

    Another way to edit your firewall is to use the app WaterRoof: http://www.hanynet.com/waterroof/

  • UnMercenary

    For Lion you'll want to use IceFloor

  • Abinyah Walker

    This solved my problem. No reboot required.
