1 Reply Latest reply: Sep 28, 2012 5:02 PM by Miles Muri
Miles Muri Level 3 Level 3 (675 points)

We've been using NAT with Lion Server and ML Server as described in the KB article but this config has broken on of our servers with the 10.8.2 / Server 2.1 (and 2.1.1) update. Basically, the pfctl lauch daemon won't load (exited with code: 1). Has anyone else seen this in their setups? Better yet, has anyone found a solution to this problem?

 

Here's a bit of diagnostics with pfctl:

 

 

bash-3.2# pfctl -vvv -s info
No ALTQ support in kernel
ALTQ related functions disabled
Status: Disabled                              Debug: Urgent


Hostid:   0xc1eda31d
Checksum: 0x00000000000000000000000000000000


State Table                          Total             Rate
  current entries                        0               
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Source Tracking Table
  current entries                        0               
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  dummynet                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s

 

 

bash-3.2# pfctl -v -n -f /etc/pf.conf
scrub-anchor "/*" all fragment reassemble
nat-anchor "/*" all
rdr-anchor "/*" all
anchor "/*" all
dummynet-anchor "/*" all


Loading anchor com.apple from /etc/pf.anchors/com.apple
scrub-anchor "/*" all fragment reassemble
nat-anchor "/*" all
rdr-anchor "/*" all
anchor "/*" all
anchor "/*" all
anchor "/*" all
anchor "/*" all


Loading anchor com.apple/100.NATRules from /etc/pf.anchors/NATRules
nat on en0 inet from 192.168.42.0/23 to any -> (en0) round-robin
pass on lo0 inet6 from fe80::1 to any flags S/SA keep state
pass inet6 from ::1 to any flags S/SA keep state
pass inet from 127.0.0.1 to any flags S/SA keep state
pass inet from 192.168.42.0/23 to any flags S/SA keep state


Loading anchor com.apple/400.AdaptiveFirewall/ from /Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall
table <blockedHosts> persist file "/var/db/af/blockedHosts"
block drop in quick from <blockedHosts> to any

 

launchctl doesn't throw an error when you unload then reload /System/Library/LaunchDaemons/com.apple.pfctl.plist but it does write an error to syslog:

 

Sep 27 13:50:37 localhost com.apple.launchd[1] (com.apple.pfctl[47]): Exited with code: 1

 

Any ideas? This was working with 10.8.1 but broke with 10.8.2 and Server.app 2.1.x

 

Thanks,

 

Miles