We've been using NAT with Lion Server and ML Server as described in the KB article, but this config has broken one of our servers with the 10.8.2 / Server 2.1 (and 2.1.1) update. Basically, the pfctl launch daemon won't load (exited with code: 1). Has anyone else seen this in their setups? Better yet, has anyone found a solution to this problem?
Here's a bit of diagnostics with pfctl:
bash-3.2# pfctl -vvv -s info
No ALTQ support in kernel
ALTQ related functions disabled
Status: Disabled                              Debug: Urgent
Hostid:   0xc1eda31d
Checksum: 0x00000000000000000000000000000000

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  dummynet                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s
bash-3.2# pfctl -v -n -f /etc/pf.conf
scrub-anchor "/*" all fragment reassemble
nat-anchor "/*" all
rdr-anchor "/*" all
anchor "/*" all
dummynet-anchor "/*" all
Loading anchor com.apple from /etc/pf.anchors/com.apple
scrub-anchor "/*" all fragment reassemble
nat-anchor "/*" all
rdr-anchor "/*" all
anchor "/*" all
anchor "/*" all
anchor "/*" all
anchor "/*" all
Loading anchor com.apple/100.NATRules from /etc/pf.anchors/NATRules
nat on en0 inet from 192.168.42.0/23 to any -> (en0) round-robin
pass on lo0 inet6 from fe80::1 to any flags S/SA keep state
pass inet6 from ::1 to any flags S/SA keep state
pass inet from 127.0.0.1 to any flags S/SA keep state
pass inet from 192.168.42.0/23 to any flags S/SA keep state
Loading anchor com.apple/400.AdaptiveFirewall/ from /Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall
table <blockedHosts> persist file "/var/db/af/blockedHosts"
block drop in quick from <blockedHosts> to any
launchctl doesn't throw an error when you unload then reload /System/Library/LaunchDaemons/com.apple.pfctl.plist but it does write an error to syslog:
Sep 27 13:50:37 localhost com.apple.launchd (com.apple.pfctl): Exited with code: 1
Any ideas? This was working with 10.8.1 but broke with 10.8.2 and Server.app 2.1.x.
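One way to turn the two pfctl dumps above into a quick NAT health check, as an added Python example that is not part of the original post (the sample strings are constructed from the output quoted above; feed it real `pfctl -vvv -s info` and `pfctl -v -n -f /etc/pf.conf` output on the server):

```python
# Added example (not from the post): parse pfctl diagnostics quoted above
# and explain why NAT is not working. Samples are constructed from the post.
import re

# Constructed sample: the relevant lines of `pfctl -vvv -s info`.
PF_INFO = """No ALTQ support in kernel
Status: Disabled                              Debug: Urgent
Hostid:   0xc1eda31d
Counters
  match                                  0            0.0/s
  state-mismatch                         0            0.0/s
"""

# Constructed sample: rule dump lines from `pfctl -v -n -f /etc/pf.conf`.
PF_RULES = """Loading anchor com.apple/100.NATRules from /etc/pf.anchors/NATRules
nat on en0 inet from 192.168.42.0/23 to any -> (en0) round-robin
pass inet from 192.168.42.0/23 to any flags S/SA keep state
block drop in quick from <blockedHosts> to any
"""

def parse_info(text):
    """Return {'status', 'debug', 'counters': {name: total}} from -s info."""
    info = {"status": None, "debug": None, "counters": {}}
    for line in text.splitlines():
        m = re.match(r"Status:\s+(\w+)\s+Debug:\s+(\w+)", line)
        if m:
            info["status"], info["debug"] = m.group(1), m.group(2)
            continue
        # counter rows are indented: "  name   <total>   [<rate>/s]"
        m = re.match(r"\s+([a-z][\w -]*?)\s{2,}(\d+)(?:\s+[\d.]+/s)?\s*$", line)
        if m:
            info["counters"][m.group(1)] = int(m.group(2))
    return info

def nat_rules(text):
    """Return (interface, source_net) for each nat rule in a rule dump."""
    return re.findall(r"^nat on (\S+) inet from (\S+) to any", text, re.M)

def check_nat(info_text, rules_text, iface, lan):
    """List reasons LAN clients get no NAT: pf disabled or rule missing."""
    info = parse_info(info_text)
    problems = []
    if info["status"] != "Enabled":
        problems.append("pf is %s (com.apple.pfctl did not enable it)" % info["status"])
    if (iface, lan) not in nat_rules(rules_text):
        problems.append("no 'nat on %s ... from %s' rule loaded" % (iface, lan))
    return problems
```

On the output above it reports that pf is Disabled even though the NAT rule parses cleanly, which matches the launchd job exiting with code 1 before `pfctl -e` ever runs.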