Figuring out what is blocking HTTP request on macOS Mojave?
I have a simple http-server running with an index.html, which I'm trying to serve to another device over LAN. I can access the website on the host computer using localhost and it is recorded as a successful HTTP 200. However, when I try to access it with the other client device, the http server shows no sign of any request and the device times out.
I believe a firewall in my Mac is blocking the connection, but I hear that there are multiple firewalls within a Mac and they may possibly keep changing it with each OS update.
e.g.
Thread that shows OS has multiple firewalls in place
Firewall may change on OS update
Firewall Logs Now Disappeared (can't view appfirewall.log)
So I'm now using macOS Mojave, and I have very little experience using networking tools to verify what goes on in my network (So please forgive my ignorance).
What firewalls does macOS Mojave use?
Where can I find the logs (So I can see if my other device's http-request got denied)?
Is there any other thing that I may not know about that can stop my http-request? If so what tools can I use to verify?
--------- Additional Detail ---------
- I have an angular webpack development server serving at its usual port 4200 and then use ghostlab to proxy serve it at port 8005 for my external devices. (This had stopped working though so I did the below to see if I can access the website dist folder another way)
- I had used the node package http-server and served a test website with just index.html. It serves on both http://127.0.0.1:8080 and LAN ip address of http://192.168.0.28:8080.
- I can reach 192.168.0.28:8080 locally on the host machine chrome browser but on an iOS client device using safari's browser it never gets a response. So I'm thinking a firewall is blocking it somewhere down the line. Although being able to confirm through appfirewall.log (which seems to be gone) or similar places I may not know about that I should be looking at is what I'm trying to figure out.
---- Further Detail -----
Thank you Francis for your answer.
Shown below is my routing table
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.1 UGSc 147 0 en0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 9 277366 lo0
169.254 link#5 UCS 0 0 en0 !
192.168.0 link#5 UCS 3 0 en0 !
192.168.0.1/32 link#5 UCS 2 0 en0 !
192.168.0.1 b0:c2:87:51:37:e7 UHLWIir 58 52 en0 583
192.168.0.2 link#5 UHLWIi 1 152 en0 !
192.168.0.13 0:71:47:32:79:99 UHLWI 0 81 en0 285
192.168.0.19/32 link#5 UCS 1 0 en0 !
192.168.0.19 80:e6:50:a:23:64 UHLWI 0 2 lo0
192.168.0.255 ff:ff:ff:ff:ff:ff UHLWbI 0 1 en0 !
224.0.0/4 link#5 UmCS 3 0 en0 !
224.0.0.251 1:0:5e:0:0:fb UHmLWI 0 0 en0
224.6.7.8 1:0:5e:6:7:8 UHmLWI 0 8 en0
239.255.255.250 1:0:5e:7f:ff:fa UHmLWI 0 149 en0
255.255.255.255/32 link#5 UCS 1 0 en0 !
255.255.255.255 ff:ff:ff:ff:ff:ff UHLWbI 0 1 en0 !
Internet6:
Destination Gateway Flags Netif Expire
default fe80::b2c2:87ff:fe51:37e7%en0 UGc en0
default fe80::%utun0 UGcI utun0
default fe80::%utun1 UGcI utun1
::1 ::1 UHL lo0
2606:6000:609b:1200::/64 link#5 UC en0
2606:6000:609b:1200::4 80:e6:50:a:23:64 UHL lo0
2606:6000:609b:1200:14c1:e8b6:1ff0:8ef1 80:e6:50:a:23:64 UHL lo0
2606:6000:609b:1200:81e5:bdd5:155e:a21d 80:e6:50:a:23:64 UHL lo0
fe80::%lo0/64 fe80::1%lo0 UcI lo0
fe80::1%lo0 link#1 UHLI lo0
fe80::%en0/64 link#5 UCI en0
fe80::14d6:6308:5edd:9f41%en0 80:e6:50:a:23:64 UHLI lo0
fe80::b2c2:87ff:fe51:37e7%en0 b0:c2:87:51:37:e7 UHLWIir en0
fe80::%awdl0/64 link#7 UCI awdl0
fe80::74f1:5eff:fefa:3028%awdl0 76:f1:5e:fa:30:28 UHLI lo0
fe80::%utun0/64 fe80::1d55:b5dc:3cd5:864%utun0 UcI utun0
fe80::1d55:b5dc:3cd5:864%utun0 link#11 UHLI lo0
fe80::%utun1/64 fe80::df6e:b1c3:74ea:f75c%utun1 UcI utun1
fe80::df6e:b1c3:74ea:f75c%utun1 link#12 UHLI lo0
ff01::%lo0/32 ::1 UmCI lo0
ff01::%en0/32 link#5 UmCI en0
ff01::%awdl0/32 link#7 UmCI awdl0
ff01::%utun0/32 fe80::1d55:b5dc:3cd5:864%utun0 UmCI utun0
ff01::%utun1/32 fe80::df6e:b1c3:74ea:f75c%utun1 UmCI utun1
ff02::%lo0/32 ::1 UmCI lo0
ff02::%en0/32 link#5 UmCI en0
ff02::%awdl0/32 link#7 UmCI awdl0
ff02::%utun0/32 fe80::1d55:b5dc:3cd5:864%utun0 UmCI utun0
ff02::%utun1/32 fe80::df6e:b1c3:74ea:f75c%utun1 UmCI utun1
-- PF --
pfctl -vvv -s all
=>
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
@0 nat-anchor "com.apple/*" all
[ Owner : nil Priority : 0 ]
[ Evaluations: 1003456 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89 ]
@0 rdr-anchor "com.apple/*" all
[ Owner : nil Priority : 0 ]
[ Evaluations: 2053469 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89 ]
FILTER RULES:
@0 scrub-anchor "com.apple/*" all fragment reassemble
[ Owner : nil Priority : 0 ]
[ Evaluations: 3848799 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89 ]
@0 anchor "com.apple/*" all
[ Owner : nil Priority : 0 ]
[ Evaluations: 2053469 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89 ]
DUMMYNET RULES:
@0 dummynet-anchor "com.apple/*" all
[ Owner : nil Priority : 0 ]
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89 ]
INFO:
Status: Enabled for 1 days 15:36:27 Debug: Urgent
Hostid: 0x995c6c3b
Checksum: 0x79872649e3817f920d20509d6509b712
State Table Total Rate
current entries 0
searches 2551721 17.9/s
inserts 0 0.0/s
removals 0 0.0/s
Source Tracking Table
current entries 0
searches 0 0.0/s
inserts 0 0.0/s
removals 0 0.0/s
Counters
match 2053469 14.4/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 1451 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
dummynet 0 0.0/s
Limit Counters
max states per rule 0 0.0/s
max-src-states 0 0.0/s
max-src-nodes 0 0.0/s
max-src-conn 0 0.0/s
max-src-conn-rate 0 0.0/s
overload table insertion 0 0.0/s
overload flush states 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
grev1.first 120s
grev1.initiating 30s
grev1.estblished 1800s
esp.first 120s
esp.estblished 900s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s
LIMITS:
states hard limit 10000
app-states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
tables hard limit 1000
table-entries hard limit 200000
OS FINGERPRINTS:
696 fingerprints loaded
Interface Notes:
I was unable to run full command for
for DUDE in $( ifconfig -lu ); do ifconfig ${DUDE} | grep -q “192.168.0.19” && echo ${DUDE};
Commands that ran through with node http web server up at port 8080
ifconfig ${DUDE}
=>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
XHC20: flags=0<> mtu 0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 80:e6:50:0a:23:64
inet6 fe80::14d6:6308:5edd:9f41%en0 prefixlen 64 secured scopeid 0x5
inet 192.168.0.19 netmask 0xffffff00 broadcast 192.168.0.255
inet6 2606:6000:609b:1200:14c1:e8b6:1ff0:8ef1 prefixlen 64 autoconf secured
inet6 2606:6000:609b:1200:d9dc:a4c3:7c4b:14e4 prefixlen 64 autoconf temporary
inet6 2606:6000:609b:1200::4 prefixlen 64 dynamic
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 02:e6:50:0a:23:64
media: autoselect
status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
ether 76:f1:5e:fa:30:28
inet6 fe80::74f1:5eff:fefa:3028%awdl0 prefixlen 64 scopeid 0x7
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether 72:00:05:09:7f:80
media: autoselect <full-duplex>
status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether 72:00:05:09:7f:81
media: autoselect <full-duplex>
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether 72:00:05:09:7f:80
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en1 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 8 priority 0 path cost 0
member: en2 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 9 priority 0 path cost 0
nd6 options=201<PERFORMNUD,DAD>
media: <unknown type>
status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 fe80::1d55:b5dc:3cd5:864%utun0 prefixlen 64 scopeid 0xb
nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
inet6 fe80::df6e:b1c3:74ea:f75c%utun1 prefixlen 64 scopeid 0xc
nd6 options=201<PERFORMNUD,DAD>
netstat -an | grep 8080
=>
tcp4 0 0 *.8080 *.* LISTEN
I'm still studying on what some of this output means and will work on getting a remote device to connect to my mac. Will provide further updates soon.
------- Next Update ---------
So I've tried to connect to the arbitrary port on both the local and remote machine.
Start Listening on port 54321
nc -v -b en0 -l 54321
Connecting to it..
nc -v -z 192.168.0.19 54321
Local Response =>
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif lo0
src 192.168.0.19 port 49845
dst 192.168.0.19 port 54321
rank info not available
TCP aux info available
Connection to 192.168.0.19 port 54321 [tcp/*] succeeded!
Remote Response =>
nc: connectx to 192.168.0.19 port 54321 (tcp) failed: Operation timed out
Web server Connection Attempt...
echo -n "GET / HTTP/1.0\r\n\r\n" | nc 192.168.0.19 8080
Local Response =>
HTTP/1.1 400 Bad Request
Web Server Response from local Request =>
- no change in logs
Remote Response =>
HTTP/1.1 400 Bad Request
Web Server Response from remote Request =>
- no change in logs
Solution 1:
My friend, let’s get down to business:
On the box running the webserver open the Terminal app and become the superuser by typing
sudo -s
and entering your user’s password. Show me your firewall configuration and the routing table. Post the output of
pfctl -vvv -s all
as well as
netstat -nr
Fire up the webserver, and ensure it is properly configured to serve. A misconfiguration there is beyond the scope of this answer. I assume the webserver runs on a host with the NAT/intranet IP address of 192.168.0.28.
Determine network interface on the intranet and fire up a listener on arbitrary port 54321:
for DUDE in $( ifconfig -lu ) ; do ifconfig ${DUDE} | grep -q "192.168.0.28" && echo ${DUDE} ; done
This will give you the network interface. Then make sure something is bound to port 8080
netstat -an | grep 8080
If nothing is returned here, your webserver is not bound to an interface @ port 8080, and there is likely a webserver misconfiguration or process race condition binding to that interface at that port number. The latter can happen when another process already has a particular interface / port bound. Do an
lsof -i | grep 8080
to see what occupies that port, if anything.
Fire up a listener on arbitrary port 54321 with
nc -v -b [network interface] -l 54321
On a remote Mac, BSD, Linux, or even UNIX host which is connected to the same NAT/intranet network, fire up a command prompt to access a system shell — via opening the Terminal app in Utilities on a Mac... Or on a windoze box run cmd.exe and telnet to 192.168.0.28:8080. Not sure if colon is proper syntax for CMD shell.
Attempt to connect to the listener we just set up on port 54321 with
nc -v -z 192.168.0.28 54321
Attempt to connect to your problematic webserver via
printf 'GET / HTTP/1.0\r\n\r\n' | nc 192.168.0.28 8080
That should help isolate the problem until I can see the firewall configuration and the routing table I requested above...
There are no filter rules in your PF ruleset, assuming that the com.apple anchor has not set any -- double check with a
sudo pfctl -vvv -a com.apple -sr
And please forgive me the oversight of this:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
It likely is on. Without messing with its config, let's temporarily disable it, and then retest the nc tests I describe above...:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
Then rerun the tests above. Change the 'off' above to 'on' to re-enable the app firewall after that. I am fairly confident that this will resolve the issue. If it does, then we just need to configure the app firewall -- a walk in the park, and I will advise after knowing the results...
F.
Solution 2:
My first thought is that you don't have a clear network path from your iOS device to the Mac to begin with. Download a utility like https://apps.apple.com/us/app/ping-network-utility/id576773404, and ping your Mac. Report back whether the ping works.
If you can’t even ping the Mac, it’s highly unlikely that you’ll be able to connect to it. Before you dive into firewalls, check that your router is set to let devices communicate with each other. Some will not allow connections between devices by default, only to devices on the Internet.
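The triage that both answers walk through, written as an added shell example (not code from either answer): it reads saved `netstat -an` and `pfctl` text and names the next thing to check. The sample text is constructed from the output shown on this page, and the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example; sample text is constructed from the output on this page.
NETSTAT_SAMPLE='tcp4  0  0  *.8080              *.*                 LISTEN
tcp4  0  0  127.0.0.1.4200      *.*                 LISTEN
tcp4  0  0  192.168.0.19.49845  192.168.0.19.54321  ESTABLISHED'
PF_SAMPLE='FILTER RULES:
@0 scrub-anchor "com.apple/*" all fragment reassemble
@0 anchor "com.apple/*" all'

# listener_scope PORT: reads `netstat -an` text on stdin.
# Prints any | loopback | <address> | none for TCP listeners on PORT.
listener_scope() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      suffix = "." port                  # macOS prints address.port
      cut = length($4) - length(suffix)
      if (cut < 1 || substr($4, cut + 1) != suffix) next
      addr = substr($4, 1, cut)
      if (addr == "*") scope = "any"
      else if (addr ~ /^127\./ || addr == "::1") { if (scope == "") scope = "loopback" }
      else if (scope != "any") scope = addr
    }
    END { print (scope == "" ? "none" : scope) }'
}

# pf_block_rules: reads `pfctl -s all` or `-sr` text on stdin and prints the
# number of explicit block rules. Anchor lines only delegate to sub-rulesets.
pf_block_rules() {
  awk '{ sub(/^@[0-9]+ /, "") } $1 == "block" { n++ } END { print n + 0 }'
}

# next_check SCOPE PF_BLOCKS LOCAL REMOTE   (LOCAL/REMOTE: ok | timeout)
# Hypothetical labels naming where to look next, in the order the answers test.
next_check() {
  if [ "$1" = none ]; then echo "server-not-listening"
  elif [ "$1" = loopback ]; then echo "server-bound-to-loopback"
  elif [ "$3" != ok ]; then echo "server-or-local-stack"
  elif [ "$4" = ok ]; then echo "path-clear"
  elif [ "$2" -gt 0 ]; then echo "pf-ruleset"
  else echo "application-firewall-or-network-path"
  fi
}

# The asker's situation: wildcard listener, no PF block rules, local nc
# succeeds, remote nc times out.
scope=$(printf '%s\n' "$NETSTAT_SAMPLE" | listener_scope 8080)
blocks=$(printf '%s\n' "$PF_SAMPLE" | pf_block_rules)
next_check "$scope" "$blocks" ok timeout
```

On a live Mac, feed the functions `netstat -an | listener_scope 8080` and `sudo pfctl -sr | pf_block_rules`; rules inside the com.apple anchor need the separate `-a com.apple -sr` listing from Solution 1.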