Figuring out what is blocking HTTP request on macOS Mojave?

I have a simple http-server running with an index.html, which I'm trying to serve over to another device over LAN. I can access the website in the host computer using localhost and it is recorded as a successful HTTP 200. Although when I try to access it with the other client device, the http server shows no sign of any request and the device times out.

I believe a firewall in my Mac is blocking the connection, but I hear that there are multiple firewalls within a Mac and they may possibly keep changing it with each OS update.

e.g.

  • Thread that shows OS has multiple firewalls in place

  • Firewall may change on OS update

  • Firewall Logs Now Disapeared (can't view appfirewall.log)

So I'm now using macOS Mojave, and I have very little experience using networking tools to verify what goes on in my network (So please forgive my ignorance).

  • What firewalls does macOS Mojave use?

  • Where can I find the logs (So I can see if my other device's http-request got denied)?

  • Is there any other thing that I may not know about that can stop my http-request? If so what tools can I use to verify?

--------- Additional Detail ---------

  • I'm have an angular webpack development server serving at it's usual port 4200 and then use ghostlab to proxy serve it at port 8005 for my external devices. (This had stopped working though so I did the below to see if I can access the website dist folder another way)
  • I had used the node package http-server and served a test website with just index.html. It serves on both http://127.0.0.1:8080 and LAN ip address of http://192.168.0.28:8080.
  • I can reach 192.168.0.28:8080 locally on the host machine chrome browser but on an iOS client device using safari's browser it never gets a response. So I'm thinking a firewall is blocking it somewhere down the line. Although being able to confirm through appfirewall.log (which seems to be gone) or similar places I may not know about that I should be looking at is what I'm trying to figure out.

---- Further Detail -----

Thank you Francis for your answer.

Shown below is my routing table

Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.0.1        UGSc          147        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              9   277366     lo0
169.254            link#5             UCS             0        0     en0      !
192.168.0          link#5             UCS             3        0     en0      !
192.168.0.1/32     link#5             UCS             2        0     en0      !
192.168.0.1        b0:c2:87:51:37:e7  UHLWIir        58       52     en0    583
192.168.0.2        link#5             UHLWIi          1      152     en0      !
192.168.0.13       0:71:47:32:79:99   UHLWI           0       81     en0    285
192.168.0.19/32    link#5             UCS             1        0     en0      !
192.168.0.19       80:e6:50:a:23:64   UHLWI           0        2     lo0
192.168.0.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        1     en0      !
224.0.0/4          link#5             UmCS            3        0     en0      !
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
224.6.7.8          1:0:5e:6:7:8       UHmLWI          0        8     en0
239.255.255.250    1:0:5e:7f:ff:fa    UHmLWI          0      149     en0
255.255.255.255/32 link#5             UCS             1        0     en0      !
255.255.255.255    ff:ff:ff:ff:ff:ff  UHLWbI          0        1     en0      !

Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::b2c2:87ff:fe51:37e7%en0   UGc             en0
default                                 fe80::%utun0                    UGcI          utun0
default                                 fe80::%utun1                    UGcI          utun1
::1                                     ::1                             UHL             lo0
2606:6000:609b:1200::/64                link#5                          UC              en0
2606:6000:609b:1200::4                  80:e6:50:a:23:64                UHL             lo0
2606:6000:609b:1200:14c1:e8b6:1ff0:8ef1 80:e6:50:a:23:64                UHL             lo0
2606:6000:609b:1200:81e5:bdd5:155e:a21d 80:e6:50:a:23:64                UHL             lo0
fe80::%lo0/64                           fe80::1%lo0                     UcI             lo0
fe80::1%lo0                             link#1                          UHLI            lo0
fe80::%en0/64                           link#5                          UCI             en0
fe80::14d6:6308:5edd:9f41%en0           80:e6:50:a:23:64                UHLI            lo0
fe80::b2c2:87ff:fe51:37e7%en0           b0:c2:87:51:37:e7               UHLWIir         en0
fe80::%awdl0/64                         link#7                          UCI           awdl0
fe80::74f1:5eff:fefa:3028%awdl0         76:f1:5e:fa:30:28               UHLI            lo0
fe80::%utun0/64                         fe80::1d55:b5dc:3cd5:864%utun0  UcI           utun0
fe80::1d55:b5dc:3cd5:864%utun0          link#11                         UHLI            lo0
fe80::%utun1/64                         fe80::df6e:b1c3:74ea:f75c%utun1 UcI           utun1
fe80::df6e:b1c3:74ea:f75c%utun1         link#12                         UHLI            lo0
ff01::%lo0/32                           ::1                             UmCI            lo0
ff01::%en0/32                           link#5                          UmCI            en0
ff01::%awdl0/32                         link#7                          UmCI          awdl0
ff01::%utun0/32                         fe80::1d55:b5dc:3cd5:864%utun0  UmCI          utun0
ff01::%utun1/32                         fe80::df6e:b1c3:74ea:f75c%utun1 UmCI          utun1
ff02::%lo0/32                           ::1                             UmCI            lo0
ff02::%en0/32                           link#5                          UmCI            en0
ff02::%awdl0/32                         link#7                          UmCI          awdl0
ff02::%utun0/32                         fe80::1d55:b5dc:3cd5:864%utun0  UmCI          utun0
ff02::%utun1/32                         fe80::df6e:b1c3:74ea:f75c%utun1 UmCI          utun1

-- PF --

pfctl -vvv -s all

=>

No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
@0 nat-anchor "com.apple/*" all
  [ Owner : nil          Priority : 0     ]
  [ Evaluations: 1003456   Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89 ]
@0 rdr-anchor "com.apple/*" all
  [ Owner : nil          Priority : 0     ]
  [ Evaluations: 2053469   Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89 ]

FILTER RULES:
@0 scrub-anchor "com.apple/*" all fragment reassemble
  [ Owner : nil          Priority : 0     ]
  [ Evaluations: 3848799   Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89 ]
@0 anchor "com.apple/*" all
  [ Owner : nil          Priority : 0     ]
  [ Evaluations: 2053469   Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89 ]

DUMMYNET RULES:
@0 dummynet-anchor "com.apple/*" all
  [ Owner : nil          Priority : 0     ]
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 89 ]

INFO:
Status: Enabled for 1 days 15:36:27           Debug: Urgent

Hostid:   0x995c6c3b
Checksum: 0x79872649e3817f920d20509d6509b712

State Table                          Total             Rate
  current entries                        0
  searches                         2551721           17.9/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                            2053469           14.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                           1451            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  dummynet                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
grev1.first                 120s
grev1.initiating             30s
grev1.estblished           1800s
esp.first                   120s
esp.estblished              900s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
app-states    hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

OS FINGERPRINTS:
696 fingerprints loaded

Interface Notes:

I was unable to run full command for

for DUDE in $( ifconfig -lu ); do ifconfig ${DUDE} | grep -q “192.168.0.19” && echo ${DUDE}; 

Commands that ran through with node http web server up at port 8080

ifconfig ${DUDE}

=>

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
XHC20: flags=0<> mtu 0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 80:e6:50:0a:23:64
    inet6 fe80::14d6:6308:5edd:9f41%en0 prefixlen 64 secured scopeid 0x5
    inet 192.168.0.19 netmask 0xffffff00 broadcast 192.168.0.255
    inet6 2606:6000:609b:1200:14c1:e8b6:1ff0:8ef1 prefixlen 64 autoconf secured
    inet6 2606:6000:609b:1200:d9dc:a4c3:7c4b:14e4 prefixlen 64 autoconf temporary
    inet6 2606:6000:609b:1200::4 prefixlen 64 dynamic
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
    ether 02:e6:50:0a:23:64
    media: autoselect
    status: inactive
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
    ether 76:f1:5e:fa:30:28
    inet6 fe80::74f1:5eff:fefa:3028%awdl0 prefixlen 64 scopeid 0x7
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=60<TSO4,TSO6>
    ether 72:00:05:09:7f:80
    media: autoselect <full-duplex>
    status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=60<TSO4,TSO6>
    ether 72:00:05:09:7f:81
    media: autoselect <full-duplex>
    status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=63<RXCSUM,TXCSUM,TSO4,TSO6>
    ether 72:00:05:09:7f:80
    Configuration:
        id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
        maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
        root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
        ipfilter disabled flags 0x2
    member: en1 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 8 priority 0 path cost 0
    member: en2 flags=3<LEARNING,DISCOVER>
            ifmaxaddr 0 port 9 priority 0 path cost 0
    nd6 options=201<PERFORMNUD,DAD>
    media: <unknown type>
    status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
    inet6 fe80::1d55:b5dc:3cd5:864%utun0 prefixlen 64 scopeid 0xb
    nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::df6e:b1c3:74ea:f75c%utun1 prefixlen 64 scopeid 0xc
    nd6 options=201<PERFORMNUD,DAD>

netstat -an | grep 8080

=>

tcp4       0      0  *.8080                 *.*                    LISTEN

I'm still studying on what some of this output means and will work on getting a remote device to connect to my mac. Will provide further updates soon.

------- Next Update ---------

So I've tried to connect to the arbitrary port on both the local and remote machine.

Start Listening on port 54321

nc -v -b en0 -l 54321

Connecting to it..

nc -v -z 192.168.0.19 54321

Local Response =>

found 0 associations
found 1 connections:
     1: flags=82<CONNECTED,PREFERRED>
    outif lo0
    src 192.168.0.19 port 49845
    dst 192.168.0.19 port 54321
    rank info not available
    TCP aux info available

Connection to 192.168.0.19 port 54321 [tcp/*] succeeded!

Remote Response =>

nc: connectx to 192.168.0.19 port 54321 (tcp) failed: Operation timed out

Web server Connection Attempt...

echo -n "GET / HTTP/1.0\r\n\r\n" | nc 192.168.0.19 8080

Local Response =>

HTTP/1.1 400 Bad Request

Web Server Response from local Request =>

  • no change in logs

Remote Response =>

HTTP/1.1 400 Bad Request

Web Server Response from remote Request =>

  • no change in logs

Solution 1:

My friend, let’s get down to business:

  1. On the box running the webserver open the Terminal app and become the superuser by typing sudo -sand entering your user’s password.

  2. Show me your firewall configuration and the routing table. Post the output of pfctl -vvv -s all , as well as netstat -nr

  3. Fire up the webserver, and ensure it is properly configured to serve. A misconfiguration there is beyond the scope of this answer. I assume the webserver runs on a host with the NAT/intranet IP address of 192.168.0.28.

  4. Determine network interface on the intranet and fire up a listener on arbitrary port 54321:

    for DUDE in $( ifconfig -lu ) ; do ifconfig ${DUDE}  | grep -q “192.168.0.28” && echo ${DUDE} ; done
    

    This will give you the network interface. Then make sure something is bound to port 8080

    netstat -an | grep 8080
    

    If nothing is returned here, your webserver is not bound to an interface @ port 8080, and there is likely a webserver misconfiguration or process race condition binding to that interface at that port number. The latter can happen when another process already has a particular interface / port bound. Do an lsof -i | grep 8080 to see what occupies that port, if anything.

    Fire up a listener on arbitrary port 54321 with nc -v -b [network interface] -l 54321

  5. On a remote Mac, BSD, Linux, or even UNIX host which is connected to the same NAT/intranet network, fire up a command prompt to access a system shell — via opening the Terminal app in Utilities on a Mac... Or on a windoze box run cmd.exe and telnet to 192.168.0.28:8080. Not sure if colon is proper syntax for CMD shell.

  6. Attempt to connect to the listener we just set up on port 54321 with nc -v -z 192.168.0.28 54321

  7. Attempt to connect to your problematic webserver via

    echo -n "GET / HTTP/1.0\r\n\r\n" | nc 192.168.0.28 8080
    

That should help isolate the problem until I can see the firewall configuration and the routing table I requested above...


There are no filter rules in your PF ruleset, assuming that the com.apple anchor has not set any -- double check with a

sudo pfctl -vvv -a com.apple -sr

And please forgive me the oversight of this:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

It likely is on. Without messing with its config, let's temporarily disable it, and then retest the nc tests I describe above...:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

Then rerun the tests above. Change the 'off' above to 'on' to re-enable the app firewall after that. I am fairly confident that this will resolve the issue. If it does, then we just need to configure the app firewall -- a walk in the park, and I will advise after knowing the results...

F.

Solution 2:

My first thought is that you don't have a clear network path from your iOS device to the Mac to begin with. Download a utility like https://apps.apple.com/us/app/ping-network-utility/id576773404, and ping your Mac. Report back whether the ping works.

If you can’t even ping the Mac, it’s highly unlikely that you’ll be able to connect to it. Before you dive into firewalls, check that your router is set to let devices communicate with each other. Some will not allow connections between devices by default, only to devices on the Internet.