Is macOS Mojave (and up?) doing extra network blocking compared to macOS High Sierra?
Solution 1:
A macOS server system provides two and a half firewalls:
- Application Firewall (with a GUI: System Preferences > Security & Privacy)
- pf (only 3rd-party GUIs)
- Adaptive Firewall, which is (or at least was) based on ipfw and pf (and thus in parts flawed because Apple botched it by removing ipfw). Partly fixed here: How to setup the adaptive firewall.
Only the last one is exclusive to systems with Server.app installed and configured.
Launching Server.app for the first time will modify /etc/pf.conf and add an additional pf anchor: /private/etc/pf.anchors/com.apple.server-firewall. This anchor loads additional anchors from /Library/Server/Firewall/Anchors/.
By default all firewalls are off and defunct and no substantial rules are defined.
As soon as you change the setting in Server.app (Server > hostname > Access > Default Network Access) from the default, all networks, to something else, the linked anchors are fed with rules depending on your settings and the pf daemon is launched. Changing back to all networks will remove all rules related to default network access, but the pf daemon continues to run.
- all networks will allow NATed traffic from the Internet directed to your server
- private networks will prohibit NATed traffic from the Internet directed to your server based on the propagated rules.
AFAIR there is no difference between the various Server v5 versions (at least El Capitan - Catalina) regarding the initial setting of Default Network Access, which is and always was all networks.
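
A read-only way to check the pf side of this on a given machine, added here as an example and not part of the original answer: it lists the anchors a pf.conf references and reports whether the com.apple.server-firewall anchor is loaded. The function names are hypothetical and the sample pf.conf is constructed; the exact lines Server.app writes are an assumption.

```shell
#!/bin/sh
# Print every anchor reference and "load anchor" line found in a pf.conf.
# Output: "<kind> <name>" for references, "load <name> <file>" for loads.
pf_anchor_report() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        $1 == "load" && $2 == "anchor" {               # load anchor "x" from "file"
            gsub(/"/, "", $3); gsub(/"/, "", $5)
            print "load", $3, $5
            next
        }
        $1 ~ /^(scrub-|nat-|rdr-|dummynet-)?anchor$/ { # anchor "x/*" and variants
            gsub(/"/, "", $2)
            print $1, $2
        }
    ' "$1"
}

# Print the file the Server.app anchor is loaded from; prints nothing if the
# pf.conf has no load line for com.apple.server-firewall.
server_anchor_file() {
    pf_anchor_report "$1" |
        awk '$1 == "load" && $2 == "com.apple.server-firewall" { print $3 }'
}

# Constructed sample: stock macOS anchor lines plus the lines Server.app is
# assumed to add (the anchor path is the one named in the answer above).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample pf.conf
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
anchor "com.apple.server-firewall/*"
load anchor "com.apple.server-firewall" from "/private/etc/pf.anchors/com.apple.server-firewall"
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
pf_anchor_report "$sample"
echo "server anchor file: $(server_anchor_file "$sample")"
rm -f "$sample"
# On the real system: pf_anchor_report /etc/pf.conf, then check whether pf is
# running with `sudo pfctl -s info` (Status line) and list loaded anchors
# with `sudo pfctl -s Anchors`.
```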