Very bizarre situation. I have inherited a few Xservers from a previous admin that I have been charged with cleaning up on various levels. I am familiar with settings in Ubuntu and am very comfortable with the command line—including compiling from source—on top of knowing how to maneuver around the command line in OS X as well. But have come across something utterly baffling on one of the servers which is running 10.6.8 (Snow Leopard).
First oddity, I would like to turn the software firewall completely off. Sounds as simple as going into Server Admin and just telling it to stop the firewall right? Nope! So if I turn off the firewall, and I do the following command to double check in the command line:
sysctl -a | grep net.inet.ip.fw.enable
The results are as expected:
net.inet.ip.fw.enable: 0
But then if I check it again within 5 minutes or so, it becomes magically enabled again:
net.inet.ip.fw.enable: 1
Ditto with NAT forwarding.
sysctl -a | grep net.inet.ip.forwarding
Disable it in the Server Admin, and this is the result:
net.inet.ip.forwarding: 0
A few minutes later:
net.inet.ip.forwarding: 1
WTF?!? I checked crontabs and I am the only user on the machine.
I do have the Server Admin app on another machine set to watch this machine, but it’s not running all of the time. And this issue did exist prior to that. I am not 10o% familiar with sysctl so need some guidance. FWIW, I do have some Ethernet tweaks I have set in /etc/sysctl.conf very recently, but no other commands or settings connected to the above.
Why would these settings seem to magically change after a few minutes? What can be done to stop that.
Thanks in advance for the help & pointers.
EDIT: Contents of /etc/hostconfig as per one of the comments below:
AFPSERVER=-NO-
AUTHSERVER=-NO-
TIMESYNC=-NO-
QTSSWEBADMIN=-NO-
QTSSRUNSERVER=-NO-
MYSQLCOM=-YES-
IPFORWARDING=-NO-
Just a thought but you could use the tool
auditctlto see what processes are touching your/etc/sysctl.conf.You can read more about auditctl over in this thread:
Specifically this answer:
The gist is you run this command:
And then watch the log file to see who's the guilty process:
Okay, solved this one. Thanks for all of the advice folks!
What happened is there is a Java application running via a Mac shell program on this machine that has different options for creating a Jetty-based web interface. Somehow this was set to take over port 80—the standard HTTP port—and disabling that by changing the port URL to something else—like 666666—solved the issue.
net.inet.ip.fw.enableandnet.inet.ip.forwardingstay set at0(aka: disabled) and don’t come back to life when the port is changed to a non-standard port for HTTP purposes.That said, I still need to have content delivered via a standard port 80 connection. So I turned on web services on the server & set a reverse proxy from that to port 666666. All behaves as it should.
But what is disturbing to me is how the application was able to takeover some
sudolevel functions—such as settingsysctloptions—without seemingly ever asking for an admin password. Is that normal for Jetty apps or idiosyncratic to this app? Maybe it asked for an admin password when it was installed before I even go to it? Do not know or care for now. But clearing this up cleared up lots of networking issues on this box now that this application is no longer hijacking routing & firewall functions.