Mac firewall blocking nginx (port 80) from external side

10

2

I installed nginx using ports and started it with sudo. Accessing the nginx welcome page from localhost works perfectly, however accessing it from an external computer fails.

Doing an nmap on the computer from the outside reveals

80/tcp   filtered http

So clearly the Mac firewall is blocking the port. I then proceeded to add the nginx executable to the firewall exception list, however the nmap still shows up as port 80 being filtered and I'm unable to access the webpage. The exact binary that is in the list is /opt/local/sbin/nginx, which to my knowledge seems correct.

Any ideas what I should do? Thanks!

P.S. Turning the firewall off does allow me to access the website from the outside world, however that isn't an ideal solution.

Alex Ionescu

Posted 2012-12-14T09:30:51.347

Reputation: 109

I don't have an answer, but here are a couple of things to look at: check /var/log/appfirewall.log to see if it has anything useful, and run sudo lsof -i:80 to make sure it's really nginx doing the listening (and that it's listening on all IPs, not just 127.0.0.1). – Gordon Davisson – 2012-12-14T22:40:21.740

Hey Gordon, thanks for the suggestions!

My firewall log looks like this when I try to connect:

Dec 18 02:12:56 MacBook-Pro.local socketfilterfw[80663] <Info>: Deny connecting from my.ip.is.here:55843 to port 80 proto=6

And this is the output of the listening table:

nginx 80437 root 6u IPv4 0x35ec104ccb86c175 0t0 TCP *:http (LISTEN)
nginx 80438 nobody 6u IPv4 0x35ec104ccb86c175 0t0 TCP *:http (LISTEN)

Looks like everything should be correct, but it's still getting blocked :( – Alex Ionescu – 2012-12-18T08:13:54.707

Is it possible you have two nginx executables, one allowed in the firewall and one not? That's the only thing I can think of... – Gordon Davisson – 2012-12-18T13:11:35.563

Answers

10

This worked for me (OSX 10.9):

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/local/Cellar/nginx/1.4.4/bin/nginx
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /usr/local/Cellar/nginx/1.4.4/bin/nginx

When I tried doing it through a symlink (to avoid redoing this process when nginx is upgraded), I got the following error: "The application is not part of the firewall" after running:

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /usr/local/bin/nginx

Eugene

Posted 2012-12-14T09:30:51.347

Reputation: 201

I got the same message "The application is not part of the firewall", and in my case it was a case-sensitivity issue... I wrote cellar instead of Cellar. When I used a capital C, it worked!! Thanks – Ofer Segev – 2016-03-24T16:54:37.693
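The symlink error in the answer above comes down to registering the real file rather than the link that points at it. The script below is an added example, not code from any poster on this page: it follows the symlink chain to the physical binary and then runs the same --add and --unblockapp commands on that path. The helper names resolve_binary and allow_in_firewall are hypothetical.

```shell
#!/bin/sh
# Added example: resolve a symlinked nginx to the real file before
# registering it with the macOS application firewall.
# resolve_binary and allow_in_firewall are hypothetical helper names.

FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# resolve_binary PATH -> prints the physical path of PATH, following every
# symlink in the chain. Uses only POSIX tools plus readlink, because older
# OS X releases ship neither `realpath` nor `readlink -f`.
resolve_binary() {
    target=$1
    hops=0
    while [ -L "$target" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 40 ] || return 1                 # symlink loop guard
        link=$(readlink "$target") || return 1
        case $link in
            /*) target=$link ;;                        # absolute link
            *)  target=$(dirname "$target")/$link ;;   # relative to the link's directory
        esac
    done
    [ -f "$target" ] || return 1                       # must end at a regular file
    # cd -P collapses ".." components and symlinked parent directories.
    dir=$(CDPATH= cd -P -- "$(dirname "$target")" && pwd) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$target")"
}

# allow_in_firewall PATH -> add and unblock the resolved binary.
allow_in_firewall() {
    real=$(resolve_binary "$1") || { echo "cannot resolve $1" >&2; return 1; }
    echo "registering $real"
    sudo "$FW" --add "$real" && sudo "$FW" --unblockapp "$real"
}

# Runs only when a path is given, e.g.: sh fw-allow.sh /usr/local/bin/nginx
if [ "$#" -gt 0 ]; then allow_in_firewall "$1"; fi
```

The resolved path changes whenever the versioned Cellar directory changes, so the script has to be re-run after each nginx upgrade.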

3

Been trying to figure this out for ages, eventually doing the following in the terminal:

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --remove /usr/local/Cellar/nginx/1.10.0/bin/nginx
Application at path ( /usr/local/Cellar/nginx/1.10.0/bin/nginx ) removed from firewall

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /usr/local/Cellar/nginx/1.10.0/bin/nginx
The application is already a part of the firewall

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /usr/local/Cellar/nginx/1.10.0/bin/nginx
Incoming connection to the application is permitted

And it seemed to fix the issue.

I did also drag the nginx application into the approved applications list on OS X firewall.

John Griffiths

Posted 2012-12-14T09:30:51.347

Reputation: 131

These steps worked for me, but I also had to restart nginx for the website to actually start loading. – Hippo – 2018-11-21T05:02:36.190

0

I'm on El Capitan (10.11.6). You can manually exclude nginx from the firewall using the GUI. This solved it for me.

First, go to System Preferences. Then go to Security & Privacy, and click the Firewall tab.

Click the 'Firewall Options' button and add nginx as an excluded application.

Nginx was located in /usr/local/Cellar/nginx/1.10.3/bin/nginx for me. I couldn't navigate to this in the file explorer in System Preferences, so to get around it I made a shortcut to nginx on my desktop and selected that.

dspacejs

Posted 2012-12-14T09:30:51.347

Reputation: 113

0

I've run into this same problem. I suspect it has to do with nginx's master/worker process model confusing Apple's appfirewall implementation.

The solution I've found is to tell appfirewall to allow the nginx process:

$ sudo /usr/libexec/ApplicationFirewall/socketfilterfw -t nginx

I don't recall if this persists across reboots or not. If it doesn't, create a launch plist in /Library/LaunchAgents to do this on boot, if you want.

dossy

Posted 2012-12-14T09:30:51.347

Reputation: 282

This doesn't work on Mac OS X 10.9.3 either. Apple has removed the -t option. – Siu Ching Pong -Asuka Kenji- – 2014-06-25T12:50:59.273

This doesn't work on 10.8. It complains that -t is an invalid option. Furthermore, if I add via --add `which nginx`, it adds it, but it doesn't recognize it if I go to remove it with the --remove option. – Brendan – 2013-03-20T21:49:53.647

0

Change your $PATH.

Let the system find the nginx in /usr/local/Cellar/nginx/nginx-xx/bin/nginx first.

march1993

Posted 2012-12-14T09:30:51.347

Reputation: 1