Why do `net.inet.ip.forwarding` and `net.inet.ip.fw.enable` kernel sysctl settings stay enabled even after disabling them on an Xserve running 10.6.8

Tags: kernel, mac-osx-server, osx-snow-leopard, sysctl

Very bizarre situation. I have inherited a few Xservers from a previous admin that I have been charged with cleaning up on various levels. I am familiar with settings in Ubuntu and am very comfortable with the command line—including compiling from source—on top of knowing how to maneuver around the command line in OS X as well. But I have come across something utterly baffling on one of the servers, which is running 10.6.8 (Snow Leopard).

First oddity, I would like to turn the software firewall completely off. Sounds as simple as going into Server Admin and just telling it to stop the firewall right? Nope! So if I turn off the firewall, and I do the following command to double check in the command line:

sysctl -a | grep net.inet.ip.fw.enable

The results are as expected:

net.inet.ip.fw.enable: 0

But then if I check it again within 5 minutes or so, it becomes magically enabled again:

net.inet.ip.fw.enable: 1

Ditto with NAT forwarding.

sysctl -a | grep net.inet.ip.forwarding

Disable it in the Server Admin, and this is the result:

net.inet.ip.forwarding: 0

A few minutes later:

net.inet.ip.forwarding: 1

WTF?!? I checked crontabs and I am the only user on the machine.

I do have the Server Admin app on another machine set to watch this machine, but it’s not running all of the time. And this issue did exist prior to that. I am not 100% familiar with sysctl so need some guidance. FWIW, I do have some Ethernet tweaks I have set in /etc/sysctl.conf very recently, but no other commands or settings connected to the above.

Why would these settings seem to magically change after a few minutes? What can be done to stop that?

Thanks in advance for the help & pointers.

EDIT: Contents of /etc/hostconfig as per one of the comments below:

AFPSERVER=-NO-
AUTHSERVER=-NO-
TIMESYNC=-NO-
QTSSWEBADMIN=-NO-
QTSSRUNSERVER=-NO-
MYSQLCOM=-YES-
IPFORWARDING=-NO-

Best Answer

Just a thought, but you could use the tool auditctl to see what processes are touching your /etc/sysctl.conf.

You can read more about auditctl over in this thread:

Specifically this answer:

The gist is you run this command:

% sudo auditctl -p a -w /etc/sysctl.conf

And then watch the log file to see who's the guilty process:

% tail -f /var/log/audit/audit.log
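As an added example (not from the question or the answer above): a small POSIX shell script that polls the two sysctl keys from the question and, each time one of them flips, appends a timestamp, the change and a process listing to a log file, so the flip can be matched against whatever was running at that moment. The log path, the poll interval and the script name are assumptions, overridable through the SYSCTL_WATCH_LOG and INTERVAL environment variables.

```shell
#!/bin/sh
# Added example, not from the original post: watch the two sysctl keys from the
# question and log each flip together with a process snapshot taken at that moment.

KEYS="net.inet.ip.forwarding net.inet.ip.fw.enable"
LOG="${SYSCTL_WATCH_LOG:-/tmp/sysctl-watch.log}"   # assumed path, override via env
INTERVAL="${INTERVAL:-10}"                          # assumed poll interval in seconds

# snapshot: print "key value" for each watched key, one per line ('?' if unreadable)
snapshot() {
  for k in $KEYS; do
    printf '%s %s\n' "$k" "$(sysctl -n "$k" 2>/dev/null || echo '?')"
  done
}

# flips PREV CUR: print "key old->new" for every key whose value differs between
# two snapshots (pure text comparison, so it can be exercised without root or OS X)
flips() {
  printf '%s\n' "$1" | while read -r k v; do
    cur=$(printf '%s\n' "$2" | awk -v key="$k" '$1 == key { print $2 }')
    if [ "$v" != "$cur" ]; then
      printf '%s %s->%s\n' "$k" "$v" "$cur"
    fi
  done
}

# watch: poll forever; on every flip append the timestamp, the change and a
# process listing to $LOG, so the change can be correlated with what ran then
watch() {
  prev=$(snapshot)
  while sleep "$INTERVAL"; do
    cur=$(snapshot)
    changed=$(flips "$prev" "$cur")
    if [ -n "$changed" ]; then
      {
        printf '=== %s flipped:\n%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$changed"
        ps -axo pid,ppid,user,command
      } >>"$LOG"
    fi
    prev=$cur
  done
}

# run as: sudo sh sysctl-watch.sh watch   (without the argument only the functions are defined)
case "${1:-}" in
  watch) watch ;;
esac
```

Read the log alongside the auditctl output from the answer: the processes listed right after a flip are the first candidates for whatever rewrites the setting.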