After a power outage, this started happening:
Feb 14 15:36:35 www serveradmin: servermgr_nat: nat config:Error:Cannot launch natd
The Appple front-ends (like serveradmin) are not very verbose so I've found a good troubleshooting step to be to run the underlying deamon with the same config files, manually:
www:/etc/nat root# natd -config /etc/nat/natd.conf.apple
natd: unknown protocol (null). Expected tcp or udp
Aha! Indeed, the last line looks weird:
redirect_port (null) (null):3050
When it should be something like:
-redirect_port proto targetIP:targetPORT[-targetPORT]
[aliasIP:]aliasPORT[-aliasPORT]
[remoteIP[:remotePORT[-remotePORT]]]
Digging a little deeper, we find that natd.conf.apple is actually re-written every time you serveradmin start nat (so modifying it directly is pointless). The values are populated from /etc/nat/natd.plist. If the latter doesn't exist, it's it's created from /etc/nat/natd.plist.default.
Since I was convnced I hadn't modified my natd.plist, I just did a
> mv natd.conf.apple natd.conf.apple.old
> mv natd.plist natd.plist.old
> serveradmin start nat
And that got things running again. What's really weird is the cause of this:
www:/etc/nat root# diff natd.plist natd.plist.old
18a19,25
><key>redirect_port</key>
> <array>
> <dict>
> <key>targetPortRange</key>
> <integer>3050</integer>
> </dict>
> </array>
How that targetPortRange got there, I still don't know…