Mac OS X Server 10.3, 10.4: About firewall settings and logging
Summary
The Mac OS X Server firewall protects your server from unauthorized remote access. This document supplements the Network Services Administration guide with information on troubleshooting and custom configuration.
You can use the Server Admin application to configure the Mac OS X Server firewall, or IPFilter. You may also configure certain settings by manually editing configuration files.
Products Affected
Mac OS X Server 10.4, Mac OS X Server 10.3
When the firewall starts
The IPFilter startup item loads configured rules into the firewall at startup. It enables or disables the firewall based on the setting of the IPFILTER flag in the /etc/hostconfig file. The firewall is disabled by default.
Note: If you view processes, you will not see a separate process for firewall or IPFilter. The rules are loaded directly to the operating system's kernel, then applied based on your settings.
About the ipfilter folder
The /etc/ipfilter/ folder contains the files used to configure the firewall. When you use Server Admin to configure the firewall, it saves changes to these files. When Server Admin saves a set of rules, the old rules are flushed; the file /etc/ipfilter/ipfw.conf.apple is generated, and the rules in that file are loaded into the firewall using the ipfw(8) command.
Additionally, any rules added to /etc/ipfilter/ipfw.conf are loaded into the firewall. This file includes comments about how to add rules to the file. To read them, open the file in a text editor.
10.3 Only: Logging denied packets
The Logging options in the Firewall pane allow you to select "all allowed" or "all denied" packets. If you select denied packets, packets rejected by "unreach" or "reset" rules are not logged.
Using Advanced options
The Advanced section of the Firewall pane allows you to write rules directly, so a mistake can produce an invalid rule. In the event that you create an invalid rule, a message is written to the system log indicating the type of error (though not which rule caused it). The invalid rule and all subsequent rules are not loaded into the firewall, but valid rules preceding the error are loaded. Because invalid rules could potentially put the server into an unusable state, you should only use the Advanced pane if you are certain that you are qualified to do so.
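As an added example (not Apple's tooling and not part of the original document), the following POSIX shell linter mirrors the load behaviour described above for rules kept in an /etc/ipfilter/ipfw.conf-style file: it walks the file in order and reports which rules would load before the first invalid one. The rule shape it checks (an action keyword, then "from ... to ...") is a deliberately minimal assumption, and the sample rules file is constructed for illustration.

```shell
# Constructed example, not Apple's code: offline linter for an
# /etc/ipfilter/ipfw.conf-style rules file. Rules are accepted in order until
# the first invalid one; that rule and every rule after it are reported as
# not loaded. Only a minimal rule shape is checked (action keyword, then
# "from ... to ..."), so a rule it accepts may still be rejected by ipfw(8).
# After the call: IPFW_LINT_LOADED = rules accepted before the first error,
#                 IPFW_LINT_BAD    = line number of the first invalid rule (0 = none).
lint_ipfw_rules() {
    IPFW_LINT_LOADED=0; IPFW_LINT_BAD=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # drop comments and surrounding whitespace; skip blank lines
        rule=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$rule" ] && continue
        # strip an optional leading "add" and rule number so the action comes first
        body=$(printf '%s' "$rule" | sed -E 's/^add[[:space:]]+//; s/^[0-9]+[[:space:]]+//')
        ok=1
        case "$body" in
            "allow "*|"deny "*|"unreach "*|"reset "*|"count "*|"skipto "*|check-state) ;;
            *) ok=0 ;;   # unknown action keyword
        esac
        case "$body" in
            check-state|*" from "*" to "*) ;;
            *) ok=0 ;;   # missing "from ... to ..." address part
        esac
        if [ "$IPFW_LINT_BAD" -ne 0 ]; then
            printf 'line %d: not loaded (follows an invalid rule): %s\n' "$lineno" "$rule"
        elif [ "$ok" -eq 1 ]; then
            IPFW_LINT_LOADED=$((IPFW_LINT_LOADED + 1))
            printf 'line %d: loaded: %s\n' "$lineno" "$rule"
        else
            IPFW_LINT_BAD=$lineno
            printf 'line %d: INVALID, this and later rules are not loaded: %s\n' "$lineno" "$rule"
        fi
    done < "$1"
    [ "$IPFW_LINT_BAD" -eq 0 ]
}
# Constructed sample file; the third rule misspells its action keyword.
sample_rules_file() {
    f=$(mktemp) && cat > "$f" <<'EOF'
# custom rules appended to the Server Admin set
add 01000 allow tcp from 192.168.1.0/24 to any 22
add 01010 deny log tcp from any to any 80
add 01020 alow udp from any to any 123
add 01030 deny ip from any to any
EOF
    printf '%s\n' "$f"
}
lint_ipfw_rules "$(sample_rules_file)" ||
    echo "first invalid rule at line $IPFW_LINT_BAD; $IPFW_LINT_LOADED rule(s) loaded before it"
```

Run it against a copy of your own rules file before loading the rules for real; only the rules reported as "loaded" precede the first error.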
10.3 Only: Using a large number of rules
The amount of time required to load rules into the firewall is a function of the number of rules. If many specific ports are opened in the General list, for example, it could take ten seconds or more to load rules into the firewall.
If enough rules are enabled to require more than 90 seconds, the Server Admin application presents a dialog suggesting that the server-side component has crashed or timed out. A SIGALARM message also normally appears in the system log file. To avoid the time-out, either reduce the number of rules or manage the rules outside the Server Admin application.
Required when using NAT
If you enable the NAT service, you are also required to enable the firewall service.
Port 80 blocked by default
By default, the firewall blocks HTTP port 80, which is commonly used for Web services.
For more information about this topic, see the Network Services Administration guide. It is located on disc 2 of your Mac OS X Server disc set, and here: http://www.apple.com/server/pdfs/Network_Services.pdf