Mac OS X 10.6 Server Admin: About Firewall Service
You configure Firewall service using Server Admin. You can also configure some settings by manually editing configuration files.
The illustration below shows an example firewall process.
Services such as Web and FTP are identified on your server by a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. When a computer tries to connect to a service, Firewall service scans the rule list for a matching port number.
When a packet arrives at a network interface and the firewall is enabled, the packet is compared to each rule in turn, starting with the lowest-numbered (highest-priority) rule. When a rule matches the packet, the action specified in the rule (such as permit or deny) is taken. Depending on that action, evaluation may then continue with further rules.
The rules you set are applied to TCP packets and to UDP packets. In addition, you can set up rules for restricting Internet Control Message Protocol (ICMP) or Internet Group Management Protocol (IGMP) using advanced rule creation.
If you plan to share data over the Internet and you don’t have a dedicated router or firewall to protect your data from unauthorized access, you must use Firewall service. This service works well for small to medium businesses, schools, and small or home offices.
Large organizations with a firewall can use Firewall service to exercise a greater degree of control over their servers. For example, workgroups in a large business, or schools in a school system, can use Firewall service to control access to their own servers.
Firewall service also provides stateful packet inspection, which determines whether an incoming packet is a legitimate response to an outgoing request or part of an ongoing session. This permits packets that would otherwise be denied.
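As an added illustration (not from Apple's documentation or Firewall service itself), the following Python model simulates the evaluation order described above: rules are checked from the lowest number up, the first match decides, and a simplified state table admits the reply to a recorded outgoing request even though the static rule list would deny it. The rule numbers, addresses and traffic are constructed; a real firewall records state only on rules that request it, which the `keep_state` flag stands in for.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    number: int                  # lower number = higher priority, checked first
    action: str                  # "allow" or "deny"
    proto: str = "any"           # protocol to match, or "any"
    dport: Optional[int] = None  # destination port to match, or None for any
    keep_state: bool = False     # remember matching flows so replies are admitted

def flow_key(p: Packet) -> Tuple:
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])  # request and reply agree
    return (p.proto, ends[0], ends[1])

class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.number)  # evaluation order
        self.sessions: Set[Tuple] = set()  # state table of known flows

    def evaluate(self, p: Packet) -> str:
        # Stateful inspection: a packet from a recorded session is admitted first
        if flow_key(p) in self.sessions:
            return "allow (stateful)"
        for r in self.rules:  # first matching rule decides
            if r.proto not in ("any", p.proto) or r.dport not in (None, p.dport):
                continue
            if r.action == "allow" and r.keep_state:
                self.sessions.add(flow_key(p))
            return f"{r.action} (rule {r.number})"
        return "deny (default)"

def demo() -> List[str]:
    fw = Firewall([Rule(100, "allow", proto="tcp", dport=80),                  # web service
                   Rule(200, "allow", proto="udp", dport=53, keep_state=True),  # DNS lookups
                   Rule(65535, "deny")])                                        # everything else
    packets = [  # constructed sample traffic; 192.0.2.10 stands in for the server
        Packet("tcp", "198.51.100.7", 40001, "192.0.2.10", 80),   # client web request
        Packet("udp", "192.0.2.10", 50000, "203.0.113.53", 53),   # server's DNS query
        Packet("udp", "203.0.113.53", 53, "192.0.2.10", 50000),   # reply to that query
        Packet("udp", "203.0.113.53", 53, "192.0.2.10", 50001),   # unsolicited packet
    ]
    return [fw.evaluate(p) for p in packets]
```

The third packet reaches the server only because the second one was recorded; the fourth, which no rule admits and no session explains, falls through to the final deny.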