Mac OS X 10.6 Server Admin: About Firewall Service

This article has been archived and is no longer updated by Apple.
About Firewall Service

You configure Firewall service using Server Admin. You can also configure some settings by manually editing configuration files.

The illustration below shows an example firewall process.

Services such as Web and FTP are identified on your server by a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number. When a computer tries to connect to a service, Firewall service scans the rule list for a matching port number.

When a packet arrives at a network interface and the firewall is enabled, the packet is compared to each rule, starting with the lowest-numbered (highest-priority) rule. When a rule matches the packet, the action specified in the rule (such as permit or deny) is taken. Then, depending on the action, more rules can be applied.

The rules you set are applied to TCP packets and to UDP packets. In addition, you can set up rules for restricting Internet Control Message Protocol (ICMP) or Internet Group Management Protocol (IGMP) using advanced rule creation.

Important: When you start Firewall service for the first time, only ports essential to remote administration of the server are open, including secure shell (22) and several others. Other ports are dynamically opened to permit specific responses to queries initiated from the server. To permit remote access to other services on your computer, open more ports using the Services section of the Settings pane.

If you plan to share data over the Internet and you don’t have a dedicated router or firewall to protect your data from unauthorized access, you must use Firewall service. This service works well for small to medium businesses, schools, and small or home offices.

Large organizations with a firewall can use Firewall service to exercise a greater degree of control over their servers. For example, workgroups in a large business, or schools in a school system, can use Firewall service to control access to their own servers.

Firewall service also provides stateful packet inspection, which determines whether an incoming packet is a legitimate response to an outgoing request or part of an ongoing session. Such packets are permitted even though they would otherwise be denied.
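
The rule matching and stateful inspection described above can be modeled in a few lines of Python. This is an added example, not Apple's code or configuration: the rule numbers, addresses, and class names are constructed, only the terminal permit and deny actions are modeled, and checking session state before the rule list is a simplifying assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int                # lower number = higher priority
    action: str                # "permit" or "deny"
    proto: Optional[str]       # "tcp", "udp", or None for any protocol
    dst_port: Optional[int]    # None matches any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.sessions = set()  # flows the server itself initiated

    def outbound(self, p):
        """Record an outgoing request so its reply can be recognised."""
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def inbound(self, p):
        """Return (action, reason) for a packet arriving at the interface."""
        # Stateful inspection: a reply mirrors a recorded outgoing flow.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return ("permit", "state")
        for r in self.rules:   # lowest-numbered rule is compared first
            if r.proto in (None, p.proto) and r.dst_port in (None, p.dport):
                return (r.action, r.number)
        return ("deny", "no-match")

# Constructed addresses (documentation ranges) and rule numbers.
SERVER, CLIENT, RESOLVER = "192.0.2.10", "198.51.100.7", "203.0.113.53"
RULES = [Rule(65000, "deny", None, None), Rule(100, "permit", "tcp", 22)]

if __name__ == "__main__":
    fw = Firewall(RULES)
    print(fw.inbound(Packet("tcp", CLIENT, 40000, SERVER, 22)))
    print(fw.inbound(Packet("tcp", CLIENT, 40001, SERVER, 80)))
    fw.outbound(Packet("udp", SERVER, 5000, RESOLVER, 53))
    print(fw.inbound(Packet("udp", RESOLVER, 53, SERVER, 5000)))
```

The catch-all deny rule carries a high number so that every more specific rule is compared before it; a deny rule numbered below 100 for port 22 would override the SSH permit.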

Last Modified: Aug 6, 2013