Mac OS X 10.6 Server Admin: Firewall Setup Overview
After you decide the types of rules to configure, use the following steps to set up Firewall service. If you need more help to perform these steps, see and the other topics referred to in the steps.
If you’re new to working with Firewall service, learn and understand firewall concepts, tools, and features of Mac OS X Server and BIND. For more information, see About Firewall Rules.
Then determine which services you want to provide access to. Mail, Web, and FTP services generally require access from computers on the Internet. File and Print services are more likely to be restricted to your local subnet.
After you decide the services to protect using Firewall service, determine the IP addresses you want to permit access to your server and the IP addresses you want to deny access to your server. Then configure the suitable rules.
In Server Admin, select Firewall and click Start Firewall. By default, this blocks all incoming ports except those used to configure the server remotely. If you’re configuring the server locally, turn off external access immediately.
Create an IP address group that the firewall rules will apply to. By default, an IP address group is created for all incoming IP addresses. Rules applied to this group affect all incoming network traffic. See Configuring Address Groups Settings.
Activate service rules for each address group. In the Services pane, you can activate rules based on address groups as destination IP numbers. See Configuring Services Settings.
Use logging settings to enable Firewall service event logging. You can also set what types and how many packets get logged. See Configuring Firewall Logging Settings.
Configure advanced firewall rules to further configure other services, strengthen network security, and fine-tune your network traffic through the firewall. See Configuring Advanced Firewall Rules.
By default, all UDP traffic is blocked, except traffic arriving in response to an outgoing query. Apply rules to UDP ports sparingly, if at all, because denying some UDP responses could inhibit normal networking operations.
If you configure rules for UDP ports, don’t select the “Log all allowed packets” option in the Firewall Logging settings pane in Server Admin. Because UDP is a connectionless protocol, every packet to a UDP port is logged if you select this option.
To learn how IP rules work, read About Firewall Rules.
You turn Firewall service on using Server Admin. See Starting Firewall Service.