Open Ports


Your server has 65,535 TCP ports and as many UDP ports, and each one is a door into the machine. How many of them are in use when you install Mac OS X Server? How do you find out which ones are open, and which of those are relatively insecure? How do you close the doors you don't need?

Mac OS X Server comes with a powerful service called a firewall. Perhaps you're installing a server that's already behind your organization's firewall, and you don't see the need for another firewall inside your business. After all, you're protected from the outside world. But who is protecting you from others within your company? What about other people who wish to peruse this new Mac OS X Server without your permission? Instituting a firewall is an excellent idea, even if your users are all local.

Firewall basics

A firewall either permits or denies traffic reaching your Mac OS X Server over its network interfaces (on Mac OS X Server, usually the built-in Ethernet ports), deciding on the protocol, the source and destination addresses, and the port numbers of each packet. If a client tries to reach the FTP service on your server and that service is running, the server accepts the connection on TCP port 21 (the FTP control channel; the data transfers travel over separate connections on other ports, which is what makes FTP awkward to filter). If you have the Apple File Sharing service on, users connect over TCP port 548.

Again, there are tens of thousands of ports, so managing a firewall may seem overwhelming at first. Keep one simple rule in mind: close all ports, then open only the ports of services you know you offer, whether that's a set of services most of your users need from day one or a port that users report they can't reach. In this fashion, you open only what you know about, and everything else stays closed to everyone.

The Old-Fashioned Way

Server Admin isn't the only way to add rules to your firewall. The firewall (called ipfw) reads two configuration files, ipfw.apple.conf and ipfw.conf, both located in /private/etc/ipfilter (/etc on Mac OS X is a symbolic link to /private/etc, so /etc/ipfilter is the same directory). When you make changes to the firewall using the Server Admin tool, it rewrites ipfw.apple.conf; treat that file as Server Admin's own, because hand edits to it are lost the next time you save. You can add your own rules to the ipfw.conf file using your favorite command-line editor.

When you start the firewall using Server Admin, ipfw loads the rules from both of these files. That opens the door to conflicts: you could accidentally write a rule in ipfw.conf that does exactly the opposite of one Server Admin generated. Because ipfw evaluates rules in ascending rule-number order and stops at the first rule that matches, whichever of the two rules has the lower number wins, regardless of which file it came from. Take care when you're editing files directly, and check the loaded result with sudo ipfw show.


The Firewall service

On Mac OS X Server, Apple has built in an interface for the firewall. Before you set a firewall in place, let's examine the Firewall window.

The Overview tab shows the current firewall rules (Figure 10.6). They're listed by rule number, which is also the order in which ipfw evaluates them: the lowest-numbered rule that matches a packet decides what happens to it, and later rules are never consulted for that packet. Rule 65535 is the kernel's built-in default; on Mac OS X it allows all connections from any IP address to any IP address on your server, so it is the rule that applies whenever nothing else matched. Rules that restrict access are therefore given a lower number, and thus a higher priority, than the default.

Figure 10.6. The Firewall service is selected, and the Overview tab indicates all current rules.


The Log tab shows the Firewall log file (Figure 10.7). You can specify what gets logged in the Logging tab under Settings, as you'll see in a moment.

Figure 10.7. The Firewall service Log tab shows the Firewall log.


The Settings tab displays three additional tabs (Figure 10.8):

  • You'll do most of your firewall work in the General tab. It displays two panes: "IP Address group" and a list of common ports. The "IP Address group" pane lets you create separate sets of rules, based on the IP address(es) of your server. The common ports pane shows the ports Apple considers most commonly associated with Mac OS X Server and its services. There are columns for enabling the rule that opens that port, the port number, and a description of the service that runs over that port (or ports).

    Figure 10.8. The Settings tab of the Firewall service shows both the IP Address group pane and the list of common ports.


  • The Logging tab sets parameters for what the firewall reports to its log (Figure 10.9). Remember that if you log both allowed and denied packets, the log file grows very quickly on any server that does real file sharing; logging denied packets alone is usually what you want.

    Figure 10.9. You can set the type of logging for your firewall using the Logging tab of the Settings tab.


  • The Advanced tab lets you add firewall rules that may need to be more specific or are missing from the General tab's common ports window (Figure 10.10).

    Figure 10.10. The Advanced tab of the Settings tab shows customized firewall rules.


IP address groups

Now that you're familiar with most of the pieces of the firewall, let's fit them together. The first thing you need to do is determine how your server is set up. This will determine how your firewall IP address groups will be oriented. For example, if you have just one interface connection, such as Built-in Ethernet, you may only wish to configure the IP address group associated with your server's IP address. If you have more than one network interface active, such as a server that's used as a router, you may want to enable different rules on different interfaces.

If you're new to the firewall and want to be sure you cover all your bases, you can choose the "any" group. Rules applied here apply to any network interface with any IP address (Figure 10.11). You can also use the editing buttons to add, delete, duplicate, or edit an IP address group (Figure 10.12).

Figure 10.11. Select an IP address group to view the subsequent firewall rules for that group.


Figure 10.12. You can add IP address groups to the main list.


When you set up your server and turn on various services, the firewall IP address group associated with the topmost interface in your Network Preference pane automatically selects most of the services you currently have running. This is a safeguard against your accidentally turning on your firewall and being locked out of services you configured (Figure 10.13).

Figure 10.13. This expanded view of Server Admin shows several selected firewall rules that correspond with services that are running.


When you're ready to set up the firewall, take an inventory of the other services you're offering. You'll want to ensure you're providing proper access to those services. As soon as you start your firewall, a "deny all" rule takes effect behind the rules you selected: the only ports reachable from outside will be those selected in the list of common ports or opened explicitly by an Advanced rule. A service that is running but whose port isn't selected simply stops answering.

Tip

  • If you're using an Xserve and doing all remote administration, be very careful not to enable the firewall without ensuring that you have access using at least port 22 (ssh) from the address you administer from, and keep your current ssh session open while you test. If you deny access on all ports, how will you get in?


Turning on the basic firewall:

1.

Launch the Server Admin tool located in /Applications/Server, and authenticate as the administrator (Figure 10.14).

Figure 10.14. Launch the Server Admin tool, and authenticate.


2.

Choose the Firewall service from the Computers & Services list (Figure 10.15).

Figure 10.15. Select the Firewall service from the Computers & Services list.


3.

Click the Settings tab, and select the appropriate group from the "IP Address group" list (Figure 10.16).

Figure 10.16. Click the Settings tab, and select the appropriate subnet from the "IP Address group" list.


Remember that you'll have a group for your IP address(es) and a group called "any".

4.

Select the services you want to be reachable through the interface(s) this IP address group covers (Figure 10.17).

Figure 10.17. Select the services and associated ports that should be open; doing so opens the firewall to those services and ports.


5.

Click the Save button to write your changes to the ipfw.apple.conf file.

6.

Start your firewall by clicking the Start Service button in the Server Admin Toolbar.

7.

To test your firewall, go to any client computer on the same network as your server, open the Network Utility application in /Applications/Utilities, and click the Port Scan tab.

Type in the IP address of your server, and click the Port Scan button. The list of ports returned tells you whether your firewall is configured as intended: only the ports you selected should show as open (Figure 10.18). Because the answer depends on where the scan comes from, scan from a client that should be denied as well as from one that should be allowed, and from outside your subnet if the server is reachable from there.

Figure 10.18. From a remote machine, use Network Utility to perform a port scan and confirm which services and ports are open and which are closed.
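A scriptable version of the same check, as an added example that is not part of the book: a small TCP connect scanner in Python. It distinguishes a port ipfw silently dropped (no reply at all, reported as filtered) from a port that is reachable but has no service behind it (the server answers with a reset, reported as closed), which Network Utility's single list of open ports does not show. The table of common ports is an assumption made here, not the General tab's list; edit it to match the services you run. The listener helpers exist only so the scanner can be exercised against the local machine.

```python
"""TCP connect scan of a server, as a scriptable alternative to Network Utility.

Added example, not code from the book. A deny rule in ipfw drops the SYN
without answering, so a filtered port times out, while a reachable port with
no listener answers with a RST immediately; the scanner reports the difference.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed table of common Mac OS X Server services; adjust it to what you run.
COMMON_PORTS = {21: "ftp", 22: "ssh", 80: "http", 139: "smb", 311: "server admin",
                443: "https", 445: "smb", 548: "afp"}


def probe(host, port, timeout=1.0):
    """Return 'open', 'closed' (RST received) or 'filtered' (no answer at all)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"          # RST came back: reachable, but nothing listens
    except (socket.timeout, OSError):
        return "filtered"        # silent drop (ipfw deny) or host unreachable
    finally:
        s.close()


def scan(host, ports, timeout=1.0, workers=32):
    """Probe the ports concurrently and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def report(host, ports=COMMON_PORTS, timeout=1.0):
    """One line per port: number, service label from the table, and state."""
    states = scan(host, sorted(ports), timeout)
    return [f"{p:>5}/tcp {ports.get(p, ''):<14} {states[p]}" for p in sorted(ports)]


def start_listener(host="127.0.0.1"):
    """Bind a throwaway listener on a free port, to exercise the scanner locally."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)                # the kernel completes handshakes without accept()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """A port with nothing listening, so a connect to it is refused, not filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("\n".join(report(target)))
```

Run it as `python scan.py 192.0.2.10` (with your server's address) from each vantage point you care about. A port that shows closed rather than filtered means the firewall let the packet through and only the absence of a service saved you; that port should be deselected in the General tab, not left to chance.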


Tip

  • Be careful not to enable or disable services on each IP address group unless you're sure that's what you want to do.


Advanced FTP rules

A basic firewall is one layer of protection. But what if you have ports you wish to open that aren't on the list of common ports? What if you want your FTP service to respond to one IP address only, and no other? Using the Advanced tab of the firewall settings, you can define rules based on several other criteria.

To add an advanced FTP rule:

1.

Launch the Server Admin tool located in /Applications/Server, and authenticate as the administrator (Figure 10.19).

Figure 10.19. Launch the Server Admin tool, and authenticate.


2.

Choose the Firewall service from the Computers & Services list (Figure 10.20).

Figure 10.20. Select the Firewall service from the Computers & Services list.


3.

Click the Settings tab, and then click the Advanced tab (Figure 10.21).

Figure 10.21. Select the Advanced tab from the Settings tab in the Firewall service.


4.

Click the Add button.

The advanced setup dialog for a new rule opens (Figure 10.22).

Figure 10.22. The advanced rule dialog shows all available fields.


5.

From the Action pop-up menu, choose one of the following actions for the rule (Figure 10.23):

  • Allow

  • Deny

  • Other

Figure 10.23. Choose an action for an advanced rule.


In this case, choose to allow packets in.

6.

From the Protocol pop-up menu, choose one of the following protocols to allow (Figure 10.24):

  • UDP

  • TCP

  • Other

Figure 10.24. Choose a protocol for an advanced rule.


In this case, allow TCP, which is what FTP uses. If a rule genuinely needs to cover every protocol, you can choose Other and enter the word all in the field (Figure 10.25). Don't do this simply because you aren't sure: a rule that matches every protocol opens more than you intend, and the right protocol for a service is easy to look up.

Figure 10.25. When you choose the Other option, you can enter the word all in the associated field to cover all potential protocols.


7.

Choose FTP File Service from the Service pop-up menu, and decide whether you want to log information related to this rule (Figures 10.26 and 10.27).

Figure 10.26. Choose from the list of possible preset services in the Service pop-up menu.


Figure 10.27. Select the FTP service, and choose to log all associated packets.


The corresponding port for this service appears under Port for the Destination.

8.

In the Source section of the dialog, enter the IP address of the computer that is allowed to connect to your server (Figure 10.28). Leave the source port unrestricted: a client picks a different, random high-numbered port for every connection it makes, so a rule pinned to one source port will match almost nothing.

Figure 10.28. Configure the incoming (source) IP and port information.


You can choose from any IP address group in the Address pop-up menu, use a subnet, or use a range of IP addresses (Figure 10.29).

Figure 10.29. The Address pop-up menu shows the available options when you're choosing the source address.


9.

In the Destination section of the window, enter the IP address group or IP address of your server (Figure 10.30).

Figure 10.30. Configure the destination IP address and port information for the server itself.


The port numbers (in this case, FTP) automatically fill in for you (from step 7).

10.

In the Interface section, choose the direction of the packets the rule applies to (Figure 10.31):

  • In (incoming)

  • Out (outgoing)

  • Other

Figure 10.31. You can display interface-specific options via the pop-up menu.


In this case, choose Other so the rule isn't limited to one direction (Figure 10.32). Click the OK button.

Figure 10.32. Choose Other to refrain from limiting both incoming and outgoing access.


11.

Click the Save button to save your settings.

You've added an advanced rule that allows FTP connections to your server from the computer with the IP address 170.25.3.67 (the address used in the figures). The next step is to create a rule that denies all other FTP packets. Order matters: ipfw acts on the first rule that matches a packet, so the allow rule for 170.25.3.67 must sit above the deny-all-FTP rule. If the deny rule comes first, it matches the trusted host's packets too, and the allow rule never fires. You can drag rules up or down to set their precedence in the Advanced tab (Figure 10.33).

Figure 10.33. You can move rules up and down via drag and drop in the Advanced rule tab.
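To see why the order matters, here is an added example written for this page, not taken from the book or from Apple's tools: a small Python model of ipfw's first-match evaluation. It parses rules in the `add NNN action proto from SRC [ports] to DST [ports] [in|out]` form that /etc/ipfilter/ipfw.conf and ipfw.apple.conf use (a subset: addresses and CIDR blocks, port lists, in/out, with interface and TCP-state options accepted but ignored, and an error rather than a guess for anything else), evaluates constructed packets in ascending rule-number order with the kernel's rule 65535 allow behind them, and reports rules that an earlier, broader rule hides. That last check is also how a hand-written ipfw.conf rule silently contradicts one Server Admin generated, since the kernel merges both files by number. The sample ruleset, addresses and packets are constructed; 170.25.3.67 is the address from the figures, the others are documentation addresses.

```python
"""Model ipfw's first-match evaluation to check a ruleset offline.

Added example, not code from the book or from Apple. It parses a subset of
ipfw rule syntax, evaluates packets in rule-number order (first match wins)
and flags rules that an earlier, broader rule has already decided.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "number action proto src sports dst dports direction")
Packet = namedtuple("Packet", "proto src sport dst dport direction")  # direction: in/out
ACTIONS = {"allow": "allow", "accept": "allow", "pass": "allow", "permit": "allow",
           "deny": "deny", "drop": "deny", "reject": "deny", "unreach": "deny"}
ANY = ipaddress.ip_network("0.0.0.0/0")
DEFAULT_RULE = "add 65535 allow ip from any to any"  # installed by the kernel, never removed


def _ports(tok):
    """'21', '21,22' or '6000-6010' -> frozenset of ports (None elsewhere means any)."""
    out = set()
    for part in tok.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(out)


def _addr(tok):  # 'me' (the server's own addresses) is widened to any: a simplification
    return ANY if tok in ("any", "me") else ipaddress.ip_network(tok, strict=False)


def parse_rule(line):
    """Parse 'add NNN action [log] proto from SRC [ports] to DST [ports] [in|out] ...'."""
    t = line.split()
    t = t[1:] if t[0] == "add" else t
    number = int(t[0])
    if t[1] not in ACTIONS:
        raise ValueError(f"rule {number}: unsupported action {t[1]!r}")
    i = 3 if t[2] == "log" else 2
    proto = "ip" if t[i] == "all" else t[i]
    if t[i + 1] != "from":
        raise ValueError(f"rule {number}: expected 'from'")
    src, i = _addr(t[i + 2]), i + 3
    sports = None
    if t[i] != "to":                 # optional source port list sits before 'to'
        sports, i = _ports(t[i]), i + 1
    if t[i] != "to":
        raise ValueError(f"rule {number}: expected 'to'")
    dst, i = _addr(t[i + 1]), i + 2
    dports = None
    if i < len(t) and t[i][0].isdigit():
        dports, i = _ports(t[i]), i + 1
    direction = None
    while i < len(t):                # trailing options
        if t[i] in ("in", "out"):
            direction = t[i]
        elif t[i] in ("via", "recv", "xmit"):
            i += 1                   # skip the interface name; interfaces are not modelled
        elif t[i] not in ("setup", "established", "keep-state"):  # TCP state: not modelled
            raise ValueError(f"rule {number}: unsupported option {t[i]!r}")
        i += 1
    if (sports or dports) and proto not in ("tcp", "udp"):
        raise ValueError(f"rule {number}: port lists need tcp or udp")
    return Rule(number, ACTIONS[t[1]], proto, src, sports, dst, dports, direction)


def parse_ruleset(text):
    """Rules from one or more files, sorted by number with the kernel default appended."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    rules = [parse_rule(l) for l in lines]
    if not any(r.number == 65535 for r in rules):
        rules.append(parse_rule(DEFAULT_RULE))
    return sorted(rules, key=lambda r: r.number)  # stable: ties keep file order, as ipfw does


def matches(rule, p):
    return (rule.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in rule.src and ipaddress.ip_address(p.dst) in rule.dst
            and (rule.sports is None or p.sport in rule.sports)
            and (rule.dports is None or p.dport in rule.dports)
            and (rule.direction is None or rule.direction == p.direction))


def first_match(rules, p):
    """ipfw acts on the lowest-numbered matching rule and looks no further."""
    return next(r for r in rules if matches(r, p))  # rule 65535 guarantees a hit


def _covers(a, b):
    """True if every packet rule b could match, rule a matches as well."""
    return (a.proto in ("ip", b.proto) and a.src.supernet_of(b.src) and a.dst.supernet_of(b.dst)
            and (a.sports is None or (b.sports is not None and b.sports <= a.sports))
            and (a.dports is None or (b.dports is not None and b.dports <= a.dports))
            and (a.direction is None or a.direction == b.direction))


def shadowed_rules(rules):
    """(later, earlier, kind) for each rule that an earlier rule fully hides."""
    found = []
    for i, later in enumerate(rules):
        hide = next((e for e in rules[:i] if _covers(e, later)), None)
        if hide is not None:
            kind = "contradicted" if hide.action != later.action else "redundant"
            found.append((later.number, hide.number, kind))
    return found


# Constructed ruleset following the book's steps: ssh open, FTP allowed from one
# host and denied for everyone else; the kernel's 65535 allow sits behind it all.
SAMPLE_RULES = """
add 01000 allow tcp from any to any 22 in
add 01010 allow log tcp from 170.25.3.67 to any 21 in
add 01020 deny tcp from any to any 21 in
add 02000 allow tcp from 10.0.0.0/8 to any 548 in
"""
# The same rules with the deny numbered below the allow: the trusted host is now
# locked out too, the mistake that dragging rules in the Advanced tab corrects.
MISORDERED_RULES = SAMPLE_RULES.replace("add 01020 deny", "add 01005 deny")

if __name__ == "__main__":
    trusted = Packet("tcp", "170.25.3.67", 51234, "192.0.2.10", 21, "in")
    for name, text in (("ordered", SAMPLE_RULES), ("misordered", MISORDERED_RULES)):
        rules = parse_ruleset(text)
        hit = first_match(rules, trusted)
        print(f"{name}: trusted FTP client -> rule {hit.number:05d} {hit.action};"
              f" shadowed: {shadowed_rules(rules)}")
```

To check the real configuration, pass the concatenated contents of ipfw.apple.conf and ipfw.conf to parse_ruleset: since the result is sorted by number, which file a rule came from no longer matters, exactly as in the kernel. The parser raises on rule options it does not model rather than guessing, so a ValueError on a real file means that rule needs reading by hand, not that it is wrong. Note also what the third probe in the test shows: with no deny-all rule of your own, a packet to a port no rule mentions falls through to 65535 and is allowed.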


Tips

  • Obviously, there are thousands of rule combinations: rules that govern an interface entering your organization and an interface going out to the Internet, rules that are extremely restrictive or extremely lax, and the option of adding rules within Server Admin and within another file (/etc/ipfilter/ipfw.conf).

  • You can see all the loaded firewall rules from the command line by typing sudo ipfw show (sudo ipfw list prints the same rules without the packet and byte counters).

  • You can erase the firewall rules by typing sudo ipfw flush from the command line. This removes every rule except the kernel's built-in rule 65535, and since that rule allows everything on Mac OS X, the server is wide open until you start the firewall again.

  • Once you use Server Admin to make changes to the firewall and save those changes, the rules are rewritten and reloaded from the two configuration files. Keep any rule you want to survive that reload in /etc/ipfilter/ipfw.conf rather than adding it only with ipfw at the command line.




    Mac OS X Server 10.3 Panther: Visual QuickPro Guide
    ISBN: 0321242521
    Year: 2004