- Deploying, troubleshooting, and understanding OS X 10.6 DNS server
- Understanding and configuring OS X and OS X Server-based firewalls
- Fixing server- and client-side firewalls
- Configuring and troubleshooting DHCP
- Setting up and troubleshooting a VPN server
Skill Level Intermediate
To configure the server-side firewall, we begin by enabling the firewall service so we can configure it, and we do that in the Server Admin application. We open Server Admin, click on the server name, go to Settings > Services, click the check box next to the Firewall, click Save, and it pops up here in the sidebar. When we select Firewall, the first place it's going to take us is to Settings and Address Groups. So, we're going to start our configuration by deleting any address groups that we will not use, and then we'll add back in any groups that we will use.
We will not be using the 192.168-net or the 10-net. 10-net, because we don't have that anywhere near us, and 192.168 because it's just a little too open. So we're going to get rid of both of these. We do so by clicking the minus sign, same thing there, and then we click the Plus button in order to get a new group. Now, we just name the group based on whatever we think might make sense. Following Apple's model, I've just chosen to say 192.168.12-net, but then I need to actually change the addresses in the group to match what I said.
By the way, if you want to create a firewall rule that will only affect one machine, you can specify one specific IP address that will have specific rules. But we're not going to do that. We're going to click the Plus button here and we will put in exactly the CIDR notation for the group we want. Now, you'll need to know basic CIDR notation, and by the way that's spelled CIDR, to do this, but that's not so bad, because you really only need to remember the numbers 16, which gives you about 65,000 addresses, 22, which gives you about a thousand addresses, 24, which gives you about 254 addresses, and 31, which gives you one usable address.
There are others in there, and we'll actually use a couple of different ones. But you'll have most of what you need with those numbers. So, you can see that's not that much to remember. With the additional ones that I'm going to throw in here, you'll probably end up with six or seven that you'll want to memorize, because they are very useful to know. Because of the math involved in addressing, you'll also have to be aware of where the network ranges are allowed to begin and end. A great tool to help with that is a CIDR calculator. Many are available on the Internet. Some are web apps, others are widgets. I even have an iPhone app that does it. Whatever tool you like, there are lots out there.
The CIDR notation relates directly to the way you have configured your network. For example, we're going to set up an address group just for our internal DHCP address pool right now, and we know that that will be set up for DHCP later on in this class. So we sort of have that planned out. The pool is going to be from 192.168.12.64 to 192.168.12.127. That's only 62 addresses, I know, but you can make yours whatever you want. For us, that's going to be enough.
We do that like this. So as you can see, once you've got your CIDR notation in there, the address range is calculated for you below and you can double-check your work to make sure that it is, in fact, going to be the numbers that you've specified. Due to the math involved again with CIDR notation, your address ranges have to end and begin at certain numbers, so it doesn't always work out exactly the way that you would want to. But this is a great way to configure groups and have your firewall specifically control those groups. So, this is going to hit 64 through 127.
What I could do here is I could add a .64 right there, and I could just make it the exact CIDR notation, so I see that in my list. Once you have it, click OK, double-check your work, all looks good. Let's make another one. Click the Plus button. This one is going to be for our VPN range and in this one I'll just use a different option here. I'm just going to say VPN Range 192.168.12. What I'm pointing out here is that it doesn't have to be in that format that we were showing before.
It can really be just about anything as long as it fits into this box. What's really important as far as your mathematical configurations go is down here in the Addresses in group section. Click the Plus button, 192.168.12, and this one we want to be a little bit higher in our range. Now, I know I'm going to be using a VPN later in this title, so the ranges for the clients I want to be different from my DHCP range. So my VPN range is going to be 192.168.12.128, and that's going to go out through 159.
So, that one is going to be a /27 notation, right? 128 to 159, and again, it doesn't give us that many addresses. That's 30 IPv4 addresses and that, by the way, corresponds to a subnet mask that could be written that would say basically the same thing of 255.255.255.224. So, if you're more used to doing subnet masks, understand that CIDR notation has a direct correlation there. It's just a different way of writing the same thing. Click OK and so now we've got our DHCP range which we've written in this way, and we've got our VPN range which we've written in this way.
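To make the CIDR arithmetic above concrete, here is an added example that is not part of the course: a small calculator built on Python's standard `ipaddress` module. It reports the range, subnet mask and usable host count for a block (the same facts Server Admin shows under an address group entry), checks whether an entry is valid, and shows why a range that does not start and end on block boundaries cannot be written as a single group entry. The group values are the ones from the video; the function names are my own.

```python
"""CIDR helper for planning firewall address groups.  Added example for this
page, not course material; uses only the standard-library ipaddress module."""
import ipaddress


def usable_hosts(net):
    """Usable addresses in a block: all but the network and broadcast
    addresses for /30 and larger.  /31 and /32 keep every address
    (RFC 3021 point-to-point convention), so they are returned unchanged."""
    if net.prefixlen <= 30:
        return net.num_addresses - 2
    return net.num_addresses


def describe(cidr):
    """Return the facts an address group entry implies: first and last
    address, the equivalent dotted subnet mask, and the usable host count.
    strict=True rejects entries whose host bits are set, e.g. 192.168.12.65/26."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "usable_hosts": usable_hosts(net),
    }


def valid_group_entry(cidr):
    """True when the entry is a properly aligned block (what the GUI accepts)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def blocks_for_range(first, last):
    """Smallest set of CIDR blocks that covers first..last exactly.
    A range that begins and ends on block boundaries collapses to one
    entry; an arbitrary range needs several, which is the alignment
    limit the course mentions."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def aligned(first, last):
    """True when the range fits in a single address group entry."""
    return len(blocks_for_range(first, last)) == 1


if __name__ == "__main__":
    # The DHCP and VPN groups from the video, plus the prefixes worth memorising.
    for cidr in ("192.168.12.64/26", "192.168.12.128/27",
                 "10.0.0.0/16", "10.0.0.0/22", "10.0.0.0/24"):
        print(cidr, describe(cidr))
    # 64..127 is one /26; 64..130 cannot be expressed as a single entry.
    print(blocks_for_range("192.168.12.64", "192.168.12.127"))
    print(blocks_for_range("192.168.12.64", "192.168.12.130"))
```

Run it as a script to see the table; `blocks_for_range` is the quick way to find out, before opening Server Admin, whether the DHCP or VPN pool you have in mind will be one entry or several.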
If you want to include the names of the groups in your groups, you can do that. I just use the two different ones so we have an example of each. Click Save. We've got our IP address groups. Now we go over to Services and when Editing services for, now we see our custom edited groups here in this list. Now, here in the Services section, we want to enable only the protocols and services that we really need for the groups where they're necessary. The default behavior for the "any" group, which is basically anyone that's not included in the two other groups we specified, is to let all traffic out but only the necessary ports for Server Admin, etcetera, to come in.
Anything else you want to let in you have to turn on yourself in this any address group, and then be as restrictive or as open as you deem appropriate, given your organization and your data and the security level you need with the other groups. I recommend a cautious approach here. In any new group, always turn on the ports that are in Apple's any group, by default. So, for example, you see here, we've got these top four TCP (outgoing), TCP (established), UDP Fragments, and UDP outbound and responses, and then IGMP. If we scroll down, we've got a few others.
We've got SSH, we've got Mail: SMTP, and Server Admin and Server Preferences. You really want to be certain that you go through this list, DNS Directory Access, and make sure that all of these services are not only enabled in the any group, but also in your other groups, because when you create a new group, those services are not turned on by default. Now, I'm going to configure these while we let time pass here, because this takes some time. I'm going to go through and check these check boxes.
For you, it will just be a flip of a second, but in real time here, we're going to take some time and turn on all the appropriate services. All right, so I have now gone through and basically duplicated the allowed traffic in each of these areas. In the any group, these things were turned on and I've turned them on here in our second group, and our third group which is going to be for VPN users. What this ensures me of is that anything that is required to do incoming traffic will be allowed, and anything that's required for server administration will also be allowed.
Now, once I've got this thing up and running and everything works properly, I can go back into my VPN Range, for example, and I can turn off Server Admin access, or I can turn off SSH access from that range. Same thing from the DHCP Range that we've set up here. But I like to start things off with the same access that was available in our original any group, because that's going to ensure that we don't lose our server administration capabilities once we turn this thing on, which is really important. Once you have your ports configured for access the way you want them here in Services, you can turn on Stealth Mode over here in Advanced.
So, your server won't respond to pings, and if you wish, you can change the low-priority routing rules in the Advanced tab. Just remember, usually there's no reason to change these default behaviors, but if you're an old hand at firewall administration and you have a good reason to do so, you can change the priority of these rules or enable and disable them here. Just remember, the firewall rules are numbered and prioritized with the largest numbers having the lowest priority here. Tread lightly here, and when you're done, save your work and start the firewall. Now, once that's done, it's important to understand that you aren't seeing everything that could be considered a firewall here in Server Admin.
The adaptive firewall is a monitor called emond that watches traffic coming into the server and then can create and disable firewall rules, like these, on the fly, completely automatically. It does this when certain preset conditions are met. So by default, the behavior that is turned on that most of you will find interesting is the failed login attempt monitor, which will block login attempts from a given IP address after 10 failed login attempts from that IP address. After a 15-minute wait, login attempts can be made from that IP address again.
So, this basically just provides you with some protection from automated attempts to guess users' passwords. Now that we've looked at the server-side of firewalling, I'm going to quit Server Admin. We'll switch back over to our client system. Here on our client system, I wanted to show you some stuff about firewalling on the client. Even though this course isn't really about the Mac OS X client, I wanted to show you how you can turn on and configure the client-side firewall to work on your client machine. While IPFW, the firewall we just configured on Mac OS X Server, is actually present in the kernel on Mac OS X client as well, the application firewall is not IPFW, and you get to that from System Preferences, in Security, under the Firewall tab.
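The two server-side behaviours just described, first-match evaluation of numbered rules (the lowest number wins) and the adaptive monitor that blocks a source for 15 minutes after 10 failed logins, can be modelled in a few lines. The following is an added illustration written for this page, not OS X Server's ipfw or emond code: the `Rule`, `Firewall` and `FailedLoginMonitor` classes, the rule numbers, port 311 for Server Admin and the sshd-style log lines are my own assumptions or constructed sample data. It also shows why a deny rule for the VPN group has to carry a lower number than the any-group allow it is meant to override.

```python
"""Toy model of numbered first-match firewall rules plus an adaptive
failed-login monitor.  Constructed illustration, not OS X Server code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    number: int                     # lower number = evaluated first = higher priority
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    port: Optional[int]             # destination port; None matches any port
    src: ipaddress.IPv4Network      # the address group this rule applies to
    expires: Optional[float] = None # epoch seconds; set only on adaptive rules


class Firewall:
    def __init__(self):
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)   # keep evaluation order explicit

    def check(self, src_ip, proto, port, now=0.0):
        """Return (action, rule_number) of the first live rule that matches."""
        ip = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if r.expires is not None and now >= r.expires:
                continue                  # adaptive block has aged out
            if r.proto != "any" and r.proto != proto:
                continue
            if r.port is not None and r.port != port:
                continue
            if ip not in r.src:
                continue
            return r.action, r.number
        return "deny", None               # nothing matched: drop by default


# Constructed sshd-style failure line, e.g.
# "sshd[4242]: Failed password for admin from 203.0.113.9 port 50000 ssh2"
FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\d{1,3}(?:\.\d{1,3}){3})")


class FailedLoginMonitor:
    """Mimics the adaptive firewall: 10 failures -> block the source for 15 minutes."""
    THRESHOLD = 10
    BLOCK_SECONDS = 15 * 60
    BLOCK_RULE_NUMBER = 100   # low number so the block beats every static allow rule

    def __init__(self, fw):
        self.fw = fw
        self.failures = {}

    def observe(self, line, now):
        """Count a failure line; return the deny Rule when the threshold is hit."""
        m = FAILED_LOGIN.search(line)
        if not m:
            return None
        ip = m.group(1)
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.THRESHOLD:
            return None
        self.failures[ip] = 0
        rule = Rule(self.BLOCK_RULE_NUMBER, "deny", "any", None,
                    ipaddress.ip_network(ip + "/32"), expires=now + self.BLOCK_SECONDS)
        self.fw.add(rule)
        return rule


def build_server_firewall():
    """Static rules in the spirit of the video's three address groups."""
    any_group = ipaddress.ip_network("0.0.0.0/0")
    dhcp_group = ipaddress.ip_network("192.168.12.64/26")
    vpn_group = ipaddress.ip_network("192.168.12.128/27")
    fw = Firewall()
    fw.add(Rule(1000, "allow", "tcp", 22, any_group))     # SSH, from the any group
    fw.add(Rule(1010, "allow", "tcp", 311, any_group))    # Server Admin (311 is an assumption)
    fw.add(Rule(2000, "allow", "tcp", 548, dhcp_group))   # illustrative LAN-only service
    # "Turn off SSH from the VPN range": numbered 900 so it is seen before rule 1000.
    # Numbered 1100 it would never fire, because 1000 already matched.
    fw.add(Rule(900, "deny", "tcp", 22, vpn_group))
    return fw


def simulate_brute_force(fw, attacker="203.0.113.9", start=1_000_000.0):
    """Feed 10 constructed failure lines; return verdicts during and after the block."""
    mon = FailedLoginMonitor(fw)
    for i in range(FailedLoginMonitor.THRESHOLD):
        line = f"sshd[4242]: Failed password for admin from {attacker} port {50000 + i} ssh2"
        mon.observe(line, now=start + i)
    during = fw.check(attacker, "tcp", 22, now=start + 60)
    after = fw.check(attacker, "tcp", 22, now=start + FailedLoginMonitor.BLOCK_SECONDS + 10)
    return during, after


if __name__ == "__main__":
    fw = build_server_firewall()
    print("DHCP client SSH:", fw.check("192.168.12.70", "tcp", 22))
    print("VPN client SSH: ", fw.check("192.168.12.130", "tcp", 22))
    print("brute force:    ", simulate_brute_force(fw))
```

The first-match loop is the whole point: once a rule has matched, nothing numbered higher is consulted, which is why the course warns you to tread lightly when renumbering in the Advanced tab, and why the adaptive block is inserted with a very low number.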
You'll have to authenticate in order to get in here. To get to the Advanced button over here, you're going to have to click the Start button and then once you click Advanced, your system will already have Automatically allow signed software to receive incoming connections checked and enabled. Depending upon what services you've already got running on your client, you may, whenever you click that Advanced button, receive a bunch of allow or deny access queries. Just respond with those according to what you think is appropriate. Once you're in here, I'd like to point out a couple of things.
This box here is where you can allow or deny access to the network for specific applications. You can see because we already have some services turned on, they've been Allowed incoming connections by default completely automatically. If we click the Plus button, we can find others that are sitting here, like this, for example. Click Add. And that will now be allowed incoming connections. Of course, we can also select here and block those incoming connections for that application if we wish to do so. Now, this would be only necessary if this application were not a signed application that was signed digitally by the application developer.
As long as this check box here is checked, there is a certain amount of automation to the allowing or the denying of access for applications to the network. As you can see down here, we have the ability to enable stealth mode, just like we did on the server. This, again, will allow this system to not respond to ping traffic whenever it receives it. If you're in a place with a network that you don't necessarily trust, a coffee shop, a trade show, someplace where you don't necessarily know everybody that's going to be there, you can always just raise all shields. Block all incoming connections will supersede everything that you've got configured here and block everything except for outgoing traffic.
Remember that even with shields raised to full, you can still make outgoing requests for things like web pages and those web pages will come back to you. It's just that services you might turn on like iChat won't be able to automatically signify to others on the network that you have come online. Essentially, requests that are allowed to come in to you must result from a request you made through the firewall. All other attempts to connect to your computer will fail. To enable that, you just click the OK button and firewall is already on, so you're all set up. Now, to turn that off whenever you get back from that trade show or coffee shop, all you need to do is come back in here, uncheck Block all incoming connections, and click OK. If you wanted to, you could even click Stop and just turn off the firewall entirely right here. Of course, if you have any problems with the firewall on your server or your client, you're going to need to troubleshoot that firewall, which is what we're going to do next.