- Deploying, troubleshooting, and understanding OS X 10.6 DNS server
- Understanding and configuring OS X and OS X Server-based firewalls
- Fixing server- and client-side firewalls
- Configuring and troubleshooting DHCP
- Setting up and troubleshooting a VPN server
Skill Level Intermediate
The way we configured the firewall in the last movie left your client in the awkward position of being unable to reach the server remotely. That's okay, because right now you're experiencing exactly what happens when you set up a firewall rule that blocks your own access: there is no way past it from the client side, and it's rather annoying. This is why we advised you to have a monitor, keyboard and mouse attached to the server, because this is where you're really going to need them. On the server, open Server Admin, select the server, go to Firewall, and under Settings, in Address Groups, we're going to create a new address group that contains the IP address of our client machine.
We're going to allow that client full access. So click the Plus button, give the group a name that makes sense to you, and enter the client's exact IP address; we're using 12.20 here. If your client has a different IP address, put that in now and click OK. Now that we've got our Server Admin client group, click Save, then go to the Services tab and select that group. By default a new group is set to "Allow only traffic to these ports" with no ports checked, which is what was locking us out, so change it to "Allow all traffic" for the Server Admin client group.
When you click Save, you'll be able to reach the server from your client system again. So we've just gone through the troubleshooting process of realizing that we locked ourselves out of the server with the firewall, and we fixed it directly at the console with the keyboard, mouse and monitor. Now that the rules are configured the way we want, whether you got there incrementally or in one big change, you're going to want to use ipfw to list every rule that is actually loaded in the firewall.
You could obviously read the Services list in Server Admin and work out the combined effect of all the rules from there, but that isn't as slick or convenient as doing it in the Terminal, so that's what we're going to do. Quit Server Admin, go to the Utilities folder and open Terminal. Once there, type sudo -s so that the rest of this section runs as root, then type ipfw list. What comes back is the full list of rules currently loaded in the firewall.
Select all of it and press Command+C to copy. Back in the Finder, open TextEdit, switch the document to Plain Text (Format > Make Plain Text), paste the rules in, and save the document to the Desktop as Firewall Rules. That will be very useful in a little bit; for now, stay in Terminal and let's look at what this output is telling you.
The first column of numbers is the firewall rule number. That's important to have, because some of the things we'll do later can identify a rule only by its number, which is why we copied the list off to the side. We also have the traffic type (tcp, udp or ip) and the destination port, which is how you identify which service a rule is for. ipfw list doesn't help you out the way Server Admin does: it won't tell you which service goes with a given port.
You either have to know which port belongs to which service or have a reference nearby to consult, so you know what's what. A very good reference is Apple's well-known TCP and UDP ports knowledge base article at support.apple.com. It's useful to keep this list of rules in a text document or somewhere else you can get at later. I put it in a text document, but you could just as well put it on a password-protected blog or wiki page in your IT department. There are several places you could keep it; the point is that your rules are documented, and that the document gets updated whenever the rules change.
If you want to turn off the firewall but can't get at Server Admin for some reason, you can use the sysctl command in the Terminal. Let's do that now. I'll type clear to tidy up the screen, then sysctl -w net.inet.ip.fw.enable=0. If it works, sysctl echoes the old and new values back to you. The rules stay loaded; only the filtering is switched off, so you can turn it back on again simply by replacing the 0 with 1 and pressing Return.
That turns it back on. Now, if the firewall is running on your server and you're sure the rules are configured correctly, but you still can't log in from a remote system, there's another possibility: the Adaptive Firewall may have kicked in, because someone tried to log in too many times from your IP address and failed every time. In that case, wait a little more than 15 minutes and try again; the Adaptive Firewall's temporary block rule will have expired by then and it should let you in. Of course, if you can't wait, you can always try logging in from a different IP address.
If the firewall on the server is still misbehaving, you can find out why fairly easily by opening the ipfw log in Console and watching the traffic. You can do that right from Terminal by typing open /var/log/ipfw.log. That tells the Console application to open the log file, and there it is. While watching the log, keep an eye out for the rule numbers being logged.
They might be the most useful thing to look for, because they let you narrow your search down to a specific rule, which of course means a specific service you're concerned about. If you see a lot of denies for something, it's worth looking into more deeply. If a rule in IPFW is blocking traffic it shouldn't, you can delete just that rule rather than shutting down the whole firewall, as long as you have the rule number documented somewhere. So let's go back to our text document. With the rules you documented earlier, find the rule in that list that you want to delete.
Once you've found its number, use that number to delete the rule. Let's find something we can delete without hurting a service we're using right now. We know that port 25 is SMTP, and we're not doing any mail at the moment, so that one is safe to kill. Its rule number is 12307, so all I need to do is flip back over to Terminal and type ipfw del 12307 (del is ipfw's accepted abbreviation of delete).
Press Return and that firewall rule is gone; it's no longer part of the rules we've put in place. And look at that: because Server Admin gave the TCP and UDP rules for SMTP the same number, deleting 12307 removed both of them, which is exactly what we'd want if we were being thorough about killing everything going to port 25. We can confirm it by going back into Terminal, pressing the up arrow to get back to our original ipfw list, and hitting Return.
Both 12307 entries are now gone. Keep in mind that other rules referencing port 25 were not deleted, because ipfw delete removes the rules carrying the number you specified, not every rule that mentions that port. So that's how you delete a specific rule from your IPFW configuration. Now, with the DNS server I've found it useful to know where the configuration files live, and the same goes here. I'll clear the screen so we've got more space and can see what we're doing.
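As an added example, not part of the course, here are a few shell helpers that work on the rule dump we saved and on the ipfw log we were just watching: one finds every loaded rule that touches a given port (so you know which numbers, plural, to hand to ipfw delete), and one tallies the log by rule number and joins each number back to its rule text. The rule dump, the log lines and the file locations in the script are constructed for illustration; point the functions at your real saved list and /var/log/ipfw.log.

```shell
#!/bin/sh
# Added example (not from the course): shell helpers for the saved "ipfw list"
# dump and for /var/log/ipfw.log, so you can find every loaded rule that touches
# a port before you delete anything, and see which rule numbers are producing
# the denies you watch in Console. The rule dump and log excerpt below are
# CONSTRUCTED samples in roughly the shape 10.6 Server produces; point the
# functions at your real files (for instance ~/Desktop/Firewall\ Rules.txt).

RULES_TMP=$(mktemp); LOG_TMP=$(mktemp)
trap 'rm -f "$RULES_TMP" "$LOG_TMP"' EXIT

# Constructed `ipfw list` dump. 12307 appears twice because Server Admin gives
# a service's TCP and UDP rules the same number, so `ipfw delete 12307` removes
# both; 12308 also mentions port 25 but has its own number and would survive.
cat >"$RULES_TMP" <<'EOF'
01000 allow ip from any to any via lo0
01010 deny log ip from any to 127.0.0.0/8
12300 allow tcp from any to any dst-port 22
12307 allow tcp from any to any dst-port 25
12307 allow udp from any to any dst-port 25
12308 allow tcp from 10.0.1.0/24 to any dst-port 25,587
65534 deny log ip from any to any
EOF

# Constructed ipfw.log excerpt. The syslog prefix varies; what matters is the
# "<rule number> Deny|Accept <proto> <src> <dst>" part that ipfw writes.
cat >"$LOG_TMP" <<'EOF'
Jan 12 09:14:02 server ipfw[90]: 65534 Deny TCP 10.0.1.77:52110 10.0.1.20:548 in via en0
Jan 12 09:14:05 server ipfw[90]: 65534 Deny TCP 10.0.1.77:52111 10.0.1.20:548 in via en0
Jan 12 09:14:09 server ipfw[90]: 1010 Deny TCP 10.0.1.77:52112 127.0.0.1:22 in via en0
Jan 12 09:15:30 server ipfw[90]: 65534 Deny UDP 10.0.1.80:5353 224.0.0.251:5353 in via en0
EOF

# Every rule line whose dst-port list contains PORT (handles lists like "25,587").
rules_for_port() {   # usage: rules_for_port RULESFILE PORT
    awk -v want="$2" '{
        for (i = 1; i < NF; i++) if ($i == "dst-port") {
            n = split($(i + 1), p, ",")
            for (j = 1; j <= n; j++) if (p[j] == want) { print; next }
        }
    }' "$1"
}

# Distinct rule numbers for PORT: what you would hand to `ipfw delete`, one at a time.
numbers_for_port() {   # usage: numbers_for_port RULESFILE PORT
    rules_for_port "$1" "$2" | awk '{ print $1 }' | sort -u
}

# Count log entries per "<rule> <action>", most frequent first.
log_counts() {   # usage: log_counts LOGFILE
    awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^[0-9]+$/ && ($(i + 1) == "Deny" || $(i + 1) == "Accept")) {
                c[$i " " $(i + 1)]++; break
            }
    } END { for (k in c) print k, c[k] }' "$1" | sort -k3,3nr -k1,1n
}

# Service name for a port from /etc/services, or "?" if unknown (Apple's
# well-known ports article is the better reference for Apple-specific ports).
service_for_port() {   # usage: service_for_port PORT
    [ -r /etc/services ] && awk -v p="$1" '$2 == p "/tcp" || $2 == p "/udp" { print $1; exit }' /etc/services | grep . || echo "?"
}

# Join the log counts to the rule text so a number in the log means something.
annotate_log() {   # usage: annotate_log RULESFILE LOGFILE
    log_counts "$2" | while read -r num action count; do
        # compare numerically: the dump zero-pads (01010) while the log may not (1010)
        text=$(awk -v n="$num" '$1 + 0 == n + 0 { print; exit }' "$1")
        printf '%s %s x%s  -> %s\n' "$num" "$action" "$count" "${text:-(not in saved list: rules changed since it was saved?)}"
    done
}

echo "rules touching port 25:";        rules_for_port "$RULES_TMP" 25
echo "numbers to delete for port 25:"; numbers_for_port "$RULES_TMP" 25
echo "port 548 is $(service_for_port 548)"
echo "log summary:";                    annotate_log "$RULES_TMP" "$LOG_TMP"
```

Run it as is to see the sample output, then replace the two heredocs with your saved rule list and a tail of /var/log/ipfw.log. The "not in saved list" branch is the check that matters in practice: a rule number that shows up in the log but not in your document means the loaded rules have drifted from what you wrote down.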
Close Console. With DNS it's sometimes useful to know where the configuration files are, because you want to double-check that they were written correctly. With the firewall that's not as necessary, but it's still useful to know where they live, so let's locate them in Terminal: cd to /etc/ipfilter/ and run ls. While you're here, make a note of what's in this directory, but please don't edit anything in it, especially the files with a .apple suffix.
If you edit the .apple files, your firewall could become unresponsive, or you could lose the ability to control it from Server Admin. If you do want to hand-edit a file in this directory, the right candidate is ipfw.conf, which can be used to add your own rules. If you open it with less ipfw.conf, you'll see that most of it is commented out, but any line you add that isn't commented will be loaded by IPFW.
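As an added example, not part of the course, here is a small workflow for that hand edit that never lets a typo reach the live file: edit a staged copy, list the lines IPFW would actually load, syntax-check them with ipfw's -n flag (which the ipfw manual page describes as checking the command without passing it to the kernel), and install the copy only if the check is clean. The rules in the staged copy are constructed for illustration, and the install function assumes the 10.6 Server path /etc/ipfilter/ipfw.conf discussed above.

```shell
#!/bin/sh
# Added example (not from the course): stage a hand edit to ipfw.conf instead of
# editing the live file, and syntax-check the new rules with `ipfw -n` (the
# "check syntax only" flag from the ipfw manual page) before loading them.
# The rules below are CONSTRUCTED for illustration; CONF defaults to the
# 10.6 Server location discussed above.

CONF="${CONF:-/etc/ipfilter/ipfw.conf}"

# The lines ipfw will act on: strip '#' comments and blank lines.
active_rules() {   # usage: active_rules FILE
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^[[:space:]]*$'
}

# Syntax-check every active line. Returns 0 if all pass, 1 on the first bad
# line (printed to stderr), 2 if ipfw is not installed on this host.
check_rules() {   # usage: check_rules FILE
    command -v ipfw >/dev/null 2>&1 || return 2
    active_rules "$1" | while IFS= read -r line; do
        # shellcheck disable=SC2086   # word-splitting the rule into arguments is intended
        ipfw -n $line >/dev/null 2>&1 || { echo "bad rule: $line" >&2; exit 1; }
    done
}

# Replace the live file only after a backup and a clean syntax check. A return
# of 2 from check_rules (no ipfw here) also refuses: do this on the server.
install_rules() {   # usage: install_rules STAGED_FILE   (run as root)
    check_rules "$1" || { echo "refusing to install $1" >&2; return 1; }
    cp "$CONF" "$CONF.bak.$(date +%Y%m%d-%H%M%S)" && cp "$1" "$CONF"
}

# Constructed staged copy with two hand-added rules; the second has a typo that
# `ipfw -n` rejects, which is exactly what we want to catch before it goes live.
STAGED=$(mktemp)
trap 'rm -f "$STAGED"' EXIT
cat >"$STAGED" <<'EOF'
# Staged copy of ipfw.conf: Server Admin's own rules stay in the .apple files.
add 01100 allow ip from 10.0.1.220 to any       # admin workstation: allow everything
add 12400 alow tcp from any to any dst-port 25   # typo: "alow" fails the syntax check
EOF

echo "active lines ipfw would load:"; active_rules "$STAGED"
rc=0; check_rules "$STAGED" || rc=$?
case $rc in
    0) echo "syntax OK; install_rules \"$STAGED\" would back up and replace $CONF" ;;
    1) echo "fix the rule reported above before installing" ;;
    2) echo "ipfw not found on this host; run the check on the server itself" ;;
esac
```

On the server, fix the flagged line, rerun the check, and only then call install_rules as root. The backup copy beside ipfw.conf is what you reach for from the console if the new rules still lock you out.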
Just be very careful whenever you edit this file, because if you mistype something and save it, IPFW will try to load and run with exactly that. As we've already experienced, a misconfigured yet active firewall is a cruel and unforgiving thing. In the next movie, we'll look at how to troubleshoot firewalls from the client side.