Join Sean Colins for an in-depth discussion in this video What is a firewall and how does it fit into your server puzzle?, part of Mac OS X Server 10.6 Snow Leopard: DNS and Network Services.
Having nothing to do with dangerous walls of fire a firewall is a device or software on a computer that watches data traffic and either allows or denies passage, either in or out based on rules you set. Firewalls are cleverly named to strike fear into the hearts of people everywhere and yet they're very handy tools. Essentially, firewalls are about security, but I prefer to think of them in the context of a nice nightclub in a tough neighborhood.
The firewall in my analogy is the bouncer standing out in front of the club. In this case our bouncer is standing in front of many different doors. He can let you in or not. He can also keep track of you leaving and let you back in when you return because he gave you a stamp on your hand to show you've already been inside. He controls who can get in, but he also controls which doors can be opened or closed.
He can allow only the public in one door, the mailman in another. He can send the press to a special door, and he can send kitchen deliveries to an entirely different door. All doors lead inside, but the different doors are for different purposes. The bouncer makes sure the right stuff can get into the appropriate doors, and the wrong stuff can't. He gets his rules from the owner of the club and follows them no matter what. Because the club owner has a bouncer, the club is a safer and more orderly place.
A firewall does the same thing, but with data. The doors in our analogy are ports on the network. Not physical ports, not a hole you can plug something into, but something defined in software that exists for the purpose of organizing the flow of data through a network. In software, services have ports associated with them. Unsecured web pages are viewed and served over one specific port that everyone agrees to, just to keep things organized.
Web traffic is on port 80. So by allowing or denying access to port 80, we can allow or deny access to web pages. All services that can travel over networks have one or more ports associated with them. When a computer that happens to be a web server sees a request come in on port 80, it knows what to do with that request, because of the port it came in on. Services and ports are directly linked. So it can be helpful to keep track of frequently used ports.
Apple has a knowledge base article that is updated whenever they create a new service or use something new. Check it out. It can really help when you need to set up your firewall. There are two protocols commonly used on networks. One is TCP and the other is UDP. While the standards are tightly defined and complicated, we can simplify them down to one really important distinction. Data transmitted over TCP is very careful about whether all of the data arrives at its destination and UDP isn't. TCP is slower than UDP, because it spends a lot of time checking with the recipient to verify receipt of all of the data.
If data is lost in transit, TCP transmission will automatically be retransmitted until a perfect transmission is verified by the recipient. TCP is very reliable and is used when the data being sent must arrive at its destination perfectly. This is typically used for documents or images, things that must be stored and reused at the destination. UDP on the other hand doesn't really care if the recipient gets the package in its entirety.
UDP cares more about how much data it can shove out the door as quickly as possible. A great use for UDP, for example, is video streaming. If there's a glitch in the video stream, a viewer would probably rather see a dropped video frame or pixelated images than have to sit and wait for every perfect frame to come in. This has to do with how video is perceived, and the fact that a stream of video is being consumed in real time and not saved for future use.
It evaporates immediately upon playback. So if it isn't perfect, don't worry about it. Just keep shoving the data out the door. Because different services use either TCP or UDP or both, we have to specify the intended protocol in our firewall settings. So we almost have all of our firewall bits and pieces figured out, but there is one more important thing to understand. A firewall can apply different rules to traffic depending upon where it's coming from and where it's going.
So you can set your firewall to allow absolutely anything at all into and out of your server as long as it's coming from your internal network, but not allow anything at all if it's coming from anywhere else. This is done by setting up address groups and then using those groups to organize different sets of rules. Once you have your firewall configured and ready to go, you turn it on and bingo. The bouncer is at the door standing there, arms crossed and looking mean.
Now, now that you know what a firewall is, you're probably already thinking of ways you could use one. Let's get into Server Admin and see how to set this up on Mac OS X Server.
- Deploying, troubleshooting, and understanding OS X 10.6 DNS server
- Understanding and configuring OS X and OS X Server-based firewalls
- Fixing server- and client-side firewalls
- Configuring and troubleshooting DHCP
- Setting up and troubleshooting a VPN server