  • Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

    Command Line Firewall Management In OS X 10.10

    The tools to automate OS X firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, now there are much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall. Some tricks I’ve picked up with the Mac Firewall/alf scripting: Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper, FileWave, Munki, or Absolute Manage where you might kick yourself out of your session otherwise). Whatever you do, you can always reset things back to defaults by removing the com.apple.alf.plist file…

  • Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Network Infrastructure

    Mac Network Commands Cheat Sheet

    After writing up the presentation for MacSysAdmin in Sweden, I decided to go ahead and throw these into a quick cheat sheet for anyone who’d like to have them all in one place. Good luck out there, and stay salty.

    Get an IP address for en0: ipconfig getifaddr en0
    Same thing, but setting and echoing a variable: ip=`ipconfig getifaddr en0` ; echo $ip
    View the subnet mask of en0: ipconfig getoption en0 subnet_mask
    View the DNS server for en0: ipconfig getoption en0 domain_name_server
    Get information about how en0 got its DHCP lease: ipconfig getpacket en0
    View some network info: ifconfig en0
    Set en0 to have an IP address of 10.10.10.10…

  • cloud, Mac Security, Network Infrastructure

    Configure Syslog Options on a Meraki

    Meraki has a syslog option. To configure a Meraki to push logs to a syslog server, open your Meraki Dashboard and click on a device. From there, click on “Alerts & administration”. On the “Alerts & administration” page, scroll down to the Logging section. Click on the “Add a syslog server” link and type your syslog server’s name or IP address. Put the port number into the Port field. Then choose what types of events to export. This can be Event Log, Flows or URLs, where:
    Event Log: The messages from the dashboard under Monitor > Event log.
    Flows: Inbound and outbound traffic flows generate syslog messages that…

  • Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

    Upgrading to Mountain Lion Server

    Now that we’ve looked at what you get and what you don’t get in Mountain Lion Server, let’s take a little while to look at what the upgrade path itself looks like. Before we start, let’s just say that upgrading to Mountain Lion Server is probably one of the fastest, easiest and most boring upgrades you’ll ever get to do. And I say this more to the credit of the engineers that made the process so simple. Apparently there are bonuses to your Server just being an app. There is a catch, some of the services are gone. Another catch, you’re gonna’ need to have a system that meets the…

  • Mac OS X Server

    Changes in Mountain Lion Server

    Mountain Lion Server is now available on the OS X App Store and as with the last few updates there are some things missing that you might be expecting and depending on. First up, three major services are gone: Podcast Producer, RADIUS and dhcp. You can still do dhcp as you always did with OS X client as those features work on OS X Server, but the more granular controls available in OS X Server are now gone. The biggest impact of dhcp is probably in testing NetBoot services when there are network issues and you need to prove to network admins that it’s the network and not your server…

  • Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

    A Cheat Sheet For Using pf in OS X Lion and Up

    I’ve done plenty of writing on the Application Layer Firewall (ALF) and the IP FireWall (IPFW) in OS X over the years. There will be more on ALF coming in “July” but in the meantime, there’s something I hadn’t written much about in Lion and that’s the pf implementation. To get started, let’s look at the /etc/pf.conf configuration file that comprises pf:

    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"

    Here, you can see that pf is configured with a number of anchors. An anchor is a collection of rules and tables. Basically, the anchor file being loaded is /etc/pf.anchors/com.apple. In here, we…

  • VMware

    Configuring the ESX Firewall

    The ESX firewall can be managed from the command line. If you log in over SSH you can then use the following command to view (query) all of the active firewall entries (for those BSD/OS X folks, this command is similar to the ipfw command): esxcfg-firewall -q
    So we’re going to step through opening ports 3389 and 25, UDP and TCP, into and out of our VM. We’re going to continue using the esxcfg-firewall command, as it’s the primary interface into the ESX server’s (or cluster’s) firewall engine. We’re also going to use the -o option to open the port and then follow that up with a comma-delimited set of parameters for…

  • Mac OS X, Mac Security

    Mac OS X Server 10.5: Using NATd to turn the Server into a Router

    There are certain aspects of Mac OS X Server that it just isn’t that great at. One of them is acting as a router. It’s just a fact that an appliance by SonicWALL, Cisco, Watchguard and sometimes LinkSys will run circles around the speed and feature set of Mac OS X Server. So with that in mind, let’s look at how you would go about configuring a basic port forward on OS X Server if you decided not to listen to me on this point… 😉 You can use the /etc/net/natd.plist. The key you’ll want to edit is the redirect_port, one per port or a range of all in one key…

  • Xsan

    Preventing Firewall Issues with Xsan

    I originally posted this at http://www.318.com/TechJournal

    Introduction

    Xsan requires a dedicated Ethernet network in the architecture supported by Apple. For systems that obtain directory information or need to be wired into the corporate network, as is the case in many organizations, this can cause issues. Namely, Xsan will attempt to use the corporate network for connectivity with clients. We see this in many configurations and it can cause dropped packets, unmountable volumes and other intermittent issues. One way to fix this for metadata controllers is to choose the network adapter that you would like to use on the metadata network in Server Admin. This can be done by: Open Xsan Admin Click…