• Mac OS X Server,  Mac Security

    Managing Lion Server's Adaptive Firewall From the Command Line

Previously, I had done an article on using the adaptive firewall in Mac OS X Server, but I hadn't looked at controlling it from the command line yet. In Lion Server, the firewall automatically blocks incoming connections that it considers dangerous. For example, if a client attempts too many incorrect logins, a dynamic firewall rule blocks that client's address from communicating with the server for 15 minutes. If you're troubleshooting and you accidentally trip one of these rules, it can be a bit frustrating, which is why Apple gives us afctl, a tool that interacts with the adaptive firewall. The most basic task you can…

  • Mac OS X,  Mac OS X Server,  Mac Security,  Mass Deployment

    The OS X Application Layer Firewall Part 3: Lion

In a couple of previous articles I looked at automating the Application Layer Firewall in OS X. These are pretty common articles that get back-linked to the site, so I decided to update them earlier, rather than later, in the Lion release. The tools to automate firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall, and you will still use socketfilterfw there for much of the heavy lifting. However, socketfilterfw now has more helpful and functional options that make the firewall easier to script. Some tricks I've picked up with alf scripting: configure the firewall fully before turning it on (especially if…

  • Ubuntu,  Unix

    Ubuntu and Firewalling

Using the firewall in Ubuntu can be as easy or as hard as you want to make it. The BSD variants have traditionally used ipfw or pf, whereas most of the rest of the *nix world uses netfilter. Netfilter has a number of front ends; the one that comes pre-installed in Ubuntu is ufw, short for 'uncomplicated firewall'. ufw is good for basic port management: allow and deny type of stuff. It's not going to have the divert or throttling options. So let's look at some basic incantations of ufw (you need elevated privileges to do all of this, by the way). Initial Configuration First you need to enable ufw,…

  • Mac OS X Server,  Mac Security

    Snow Leopard Server & Adaptive Firewalls

The term Adaptive Firewall can mean a lot of things to a lot of people. In Mac OS X Server it means that if you attempt to log in with an incorrect password 10 times, a dynamic rule is created that blocks access for 15 minutes from the computer the attempts came from. After 15 minutes the dynamic rule is removed from the server. To see the number of dynamic rules running on a server, look at the Firewall service's Overview tab, or Active Rules. There's no timer, but it's pretty easy to see which IPs are blocked. I've found it doesn't always clear out after 15…
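Both the Lion Server and Snow Leopard Server posts above describe the same behaviour: a counter of failed logins per client address, a dynamic block rule created when the counter hits 10, and the rule expiring 15 minutes later. The following is an added toy model of that logic written for this page; it is not Apple's implementation and not afctl. The log format, the addresses and the timestamps are constructed for the demo, and the rule that a successful login resets the failure counter is an assumption, not something the posts state. The `unblock` method stands in for the manual removal you would reach for when troubleshooting has tripped a rule on your own address.

```python
from datetime import datetime, timedelta

THRESHOLD = 10                  # failed logins before a dynamic rule is created
BLOCK_FOR = timedelta(minutes=15)


def at(s):
    """Parse an ISO-8601 timestamp (helper for the constructed log lines)."""
    return datetime.fromisoformat(s)


class AdaptiveFirewall:
    """Toy model of the adaptive firewall's dynamic rules (not Apple's code)."""

    def __init__(self, threshold=THRESHOLD, block_for=BLOCK_FOR):
        self.threshold = threshold
        self.block_for = block_for
        self.failures = {}      # ip -> failed logins since last block/success
        self.rules = {}         # ip -> datetime at which the dynamic rule expires

    def expire(self, now):
        """Drop dynamic rules whose 15 minutes are up."""
        for ip, until in list(self.rules.items()):
            if now >= until:
                del self.rules[ip]

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.rules

    def observe(self, ip, ok, now):
        """Feed one login attempt. Returns True if the firewall dropped it."""
        if self.is_blocked(ip, now):
            return True
        if ok:
            # Assumption for the demo: a good login clears the counter.
            self.failures.pop(ip, None)
            return False
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.threshold:
            self.rules[ip] = now + self.block_for
            self.failures.pop(ip, None)
        return False

    def unblock(self, ip):
        """Manual removal of a dynamic rule (the troubleshooting case)."""
        return self.rules.pop(ip, None) is not None


def parse(line):
    """Constructed format: '<iso timestamp> <client ip> <OK|FAIL>'."""
    ts, ip, result = line.split()
    return at(ts), ip, result == "OK"


def replay(lines, fw=None):
    """Run log lines through the model; returns (firewall, dropped lines)."""
    fw = fw or AdaptiveFirewall()
    dropped = []
    for line in lines:
        now, ip, ok = parse(line)
        if fw.observe(ip, ok, now):
            dropped.append(line)
    return fw, dropped


# Constructed sample log: ten bad passwords from one client in ten seconds,
# an eleventh attempt, a correct password while still blocked, an unrelated
# client, then the same client again after the rule has expired.
LOG = [f"2011-09-01T10:00:{i:02d} 203.0.113.7 FAIL" for i in range(10)] + [
    "2011-09-01T10:00:10 203.0.113.7 FAIL",
    "2011-09-01T10:01:00 203.0.113.7 OK",
    "2011-09-01T10:01:05 198.51.100.4 OK",
    "2011-09-01T10:16:00 203.0.113.7 OK",
]

if __name__ == "__main__":
    fw, dropped = replay(LOG)
    for line in dropped:
        print("dropped:", line)
    print("active rules:", fw.rules)
```

Replaying the sample drops exactly two lines: the eleventh failure and the correct password sent a minute later, because the address itself is blocked, not the account. The attempt at 10:16 gets through because the rule created at 10:00:09 expired at 10:15:09.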

  • VMware

    Configuring the ESX Firewall

The ESX firewall can be managed from the command line. If you log in over SSH you can then use the following command to view (query) all of the active firewall entries (for those BSD/OS X folks, this command is similar to the ipfw command): esxcfg-firewall -q So we're going to step through opening ports 3389 and 25, UDP and TCP, into and out of our ESX host. We're going to continue using the esxcfg-firewall command, as it's the primary interface into the ESX host's firewall engine. We're also going to use the -o option to open the port and then follow that up with a comma-delimited set of parameters for…

  • Xsan

    Preventing Firewall Issues with Xsan

I originally posted this at http://www.318.com/TechJournal Introduction Xsan requires a dedicated Ethernet network in Apple's supported architecture. For systems that obtain directory information from, or need to be wired into, the corporate network of many organizations, this can cause issues. Namely, Xsan will attempt to use the corporate network for connectivity with clients. We see this in many configurations and it can cause dropped packets, unmountable volumes and other intermittent issues. One way to fix this for metadata controllers is to choose the network adapter that you would like to use on the metadata network in Server Admin. This can be done by: Open Xsan Admin Click…

  • Swift

    Developer Mode System Extensions on macOS

System and Network Extensions are fairly easy to work with programmatically. However, there is some nuance around building them. Much of this is in getting the correct entitlements, but also a little in troubleshooting. To see (or set) those entitlements, look at the .entitlements file located in the root of an Xcode project. That will be a plist with a few entries. In this one, we'll see com.apple.developer.networking.networkextension, so we're working on a network extension. The entries are com.apple.security.app-sandbox, com.apple.security.application-groups (set to $(TeamIdentifierPrefix)com.krypted.firewall) and com.apple.developer.networking.networkextension (set to content-filter-provider). To add one, go to the General screen for the project, and locate the section for Frameworks, Libraries, and Embedded Content. Then use the plus sign to add and provide the name…

  • Mac OS X,  Mac Security

    Tor and Scripting on macOS

Tor, short for The Onion Router, is a tool to anonymize your network traffic. Tor is simple to use and yet incredibly complicated under the hood. You install software, available at www.torproject.org, or a browser extension. Tor routes your data through a series of nodes. Each of those computers or routers is only aware of the node in front of it and the node behind it in the route, and the address of the next node is itself wrapped in a layer of encryption. Because each hop adds its own layer, the nested encryption can be thought of like the layers of an onion. So if each step is separately encrypted, a compromise of any device in the route will still…
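The layering the excerpt describes can be shown in a few dozen lines. The following is an added illustration written for this page, not Tor's code or protocol: Tor negotiates a fresh key with each relay as the circuit is extended and uses its own cell format, whereas here every relay has a pre-shared key, and the per-layer cipher is a toy (SHA-256 keystream XOR with an HMAC tag) chosen only so the example runs with the standard library. Relay names, keys and the payload are constructed for the demo. What it does show is the property the paragraph is getting at: the client wraps the message once per hop, each relay peels exactly one layer and learns only who handed it the cell and who to forward it to, and neither the payload nor the final destination is visible to any relay but the last.

```python
import hashlib
import hmac
import os

HOP = 16  # fixed-width next-hop address field inside every layer


def keystream(key, nonce, n):
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Demo only."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, data):
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag and strip one layer; raises ValueError on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("bad tag: layer was modified or wrong key")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def addr(name):
    return name.encode().ljust(HOP, b"\0")


def build_onion(relays, dest, payload):
    """Client side: wrap from the exit inward. relays is [(name, key), ...]
    in path order. Returns (first hop name, onion bytes)."""
    blob = payload
    nxt = dest
    for name, key in reversed(relays):
        blob = seal(key, addr(nxt) + blob)   # this relay learns only nxt
        nxt = name
    return nxt, blob


def relay_peel(key, blob):
    """Relay side: remove one layer, read the next hop, forward the rest."""
    inner = unseal(key, blob)
    return inner[:HOP].rstrip(b"\0").decode(), inner[HOP:]


def run_circuit(relays, dest, payload):
    """Simulate delivery. Returns (where it ended up, what arrived,
    [(relay, next hop, bytes the relay forwarded), ...])."""
    keyring = dict(relays)
    hop, blob = build_onion(relays, dest, payload)
    seen = []
    while hop in keyring:
        nxt, blob = relay_peel(keyring[hop], blob)
        seen.append((hop, nxt, blob))
        hop = nxt
    return hop, blob, seen


# Constructed circuit: three relays with demo keys, one destination.
RELAYS = [("relay-a", os.urandom(32)), ("relay-b", os.urandom(32)),
          ("relay-c", os.urandom(32))]
DEST = "example.test"
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    end, got, seen = run_circuit(RELAYS, DEST, PAYLOAD)
    for relay, nxt, fwd in seen:
        print(f"{relay} -> {nxt}: {len(fwd)} bytes, payload visible: {PAYLOAD in fwd}")
    print("delivered to", end, "intact:", got == PAYLOAD)
```

Running it shows relay-a and relay-b forwarding opaque bytes that contain neither the request nor the string `example.test`; only relay-c, the exit, sees the plaintext it hands to the destination. Flipping a single byte of the onion at the entry makes relay-a's tag check fail, which is the encrypt-then-MAC discipline you want on every layer.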