9 Replies Latest reply: Mar 3, 2012 7:49 PM by llubnrut
rgiraldo Orlando FL Level 1 Level 1 (0 points)

I was reading a Mac OS X Administrator book and the author recommended not turning on the firewall if behind a secured router.

 

What are your thoughts?

 

I currently run pfSense 2.0 RC3. I only have RDP open to a Windows Server machine and VNC to my Lion Server.

 

If you wonder why I have a Windows Server, it's because I need to run a Windows program and I use Terminal Server licences for multiple connections. My main OS of choice is Mac. However, I am still studying its features so that I can administer it properly.

 

My setup

Mac Mini Core i7, 8 GB RAM


Mac mini, Mac OS X (10.7)
  • 1. Re: Pfsense & Lion server
    Linc Davis Level 10 Level 10 (117,990 points)

    I was reading a Mac OS X Administrator book and the author recommended not turning on the firewall if behind a secured router.

     

    Correct.

  • 2. Re: Pfsense & Lion server
    rgiraldo Orlando FL Level 1 Level 1 (0 points)

    OK, now that we agree we are reading the same page: why would I not have it enabled? (Firewall)

     

    Is it not correct to say that some security is good security practice? Yes, the router has the ports blocked, but is that enough?

     

    Thanks

  • 3. Re: Pfsense & Lion server
    Tim Bloom1 Level 1 Level 1 (110 points)

    It depends on how secure your pfSense router is. If you have something like Snort running on it, you're good. But the built-in firewall in OS X Server (even with all ports open) is good to have. It's an adaptive firewall and I've seen it throttle brute force attacks and save my poor little Mini server from crumbling under the load. I think it's probably best to have it on, but with all traffic allowed, and let the pfSense router actually be the gatekeeper.

  • 4. Re: Pfsense & Lion server
    Linc Davis Level 10 Level 10 (117,990 points)

    Why would I not have it enabled? (Firewall)

     

    Because you already have one. You don't need two.

     

    Is it not correct to say that some security is good security practice? Yes, the router has the ports blocked, but is that enough?

     

    Yes and yes. Let's say you have AFP active. You obviously want clients on the internal network to be able to connect to it, but you don't want clients on the WAN to be able to connect. They can't. That's what the router does for you. The built-in pf firewall is only useful if you want to discriminate between LAN clients. If that's the case, then you should probably be doing something with VLANs.
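
    The one case the reply above leaves for the host firewall is telling LAN clients apart. As an added illustration (not from any poster on this thread), here is a pf.conf fragment for the Lion Server host that does exactly that for the AFP example above, plus the VNC port the original poster forwards. The interface name en0, the trusted subnet 192.168.1.0/24 and the guest VLAN 192.168.50.0/24 are constructed assumptions.

    ```pf
    # Added example, not the thread's own configuration.
    # Assumed: en0 is the server's LAN interface; 192.168.1.0/24 is the
    # trusted LAN; 192.168.50.0/24 is a guest VLAN that must not reach
    # file sharing or Screen Sharing on this host.
    lan_if  = "en0"
    trusted = "192.168.1.0/24"
    guests  = "192.168.50.0/24"
    afp     = "548"      # AFP file sharing
    vnc     = "5900"     # Screen Sharing / VNC

    set skip on lo0
    block in log on $lan_if              # default: drop and log inbound
    pass out on $lan_if keep state       # the server may open outbound connections

    # Guest VLAN is dropped explicitly and logged so attempts are visible.
    block in log quick on $lan_if proto tcp from $guests to ($lan_if) port { $afp, $vnc }

    # Trusted LAN clients reach AFP and VNC; everything else stays blocked above.
    pass in quick on $lan_if proto tcp from $trusted to ($lan_if) port { $afp, $vnc } keep state
    ```

    Check the syntax with `sudo pfctl -nf <file>` before loading it with `sudo pfctl -ef <file>`; the WAN side is still the router's job, as the reply says.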

  • 5. Re: Pfsense & Lion server
    rgiraldo Orlando FL Level 1 Level 1 (0 points)

    Yeah, after walking around and thinking about it, it makes sense. I am just so used to using Windows Server that I feel the server should not even breathe unless I allow it. What other measures would you recommend to prevent any threats or potential threats from happening?

     

    My current Firewall Setup

     

    In my address group 192.168-net, should I allow all traffic (any)? Or just leave "any" to allow all traffic as well?

     

    Thanks

  • 6. Re: Pfsense & Lion server
    Linc Davis Level 10 Level 10 (117,990 points)

    What other measures would you recommend to prevent any threats or potential threats from happening?

     

    None, on the server, in terms of network attacks. If you have Windows clients and you're sharing downloaded files, you could activate Clamav.

     

    I would just turn off the internal firewall. It's not doing anything.

  • 7. Re: Pfsense & Lion server
    Tim Bloom1 Level 1 Level 1 (110 points)

    I personally recommend leaving it on, with the ports open.

     

    Aside from just ipfw, Apple has an adaptive firewall which provides all sorts of nifty benefits if your main firewall does not do intrusion detection (and maybe even supplements it if it does).

     

    http://www.malwarecity.com/community/index.php?app=blog&module=display&section=blog&blogid=23&showentry=6513

     

    Here's a little explanation. And of note, this has been reported to have been beefed up extensively in Lion. You do need the system firewall active for this adaptive security mechanism to insert temporary firewall rules to block potentially malicious activity that the OS detects. It will still show in the log that you're attempting to block certain attacks even if the firewall is off, so that service is always running, though without the firewall active it never blocks anything.

     

    Edit: changed link to a more informative article.

  • 8. Re: Pfsense & Lion server
    Asajj Ventress Level 1 Level 1 (0 points)

    Question:

     

    Which firewall should be on? Can I use the firewall of Lion OS X Server through System Preferences, or must I use the firewall of Server Admin? The reason is that with the firewall of Server Admin, iTunes AirPlay isn't working, not even with the ports open as stated on this support site.

  • 9. Re: Pfsense & Lion server
    llubnrut Level 1 Level 1 (0 points)

    Did you find a solution to this? Having the same issue with AirPlay. I have both firewalls turned on, but with the Server Admin firewall set to allow all it somehow prevents AirPlay from working. Even tried allowing the required ports and still no go. As soon as I turn off the firewall AirPlay works again.