
Pfsense & Lion server

1272 Views, 9 Replies. Latest reply: Mar 3, 2012 7:49 PM by llubnrut
rgiraldo Orlando FL, Level 1 (0 points)
Aug 1, 2011 9:04 PM

I was reading the Mac OS X Administrator book, and the author recommended not turning on the firewall if you are behind a secured router.

 

What are your thoughts?

 

I currently run pfSense 2.0 RC3. I only have RDP open to a Windows Server machine and VNC to my Lion Server.

 

If you wonder why I have a Windows Server, it's because I need to run a Windows program, and I use Terminal Server licensing for multiple connections. My main OS of choice is Mac. However, I am still studying its features so that I can administer it properly.

 

My setup

Mac Mini Core i7, 8 GB RAM

Mac mini, Mac OS X (10.7)
  • Linc Davis, Level 10 (107,375 points)
    Aug 1, 2011 9:25 PM (in response to rgiraldo Orlando FL)

    I was reading the Mac OS X Administrator book, and the author recommended not turning on the firewall if you are behind a secured router.

     

    Correct.

  • Tim Bloom1, Level 1 (110 points)
    Aug 1, 2011 9:45 PM (in response to rgiraldo Orlando FL)

    It depends on how secure your pfSense router is. If you have something like Snort running on it, you're good. But the built-in firewall in OS X Server (even with all ports open) is good to have. It's an adaptive firewall, and I've seen it throttle brute-force attacks and save my poor little Mini server from crumbling under the load. I think it's probably best to have it on, but with all traffic allowed, and allow the pfSense router to actually be the gatekeeper.

  • Linc Davis, Level 10 (107,375 points)
    Aug 1, 2011 9:45 PM (in response to rgiraldo Orlando FL)

    Why would I not have it enabled? (Firewall)

     

    Because you already have one. You don't need two.

     

    Is it not correct to say that some security is a good security practice? Yes, the router has the ports blocked; is that enough?

     

    Yes and yes. Let's say you have AFP active. You obviously want clients on the internal network to be able to connect to it, but you don't want clients on the WAN to be able to connect. They can't. That's what the router does for you. The built-in pf firewall is only useful if you want to discriminate between LAN clients. If that's the case, then you should probably be doing something with VLANs.

  • Linc Davis, Level 10 (107,375 points)
    Aug 1, 2011 10:18 PM (in response to rgiraldo Orlando FL)

    What other measures would you recommend to prevent any threats or potential threats from happening?

     

    None, on the server, in terms of network attacks. If you have Windows clients and you're sharing downloaded files, you could activate ClamAV.

     

    I would just turn off the internal firewall. It's not doing anything.

  • Tim Bloom1, Level 1 (110 points)
    Aug 1, 2011 10:30 PM (in response to Linc Davis)

    I personally recommend leaving it on, with the ports open.

     

    Aside from just ipfw, Apple has an adaptive firewall which provides all sorts of nifty benefits if your main firewall does not do intrusion detection (and may even supplement it if it does).

     

    http://www.malwarecity.com/community/index.php?app=blog&module=display&section=blog&blogid=23&showentry=6513

     

    Here's a little explanation. And of note, this has been reported to have been beefed up extensively in Lion. You do need the system firewall active for this adaptive security mechanism to insert temporary firewall rules to block potentially malicious activity that the OS detects. It will still show in the log that you're attempting to block certain attacks even if the firewall is off, so that service is always running, though without the firewall active it never blocks anything.

     

    Edit: changed link to a more informative article.
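The adaptive mechanism described in the post above (count authentication failures per source, insert a temporary block rule, let it lapse) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not Apple's adaptive firewall, not pfSense, and not code posted in the thread. The log line format, the threshold and window values, and the pf table name `bruteforce` are assumptions, and the sample log lines are constructed rather than captured from a real host.

```python
"""Sliding-window brute-force throttle, in the spirit of an adaptive host firewall.

Added illustration only: this is not Apple's adaptive firewall, not pfSense,
and not code from the thread. It reads constructed auth-failure log lines,
counts failures per source address inside a time window, and when a source
crosses the threshold it records a temporary block that expires later.
The pfctl commands it records are illustrative strings and are never executed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real host). The line format is an
# assumption, loosely modelled on sshd-style "Failed password" messages.
SAMPLE_LOG = """\
2011-08-01 21:00:01 sshd: Failed password for admin from 203.0.113.7
2011-08-01 21:00:03 sshd: Failed password for root from 203.0.113.7
2011-08-01 21:00:04 sshd: Failed password for admin from 203.0.113.7
2011-08-01 21:00:06 sshd: Failed password for admin from 203.0.113.7
2011-08-01 21:00:07 sshd: Failed password for test from 203.0.113.7
2011-08-01 21:00:09 sshd: Accepted password for alice from 192.168.1.20
2011-08-01 21:00:30 sshd: Failed password for alice from 192.168.1.20
2011-08-01 21:05:00 sshd: Failed password for admin from 203.0.113.7
2011-08-01 21:20:00 sshd: Failed password for admin from 203.0.113.7
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd: "
    r"Failed password for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Tunables (assumed values chosen for the demo, not Apple's or pfSense's defaults).
THRESHOLD = 5                      # failures from one address ...
WINDOW = timedelta(minutes=1)      # ... inside this window trigger a block
BLOCK_FOR = timedelta(minutes=15)  # how long the temporary block lasts
TABLE = "bruteforce"               # assumed pf table, e.g. "block in quick from <bruteforce>"


class AdaptiveBlocker:
    """Tracks per-address failures and temporary blocks; pure state, no side effects."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.blocked = {}                   # ip -> datetime when the block expires
        self.rules = []                     # pfctl commands that *would* be run

    def _expire(self, now):
        """Drop blocks whose expiry has passed (the 'temporary' part of the rule)."""
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                self.rules.append(f"pfctl -t {TABLE} -T delete {ip}")

    def observe(self, line):
        """Feed one log line. Returns None for lines that are not auth failures,
        otherwise 'counted', 'blocked' (block placed now) or 'already-blocked'."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        now = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        self._expire(now)
        if ip in self.blocked:
            return "already-blocked"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # slide the window forward
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked[ip] = now + self.block_for
            recent.clear()
            self.rules.append(f"pfctl -t {TABLE} -T add {ip}")
            return "blocked"
        return "counted"


def run(log_text):
    """Replay a log through a fresh blocker; returns (blocker, per-line outcomes)."""
    blocker = AdaptiveBlocker()
    outcomes = [blocker.observe(line) for line in log_text.splitlines() if line.strip()]
    return blocker, outcomes


if __name__ == "__main__":
    blocker, outcomes = run(SAMPLE_LOG)
    for line, outcome in zip(SAMPLE_LOG.splitlines(), outcomes):
        print(f"{outcome!s:16} {line}")
    print("rules that would have been issued:", *blocker.rules, sep="\n  ")
```

Two details carry the point of the thread. The block is keyed on the source address and has an expiry, so a legitimate user who mistypes a password once (192.168.1.20 above) is never blocked, and the attacker's address is released after the interval rather than permanently. And the recorded `pfctl` table operations only have an effect if a host firewall is actually loading a rule that references that table; with the host firewall off, this logic would still log that it wanted to block, but nothing would be enforced.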

  • Asajj Ventress
    Aug 8, 2011 4:05 AM (in response to Tim Bloom1)

    Question:

     

    Which firewall should be on? Can I use the firewall of Lion OS X Server through System Preferences, or must I use the firewall of Server Admin? The reason is that with the firewall of Server Admin, iTunes AirPlay isn't working, not even with the ports open as stated on this support site.

  • llubnrut
    Mar 3, 2012 7:49 PM (in response to Asajj Ventress)

    Did you find a solution to this? Having the same issue with AirPlay. I have both firewalls turned on, but with the Server Admin firewall set to allow all, it somehow prevents AirPlay from working. Even tried allowing the required ports and still no go. As soon as I turn off the firewall, AirPlay works again.
