
Firewall rules, groups - confusing!

Hi all,


I am trying to set up the firewall on my Mac mini server 10.6.7. Hope you could help me clarify the issues below:

- By default I got "any group", "10-net group", "129.168-net group" and "192.168.1-net group". Should I delete all and just keep "192.168.1-net group"? If I keep it, which check box do I have to tick to enable services?

- Is it the right way to tick all the "Deny" rules in the Advanced tab and then open services one by one in the Services tab?


Thanks and looking forward to your response!

Posted on Apr 28, 2011 4:02 AM

Question marked as Best reply

Posted on Apr 28, 2011 6:18 AM

Those are IP subnets, and those groups select the originating IP address for the incoming connection.


Your network looks to be using the 192.168.1.x/24 subnet, which is common. Unfortunately, the common subnets are also very bad choices if you decide to use VPNs in the future.


Ok, your "10-net group", "129.168-net group" and "192.168.1-net group" should probably be "10-net group", "192.168-net group" and "192.168.1-net group" (typo in there), and you'll find that is the 10.0.0.0/8 subnet, and the 192.168.0.0/16 block, and the 192.168.1.0/24 block.


Here are the three private IP address blocks:


  • 10.0.0.0 to 10.255.255.255, also called 10.0.0.0/8
  • 172.16.0.0 to 172.31.255.255, also known as 172.16.0.0/12
  • 192.168.0.0 to 192.168.255.255, also known as 192.168.0.0/16


You'll generally have a subnet within these blocks, but we'll skip the IP subnet introduction for now and point to the use of "10-net group" to point to any incoming address in 10.0.0.0/8; connections from addresses 10.0.0.1 to 10.255.255.254. "192.168-net group" is 192.168.0.1 to 192.168.255.254, and "192.168.1-net group" is 192.168.1.1 to 192.168.1.254.


You can read the Wikipedia article on this IP addressing stuff but (and I've been tussling with IP for a very long time) it's surprisingly dense reading. (It's entirely correct, but it's written for IP nerds and not really for IP newbies.) If you don't bother reading that (and I would not blame you), then just remember you can't use the .0 and .255 addresses within any particular subnet; the ranges I show above reflect that, though technically the .0 and .255 addresses are within the ranges, and you probably want to configure your network out of the 192.168.0.1 to 192.168.0.254 and 192.168.1.1 to 192.168.1.254 subnets if you might ever need to use VPNs.


Now these private addresses should generally not be active on the public internet and should not be passing default router configurations, and so these should be LAN local. There are cases of ISPs using these blocks and issuing addresses from here for all private LANs managed by that ISP, so there's no solid rule of what you might see; there are various ISP schemes and even more local LAN schemes and permutations.


So the answer to your question is... Do you know what IP addresses will be referencing and reaching your server? If so, then yes, you can delete those groups that you are not using. But I'd probably leave the groups alone (at least for now), and just select the services within each (that your network is not using) for no traffic. Which is the "don't delete" answer.


I also typically recommend acquiring and installing an external gateway firewall box and not running a Mac as a gateway, as that makes networking (far) easier, and (if you purchase a gateway firewall with server-oriented features, or use one of the available open-source options with server-oriented features) you can connect via external VPN to your firewall to allow remote (in-bound) access into your network. That also means you have less traffic hitting your server-local firewalls.


I'd suggest some introductory reading on IP networking and DNS services, as they're essential to operating a server.
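As an added illustration (my own code, not from the thread or from Apple's firewall tooling), Python's standard ipaddress module reproduces the ranges the reply quotes and shows which of the address groups a given source address falls into. The group names and CIDR blocks follow the reply; "any group" is modelled as 0.0.0.0/0, and 203.0.113.7 is a constructed example of a public (non-RFC 1918) source address taken from the documentation range.

```python
import ipaddress

# Address groups as named in the reply, each mapped to its CIDR block.
# "any group" is modelled as 0.0.0.0/0 so it contains every IPv4 source.
ADDRESS_GROUPS = {
    "any group": ipaddress.ip_network("0.0.0.0/0"),
    "10-net group": ipaddress.ip_network("10.0.0.0/8"),
    "192.168-net group": ipaddress.ip_network("192.168.0.0/16"),
    "192.168.1-net group": ipaddress.ip_network("192.168.1.0/24"),
}

# The three RFC 1918 private blocks listed in the reply.
RFC1918_BLOCKS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def usable_host_range(cidr):
    """First and last assignable host address of a subnet, as strings.

    The network address (the .0 of a /24) and the broadcast address (the .255)
    are skipped, which is why the reply quotes 10.0.0.1 to 10.255.255.254 for
    10.0.0.0/8.  Arithmetic on the block ends is used instead of enumerating
    net.hosts(), which would be 16 million entries for a /8.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:  # /31 point-to-point and /32 single host: no reserved ends
        return str(net.network_address), str(net.broadcast_address)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def is_rfc1918(source):
    """True when the address lies in one of the three private blocks."""
    addr = ipaddress.ip_address(source)
    return any(addr in block for block in RFC1918_BLOCKS)


def matching_groups(source):
    """Names of every address group whose block contains the source address.

    A LAN host such as 192.168.1.42 matches three groups at once (any,
    192.168-net, 192.168.1-net), which is why the reply frames the groups
    as selectors on the originating address rather than as a single choice.
    """
    addr = ipaddress.ip_address(source)
    return [name for name, net in ADDRESS_GROUPS.items() if addr in net]


if __name__ == "__main__":
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.168.1.0/24"):
        print(cidr, "->", usable_host_range(cidr))
    # Constructed sample sources: two LAN hosts, one address in 172.16/12, one public.
    for src in ("192.168.1.42", "10.0.0.60", "172.20.5.9", "203.0.113.7"):
        print(src, "private" if is_rfc1918(src) else "public", matching_groups(src))
```

Running it shows that a single LAN client is covered by every overlapping group, so unticking a service in "192.168.1-net group" alone does not remove it if the same service is still ticked in "any group" or "192.168-net group".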

9 replies

Apr 28, 2011 6:59 AM in response to MrHoffman

Hi Hoffman,


Thanks for your reply, always detailed and helpful!


Just want to be sure that I understand you correctly: when I do not host any website and do not use VPN, I can uncheck all services of "any group" and "10-net group" (I deleted "192.168-net group")?


And for sure I will upgrade to a firewall box in the future if needed. But for now I would like to give the Mac mini a chance!



Thanks very much for your time!

Apr 28, 2011 9:58 AM in response to thanhlp

Just want to be sure that I understand you correctly: when I do not host any website and do not use VPN, I can uncheck all services of "any group" and "10-net group" (I deleted "192.168-net group")?


What address block does your local LAN use? You likely don't want to block that. Otherwise, have at.


(And again, I don't recommend deleting configuration settings.)


How good are your backups? That's your path back from errant deletion, storage hardware failures and security breaches. That's full-disk backups, as well as at least a couple of copies of older backups kept over time, so you can go back in history if the most recent backups are somehow corrupt or have also been breached.


And for sure I will upgrade to a firewall box in the future if needed. But for now I would like to give the Mac mini a chance!


Google around the forums for previous experiences with this configuration. While it's possible to get the gateway configuration to work, there are many folks that have had issues with this setup and (if you're not very cautious with your settings) you can end up opening your server to attacks due to misconfigurations, or open ports and vulnerabilities through (insecure) software installations on the server. Mac boxes just don't make very good gateways, nor good routers.

Apr 28, 2011 9:58 PM in response to MrHoffman

Hi Hoffman,


Sorry if I was not very clear in the beginning. Here is my setup:


- Internet ------ Modem/Router (10.0.0.1) ------- Ethernet card of Mac (static 10.0.0.60)------ Firewall ------ USB ethernet card (192.168.1.1) ----- LAN (192.168.1.1 -> 192.168.1.63)



Groups:


1. "any group": any


2. "10-net group": 10.0.0.0/8


3. "Work group": 192.168.1.0/26 (I created this; it has a range from .1 to .63)



DHCP config:


Only one subnet, from 192.168.1.20 to 192.168.1.63.



Static IP config:


The addresses from 192.168.1.1 to 192.168.1.10 are for the server and base station;

192.168.1.10 to 192.168.1.20 are for the printer.



Firewall config:


1. "Any group": enable the first 4 services, the "IGMP - Internet Group Management Protocol" service and the "ICMP - require type only" service


2. "10-net group": same as "any group"


3. "Work group": Mail, DHCP, FTP, HTTP, SQL... services enabled as needed



Firewall advanced config:



Please advise, thanks very much for your time!

Apr 29, 2011 2:16 PM in response to thanhlp

I wouldn't use your Mac as a gateway router if that's what you are up to here. That gets ugly. You'll either have to use NAT or subnet routing.


If there's double NAT here, that is likely going to cause network problems. Do remove that at your first convenience.


And FWIW, ftp also needs the ephemeral ports open. It's also wildly insecure, and entirely allergic to firewalls.
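To make the interaction between the groups and the per-group service checkboxes concrete, here is an added model (my own code, not from the thread and not Server Admin's actual rule generator) of the configuration posted above, with the FTP remark applied to it. Group names and CIDRs are as posted; the protocol/port assigned to each service, the modelling of "any group" as 0.0.0.0/0, and the evaluation rule (allow if any group containing the source has the service ticked, otherwise the final deny) are my assumptions. The "first 4 services" the post enables for "any group" are not named there, so only ICMP and IGMP are modelled for it; the probe addresses and the ephemeral port 50000 are constructed.

```python
import ipaddress

# Address groups from the poster's setup (names and CIDRs as posted).
ADDRESS_GROUPS = {
    "any group": ipaddress.ip_network("0.0.0.0/0"),
    "10-net group": ipaddress.ip_network("10.0.0.0/8"),
    "Work group": ipaddress.ip_network("192.168.1.0/26"),
}

# Service name -> (protocol, destination port).  The port assignments are my
# assumption; the post names the services, not their ports.  ICMP and IGMP
# carry no port, so they match on protocol alone.
SERVICES = {
    "ICMP": ("icmp", None),
    "IGMP": ("igmp", None),
    "Mail (SMTP)": ("tcp", 25),
    "DHCP": ("udp", 67),
    "FTP": ("tcp", 21),
    "HTTP": ("tcp", 80),
}

# Services ticked per group, as described in the post.  "any group" enables
# "the first 4 services" without naming them, so only ICMP and IGMP appear.
ENABLED = {
    "any group": {"ICMP", "IGMP"},
    "10-net group": {"ICMP", "IGMP"},  # "same as any group"
    "Work group": {"Mail (SMTP)", "DHCP", "FTP", "HTTP", "ICMP", "IGMP"},
}


def groups_for(source):
    """Every address group whose block contains the source address."""
    addr = ipaddress.ip_address(source)
    return [name for name, net in ADDRESS_GROUPS.items() if addr in net]


def service_for(protocol, port):
    """Name of the defined service matching a protocol/port, or None."""
    for name, (proto, p) in SERVICES.items():
        if proto == protocol and p == port:
            return name
    return None


def decide(source, protocol, port=None):
    """Return ("allow" | "deny", reason) for an inbound packet.

    Model (an assumption, not Server Admin's actual behaviour): the packet is
    allowed when any group containing the source has the matching service
    ticked; everything else falls through to the final deny rule.
    """
    service = service_for(protocol, port)
    if service is None:
        return "deny", f"no defined service for {protocol}/{port}: default deny"
    for group in groups_for(source):
        if service in ENABLED[group]:
            return "allow", f"{service} is enabled for {group}"
    return "deny", f"{service} is not enabled for any group containing {source}"


def ftp_data_gap(source):
    """The FTP remark in the reply: control port allowed, passive data port denied."""
    control = decide(source, "tcp", 21)[0]
    data = decide(source, "tcp", 50000)[0]  # 50000: a constructed ephemeral data port
    return control, data


if __name__ == "__main__":
    probes = (
        ("192.168.1.30", "tcp", 80),    # LAN client inside the /26
        ("192.168.1.100", "tcp", 80),   # LAN-looking address outside the /26
        ("10.0.0.1", "icmp", None),     # the modem/router on the WAN side
        ("203.0.113.7", "tcp", 25),     # a public source
        ("0.0.0.0", "udp", 67),         # DHCPDISCOVER from a client with no lease yet
    )
    for probe in probes:
        print(probe, decide(*probe))
    print("FTP control/data from a LAN client:", ftp_data_gap("192.168.1.30"))
```

Two things the run makes visible. First, HTTP from 192.168.1.100 is denied even though it is a 192.168.1.x address, because "Work group" is a /26 and stops at .63 (and in a /26, .63 is the broadcast address, so a DHCP range ending at .63 hands out an address the subnet cannot use). Second, under this model a client with no lease yet sends its DHCP request from 0.0.0.0, which only "any group" contains, so ticking DHCP in "Work group" alone leaves it denied; whether the real firewall special-cases DHCP is something to verify on the box rather than assume.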

Apr 30, 2011 1:58 AM in response to MrHoffman

OK I see, I also feel very uncomfortable when I see NAT in the modem and NAT in the server running in parallel; maybe that is the reason NAT on the server is unstable? I will follow up on your comment to create a PPPoE service directly on the server, not on the modem, and let's see.


I would like to ask, if you do not use the Mac as a router, then how is your network set up? Sorry for this newbie question!


PS: Thanks very much for your comment about FTP port, I will turn it off, thanks!

Apr 30, 2011 9:55 AM in response to MrHoffman

MrHoffman wrote:


I wouldn't use your Mac as a gateway router if that's what you are up to here. That gets ugly.


Thanks Hoffman, but when you mention using a separate router, what kind of router? Up to 10,000 USD or just hundreds of USD? I just looked through some specs and prices but I really do not know which one to choose, because I have very limited know-how in this field.


I did also read through your note regarding selecting a router and firewall but still got no clue which one I have to buy and how much. Could you be more specific on this?


I do not host a website, so I do not care much about attacks from outside to inside; I care more about controlling bandwidth, P2P downloads... to keep web browsing and email working all the time.

Apr 30, 2011 2:26 PM in response to thanhlp

The routers I generally install and operate are generally priced around US$250 to US$500, and available from various vendors. Here are some considerations when picking a firewall; what I look for, and why.


Options include the D-Link DFL series, as well as the Cisco RV042/RV082 series, among (many) others. For some applications there are open source options, including Vyatta, M0n0wall, Smoothwall and pfSense, if you have a spare x86 box and NICs that are supported by one or more of these packages.
