Pfsense & Lion server

I was reading Mac os x Administrator book and the author recommended not turning on the firewall if behind a secured router.

Correct.

It depends on how secure your pfsense router is. If you have something like snort running on it, you're good. But the built in firewall in os x server (even with all ports open) is good to have. It's an adaptive firewall and I've seen it throttle brute force attacks and save my poor little mini server from crumbling under the load. I think it's probably best to have on, but with all traffic allowed and allow the pfsense router to actually be the gatekeeper.

Why would I not have it enabled? (Firewall)

Because you already have one. You don't need two.

Is it not correct to say that some security is a good securty practice? Yes the router has the ports blocked is that enough?

Yes and yes. Let's say you have AFP active. You obviously want clients on the internal network to be able to connect to it, but you don't want clients on the WAN to be able to connect. They can't. That's what the router does for you. The built-in pf firewall is only useful if you want to discriminate between LAN clients. If that's the case, then you should probably be doing something with VLAN's.

What other measures would you recommend to prevent any threats or potential treats from happening?

None, on the server, in terms of network attacks. If you have Windows clients and you're sharing downloaded files, you could activate Clamav.

I would just turn off the internal firewall. It's not doing anything.

I personally recommend leaving it on, with the ports open.

Aside from just ipfw, Apple has an adaptive firewall which provides all sorts of nifty benefits if your main firewall does not do intrusion detection (and maybe even supplement it if it does.)

http://www.malwarecity.com/community/index.php?app=blog&module=display&section=b log&blogid=23&showentry=6513

Here's a little explanation. And of note, this has been reported to have been beefed up extensively in Lion. You do need the system firewall active for this adaptive security mechaism to insert temporary firewall rules to block potentially malicious activity that the OS detects. It will still show in the log that you're attempting to block certain attacks even if the firewall is off so that service is always running, though without the firewall active it never blocks anything.

Edit: changed link to a more informative article.

Quesstion:

Which firewall should be on? Can I use the firewall of Lion OS X server through systempreferences or must I use the firewall of Server Admin? The reason is that with the firewall of Server Admin Itunes Airplay isn't working nog even with the ports open as stated on this support site.

Did you find a solutuion to this? Having the same issue wioth airplay. I have boith firewall turned on, but with server admin firewall set to allow all it somwhow prevents airplay from working. Even tried allowing the required ports and still no go. As soon as I turn off the firewall airplay works again.