Viewing Mavericks OS X Server adaptive firewall statistics

Thanks Linc,

Sorry to take so long to answer. Just getting back to this problem.

I knew about having to modify plist and have it set to the external interface IP address of the Mac Mini

MrHoffman,

I'll do some poking around to see if ipfw or pfctl are running

Paul

I gave up trying to get the adaptive firewall working through the command line and installed IceFloor from hanynet.com . That works very well for the IPv4 traffic, but I'm having a challenge getting the IPv6 firewall to let port 546 and 547 traffic through to support dhcp6. Has anyone figured out the rules to add to get these two ports opened up?

I've added this Firewall/Inbound rule:

upv6-dhcp6 all 546 547

for IPv6 address fe80::f6ce:46ff:fe36:7b3e on interface en0

I also tried with IPv6 address ::/0 on interface en0

And I'm still blocked

In the log: 00:00:01.999854 rule 10/0(match): block in on en0: fe80::f6ce:46ff:fe36:7b3e.546 > ff02::1:2.547: dhcp6 inf-req

In /Library/IceFloor/icefloor.genericipv6 there are "pass" rules to take care of IPv6 advertisements, multicast, bonjour and DHCPv6 But it seems these rules aren't "active".

Does anyone know how to make this set of rules active in IceFloor? I think I've been looking at this too long and missing the obvious.

As a follow up on MrHoffman's recommendation to get a ZyWall USG firewall (I bought the USG 50). This box is a bargain. It is well made, pretty straight forward to configure with a nice web interface once you wade through the manual a few times. I only needed the firewall part of the ZyWall since I already have in place a CISCO 1921 router that takes good care of my home office routing and DHCP service needs I never got around to learning enough CISCO IOS to setup additional rules for handling firewall tasks. I tried to us a Mac Mini running Mavericks OS X Server, but the OS X PF firewall was sparsely documented and difficult to configure for my environment even when using the IceFloor GUI front end.

All I had to do with the ZyWall was plug one of the LAN interfaces into my laptop and configure one of the ZyWall WAN interfaces with a LAN ip address and gateway. Then plug the WAN interface into the switch and use the GUI to configure the rest of the settings. For my "bridged" firewall, I took interfaces 4 and 5, called those LAN 2 and using the web interface defined them as a bridge. Told the ZyWall that LAN2 was a tagged VLAN and plugged interface 4 into my switch that handles both LAN and VLAN WAN tagged traffic, plugged interface 5 into the ethernet interface on my MacMini Server which has VLAN 2 set up for the internet traffic, and I was up and running!

The ZyWall sits between the switch and MacMini (or whatever box you wish to firewall) and takes care of anti-Spam and other filtering tasks. Both IPv4 and IPv6 traffic passes through just fine. I didn't even have to turn on IPv6 support on the ZyWall, it just worked for bridging all the ethernet packet traffic between the server and the switch.

I choked a bit when I saw the price for the subscription services for virus, spam and content filtering. I'm using the 1 month trial licenses now and will decide after a month whether or not to spend $200+ a year for these licenses or just use the firewall rules without the subscription services. The license service costs are a bit steep for home office use where I'm the only user.

My reason for putting the firewall in place is to start managing the huge amount of spam that comes in to a MacMini that is used to collect and relay email for members of two non-profit community web sites that I run. The end point services do a good job of getting rid of 99% of the spam, but the intermediate server we use to ingest email using the community service email domain addresses and forward on to the individual's various ISP email addresses is getting rate limited by the ISPs. I'm trying to be a good player by screening out a good chunk of the spam mail and sending mail that is mostly legitimate. If the subscribed anti-Spam service can help in filtering out a good portion of the spam then that will reduce the load on macMini server where we use Postfix to collect up the email addressed to the community mail boxes and forward on to the mailboxes owned by the individual volunteers.

After running half a day, it appears the ZyWall firewall doesn't know how to inspect email contained on a bridged interface when the packets are tagged as part of a VPN. Since the MacMini has but one GIgE interface, that interface handles both the LAN and WAN traffic for the MacMini. The LAN traffic is untagged and the WAN traffic, coming from FIOS is tagged by the Cisco switch as VLAN2. That way both LAN and WAN traffic can be sent to and from the Mini using the one high speed Ethernet interface.

If I can't figure out a way to get the ZyWall to inspect the traffic contained in tagged ethernet packets, then I need to figure out how to get IceFloor to work, find another piece of hardware that can handle tagged traffic, or put the usb to ethernet adapter on the Mini to split up the traffic so tagging isn't necessary and the Zywall will hopefully work. Unforutnatley, the USB to ethernet connection is slow and adds yet another cable to the mix.