Paul Derby

Q: Viewing Mavericks OS X Server adaptive firewall statistics

When using the following command:

/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary

the response is always:

  In the past 23 hours 59 minutes the following hosts were blocked by the Adaptive Firewall
    from 2014-08-09 15:26:54 +0000
    to 2014-08-10 15:26:53 +0000

    Address Count(Total) Last Block Time

    0 unique hosts   0 total blocks  0 overall

 

Does anyone know how to get hb_summary to report adaptive firewall statistics?

 

The system log indicates that the firewall is enabled and working. 


Posted on Aug 10, 2014 8:30 AM


  • by MrHoffman, Level 6 (15,627 points), Mac OS X, Aug 10, 2014 10:27 AM in response to Paul Derby

    There are potentially three firewalls around on OS X — are the connections getting blocked at pf (man pfctl) or at (if you're using it) ipfw?

  • by Linc Davis (Helpful answer), Level 10 (207,963 points), Applications, Aug 10, 2014 3:36 PM in response to Paul Derby

    The default configuration of the adaptive firewall doesn't actually work, though the documentation doesn't bother to mention that fact. You have to edit the file /etc/af.plist. Change the value of the key "firewall_address" from the default "127.0.0.1" to the IP address of the interface on which the server listens.
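Added example, not from this thread or from Apple: a small Python check for the misconfiguration Linc describes, which reads an af.plist, flags the loopback default and rewrites firewall_address to a given interface address. The file path and key name come from the reply above; the sample plist content and the address 192.0.2.10 are constructed.

```python
import ipaddress
import plistlib

# Constructed stand-in for /etc/af.plist carrying the default value the
# reply above says does not work; the file path and key name are from
# that reply, everything else here is assumed.
SAMPLE_AF_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>firewall_address</key>
    <string>127.0.0.1</string>
</dict>
</plist>
"""


def check_firewall_address(plist_bytes: bytes) -> str:
    """Classify the configured firewall_address:
    'missing'  - key absent
    'loopback' - still the 127.0.0.1 default from the reply above
    'ok'       - some other address"""
    conf = plistlib.loads(plist_bytes)
    addr = conf.get("firewall_address")
    if addr is None:
        return "missing"
    return "loopback" if ipaddress.ip_address(addr).is_loopback else "ok"


def set_firewall_address(plist_bytes: bytes, listen_ip: str) -> bytes:
    """Return a copy of the plist with firewall_address set to the IP of
    the interface the server listens on. Loopback, unspecified and
    multicast addresses are refused since none of them is a listener."""
    ip = ipaddress.ip_address(listen_ip)  # ValueError on malformed input
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        raise ValueError(f"{listen_ip} is not a usable interface address")
    conf = plistlib.loads(plist_bytes)
    conf["firewall_address"] = str(ip)
    return plistlib.dumps(conf)


if __name__ == "__main__":
    # 192.0.2.10 is a constructed (documentation-range) example address.
    print(check_firewall_address(SAMPLE_AF_PLIST))          # loopback
    fixed = set_firewall_address(SAMPLE_AF_PLIST, "192.0.2.10")
    print(check_firewall_address(fixed))                   # ok
```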

  • by Paul Derby, Level 1 (133 points), Servers Enterprise, Aug 22, 2014 2:29 PM in response to Linc Davis

    Thanks Linc,

    Sorry to take so long to answer. Just getting back to this problem.

    I knew about having to modify the plist and have it set to the external interface IP address of the Mac Mini.

    MrHoffman,

    I'll do some poking around to see if ipfw or pfctl are running.

    Paul

  • by Paul Derby, Level 1 (133 points), Servers Enterprise, Aug 30, 2014 7:59 PM in response to Paul Derby

    I gave up trying to get the adaptive firewall working through the command line and installed IceFloor from hanynet.com. That works very well for the IPv4 traffic, but I'm having a challenge getting the IPv6 firewall to let port 546 and 547 traffic through to support dhcp6. Has anyone figured out the rules to add to get these two ports opened up?

    I've added this Firewall/Inbound rule:

    upv6-dhcp6         all         546  547

    for IPv6 address fe80::f6ce:46ff:fe36:7b3e on interface en0.

    I also tried with IPv6 address ::/0 on interface en0.

    And I'm still blocked.

    In the log:  00:00:01.999854 rule 10/0(match): block in on en0: fe80::f6ce:46ff:fe36:7b3e.546 > ff02::1:2.547: dhcp6 inf-req

    In /Library/IceFloor/icefloor.genericipv6 there are "pass" rules to take care of IPv6 advertisements, multicast, bonjour and DHCPv6. But it seems these rules aren't "active".

    Does anyone know how to make this set of rules active in IceFloor? I think I've been looking at this too long and missing the obvious.
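Added example, not part of Paul's post or of IceFloor: a parser for the tcpdump-style pflog line quoted above that counts blocked DHCPv6 packets (UDP 546/547 over IPv6) per pf rule number, so the blocking rule can be matched against the @-numbered entries printed by `pfctl -vvsr`. The first sample line is the one from the post; the other three are constructed.

```python
import ipaddress
import re
from collections import Counter

# pflog line as tcpdump prints it (shape taken from the line quoted in the
# post above): "<ts> rule N/M(reason): action dir on iface: src.port > dst.port: detail"
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>\S+?)(?::\s+(?P<rest>.*))?$"
)
DHCPV6_PORTS = {546, 547}  # client listens on 546, servers/relays on 547


def split_addr_port(token: str):
    """'fe80::1.546' -> (IPv6Address, 546); '10.0.0.1.22' -> (IPv4Address, 22)."""
    host, port = token.rsplit(".", 1)
    return ipaddress.ip_address(host), int(port)


def parse_pflog_line(line: str):
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_addr_port(m["src"])
    dst, dport = split_addr_port(m["dst"])
    return {"rule": int(m["rule"]), "action": m["action"], "dir": m["dir"],
            "iface": m["iface"], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "rest": m["rest"] or ""}


def is_dhcpv6(rec) -> bool:
    """DHCPv6 runs over IPv6 with both ends on port 546 or 547."""
    return (rec["src"].version == 6 and rec["dst"].version == 6
            and rec["sport"] in DHCPV6_PORTS and rec["dport"] in DHCPV6_PORTS)


def blocked_dhcpv6_by_rule(lines) -> Counter:
    """Count blocked DHCPv6 packets per pf rule number so the offending
    rule can be looked up in the loaded ruleset."""
    hits = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block" and is_dhcpv6(rec):
            hits[rec["rule"]] += 1
    return hits


SAMPLE_LOG = [  # first line from the post; the remaining three are constructed
    "00:00:01.999854 rule 10/0(match): block in on en0: fe80::f6ce:46ff:fe36:7b3e.546 > ff02::1:2.547: dhcp6 inf-req",
    "00:00:02.100001 rule 10/0(match): block in on en0: fe80::1.547 > fe80::f6ce:46ff:fe36:7b3e.546: dhcp6 reply",
    "00:00:02.200002 rule 3/0(match): block in on en0: 198.51.100.7.40000 > 192.0.2.10.22: Flags [S], seq 1, win 65535",
    "00:00:02.300003 rule 12/0(match): pass in on en0: fe80::1.547 > fe80::f6ce:46ff:fe36:7b3e.546: dhcp6 reply",
]
```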

  • by MrHoffman (Solved answer), Level 6 (15,627 points), Mac OS X, Aug 31, 2014 8:19 AM in response to Paul Derby

    Paul Derby wrote:

      I gave up trying to get the adaptive firewall working through the command line ...

    Depending on what you're up to here... I switched to server-grade gateway-firewall boxes with integrated VPN server capabilities, and haven't looked back.

    Host-based firewalls tend to run afoul of local software bugs and of local configuration errors, where a dedicated firewall generally isn't modified all that often, save for firmware upgrades and specific and intended changes. You have to log into the firewall to change it, where reconfiguring software can sometimes open up problems when depending solely on a host-based firewall.

    FWIW, the ZyXEL ZYWALL USG series is pretty good and fairly inexpensive, though these are definitely not introductory-level devices. You're definitely assumed and expected to already understand VPNs, IP terminology, and other networking-related constructs.

  • by Paul Derby, Level 1 (133 points), Servers Enterprise, Sep 13, 2014 9:56 PM in response to Paul Derby

    As a follow-up on MrHoffman's recommendation to get a ZyWall USG firewall, I bought the USG 50. This box is a bargain. It is well made, pretty straightforward to configure with a nice web interface once you wade through the manual a few times. I only needed the firewall part of the ZyWall since I already have in place a CISCO 1921 router that takes good care of my home office routing and DHCP service needs; I never got around to learning enough CISCO IOS to set up additional rules for handling firewall tasks. I tried to use a Mac Mini running Mavericks OS X Server, but the OS X PF firewall was sparsely documented and difficult to configure for my environment even when using the IceFloor GUI front end.

    All I had to do with the ZyWall was plug one of the LAN interfaces into my laptop and configure one of the ZyWall WAN interfaces with a LAN IP address and gateway. Then plug the WAN interface into the switch and use the GUI to configure the rest of the settings. For my "bridged" firewall, I took interfaces 4 and 5, called those LAN 2 and using the web interface defined them as a bridge. Told the ZyWall that LAN2 was a tagged VLAN and plugged interface 4 into my switch that handles both LAN and VLAN WAN tagged traffic, plugged interface 5 into the ethernet interface on my MacMini Server which has VLAN 2 set up for the internet traffic, and I was up and running!

    The ZyWall sits between the switch and MacMini (or whatever box you wish to firewall) and takes care of anti-spam and other filtering tasks. Both IPv4 and IPv6 traffic pass through just fine. I didn't even have to turn on IPv6 support on the ZyWall; it just worked for bridging all the ethernet packet traffic between the server and the switch.

    I choked a bit when I saw the price for the subscription services for virus, spam and content filtering. I'm using the 1 month trial licenses now and will decide after a month whether or not to spend $200+ a year for these licenses or just use the firewall rules without the subscription services. The license service costs are a bit steep for home office use where I'm the only user.

  • by MrHoffman, Level 6 (15,627 points), Mac OS X, Sep 14, 2014 8:20 AM in response to Paul Derby

    On the networks I'm dealing with that are using those USG boxes, I haven't subscribed to the ZyXEL services.

    If you're headed down that general path for the connected clients, consider end-point services and network-monitoring, and not traditional AV/AM or firewall-based services. Signature-based AV misses too much, and you're probably going to be far more interested in ensuring current versions and related compliance anyway.

    FWIW, I did have issues with getting iOS and OS X clients to connect to the L2TP VPN server within a USG 50 box a while back, and that was resolved with a firmware upgrade.

  • by Paul Derby, Level 1 (133 points), Servers Enterprise, Sep 14, 2014 1:41 PM in response to MrHoffman

    My reason for putting the firewall in place is to start managing the huge amount of spam that comes in to a MacMini that is used to collect and relay email for members of two non-profit community web sites that I run. The end point services do a good job of getting rid of 99% of the spam, but the intermediate server we use to ingest email using the community service email domain addresses and forward on to the individuals' various ISP email addresses is getting rate limited by the ISPs. I'm trying to be a good player by screening out a good chunk of the spam mail and sending mail that is mostly legitimate. If the subscribed anti-spam service can help in filtering out a good portion of the spam, then that will reduce the load on the MacMini server where we use Postfix to collect up the email addressed to the community mail boxes and forward on to the mailboxes owned by the individual volunteers.

    After running half a day, it appears the ZyWall firewall doesn't know how to inspect email contained on a bridged interface when the packets are tagged as part of a VPN. Since the MacMini has but one GigE interface, that interface handles both the LAN and WAN traffic for the MacMini. The LAN traffic is untagged and the WAN traffic, coming from FIOS, is tagged by the Cisco switch as VLAN2. That way both LAN and WAN traffic can be sent to and from the Mini using the one high speed Ethernet interface.

    If I can't figure out a way to get the ZyWall to inspect the traffic contained in tagged ethernet packets, then I need to figure out how to get IceFloor to work, find another piece of hardware that can handle tagged traffic, or put the USB to ethernet adapter on the Mini to split up the traffic so tagging isn't necessary and the ZyWall will hopefully work. Unfortunately, the USB to ethernet connection is slow and adds yet another cable to the mix.

  • by MrHoffman, Level 6 (15,627 points), Mac OS X, Sep 14, 2014 5:46 PM in response to Paul Derby

    I'd rework the network. NAT at the USG, with port-forwarding to the server. One (private) IP address at the Mac. Use spamassassin and amavis and zen for mail filtering.

  • by dmltv, Level 1 (8 points), Mac OS X, Jun 14, 2016 11:35 AM in response to MrHoffman

    If you think the zywall is good, maybe you can help me with a problem I'm having.

    We run an Open Directory server on a mac mini. This mac mini is also the DNS for our VLAN (192.168.3.100-255).

    On most computers the internet runs smoothly. I have, however, two computers that have intermittent problems with getting a response from the DNS, because they're not retrieving webpages. I can connect with remote desktop etc. just fine though. The computers all get an IP address from the DHCP (also on the zywall).

    Together with the Network guys I figured out the clients that have problems are being blocked for polling one of apple's servers too often.

    Zywall logs (number, time, severity, category, message, source, destination, note):

    #    Time                 Severity  Category                 Message                                  Source               Destination        Note
    180  2016-06-14 19:46:45  alert     Security Policy Control  abnormal TCP flag attack detected, DROP  192.168.3.174:53268  17.167.146.12:443  ACCESS BLOCK
    181  2016-06-14 19:46:18  alert     Security Policy Control  abnormal TCP flag attack detected, DROP  192.168.3.174:53253  17.167.146.12:443  ACCESS BLOCK
    182  2016-06-14 19:46:09  alert     Security Policy Control  abnormal TCP flag attack detected, DROP  192.168.3.174:53250  17.167.146.12:443  ACCESS BLOCK
    183  2016-06-14 19:46:06  alert     Security Policy Control  abnormal TCP flag attack detected, DROP  192.168.3.174:53249  17.167.146.12:443  ACCESS BLOCK
    184  2016-06-14 19:46:02  alert     Security Policy Control  abnormal TCP flag attack detected, DROP  192.168.3.174:53220  17.167.146.12:443  ACCESS BLOCK
    209  2016-06-14 19:35:38  alert     Security Policy Control  abnormal TCP flag attack detected, DROP  192.168.3.174:52435  17.167.146.12:443  ACCESS BLOCK
    211  2016-06-14 19:35:11  alert     Security Policy Control  abnormal TCP flag attack detected, DROP  192.168.3.174:52421  17.167.146.12:443  ACCESS BLOCK

    When these log entries manifest I am also not able to ping google from these computers.

    The network guy was supposed to update the firmware to the zywall tonight. ZyXEL support told us to update it to the latest build before they could help us. Apparently they are aware of the issue.

    I tried the solution suggested here, but unfortunately it's not the definite solution:
    http://labs.hoffmanlabs.com/node/1920

    I'd hate to have to get a second firewall just to block one IP address.

  • by MrHoffman, Level 6 (15,627 points), Mac OS X, Jun 14, 2016 2:44 PM in response to dmltv

    I've shut off these Apple server reachability status checks via Server.app for now. Most of those checks are not getting past the ZyXEL rules on most of the servers and networks I'm dealing with in any case, as they're internal-facing servers, and are filling up the log.

    From what I've experienced, neither the reachability checks nor the bogus flags are related to DNS translations or network routing or whatever is causing the connectivity issues with reaching Google. There's probably something else going on with that, and those two hosts.

    Once the ZyXEL firewall is loaded and running the current firmware (and if the problem persists), I'd suggest starting up your own thread with some details of whatever's happening here (maybe post a link here?), as AFAICT what you're reporting is not related to the question the OP was asking, and mixing threads just gets me confused.

  • by dmltv, Level 1 (8 points), Mac OS X, Jun 15, 2016 2:11 AM in response to MrHoffman

    Well, it's not related to the DNS, but that's the only symptom where it's causing problems. The zywall blocks DNS requests from those clients, apparently for contacting Apple and/or facebook servers.

    As you suggested, I've made a separate topic: Zywall blocks clients