PF and DHCP issues with Mac Mini Server

Question

PF and DHCP issues with Mac Mini Server

Hi,

I've been configuring my new Mac Mini server and for the most part things are working as they should but I have a couple problems that I haven't been able to figure out by myself. I'm not a professional in this matter but have some level of knowledge when it comes to running my own home server. My current configuration is as follows:

Setup

Mac Mini (Late 2012) running Mac OS X 10.9.5 (Mavericks) with Server app 3.2.1 acting as a router. Built in ethernet (en0) serving internal network using 10.10.10.0/24 subnet. Thunderbolt to ethernet adapter (en4) connected to external network with static IP. Public DNS hosted by ISP, lookups working properly. Two Airport Extremes configured as a roaming network. Mixed set of clients within the network running Mac OS X, Windows 7, 8, 8.1, iOS, WP8.1

Services

Configured from server app. DNS for internal 10.10.10.0/24 network with ISP DNS servers as forwarders. Also running DHCP, OD, Mail Server, Web Server. NAT and Packet Filter configured using IceFloor.

PF rules

Outbound: All services, all interfaces

Inbound: From 10.10.10.0/24 all services, all interfaces.

From any 53 67 68 123 389 636 5353 5354, all interfaces.

From any 22 25 80 110 143 443 465 587 993 995, all interfaces, tcp.

Options: Multicast DNS allowed, Emerging Threats protection enabled, Stealth mode enabled.

Custom: pass in on en0 inet proto udp from any to 255.255.255.255 keep state

pass in on en0 inet proto udp from any to 10.10.10.255 keep state

Problems

pffirewall.log is flooded with following messages (xxx.xxx.xxx.xxx is my public IP) where the source port is always 993 but the destination varies within the UDP dynamic range.

Sep 26 12:28:21 mydomain.com pf[221]: 00:00:00.000088 rule 12/0(match): block in on en4: xxx.xxx.xxx.xxx.993 > xxx.xxx.xxx.xxx.54256: Flags [S.], seq 3537213936, ack 2188358662, win 65535, options [mss 16344,nop,wscale 4,nop,nop,TS val 162534351 ecr 162534351,sackOK,eol], length 0

Another problem is that none of the windows clients get IP addresses from the DHCP server. When setting addresses manually they work fine.

Any ideas or help really appreciated. Thank you!

Mac mini, OS X Mavericks (10.9.5), Server 3.2.1

Posted on Sep 26, 2014 3:17 AM

Reply

Answer 1

Linc Davis

Level 10

209,739 points

Sep 26, 2014 1:31 PM in response to Jaakko Haaparanta

If your server is behind NAT, there is almost certainly no need for packet filtering and you should disable it. With a stateful firewall, there will always be some blocked TCP packets that arrive out of order, after a connection has been torn down.

Reply

Answer 2

Sep 26, 2014 1:49 PM in response to Linc Davis

> If your server is behind NAT, there is almost certainly no need for packet filtering and you should disable it.

I disagree, Linc. PF is very useful to block known bad IPs and brute force attacks, which are an hourly occurrence, especially on ssh. I use this PF configuration for OS X, which blocks brute force attacks, updates IP blocks from emergingthreats.net, and more. My logs and pf table "bruteforce" are full of attacks and blocked sites (sudo pfctl -t bruteforce -Ts). I also run snort on OS X and can see that the snort alert triggers are greatly reduced by simply blocking all these packets at the network layer.

Reply

Answer 3

Sep 27, 2014 12:23 AM in response to Jaakko Haaparanta

Just wanted to follow up on my own post because I solved the Windows clients not getting IP from the DHCP server problem. Under DNS Settings for my DHCP address range I had left the "Provide these search domains to connected users" intentionally blank but it seems Windows clients need this information in order to get IP addresses from the server.

Reply

Answer 4

Sep 27, 2014 12:29 AM in response to Linc Davis

The server is a front facing server acting as a router and providing NAT for the internal clients. So as to the original problem I am just confused why traffic from my public IP to my public IP is blocked or why there even is such traffic? And is there a way to allow it?

Reply

Answer 5

MrHoffman

Level 10

146,233 points

Sep 27, 2014 7:46 AM in response to Jaakko Haaparanta

Macs make comparatively poor IP routers and firewalls, and always have.

See the many previous discussions of the pain and grief involved here in the forums and on some of the mailing lists, and spend a small amount and get yourself (for instance) a ZyXEL ZYWALL USG box or equivalent.

FWIW, I've been installing ZyXEL USG boxes lately. They're definitely not introductory-grade devices and do expect some knowledge of IP and firewalls and VPNs, but they're comparatively cheap, effective, and have consistent and cogent user interfaces. (nb: I have no financial affiliations with ZyXEL, beyond having purchased ZyXEL gear.)

Macs as routers and firewalls are potentially vulnerable to local reconfigurations, too. Most folks don't alter with the firewall settings and the firewall context on anything approaching a daily or weekly basis, but updates and software reconfigurations are common on OS X and OS X Server; when folks are logged into the system and are tweaking configuration details and updating software — and might not be considering what's open and web-facing.

Reply

Answer 6

Linc Davis

Level 10

209,739 points

Sep 27, 2014 8:08 AM in response to Jaakko Haaparanta

As I wrote earlier, the log messages represent out-of-order packets returned from a remote host (in that example, a mail server) after the TCP connection has been closed. That's normal with a stateful firewall. If you don't have a functional problem, you can ignore the messages.

Reply