Adaptive Firewall not responding

I am trying to block the IP address 74.208.72.135 due to these lines occurring every 12 minutes in the server's SMTP log:


Aug 24 17:12:35 mail.myserver.com postfix/smtpd[1810]: error: get user record: unable to open user record for user=angeles@myserver.com

Aug 24 17:12:35 mail.myserver.com postfix/smtpd[1810]: error: verify password: unable to lookup user record for: user=angeles@myserver.com

Aug 24 17:12:35 mail.myserver.com postfix/smtpd[1810]: error: authentication failed

Aug 24 17:12:35 mail.myserver.com postfix/smtpd[1810]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed


My first strategy was to employ the adaptive firewall according to the Apple Support page (OS X Server: How to enable the adaptive firewall - Apple Support), but I have had no luck: the Adaptive Firewall will not start when rebooted, hence I cannot add 74.208.72.135 to the blacklist.

Any ideas?

Mac mini, OS X Server, Server 4.1.5 (Build 14S1136)

Posted on Aug 24, 2015 7:27 AM


Aug 24, 2015 11:42 AM in response to Linc Davis

/etc/af.plist

Created: 30 of January 2013

Modified: 12 of August 2014

Last opened: 12 August 2014


No record of anything happening today.


Content of /etc/af.plist:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>blacklist_file</key>
    <string>/var/db/af/blacklist</string>
    <key>default_set</key>
    <string>17</string>
    <key>default_timeout</key>
    <string>15</string>
    <key>firewall_address</key>
    <string>127.0.0.1</string>
    <key>log_facility</key>
    <string>SBS_Security</string>
    <key>log_level</key>
    <string>5</string>
    <key>start_behavior</key>
    <string>enabled</string>
    <key>state_file</key>
    <string>/var/run/af_state</string>
    <key>sweep_interval</key>
    <string>20</string>
    <key>whitelist_file</key>
    <string>/var/db/af/whitelist</string>
</dict>
</plist>

Aug 24, 2015 1:11 PM in response to Linc Davis

Okay, I changed the IP address from 127.0.0.1 to the local IP address.


I ran the whole procedure from OS X Server: How to enable the adaptive firewall - Apple Support again (su):


sh-3.2# pfctl -f /etc/pf.conf

pfctl: Use of -f option, could result in flushing of rules

present in the main ruleset added by the system at startup.

See /etc/pf.conf for further details.



No ALTQ support in kernel

ALTQ related functions disabled

sh-3.2# /Applications/Server.app/Contents/ServerRoot/usr/sbin/serverctl enable service=com.apple.afctl

{

}

sh-3.2# /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -c

sh-3.2# /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f

No ALTQ support in kernel

ALTQ related functions disabled

No ALTQ support in kernel

ALTQ related functions disabled

pf enabled

Token : 15059476430182572699

No ALTQ support in kernel

ALTQ related functions disabled

sh-3.2# defaults write /System/Library/LaunchDaemons/com.apple.pfctl ProgramArguments '(pfctl, -f, /etc/pf.conf, -e)'

sh-3.2# chmod 644 /System/Library/LaunchDaemons/com.apple.pfctl.plist

sh-3.2# plutil -convert xml1 /System/Library/LaunchDaemons/com.apple.pfctl.plist

sh-3.2#


I rebooted and ran:


mail:~ admin$ su

Password:

sh-3.2# afctl -a 74.208.72.135

sh: afctl: command not found



Meanwhile the guys have a great time:

Aug 24 20:59:00 mail.myserver.com postfix/smtpd[3954]: warning: hostname ptr-155.133.18.81.vmline.pl does not resolve to address 155.133.18.81: nodename nor servname provided, or not known

Aug 24 20:59:31 --- last message repeated 43 times ---

Aug 24 21:07:26 mail.myserver.com postfix/smtpd[4050]: error: get user record: unable to open user record for user=test3@myserver.com

Aug 24 21:07:26 mail.myserver.com postfix/smtpd[4050]: error: verify password: unable to lookup user record for: user=test3@myserver.com

Aug 24 21:07:26 mail.myserver.com postfix/smtpd[4050]: error: authentication failed

Aug 24 21:07:26 mail.myserver.com postfix/smtpd[4050]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 24 21:19:16 mail.myserver.com postfix/smtpd[4180]: error: get user record: unable to open user record for user=tim@myserver.com

Aug 24 21:19:16 mail.myserver.com postfix/smtpd[4180]: error: verify password: unable to lookup user record for: user=tim@myserver.com

Aug 24 21:19:16 mail.myserver.com postfix/smtpd[4180]: error: authentication failed

Aug 24 21:19:16 mail.myserver.com postfix/smtpd[4180]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 24 21:30:53 mail.myserver.com postfix/smtpd[4308]: error: get user record: unable to open user record for user=apple@myserver.com

Aug 24 21:30:53 mail.myserver.com postfix/smtpd[4308]: error: verify password: unable to lookup user record for: user=apple@myserver.com

Aug 24 21:30:53 mail.myserver.com postfix/smtpd[4308]: error: authentication failed

Aug 24 21:30:53 mail.myserver.com postfix/smtpd[4308]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 24 21:42:36 mail.myserver.com postfix/smtpd[4871]: error: get user record: unable to open user record for user=b@myserver.com

Aug 24 21:42:36 mail.myserver.com postfix/smtpd[4871]: error: verify password: unable to lookup user record for: user=b@myserver.com

Aug 24 21:42:36 mail.myserver.com postfix/smtpd[4871]: error: authentication failed

Aug 24 21:42:36 mail.myserver.com postfix/smtpd[4871]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 24 21:54:19 mail.myserver.com postfix/smtpd[514]: error: get user record: unable to open user record for user=backupexec@myserver.com

Aug 24 21:54:19 mail.myserver.com postfix/smtpd[514]: error: verify password: unable to lookup user record for: user=backupexec@myserver.com

Aug 24 21:54:19 mail.myserver.com postfix/smtpd[514]: error: authentication failed

Aug 24 21:54:19 mail.myserver.com postfix/smtpd[514]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 24 22:06:08 mail.myserver.com postfix/smtpd[848]: error: get user record: unable to open user record for user=install@myserver.com

Aug 24 22:06:08 mail.myserver.com postfix/smtpd[848]: error: verify password: unable to lookup user record for: user=install@myserver.com

Aug 24 22:06:08 mail.myserver.com postfix/smtpd[848]: error: authentication failed

Aug 24 22:06:08 mail.myserver.com postfix/smtpd[848]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 24 22:17:51 mail.myserver.com postfix/smtpd[454]: error: get user record: unable to open user record for user=laptop@myserver.com

Aug 24 22:17:51 mail.myserver.com postfix/smtpd[454]: error: verify password: unable to lookup user record for: user=laptop@myserver.com

Aug 24 22:17:51 mail.myserver.com postfix/smtpd[454]: error: authentication failed

Aug 24 22:17:51 mail.myserver.com postfix/smtpd[454]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 24 22:29:40 mail.myserver.com postfix/smtpd[803]: error: get user record: unable to open user record for user=lola@myserver.com

Aug 24 22:29:40 mail.myserver.com postfix/smtpd[803]: error: verify password: unable to lookup user record for: user=lola@myserver.com

Aug 24 22:29:40 mail.myserver.com postfix/smtpd[803]: error: authentication failed

Aug 24 22:29:40 mail.myserver.com postfix/smtpd[803]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 24 22:41:22 mail.myserver.com postfix/smtpd[532]: error: get user record: unable to open user record for user=ospite@myserver.com

Aug 24 22:41:22 mail.myserver.com postfix/smtpd[532]: error: verify password: unable to lookup user record for: user=ospite@myserver.com

Aug 24 22:41:22 mail.myserver.com postfix/smtpd[532]: error: authentication failed

Aug 24 22:41:22 mail.myserver.com postfix/smtpd[532]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 24 22:53:10 mail.myserver.com postfix/smtpd[1290]: error: get user record: unable to open user record for user=postgres@myserver.com

Aug 24 22:53:10 mail.myserver.com postfix/smtpd[1290]: error: verify password: unable to lookup user record for: user=postgres@myserver.com

Aug 24 22:53:10 mail.myserver.com postfix/smtpd[1290]: error: authentication failed

Aug 24 22:53:10 mail.myserver.com postfix/smtpd[1290]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 24 22:53:13 mail.myserver.com postfix/postscreen[1284]: warning: dnsblog reply timeout 10s for zen.spamhaus.org

Aug 24 22:53:33 mail.myserver.com postfix/dnsblog[1285]: warning: dnsblog_query: lookup error for DNS query 135.72.208.74.zen.spamhaus.org: Host or domain name not found. Name service error for name=135.72.208.74.zen.spamhaus.org type=A: Host not found, try again

Aug 24 23:05:01 mail.myserver.com postfix/smtpd[1806]: error: get user record: unable to open user record for user=update@myserver.com

Aug 24 23:05:01 mail.myserver.com postfix/smtpd[1806]: error: verify password: unable to lookup user record for: user=update@myserver.com

Aug 24 23:05:01 mail.myserver.com postfix/smtpd[1806]: error: authentication failed

Aug 24 23:05:01 mail.myserver.com postfix/smtpd[1806]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 24, 2015 2:48 PM in response to Linc Davis

sh-3.2# /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 74.208.72.135

No ALTQ support in kernel

ALTQ related functions disabled

1/1 addresses added.


From SMTP Log:

Aug 25 00:03:35 mail.myserver.com postfix/smtpd[723]: error: get user record: unable to open user record for user=carlos@myserver.com

Aug 25 00:03:35 mail.myserver.com postfix/smtpd[723]: error: verify password: unable to lookup user record for: user=carlos@myserver.com

Aug 25 00:03:35 mail.myserver.com postfix/smtpd[723]: error: authentication failed

Aug 25 00:03:35 mail.myserver.com postfix/smtpd[723]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

Aug 25 00:15:12 mail.myserver.com postfix/smtpd[1264]: error: get user record: unable to open user record for user=comercial@myserver.com

Aug 25 00:15:12 mail.myserver.com postfix/smtpd[1264]: error: verify password: unable to lookup user record for: user=comercial@myserver.com

Aug 25 00:15:12 mail.myserver.com postfix/smtpd[1264]: error: authentication failed

Aug 25 00:15:12 mail.myserver.com postfix/smtpd[1264]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

.

.

.

26 minutes later not a sign... HA! They're barred, I'm delighted 😀


Thanks Linc, thank you very much. Your help is much appreciated.
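
Added example, not part of the original thread or of Apple's tooling: a shell function that summarises failed SASL logins per client address from Postfix smtpd lines in the format quoted above, pairing each failure with the account name logged by the same smtpd process. It counts over the whole log rather than a short window, since the attempts in this thread arrive only once every 12 minutes. The function name sasl_offenders and the sample hosts and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-IP summary of failed SASL logins.

# Constructed sample in the thread's log format; hosts and IPs are placeholders.
sample_log() {
cat <<'EOF'
Aug 24 21:07:26 mail.example.com postfix/smtpd[4050]: error: get user record: unable to open user record for user=test3@example.com
Aug 24 21:07:26 mail.example.com postfix/smtpd[4050]: error: authentication failed
Aug 24 21:07:26 mail.example.com postfix/smtpd[4050]: warning: host-a.example.net[192.0.2.10]: SASL LOGIN authentication failed
Aug 24 21:19:16 mail.example.com postfix/smtpd[4180]: error: get user record: unable to open user record for user=tim@example.com
Aug 24 21:19:16 mail.example.com postfix/smtpd[4180]: warning: host-a.example.net[192.0.2.10]: SASL LOGIN authentication failed
Aug 24 21:25:02 mail.example.com postfix/smtpd[4200]: error: get user record: unable to open user record for user=tim@example.com
Aug 24 21:25:02 mail.example.com postfix/smtpd[4200]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed
Aug 24 21:30:53 mail.example.com postfix/smtpd[4308]: error: get user record: unable to open user record for user=apple@example.com
Aug 24 21:30:53 mail.example.com postfix/smtpd[4308]: warning: host-a.example.net[192.0.2.10]: SASL LOGIN authentication failed
Aug 24 22:53:13 mail.example.com postfix/postscreen[1284]: warning: dnsblog reply timeout 10s for zen.spamhaus.org
EOF
}

# sasl_offenders MIN: read a log on stdin and print "ip failures distinct_users"
# for every client with at least MIN failed SASL logins, busiest first.
sasl_offenders() {
  awk -v min="${1:-3}" '
    $5 !~ /^postfix\/smtpd\[[0-9]+\]:$/ { next }
    # Remember the account each smtpd process was asked to look up.
    $6 == "error:" && /get user record:/ && $NF ~ /^user=/ {
      u = $NF; sub(/^user=/, "", u); last_user[$5] = u; next
    }
    # The warning line carries the client as host[ip]: in field 7.
    $6 == "warning:" && /SASL [A-Z0-9-]+ authentication failed/ &&
    match($7, /\[[0-9A-Fa-f:.]+\]/) {
      ip = substr($7, RSTART + 1, RLENGTH - 2)
      fails[ip]++
      if ($5 in last_user) {
        key = ip SUBSEP last_user[$5]
        if (!(key in seen)) { seen[key] = 1; users[ip]++ }
        delete last_user[$5]
      }
    }
    END {
      for (ip in fails)
        if (fails[ip] >= min) printf "%s %d %d\n", ip, fails[ip], users[ip]
    }
  ' | sort -k2,2nr -k1,1
}

sample_log | sasl_offenders 3   # prints: 192.0.2.10 3 3
```

On the server the input would be the SMTP log itself. An address it reports, once checked against the whitelist, can be blocked with the full-path afctl -a command used in the last post.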
