PeterKjeldsen

Q: Adaptive Firewall not responding

I am trying to block the IP address 74.208.72.135 due to these lines occurring every 12 minutes in the server's SMTP Log:

Aug 24 17:12:35 mail.myserver.com postfix/smtpd[1810]: error: get user record: unable to open user record for user=angeles@myserver.com
Aug 24 17:12:35 mail.myserver.com postfix/smtpd[1810]: error: verify password: unable to lookup user record for: user=angeles@myserver.com
Aug 24 17:12:35 mail.myserver.com postfix/smtpd[1810]: error: authentication failed
Aug 24 17:12:35 mail.myserver.com postfix/smtpd[1810]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

My first strategy was to employ the adaptive firewall according to the Apple Support page (OS X Server: How to enable the adaptive firewall - Apple Support), but I have had no luck: the Adaptive Firewall will not start when rebooted, hence I cannot add 74.208.72.135 to the blacklist.


Any ideas?

Mac mini, OS X Server, Server 4.1.5 (Build 14S1136)

Posted on Aug 24, 2015 7:27 AM


  • by Linc Davis (Level 10, 207,990 points), Aug 24, 2015 10:40 AM in response to PeterKjeldsen

    What do you have in the file /etc/af.plist ?

  • by PeterKjeldsen (Level 1, 0 points), Aug 24, 2015 11:42 AM in response to Linc Davis

    /etc/af.plist

    Created: 30 January 2013
    Modified: 12 August 2014
    Last opened: 12 August 2014

    No record of anything happening today.

    Content of /etc/af.plist:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>blacklist_file</key>
      <string>/var/db/af/blacklist</string>
      <key>default_set</key>
      <string>17</string>
      <key>default_timeout</key>
      <string>15</string>
      <key>firewall_address</key>
      <string>127.0.0.1</string>
      <key>log_facility</key>
      <string>SBS_Security</string>
      <key>log_level</key>
      <string>5</string>
      <key>start_behavior</key>
      <string>enabled</string>
      <key>state_file</key>
      <string>/var/run/af_state</string>
      <key>sweep_interval</key>
      <string>20</string>
      <key>whitelist_file</key>
      <string>/var/db/af/whitelist</string>
    </dict>
    </plist>

  • by Linc Davis (Level 10, 207,990 points), Aug 24, 2015 11:54 AM in response to PeterKjeldsen

    The default configuration of the adaptive firewall doesn't actually work, though the documentation doesn't bother to mention that fact. You have to edit the file /etc/af.plist. Change the value of the key "firewall_address" from the default "127.0.0.1" to the IP address of the interface on which the server listens.

  • by PeterKjeldsen (Level 1, 0 points), Aug 24, 2015 1:11 PM in response to Linc Davis

    Okay I changed the IP address from 127.0.0.1 to the local IP address.

    I ran the whole procedure from OS X Server: How to enable the adaptive firewall - Apple Support again (as root, via su):

    sh-3.2# pfctl -f /etc/pf.conf
    pfctl: Use of -f option, could result in flushing of rules
    present in the main ruleset added by the system at startup.
    See /etc/pf.conf for further details.
    No ALTQ support in kernel
    ALTQ related functions disabled
    sh-3.2# /Applications/Server.app/Contents/ServerRoot/usr/sbin/serverctl enable service=com.apple.afctl
    {
    }
    sh-3.2# /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -c
    sh-3.2# /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f
    No ALTQ support in kernel
    ALTQ related functions disabled
    No ALTQ support in kernel
    ALTQ related functions disabled
    pf enabled
    Token : 15059476430182572699
    No ALTQ support in kernel
    ALTQ related functions disabled
    sh-3.2# defaults write /System/Library/LaunchDaemons/com.apple.pfctl ProgramArguments '(pfctl, -f, /etc/pf.conf, -e)'
    sh-3.2# chmod 644 /System/Library/LaunchDaemons/com.apple.pfctl.plist
    sh-3.2# plutil -convert xml1 /System/Library/LaunchDaemons/com.apple.pfctl.plist
    sh-3.2#

    I rebooted and ran:

    mail:~ admin$ su
    Password:
    sh-3.2# afctl -a 74.208.72.135
    sh: afctl: command not found

    Meanwhile the guys have a great time:

    Aug 24 20:59:00 mail.myserver.com postfix/smtpd[3954]: warning: hostname ptr-155.133.18.81.vmline.pl does not resolve to address 155.133.18.81: nodename nor servname provided, or not known
    Aug 24 20:59:31 --- last message repeated 43 times ---
    Aug 24 21:07:26 mail.myserver.com postfix/smtpd[4050]: error: get user record: unable to open user record for user=test3@myserver.com
    Aug 24 21:07:26 mail.myserver.com postfix/smtpd[4050]: error: verify password: unable to lookup user record for: user=test3@myserver.com
    Aug 24 21:07:26 mail.myserver.com postfix/smtpd[4050]: error: authentication failed
    Aug 24 21:07:26 mail.myserver.com postfix/smtpd[4050]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    Aug 24 21:19:16 mail.myserver.com postfix/smtpd[4180]: error: get user record: unable to open user record for user=tim@myserver.com
    Aug 24 21:19:16 mail.myserver.com postfix/smtpd[4180]: error: verify password: unable to lookup user record for: user=tim@myserver.com
    Aug 24 21:19:16 mail.myserver.com postfix/smtpd[4180]: error: authentication failed
    Aug 24 21:19:16 mail.myserver.com postfix/smtpd[4180]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    Aug 24 21:30:53 mail.myserver.com postfix/smtpd[4308]: error: get user record: unable to open user record for user=apple@myserver.com
    Aug 24 21:30:53 mail.myserver.com postfix/smtpd[4308]: error: verify password: unable to lookup user record for: user=apple@myserver.com
    Aug 24 21:30:53 mail.myserver.com postfix/smtpd[4308]: error: authentication failed
    Aug 24 21:30:53 mail.myserver.com postfix/smtpd[4308]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    Aug 24 21:42:36 mail.myserver.com postfix/smtpd[4871]: error: get user record: unable to open user record for user=b@myserver.com
    Aug 24 21:42:36 mail.myserver.com postfix/smtpd[4871]: error: verify password: unable to lookup user record for: user=b@myserver.com
    Aug 24 21:42:36 mail.myserver.com postfix/smtpd[4871]: error: authentication failed
    Aug 24 21:42:36 mail.myserver.com postfix/smtpd[4871]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    Aug 24 21:54:19 mail.myserver.com postfix/smtpd[514]: error: get user record: unable to open user record for user=backupexec@myserver.com
    Aug 24 21:54:19 mail.myserver.com postfix/smtpd[514]: error: verify password: unable to lookup user record for: user=backupexec@myserver.com
    Aug 24 21:54:19 mail.myserver.com postfix/smtpd[514]: error: authentication failed
    Aug 24 21:54:19 mail.myserver.com postfix/smtpd[514]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    Aug 24 22:06:08 mail.myserver.com postfix/smtpd[848]: error: get user record: unable to open user record for user=install@myserver.com
    Aug 24 22:06:08 mail.myserver.com postfix/smtpd[848]: error: verify password: unable to lookup user record for: user=install@myserver.com
    Aug 24 22:06:08 mail.myserver.com postfix/smtpd[848]: error: authentication failed
    Aug 24 22:06:08 mail.myserver.com postfix/smtpd[848]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    Aug 24 22:17:51 mail.myserver.com postfix/smtpd[454]: error: get user record: unable to open user record for user=laptop@myserver.com
    Aug 24 22:17:51 mail.myserver.com postfix/smtpd[454]: error: verify password: unable to lookup user record for: user=laptop@myserver.com
    Aug 24 22:17:51 mail.myserver.com postfix/smtpd[454]: error: authentication failed
    Aug 24 22:17:51 mail.myserver.com postfix/smtpd[454]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    Aug 24 22:29:40 mail.myserver.com postfix/smtpd[803]: error: get user record: unable to open user record for user=lola@myserver.com
    Aug 24 22:29:40 mail.myserver.com postfix/smtpd[803]: error: verify password: unable to lookup user record for: user=lola@myserver.com
    Aug 24 22:29:40 mail.myserver.com postfix/smtpd[803]: error: authentication failed
    Aug 24 22:29:40 mail.myserver.com postfix/smtpd[803]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    Aug 24 22:41:22 mail.myserver.com postfix/smtpd[532]: error: get user record: unable to open user record for user=ospite@myserver.com
    Aug 24 22:41:22 mail.myserver.com postfix/smtpd[532]: error: verify password: unable to lookup user record for: user=ospite@myserver.com
    Aug 24 22:41:22 mail.myserver.com postfix/smtpd[532]: error: authentication failed
    Aug 24 22:41:22 mail.myserver.com postfix/smtpd[532]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    Aug 24 22:53:10 mail.myserver.com postfix/smtpd[1290]: error: get user record: unable to open user record for user=postgres@myserver.com
    Aug 24 22:53:10 mail.myserver.com postfix/smtpd[1290]: error: verify password: unable to lookup user record for: user=postgres@myserver.com
    Aug 24 22:53:10 mail.myserver.com postfix/smtpd[1290]: error: authentication failed
    Aug 24 22:53:10 mail.myserver.com postfix/smtpd[1290]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    Aug 24 22:53:13 mail.myserver.com postfix/postscreen[1284]: warning: dnsblog reply timeout 10s for zen.spamhaus.org
    Aug 24 22:53:33 mail.myserver.com postfix/dnsblog[1285]: warning: dnsblog_query: lookup error for DNS query 135.72.208.74.zen.spamhaus.org: Host or domain name not found. Name service error for name=135.72.208.74.zen.spamhaus.org type=A: Host not found, try again
    Aug 24 23:05:01 mail.myserver.com postfix/smtpd[1806]: error: get user record: unable to open user record for user=update@myserver.com
    Aug 24 23:05:01 mail.myserver.com postfix/smtpd[1806]: error: verify password: unable to lookup user record for: user=update@myserver.com
    Aug 24 23:05:01 mail.myserver.com postfix/smtpd[1806]: error: authentication failed
    Aug 24 23:05:01 mail.myserver.com postfix/smtpd[1806]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed

  • by Linc Davis (Level 10, 207,990 points), Aug 24, 2015 1:32 PM in response to PeterKjeldsen [Solved answer]

    sh: afctl: command not found

    Use the full path.

  • by PeterKjeldsen (Level 1, 0 points), Aug 24, 2015 2:48 PM in response to Linc Davis

    sh-3.2# /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 74.208.72.135
    No ALTQ support in kernel
    ALTQ related functions disabled
    1/1 addresses added.

    From SMTP Log:

    Aug 25 00:03:35 mail.myserver.com postfix/smtpd[723]: error: get user record: unable to open user record for user=carlos@myserver.com
    Aug 25 00:03:35 mail.myserver.com postfix/smtpd[723]: error: verify password: unable to lookup user record for: user=carlos@myserver.com
    Aug 25 00:03:35 mail.myserver.com postfix/smtpd[723]: error: authentication failed
    Aug 25 00:03:35 mail.myserver.com postfix/smtpd[723]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    Aug 25 00:15:12 mail.myserver.com postfix/smtpd[1264]: error: get user record: unable to open user record for user=comercial@myserver.com
    Aug 25 00:15:12 mail.myserver.com postfix/smtpd[1264]: error: verify password: unable to lookup user record for: user=comercial@myserver.com
    Aug 25 00:15:12 mail.myserver.com postfix/smtpd[1264]: error: authentication failed
    Aug 25 00:15:12 mail.myserver.com postfix/smtpd[1264]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
    ...

    26 minutes later, not a sign... HA! They're barred. I'm delighted.

    Thanks Linc, thank you very much. Your help is much appreciated.
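A defender-side helper, added here and not part of the thread or of OS X Server: it correlates postfix's "unable to open user record" and "SASL LOGIN authentication failed" lines through the smtpd child PID (the client IP appears only on the latter), groups the usernames tried per source IP, and emits the full-path afctl -a commands the accepted answer calls for. The sample log, the attempt threshold and the whitelist are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the postfix/smtpd lines quoted in the thread.
SAMPLE_LOG = """\
Aug 24 21:07:26 mail.myserver.com postfix/smtpd[4050]: error: get user record: unable to open user record for user=test3@myserver.com
Aug 24 21:07:26 mail.myserver.com postfix/smtpd[4050]: error: authentication failed
Aug 24 21:07:26 mail.myserver.com postfix/smtpd[4050]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
Aug 24 21:19:16 mail.myserver.com postfix/smtpd[4180]: error: get user record: unable to open user record for user=tim@myserver.com
Aug 24 21:19:16 mail.myserver.com postfix/smtpd[4180]: warning: s15434454.onlinehome-server.com[74.208.72.135]: SASL LOGIN authentication failed
Aug 24 21:33:10 mail.myserver.com postfix/smtpd[4400]: error: get user record: unable to open user record for user=carlos@myserver.com
Aug 24 21:33:10 mail.myserver.com postfix/smtpd[4400]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed
Aug 24 22:53:13 mail.myserver.com postfix/postscreen[1284]: warning: dnsblog reply timeout 10s for zen.spamhaus.org
"""

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
USER = re.compile(r"user record for user=(?P<user>\S+)")
FAIL = re.compile(r"warning: \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed")

# Full path, as the accepted answer insists: afctl is not on root's PATH.
AFCTL = "/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl"

def sasl_failures_by_ip(log_text):
    """Map each client IP to the usernames it tried. The username and the IP
    sit on different lines, so they are joined via the smtpd child PID."""
    pending = defaultdict(list)  # pid -> usernames seen before the failure line
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue  # postscreen/dnsblog noise is not an authentication event
        pid, msg = m.group("pid"), m.group("msg")
        u = USER.search(msg)
        f = FAIL.search(msg)
        if u:
            pending[pid].append(u.group("user"))
        elif f:
            by_ip[f.group("ip")].extend(pending.pop(pid, ["<unknown>"]))
    return {ip: sorted(users) for ip, users in by_ip.items()}

def block_candidates(by_ip, min_attempts, whitelist=()):
    """IPs with at least min_attempts failed logins, minus whitelisted ones."""
    return sorted(ip for ip, users in by_ip.items()
                  if len(users) >= min_attempts and ip not in whitelist)

def afctl_commands(ips):
    """The commands an operator would run; nothing is executed here."""
    return [f"{AFCTL} -a {ip}" for ip in ips]
```

The whitelist parameter mirrors the whitelist_file entry in /etc/af.plist: keep your own LAN and monitoring hosts in it so a mistyped password on a local client never gets the server to block itself.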