Firewalls in El Capitan

Hello,

Be easy on yourself. Use Icefloor to manage it for you. (With due respect to Jesus Vigo)

Afterwards you can view the effects in the command line for the different interfaces.

Leo

Well, I dont agree with that one. Icefloor is a mess, its spreads your settings in multiples files and makes using ssh to administer your server very difficult. I would rather understand how it works.

You also have the alternative of Murus, although I have not played around with it. But the technical reviews are good.

If you want to stay with the command line, the stuff by Essandess is excellent

I would rather not use another product.

Hello,

To_Mi wrote:

For server services, the access control can be customized via server menu.

Check the 'Server access' section of Server Help (https://help.apple.com/serverapp/mac/5.0/?lang=en#/apd182170046)

You will be able to find many information related to packet filtering too.

I have very limited knowledge ( and experience ) on the access control as my server is experimental and is in closed environment. ( still learning )

Seemingly, the server setup is shown in the "com.apple.server-firewall" anchor.

# pfctl -v -sA

No ALTQ support in kernel

ALTQ related functions disabled

base

com.apple

com.apple/200.AirDrop

com.apple/250.ApplicationFirewall

com.apple/400.AdaptiveFirewall

com.apple.server-firewall

com.apple.server-firewall/base

com.apple.server-firewall/custom-firewall

custom-firewall

Hoping this gives you some hints.

dash v did it. Without it you only get the base anchor. But anchors can contain anchors. Everything is in com.apple.server-firewall/custom-firewall.

[labanque:: 6:41] [~] % sudo pfctl -sA

No ALTQ support in kernel

ALTQ related functions disabled

base

com.apple

com.apple.server-firewall

custom-firewall

[labanque:: 6:41] [~] % sudo pfctl -sA -v

No ALTQ support in kernel

ALTQ related functions disabled

base

com.apple

com.apple/200.AirDrop

com.apple/250.ApplicationFirewall

com.apple/400.AdaptiveFirewall

com.apple.server-firewall

com.apple.server-firewall/base

com.apple.server-firewall/custom-firewall

custom-firewall

[labanque:: 6:41] [~] %

Also, the firewall setting in that interface is in my own modest opinion complicated. If I want to modulate a service only on one interface, its rather awkward. Its much easier to do in the config file. My gateway has two networks two external networks and two internal networks with different nating.

[labanque:: 6:34] [~] % sudo pfctl -a com.apple.server-firewall/custom-firewall -sr

No ALTQ support in kernel

ALTQ related functions disabled

pass in inet from 10.0.0.0/8 to any no state

pass in inet from 192.168.0.0/16 to any no state

pass in inet from 169.254.0.0/16 to any no state

pass in inet from 127.0.0.1 to any no state

pass in inet from 172.16.0.0/12 to any no state

pass in inet6 from fc00::/7 to any no state

pass in inet6 from ::1 to any no state

block drop in proto tcp from any to any port = 5900

pass in inet6 proto tcp from any to any port = 5900 no state

pass in inet proto tcp from any to any port = 5900 no state

block drop in proto tcp from any to any port = 500

block drop in proto tcp from any to any port = 4500

block drop in proto tcp from any to any port = 1701

block drop in proto tcp from any to any port = 1723

block drop in proto udp from any to any port = 500

block drop in proto udp from any to any port = 4500

block drop in proto udp from any to any port = 1701

block drop in proto udp from any to any port = 1723

pass in inet proto tcp from 10.0.0.0/8 to any port = 53 no state

pass in inet proto tcp from 192.168.0.0/16 to any port = 53 no state

pass in inet proto tcp from 169.254.0.0/16 to any port = 53 no state

pass in inet proto tcp from 127.0.0.1 to any port = 53 no state

pass in inet proto tcp from 172.16.0.0/12 to any port = 53 no state

pass in inet proto udp from 10.0.0.0/8 to any port = 53 no state

pass in inet proto udp from 192.168.0.0/16 to any port = 53 no state

pass in inet proto udp from 169.254.0.0/16 to any port = 53 no state

pass in inet proto udp from 127.0.0.1 to any port = 53 no state

pass in inet proto udp from 172.16.0.0/12 to any port = 53 no state

pass in inet proto udp from any to any port = 500 no state

pass in inet proto udp from any to any port = 4500 no state

pass in inet proto udp from any to any port = 1701 no state

pass in inet proto udp from any to any port = 1723 no state

pass in inet proto tcp from any to any port = 500 no state

pass in inet proto tcp from any to any port = 4500 no state

pass in inet proto tcp from any to any port = 1701 no state

pass in inet proto tcp from any to any port = 1723 no state

pass in inet6 proto tcp from fc00::/7 to any port = 53 no state

pass in inet6 proto tcp from ::1 to any port = 53 no state

pass in inet6 proto tcp from any to any port = 500 no state

pass in inet6 proto tcp from any to any port = 4500 no state

pass in inet6 proto tcp from any to any port = 1701 no state

pass in inet6 proto tcp from any to any port = 1723 no state

pass in inet6 proto udp from fc00::/7 to any port = 53 no state

pass in inet6 proto udp from ::1 to any port = 53 no state

pass in inet6 proto udp from any to any port = 500 no state

pass in inet6 proto udp from any to any port = 4500 no state

pass in inet6 proto udp from any to any port = 1701 no state

pass in inet6 proto udp from any to any port = 1723 no state

block drop in proto tcp from any to any port = 80

block drop in proto tcp from any to any port = 443

pass in inet6 proto tcp from any to any port = 80 no state

pass in inet6 proto tcp from any to any port = 443 no state

pass in inet proto tcp from any to any port = 80 no state

pass in inet proto tcp from any to any port = 443 no state

block drop in proto tcp from any to any port = 22

pass in inet6 proto tcp from any to any port = 22 no state

pass in inet proto tcp from any to any port = 22 no state

block drop in proto tcp from any to any port = 49379

pass in inet proto tcp from any to any port = 49379 no state

[labanque:: 6:35] [~] %