
Server 10.5 firewall not working

I am trying to set up some firewall for my 10.5 server, but I just cannot seem to get it to work. The main aim is to try to stop the constant brute force mail login attempts.


To this end I installed fail2ban, to spot and ban the failed logins. For the most part this works, i.e. the mechanics of submitting the banned IP addresses and sending me an email to that effect are accomplished. If I start up a terminal session I get dozens of IP addresses listed with the following command:


sudo ipfw list


With an entry looking like:


12345 deny tcp from 123.123.23.123 to any in


But, the ban just isn't effective - the same IP address will try again later, sometimes every few seconds for hours.


When I check the fail2ban log it complains (after it has detected a malicious login attempt multiple times):


"WARNING [sasl-ipfw] 123.123.123.123 already banned"


I have tried formatting the ban in different ways:


12345 deny tcp from 123.123.23.123 to 127.0.0.1 dst-port 25

12345 deny tcp from 123.123.23.123 to 192.168.123.123 dst-port 25


But it is just not making any difference. I even tried just a local network ban to the web service:


12345 deny tcp from 192.168.123.122 to 192.168.123.123 dst-port 80


But again that does not have any effect. The other rules in the IPFW list, which seem to be defaults, look like:


12300 allow log logamount 1000 tcp from any to any established

12301 allow log logamount 1000 tcp from any to any out

12302 allow log logamount 1000 tcp from any to any dst-port 22 …


and one final rule in the list (which I read somewhere shouldn't be changed):


65535 allow ip from any to any


Server admin app indicates that the firewall service is running, there are no "deny" listings in the ipfw log. The entries patched in to IPFW by fail2ban do not appear in the Server Admin entries anywhere, nor in the ipfw.conf or ipfw.conf.apple files (so I'm not sure where they are stored). But I do see them when I get "ipfw list" in the terminal and they are listed in the "Active Rules" tab of the Firewall section in Server Admin. Thanks for any help on this issue.

Posted on Sep 23, 2016 1:21 AM

Question marked as Best reply

Posted on Sep 28, 2016 5:00 AM in response to Clive Bruton

You can find the answer to this question here:


http://superuser.com/questions/1128614/fail2ban-ipfw-mac-os-x-server-not-denying-connections


Briefly, the rules are executed in order; once one is triggered the firewall stops assessing them. I understood that part, but what I didn't understand was that the man page says that LOG is done last - I thought that meant that the rule is applied last, but it doesn't. So you have to make sure your DENY rules appear before the default ALLOW rules.


Also, if you want the DENY to appear in a log you have to put the LOG keyword in the rule when you're adding it:


sudo ipfw add 00900 deny log ip from 123.123.123.123 to 10.10.10.10 25


Where "00900" is the rule number, "ip" is any IP traffic (you can specify tcp or udp) and 25 is the port number (optional, with no port number you just ban all traffic to all ports). The IP numbers can be replaced with the keyword "any" (with the obvious consequences).
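To make the ordering point concrete, here is an added Python model of ipfw's first-match evaluation. This is example code written for this page; it is not from the reply, the superuser thread, fail2ban or Apple's ipfw. It parses the rule lines quoted in the thread and walks them in ascending number order, stopping at the first match. The port-25 allow at 12303 is an assumption standing in for whatever was hidden behind the "…" in the post's rule list, the addresses are the placeholders the thread itself uses, and the packet is a constructed inbound SMTP connection attempt.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    direction: str      # "in" or "out"
    established: bool   # True once the TCP handshake is complete (not a bare SYN)


@dataclass
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    proto: str = "ip"               # "ip" matches any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    established: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction is None or self.direction == p.direction)
                and (not self.established or p.established))


def parse_rule(line: str) -> Rule:
    """Parse an 'ipfw list'-style line (only the keywords used in this thread)."""
    toks = line.split()
    rule = Rule(number=int(toks[0]), action=toks[1])
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "log":
            rule.log = True
            if i + 1 < len(toks) and toks[i + 1] == "logamount":
                i += 2                                   # skip "logamount N"
        elif t in ("ip", "tcp", "udp"):
            rule.proto = t
        elif t == "from":
            rule.src = toks[i + 1]
            i += 1
        elif t == "to":
            rule.dst = toks[i + 1]
            i += 1
            if i + 1 < len(toks) and toks[i + 1].isdigit():   # "to HOST PORT" shorthand
                rule.dport = int(toks[i + 1])
                i += 1
        elif t == "dst-port":
            rule.dport = int(toks[i + 1])
            i += 1
        elif t in ("in", "out"):
            rule.direction = t
        elif t == "established":
            rule.established = True
        i += 1
    return rule


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int, bool]:
    """First match wins: (action, rule number, whether that rule logs). 65535 is the implicit default allow."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.action, r.number, r.log
    return "allow", 65535, False


# Constructed rule set modelled on the thread's 'ipfw list' output. Rule 12303 is an
# ASSUMPTION standing in for the rules behind the "..." in the post: some allow for
# port 25 must exist, or inbound mail would never reach the server at all.
BASE_RULES = [
    "12300 allow log logamount 1000 tcp from any to any established",
    "12301 allow log logamount 1000 tcp from any to any out",
    "12302 allow log logamount 1000 tcp from any to any dst-port 22",
    "12303 allow log logamount 1000 tcp from any to any dst-port 25",   # assumed
]
ATTACKER = "123.123.123.123"   # placeholder address used in the thread
SERVER = "10.10.10.10"         # placeholder address used in the reply
# Constructed packet: the attacker's next SMTP connection attempt (inbound SYN).
SMTP_SYN = Packet("tcp", ATTACKER, SERVER, 25, "in", established=False)


def deny_after_allows() -> Tuple[str, int, bool]:
    """fail2ban's deny appended at 12345 is never reached; the allow at 12303 fires first."""
    rules = [parse_rule(l) for l in BASE_RULES + [f"12345 deny tcp from {ATTACKER} to any in"]]
    return evaluate(rules, SMTP_SYN)


def deny_before_allows() -> Tuple[str, int, bool]:
    """The reply's fix: a logged deny numbered below the allows matches first."""
    rules = [parse_rule(l) for l in BASE_RULES + [f"00900 deny log ip from {ATTACKER} to {SERVER} 25"]]
    return evaluate(rules, SMTP_SYN)


if __name__ == "__main__":
    print("deny at 12345:", deny_after_allows())   # ('allow', 12303, True)
    print("deny at 900:  ", deny_before_allows())  # ('deny', 900, True)
```

The first result also explains the "no deny listings in the ipfw log" observation in the post: the packet was logged, but by the allow rule that shadowed the ban. On the real server the equivalent check is `sudo ipfw -a list`, which prints per-rule packet counters; a ban whose counter stays at zero while an earlier allow's counter keeps climbing is being shadowed in exactly this way.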
