Mac OS X Server includes a firewall service that you can use to restrict access to your server based on a requesting machine's IP address.

When the firewall is enabled, each IP service request that Mac OS X Server receives is first checked against a list of firewall rules that define which IP addresses have access to specific port numbers. The port numbers are used to identify specific services, such as Apple File Service (AFS; port 548) and web service (port 80). With the firewall enabled, a Mac OS X Server can allow one machine to access a service while blocking requests from another machine for the same service.

Access through a firewall is based on the requesting machine's IP address. If the IP address of the requesting machine is within a specified range of addresses, the request is denied or allowed, depending on the exact rule applied. For example, pretendco.com can use the firewall service to allow any request from an internal address but deny any request from an external address, except for those belonging to trade partners.

Since the firewall service essentially determines which machines are allowed to access services on a given server, it is a good tool to consider when security is important.


If the firewall does not find a specific rule that applies to the request, it applies the default general rule, which denies all Transmission Control Protocol (TCP) connections.

Basic Firewall Configuration

By default, firewall service blocks all incoming TCP connections. Before you turn on firewall service, make sure you've set up rules allowing access from IP addresses you choose. Otherwise, no one will have access to your server.

To start or stop the firewall service, click Firewall in the Computers & Services list in Server Admin and click Start Service or Stop Service.

When you start firewall service for the first time, most TCP packets are denied until you change the rules to allow access. By default, only the ports essential to remote administration are available. These include but are not limited to the ports for Remote Directory Access (625), server administration via Server Admin (687), and Secure Shell (22). For any other network service, you must create rules, or configure existing rules, to allow access to your server. If you turn off firewall service, all addresses are allowed access to your server.

You can easily allow standard services—such as Apple Filing Protocol (AFP), File Transfer Protocol (FTP), print, web, and Windows—to access your server through the firewall.

To open the firewall for standard services:

Open Server Admin, click Firewall, and click General.

Select the “any” address group from the IP Address Groups list.

Select the services you want to allow and click Save.

The “any” group lets you open the firewall to any IP address. But if you want, you can define other groups of IP addresses for your firewall rules and can configure them separately. You can use these groups to organize and target the rules.

Addresses can be listed as individual addresses (for example, or as IP addresses with a Classless Inter-Domain Routing (CIDR) netmask format (for example, CIDR consists of the IP address followed by a slash (/) and the IP prefix, a number from 1 to 32 that specifies the number of significant bits used to identify a network. For example, means the first 16 bits (the first two numbers separated by periods) are used to represent the network (every machine on the network begins with 192.168), and the remaining 16 bits (the last two numbers separated by periods) are used to identify hosts (each machine has a unique set of trailing numbers). The subnet mask that corresponds to CIDR 16 is

To create an address group, click the Add (+) button in the IP Address Groups pane. Enter the group name, enter the addresses and subnet mask you want the rules to affect, and then click OK. To edit an existing group, select the group and click Edit.
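The following is an added example, not Apple's code, that models the rule evaluation described above: a request is checked against the numbered rules in order, each rule names a port and an address group in CIDR form, and the general rule 65000 denies whatever no specific rule allowed. The rule numbers, ports and address groups (192.168.0.0/16 as the internal network, 198.51.100.0/24 standing in for a trade partner) are constructed for illustration; the CIDR arithmetic is the /16 example from the text, generalized to any prefix.

```python
# Added example, not Apple's code: a minimal model of the firewall's
# rule evaluation described on this page. Rule numbers, ports and
# address groups below are constructed for illustration.

def ip_to_int(ip):
    """Dotted-quad string -> 32-bit integer."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def prefix_to_mask(prefix):
    """CIDR prefix (1-32) -> dotted subnet mask, e.g. 16 -> 255.255.0.0."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def in_cidr(ip, cidr):
    """True if the first /prefix bits of ip match those of the CIDR network."""
    net, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)

# (rule number, action, TCP port or "any", address group as CIDR).
# Constructed groups: 192.168.0.0/16 is the internal network,
# 198.51.100.0/24 stands in for a trade partner's addresses.
RULES = [
    (100, "allow", 515, "192.168.0.0/16"),   # internal hosts may print (LPR)
    (200, "allow", 548, "192.168.0.0/16"),   # internal hosts may use AFP
    (250, "allow", 548, "198.51.100.0/24"),  # trade partner may use AFP
    (300, "allow", 80, "0.0.0.0/0"),         # web service open to everyone
]

# The default general rule: deny any TCP request no specific rule allowed.
DEFAULT_RULE = (65000, "deny")

def evaluate(rules, client_ip, port):
    """Return (rule number, action) of the first rule, in rule-number order,
    whose port and address group match, or the default deny if none does."""
    for number, action, rule_port, cidr in sorted(rules, key=lambda r: r[0]):
        if rule_port in ("any", port) and in_cidr(client_ip, cidr):
            return number, action
    return DEFAULT_RULE
```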

Firewall-Service Monitoring

A firewall is a network's first line of defense against malicious intruders. One way to maintain security is to monitor your firewall to make sure that it's working properly and to detect patterns of access attempts that might indicate a serious threat.

To monitor the logs, enable logging in the Logging tab of the firewall settings in Server Admin. You can view the log using the Log pane of the firewall service. Each rule you create in Server Admin corresponds to one or more rules in the underlying firewall software. Log entries show you the rule applied, the IP addresses of the client and server, and other information.

For example, the following log entry shows that the firewall service used rule 65000 to deny (unreach) the remote client at from accessing server on web port 80 via Ethernet port 0:

Dec 12 13:08:16 ballch5 mach_kernel: ipfw: 65000 Unreach TCP in via en0


The following log entry shows that the firewall service used rule 100 to allow the remote client at to access the server on the LPR printing port 515 via Ethernet port 0:

Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP in via en0
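The monitoring the text recommends can be done over the raw ipfw entries. This added example (not Apple's code) parses entries of the kind quoted above and counts refused connections per client, optionally for one server port, as the Log pane's search box does for "548". The sample lines are constructed; because the page's quoted entries have their addresses stripped, the "source:port destination:port" layout between the protocol and "in via" is an assumption about the full ipfw format.

```python
# Added example, not Apple's code. The sample lines are constructed and the
# "<src>:<sport> <dst>:<dport>" layout is an assumption about the ipfw format.
import re
from collections import Counter

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)"
)

# ipfw actions that mean the packet was refused ("Unreach" in the page's entry).
DENY_ACTIONS = {"Deny", "Unreach", "Reset"}

SAMPLE_LOG = [  # constructed: one accept, four AFP refusals, one web refusal, one non-ipfw line
    "Dec 12 13:20:15 mayalu6 mach_kernel: ipfw: 100 Accept TCP 192.168.1.20:49152 192.168.1.5:515 in via en0",
    "Dec 12 13:21:02 mayalu6 mach_kernel: ipfw: 65000 Unreach TCP 203.0.113.9:50001 192.168.1.5:548 in via en0",
    "Dec 12 13:21:03 mayalu6 mach_kernel: ipfw: 65000 Unreach TCP 203.0.113.9:50002 192.168.1.5:548 in via en0",
    "Dec 12 13:21:05 mayalu6 mach_kernel: ipfw: 65000 Unreach TCP 203.0.113.9:50003 192.168.1.5:548 in via en0",
    "Dec 12 13:21:09 mayalu6 mach_kernel: ipfw: 65000 Unreach TCP 203.0.113.9:50004 192.168.1.5:548 in via en0",
    "Dec 12 13:22:40 mayalu6 mach_kernel: ipfw: 65000 Unreach TCP 198.51.100.4:40000 192.168.1.5:80 in via en0",
    "Dec 12 13:23:00 mayalu6 mach_kernel: syslogd: unrelated message",
]

def parse(line):
    """Return a dict of the ipfw fields, or None for lines that are not ipfw entries."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("rule", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry

def denied_by_source(lines, port=None):
    """Count refused connections per client IP, optionally only for one server port."""
    counts = Counter()
    for line in lines:
        e = parse(line)
        if e and e["action"] in DENY_ACTIONS and (port is None or e["dport"] == port):
            counts[e["src"]] += 1
    return counts

def repeat_offenders(lines, threshold=3, port=None):
    """Clients refused at least `threshold` times: the access pattern worth a closer look."""
    return sorted(ip for ip, n in denied_by_source(lines, port).items() if n >= threshold)
```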


The Overview pane shows a simple summary of the firewall service: whether the service is running and which rules are active.

Advanced Firewall Configuration

You can use the Advanced pane of the firewall's Settings tab to configure very specific rules for TCP ports. You can apply a rule to all IP addresses, a specific IP address, or a range of IP addresses.

Test the Firewall
1. Launch Server Admin on your server, select the AFP service from the Computers & Services list, and start the service. Make sure the only other service running is DNS.

2. Verify that the AFP service is running.

3. From your Mac OS X computer, choose Connect to Server from the Go menu. Enter in the Address field and click Connect.

   The “Connect to Server” dialog appears, showing the server over port 548—the AFP port to which the Connect to Server dialog defaults when you type in an IP address or domain name. You do not need to enter a user name or password here. The dialog simply provides verification that the port is open.

4. Click Connect, choose a volume to mount, and close the Connect to Server dialog.

5. Launch Server Admin on your server and select the Firewall service from the Computers & Services list. Click the Settings tab if it is not already open, and then click the Services button.

6. Verify that “any” is selected in the “Edit Services for” drop-down menu. Select “Allow only traffic for 'any' on these ports,” and then choose the ports that you want “any” to be able to access.

7. Scroll down to make sure port 548 (Apple File Service) does not have a check mark next to it.

   If it remained selected, connections from any IP address to that port on your server would still be allowed once the firewall is turned on.

8. Turn on the firewall service and verify that it is running by selecting the Log tab at the bottom of the window.

9. From your Mac OS X computer, attempt to connect again as you did in step 3.

10. Watch the dialogs as they attempt to connect to your server.

    Your connection attempt will eventually time out and you will not be connected.

11. From Server Admin, enter 548 in the Firewall Log window's search box and press Return.

    You can see the deny rules that took effect when you attempted to contact your AFP server with the firewall active and blocking access to port 548.

12. Turn off the Firewall in Server Admin on your server. Confirm that you can now connect over port 548 again by repeating step 3.

This shows just a fragment of what the firewall service is capable of.
