Adaptive Firewall & afctl

Is the adaptive firewall working in 10.6 Server? I can't get it to auto-block an IP after numerous failed attempts like 10.5 Server does.

I highly recommend adding:
export PATH=$PATH:/Applications/Server.app/Contents/ServerRoot/usr/libexec
to ~/.bash_profile
That way, afctl can be easily summoned:
$ which afctl
/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl
Rusty

Similar Messages

  • Controlling the Adaptive Firewall with `afctl`

    For those of you that don't know, afctl controls (is?) Leopard Server's Adaptive Firewall. It's a really cool program: you give it an IP address and a time-to-live in minutes, and that IP instantly gets firewalled for about that many minutes.
    Here is the man page for the program:
    http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/afctl.8.html
    And here is the man page for its config file:
    http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/af.plist.5.html
    At first it seems like the perfect program. But I'm having big problems with it, all regarding rule numbers.
    afctl's first firewall rule is number 1700. Its next rule is 1705. And so on and so on. Now my rules come from a script I have running on my server, that automatically 'detects' abusers and blocks them. Rules last for 1 hour. So after the first hour of running, rule 1700 will expire, then 1705 and so on. New rules that are constantly getting generated are up to maybe, let's just say, 1840.
    So even though rules only last an hour, the rule numbers keep going up and up and up. This becomes a big problem because once the rules get to 12300, they overlap and then pass existing rules in ipfw. Once they surpass this, incoming packets are matched and accepted before they get to their block rule (generated by afctl). So every second or so, another and another and another firewall rule gets added to block that same IP. But the rules are so high they don't work. Multiply this by 30 or 40 IPs at a time and you can see how once my afctl rules get to 12300, total chaos ensues.
    If I totally disable my script for two hours and let all my afctl rules expire, then I can re-enable the script and it will start generating rules again at 1700. But this can be a problem; sometimes I'm getting more traffic than I can handle during those two hours. After about 250 requests per second, things start to get sketchy.
    I need a way to manage these rule numbers without having to turn off the script that makes these rules.
    One thing that confuses me is the 'default_set' setting in the af.plist file. I'm not sure what this means, but does this somehow let me put my afctl rules into their own 'group'? The default setting for 'default_set' in my plist file is 17. That means nothing to me though. Reading the ipfw man page, it refers to its whole configuration as its 'ruleset'. So I'm not sure what this setting is, or if it can help me.
    As it stands now, I have to 'reset' my rules (by way of disabling my script and letting all afctl created rules expire) about every other day. If I could have afctl rules increment by 1 instead of 5, that would give me about 10 days. Still a bandaid, but a better bandaid. If there was a way to make afctl choose rules that are the lowest available rule number greater than 1699, so as rules expired, their numbers would be recycled. That would also work. Although I'd feel better if my dynamic rules also had a greater range to live in than 1700-12300. But I'd have to be under one **** of an attack for that not to be enough.

    Well I found a solution, but it's not great. I run the following commands daily (nightly).
    sudo rm /var/db/af/blacklist;
    sudo ipfw delete set 17;
    sudo /usr/libexec/afctl;
    This deletes any memory afctl has of its rules. Then it manually deletes all the rules it's made. Then it recreates its database file.
    This will make your rules start over every night so you won't get 'rule number overflow' headaches.
    OF COURSE the whole point of afctl is auto-expiring firewall rules. So if you're going to do this, I might as well have my server firewall addresses directly to ipfw instead of bothering with afctl. I'm going to leave it using afctl now only because it's already set up and running. At least I can be away from my server now without having a rule number overflow which for several different reasons brings my server to its knees.
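    The arithmetic behind the overflow the poster describes, as an added simulation (not code from the post, not afctl's own logic). The constants are the ones given above: first dynamic rule 1700, a step of 5, the poster's static "allow ip from any to any" at 12300, and one-hour block lifetimes. The steady arrival rate of new blocks is a constructed assumption. The second allocator implements the "lowest available number greater than 1699" policy the poster wishes afctl had, so you can see the highest rule number it ever needs.

```python
# Added example (not code from the post above): a small simulation of the two
# rule-numbering policies the poster describes. Constants come from the post
# (first dynamic rule 1700, step 5, static "allow ip from any to any" at 12300,
# one-hour block lifetime); the steady arrival rate is a constructed assumption.
import heapq

FIRST_RULE = 1700      # afctl's first dynamic rule number
STEP = 5               # afctl allocates 1700, 1705, 1710, ...
STATIC_ALLOW = 12300   # the poster's "allow ip from any to any" rule
TTL_SECONDS = 3600     # the poster's script blocks for one hour


def is_shadowed(rule_number):
    """ipfw is first-match: a deny rule numbered at or after the static
    allow-all rule is never reached, so the block silently does nothing."""
    return rule_number >= STATIC_ALLOW


class SequentialAllocator:
    """What afctl does according to the post: numbers only ever go up,
    and an expired rule frees its ipfw slot but not its number."""

    def __init__(self):
        self.next_number = FIRST_RULE
        self.active = {}  # rule number -> expiry time

    def add(self, now):
        number = self.next_number
        self.next_number += STEP
        self.active[number] = now + TTL_SECONDS
        return number

    def expire(self, now):
        for number, expiry in list(self.active.items()):
            if expiry <= now:
                del self.active[number]


class RecyclingAllocator:
    """The behaviour the poster asks for: hand out the lowest free number
    above 1699 so numbers are reused as soon as their rule expires."""

    def __init__(self):
        self.high_water = FIRST_RULE  # next never-used number
        self.free = []                # min-heap of recycled numbers
        self.active = {}

    def _fresh(self):
        number = self.high_water
        self.high_water += STEP
        return number

    def add(self, now):
        number = heapq.heappop(self.free) if self.free else self._fresh()
        self.active[number] = now + TTL_SECONDS
        return number

    def expire(self, now):
        for number, expiry in list(self.active.items()):
            if expiry <= now:
                del self.active[number]
                heapq.heappush(self.free, number)


def simulate(allocator_cls, blocks_per_hour, hours):
    """Add one block every 3600/blocks_per_hour seconds for `hours` hours.
    Returns (highest rule number used, count of blocks that were shadowed)."""
    assert 3600 % blocks_per_hour == 0, "keep the interval a whole number of seconds"
    interval = 3600 // blocks_per_hour
    allocator = allocator_cls()
    highest, shadowed = 0, 0
    for now in range(0, hours * 3600, interval):
        allocator.expire(now)
        number = allocator.add(now)
        highest = max(highest, number)
        if is_shadowed(number):
            shadowed += 1
    return highest, shadowed


if __name__ == "__main__":
    for cls in (SequentialAllocator, RecyclingAllocator):
        highest, shadowed = simulate(cls, blocks_per_hour=100, hours=48)
        print(f"{cls.__name__}: highest rule {highest}, {shadowed} blocks shadowed")
```

    At 100 blocks an hour the sequential policy crosses 12300 after 2120 blocks, a little over 21 hours in, and every block after that is a no-op; the recycling policy never needs a number above 2195 because at most 100 rules are ever alive at once. That matches the poster's "every other day" reset cadence.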

  • Afctl (Adaptive Firewall) error in 10.8.2

    I have enabled the Adaptive Firewall in OS X Server (2.2) under Mountain Lion 10.8.2 as per Apple's instructions:
    http://support.apple.com/kb/HT5519
    However, I get back an error every time I try to enable it:
    # afctl -f
    No ALTQ support in kernel
    ALTQ related functions disabled
    pf enabled
    Token : 18446743524496027528
    No ALTQ support in kernel
    ALTQ related functions disabled
    Jan 22 17:41:50 server.domainredacted.com afctl[17998] <Notice>: Cannot update the Event Monitor config
    When I try to alter a setting:
    sh-3.2# afctl -T 10
    Jan 22 17:42:09 server.domainredacted.com afctl[18005] <Notice>: Cannot update the Event Monitor config
    Or when I try to disable it:
    sh-3.2# afctl -X
    Jan 22 17:45:29 server.domainredacted.com afctl[18021] <Notice>: Cannot update the Event Monitor config
    I thought perhaps that afctl was having trouble writing to AdaptiveFirewall.plist in /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules
    sh-3.2# ls -l /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules
    total 0
    -rw-r--r--  1 root  wheel   3344 Jan 22 00:11 AdaptiveFirewall.plist
    But even adding world write permissions to this file didn't help.
    I also wondered if perhaps afctl was looking for AdaptiveFirewall.plist in the wrong place:
    sh-3.2# ls -l /etc/emond.d/rules/
    total 0
    -rw-r--r--  1 root  wheel   822 Jan 21 20:01 SampleRules.plist
    -rw-r--r--  1 root  wheel  8964 Jan 21 20:01 Xsan.plist
    But copying AdaptiveFirewall.plist here (or symbolic linking the file in this dir) didn't do the trick either.
    Anyone have any idea why afctl keeps complaining that it  "Cannot update the Event Monitor config" in OS X Server 2.2 / Mountain Lion 10.8.2?
    Rusty

    An additional (and confusing) update. The adaptive firewall may actually be doing something on my machine after all, but it's definitely not consistent. While digging through my logs again today, I noticed the events that I've pasted below. Apologies for the wall of text, but I've included the entire transcript of the attack for completeness.
    2/6/13 10:48:44.161 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:48:44.161 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:48:51.331 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:48:51.331 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:48:55.243 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:48:55.243 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:03.151 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:03.151 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:07.112 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:07.112 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:10.989 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:10.989 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:21.890 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:21.890 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:25.801 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:25.801 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:29.699 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:29.699 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:29.700 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:29.870 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:29.948 PM afctl[25763]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:29.954 PM emond[117]: 381912569.864889 Host at <IP-ADDRESS> was blocked for 15
    2/6/13 10:49:29.954 PM emond[117]: 381912569.864889 Host at <IP-ADDRESS> was blocked for 15
    2/6/13 10:49:29.954 PM emond[117]: 381912569.864889 Host at <IP-ADDRESS> was blocked for 15
    2/6/13 10:49:33.591 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:33.591 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:33.592 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:33.669 PM afctl[25764]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:33.675 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:33.754 PM afctl[25765]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:33.759 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:33.836 PM afctl[25766]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:37.477 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:37.477 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:37.478 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:37.552 PM afctl[25768]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:37.558 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:37.633 PM afctl[25769]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:37.638 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:37.720 PM afctl[25770]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:41.433 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:41.433 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:41.434 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:41.511 PM afctl[25771]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:41.516 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:41.597 PM afctl[25772]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:41.602 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:41.678 PM afctl[25773]: Address already in the blacklist, not added (timeout has been updated)
    Note that I've made no changes to this server since my last post, but afctl does indeed appear to be working in those logs; there are no more login attempts from that IP after this excerpt. Additionally, I thought this might be a good sign for progress on getting Apple's KB Article (http://support.apple.com/kb/HT5519) to work, but I still receive the <Notice>: Cannot update the Event Monitor config error.
    Also, what's up with the auth errors logging after the IP's already been blocked? And there's a 4-second window preceding them each time.
    Curiouser and curiouser.

  • Excessive 'SecurityServer' log entries for ServerEventAgent after Adaptive Firewall

    Hello all,
    I'm running an OS X Server running 10.8.2. After enabling the Adaptive Firewall last night ( http://support.apple.com/kb/HT5519, http://support.apple.com/kb/TS4418 ), I started noticing a massive number of logs in /var/log/system.log that look like this:
    Jan 11 17:44:59 <hostname> com.apple.SecurityServer[21]: Succeeded authorizing right 'system.privilege.admin'
    by client '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] for authorization
    created by '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] (2,0)
    Jan 11 17:44:59 <hostname> com.apple.SecurityServer[21]: Succeeded authorizing right 'system.privilege.admin'
    by client '/Library/PrivilegedHelperTools/com.apple.serverd' [71] for authorization created by
    '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] (100000,0)
    Does anyone have thoughts on this? They generally come in pairs like above. I've seen other SecurityServer logs while managing the server, but the number of them (and ServerEventAgent string) have really jumped up after trying to enable the Adaptive Firewall. I'm not even sure the firewall is working at this point, as running hb_summary tells me there have been 0 blocks in the last 24 hours. Yesterday, before trying to enable the AF, the server was trying to block login bots every few minutes, so I'm not sure everything is hooked-up correctly.
    It should be noted that I had some trouble with the second KB article linked above because I had previously tried using IceFloor to manage the new pf firewall. Apparently IceFloor removes some lines from /etc/pf.anchors/com.apple and doesn't put them back when you uninstall the program. I re-added the two missing lines at the end (with Apple's edits):
    anchor "400.AdaptiveFirewall/*"
    load anchor "400.AdaptiveFirewall" from "/Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall"
    Any help would be greatly appreciated!
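    A check for the two anchor lines quoted above, as an added example (not code from the post, not Apple's or IceFloor's). The two required lines are the ones the poster re-added; everything else in the sample file contents is constructed. Commented-out lines are deliberately not counted as present, since a `#` in front of the anchor is exactly the kind of leftover a third-party tool might leave.

```python
# Added example, not code from the post: verify that a pf anchor file still
# carries the two AdaptiveFirewall lines the post says IceFloor strips from
# /etc/pf.anchors/com.apple, and append them if they are missing.
# REQUIRED_LINES are quoted from the post; the sample file text is constructed.

REQUIRED_LINES = (
    'anchor "400.AdaptiveFirewall/*"',
    'load anchor "400.AdaptiveFirewall" from '
    '"/Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall"',
)


def active_lines(text):
    """Yield the file's effective lines: pf.conf-style '#' comments removed
    and whitespace normalised, so a commented-out anchor does not count."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        line = " ".join(line.split())
        if line:
            yield line


def missing_af_anchors(text):
    """Return the required AdaptiveFirewall lines that are not active in `text`."""
    present = set(active_lines(text))
    return [line for line in REQUIRED_LINES if line not in present]


def with_af_anchors(text):
    """The post's fix: append whichever required lines are missing at the end.
    Idempotent, so running it on an already-repaired file changes nothing."""
    missing = missing_af_anchors(text)
    if not missing:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "\n".join(missing) + "\n"


# Constructed sample of a com.apple anchor file after the two lines were removed.
STRIPPED = """\
# constructed sample, not the real /etc/pf.anchors/com.apple
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
"""

# Same file with one of the lines present only as a comment: still broken.
COMMENTED_OUT = STRIPPED + '# anchor "400.AdaptiveFirewall/*"\n'

if __name__ == "__main__":
    print("stripped file is missing:", missing_af_anchors(STRIPPED))
    print("after repair, missing:", missing_af_anchors(with_af_anchors(STRIPPED)))
```

    Run the check before `pfctl -f /etc/pf.conf`, not after: once pf has loaded a ruleset without the anchor, emond's `afctl` calls will keep updating the blacklist while nothing in pf enforces it, which is the symptom the poster reports (hb_summary showing 0 blocks).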

    Ahhhhhhh...that's gotta be it!
    Um, I mean no, I did not have relations with that application.
    Thanks!

  • Adaptive-Firewall (af) blacklist or blockedHosts? Packet-Filter (pf)

    I have just upgraded my Mac mini Server from the latest version of OS X 10.8.5 and OS X Server 2.2.1 to OS X 10.9.3 and OS X Server 3.1.2 by turning off all server services (except Open Directory), upgrading to OS X 10.9.3 and touching up System Preferences, rebooting, upgrading to OS X Server 3.1.2 and running the Server app to upgrade the server's directories, files and services, and am now proceeding carefully by comparing notes from my previous configuration and turning on required server services one by one.
    Now the Adaptive Firewall (af) and Packet Filter (pf) have perplexed me since OS X 10.8...
    I have configured how to enable af on system boot-up based on information from Apple support documents. I understand that Event Monitor (emon) monitors the incoming IP connections (among its other functions) and if it detects abnormal behaviour from a particular IP connection, emon uses af to add the offending IP address to af's blacklist file.
    My first question is: does af itself block the IP connection, or does it use pf instead to do the job?
    If af uses the latter, my second question is: does af use some internal socket/pipes to communicate with pf, or does pf use some file from af?
    Now if pf uses some file from af, it can't be the blacklist file, as the pf anchor uses the table from the /var/db/af/blockedHosts file, and it seems that the blockedHosts file is perpetually an empty file and no app or process seems to touch the file since it was created.
    The gist of my question is that the af and/or pf on my system seem not to be doing their job even though emon is detecting abnormal IP connections based on the log messages its been producing after following Apple support documents to enable Adaptive Firewall on my system.

    "The gist of my question is that the af and/or pf on my system seem not to be doing their job even though emon is detecting abnormal IP connections based on the log messages its been producing after following Apple support documents to enable Adaptive Firewall on my system."
    And when, and which service, uses the /var/db/af/blockedHosts file?

  • Adaptive firewall experiences - and a kludge to work around it

    I had a vexing issue with Leopard Server and clients with incorrect passwords. Seemingly, after one password attempt we'd get blocked by the server for all traffic. What is likely happening is the client is trying several different attempts (more on that in a sec) and hitting the 10 password failure limit in the Adaptive Firewall code. This block would throw the client into the penalty box for 15 minutes.
    Sources of password failures would be things like a Windows user with a Thunderbird client and the wrong SSL setting. Or an AFP client with a password stored in Keychain. Even Apple Mail or iCal with a stored password were enough to cause a lockout.
    I did call tech support but figured out things on my own. It seems that there's a firewall rule being automatically inserted on such an 'attack' to the server. They're numbered 01700 and above. The "ipfw delete ####" command (as root) will delete the offending firewall rule and allow things to return to normal.
    So for now - I have a root window running this script:
    #!/bin/sh
    # Every 5 seconds, find the ipfw rules numbered 017xx (the ones the
    # adaptive firewall inserts), print the delete commands, then run them.
    while true
    do
        sleep 5
        ipfw list | grep '^017' | awk '{ print "ipfw delete " $1 }'
        ipfw list | grep '^017' | awk '{ print "ipfw delete " $1 }' | sh
    done
    which will delete any firewall rules with numbers starting with 017. Perhaps this will increase past 01799 - I'll examine if the problem continues to vex us. I suppose I could run this as a cron job but a 1 minute delay is not as friendly as 5 seconds.
    With this bandaid out there - anyone know a better solution? I do see mention of the "optional adaptive firewall" but it looks like the optional part has gone away. Personally don't need quite that level of paranoia here.

    The adaptive firewall kicks in differently for different classes of services. For ftp & ssh it looks at log scrapings from /var/log/secure.log and counts each auth failed message as a "strike". For other services, such as AFP & mail, it gets info from the password server; again each failure there counts as one "strike". Unfortunately ssh and ftp tend to spit out several log messages when they get an auth failure, which makes the adaptive firewall system hypersensitive to those services.
    The earlier Leopard releases had another problem where things were blocked on the second strike. I believe that has been fixed by now (10.5.3).
    As has been mentioned above there is a way to tune the sensitivity (number of strikes) and the duration of the blocking in the rules file (only if the second strike problem is fixed obviously).
    - Leland

  • Unable to enable the adaptive firewall: No ALTQ support in kernel ALTQ related functions disabled

    No ALTQ support in kernel ALTQ related functions disabled
    OS X Server: How to enable the adaptive firewall - Apple Support
    Recently ran the latest OS X Yosemite Server Updates: OS X v10.10.3 and Server v4.1.  Tried to enable the "adaptive firewall" by following the steps in Apple's article (see above) and encountered the error after the second line of commands
    Charlie$ sudo pfctl -f /etc/pf.conf
    pfctl: Use of -f option, could result in flushing of rules
    present in the main ruleset added by the system at startup.
    See /etc/pf.conf for further details.
    No ALTQ support in kernel
    ALTQ related functions disabled
    server:~ Charlie$

    I'm not sure that is an error, it is a warning.
    The Mac kernel is not compiled with support for ALTQ so you can't use those features.
    Carry on & test your firewall is working as you expect.

  • HT200259 Configuring adaptive firewall for VNC and RDP connections

    Hello, I'm using Yosemite with OSX Server.  Is there a way of configuring adaptive firewall for VNC and RDP connections?

    Apple has never documented what the adaptive firewall really does, as far as I know. It seems that the built-in network services send it some kind of notification whenever there is a connection attempt. The Screen Sharing service is one of those, so it should be protected. There is no built-in RDP service, so if you somehow added one, it would not be protected.

  • Adaptive firewall

    I'm wondering if anybody has any extra info re: the Adaptive Firewall built into Mac OS X Server.
    - How can you reduce the number of hits it takes to make a rule? Is this even possible?
    - What triggers a hit? Is there a scoreboard that would show what counts as a hit or not?
    Here's an example of what I'm seeing in the secure.log:
    Apr 12 14:54:26 obelix sshd[17953]: Invalid user postgres from 119.46.230.251
    Apr 12 14:54:26 obelix sshd[17955]: Invalid user postgres from 119.46.230.251
    Apr 12 14:54:26 obelix sshd[17956]: Invalid user postgres from 119.46.230.251
    Apr 12 15:14:24 obelix sshd[19526]: Invalid user supportftp from 119.46.230.251
    Apr 12 15:52:12 obelix sshd[22924]: Invalid user web from 119.46.230.251
    Apr 12 15:52:12 obelix sshd[22927]: Invalid user web from 119.46.230.251
    Apr 12 15:52:12 obelix sshd[22925]: Invalid user web from 119.46.230.251
    Apr 12 15:52:12 obelix sshd[22926]: Invalid user web from 119.46.230.251
    None of this triggered a rule...
    Any ideas where to look next?
    Miles

    MrHoffman wrote:
    ps: just noticed a pointer to this adaptive firewall post (http://blog.lastinfirstout.net/2011/04/os-x-adaptive-firewall-automated.html), from Miles Muri over in this thread (http://discussions.apple.com/thread.jspa?messageID=13374661). FWIW. (I'd still get the gateway box.)
    Yeah, that would be me.
    I'm not so worried about the attacks getting in since I have the SSH service ACL restricted and passwords policy is quite strong. I'm just a bit bothered that the adaptive firewall doesn't seem to be picking this stuff up. Supposedly it's set to blacklist at 10 attempts, but I haven't found any info on whether that's 10 per username or 10 per IP. I'm wondering if the ACL is killing the connection before it registers as a bad login attempt. As a bonus, the log file is empty so either the logging feature doesn't work, or AF isn't being triggered.
    We mostly use the SSH service for SFTP but I suppose we could change the port if absolutely necessary.
    There is a gateway in front of this server, but I don't control it (the server is at a colo facility).
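    A strike counter over sshd log lines of the kind Miles quotes, as an added example (not Apple's code and not the blog post linked above). It models what Leland describes earlier on this page (log scraping, one strike per failure, a block once a threshold is reached) so you can check whether a given excerpt would ever reach the threshold. The threshold of 10 and the 15-minute block are the figures given on this page; counting per source IP inside a sliding 15-minute window, the year used to parse syslog timestamps, and the option to collapse sshd's several messages for one failure into a single strike are assumptions. The eight lines from 119.46.230.251 are the ones in the post; the burst from 203.0.113.7 is constructed.

```python
# Added example, not Apple's code: count sshd auth failures per source IP in a
# sliding window and report where an emond-style block would fire. Threshold
# (10) and block length (15 min) are from this page; per-IP windowing, the
# parse year and the collapse option are assumptions. The 203.0.113.7 burst in
# SAMPLE_LOG is constructed.
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 10
WINDOW_SECONDS = 15 * 60
BLOCK_MINUTES = 15

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_timestamp(ts, year=2011):
    """syslog timestamps carry no year; assume one (constructed) for ordering."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()


def find_blocks(lines, threshold=THRESHOLD, window=WINDOW_SECONDS,
                collapse_same_second=False):
    """Return {ip: [timestamp strings at which a block would fire]}.
    With collapse_same_second=True, several log lines for one failure that
    land in the same second count as a single strike (Leland's point about
    sshd being 'hypersensitive' because it logs more than once per failure)."""
    recent = defaultdict(deque)   # ip -> strike times inside the window
    blocks = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when = m["ip"], parse_timestamp(m["ts"])
        q = recent[ip]
        if collapse_same_second and q and q[-1] == when:
            continue
        q.append(when)
        while q[0] < when - window:   # drop strikes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocks[ip].append(m["ts"])
            q.clear()                 # start counting afresh after a block
    return dict(blocks)


def afctl_commands(blocks, minutes=BLOCK_MINUTES):
    """The manual equivalent of what emond would run: afctl -a <ip> -t <minutes>."""
    return [f"afctl -a {ip} -t {minutes}" for ip in sorted(blocks)]


# The first eight lines are the ones quoted in the post.
SAMPLE_LOG = """\
Apr 12 14:54:26 obelix sshd[17953]: Invalid user postgres from 119.46.230.251
Apr 12 14:54:26 obelix sshd[17955]: Invalid user postgres from 119.46.230.251
Apr 12 14:54:26 obelix sshd[17956]: Invalid user postgres from 119.46.230.251
Apr 12 15:14:24 obelix sshd[19526]: Invalid user supportftp from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22924]: Invalid user web from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22927]: Invalid user web from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22925]: Invalid user web from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22926]: Invalid user web from 119.46.230.251
""".splitlines()

# Constructed burst: ten failures in ten seconds from one address.
SAMPLE_LOG += [
    f"Apr 12 16:00:{sec:02d} obelix sshd[{23000 + sec}]: "
    f"Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"
    for sec in range(10)
]

if __name__ == "__main__":
    blocks = find_blocks(SAMPLE_LOG)
    print("would block:", blocks)
    for cmd in afctl_commands(blocks):
        print(cmd)
```

    With the defaults, 119.46.230.251 never reaches ten strikes in any 15-minute window (three at 14:54, one at 15:14, four at 15:52), which is consistent with "None of this triggered a rule"; only the constructed burst does. Lowering the threshold to 3 blocks the quoted IP twice unless `collapse_same_second` is on, which shows how much of the sensitivity comes from sshd writing three lines for one attempt.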

  • XI Adapter : Firewall Problem !

    Hi Guys !
    Here we face a problem transferring data to Oracle using the JDBC Adapter (Sender / Receiver).
    There is a firewall between our XI System and Oracle System. We have opened the 1521 -- 1529 series / 50000 - 59999 series in the firewall for communication.
    But when data is transferred from ECC to Oracle the following happens, as below:
    1) Source IP: 10.x.x.4:38788 to Destination IP: 10.x.x.56:1521 ---> Connection seems to be OK (I can see it in the listener.log file)
    But when reverse communication happens:
    2) Source IP: 10.x.x.56:1521 to Destination IP: 10.x.x.4:38788 --> Error comes as no port open for firewall (38000 series)
    If the source IP is in the 50000 series then data transfers.
    This port generation from the SAP XI application is erratic, sometimes 30000, 40000, 50000 series, by seeing in the log??
    So I am not in a position to tell the firewall team this is my range of ports to be opened, so when the 50000 series comes it works, or else it says network adapter error in RWB.
    I heard we can do port binding to divert all requests from different ports through one port so that the firewall can allow the same??
    Is it possible, and if doing so is it good for handling bulk data transfers??
    My main aim is to give the range of ports that SAP XI application generates ?
    Any idea of my problem to be taken further.
    rgds
    srini

    Hi Guys,
    Anyone came across same kind of problem.
    Going to Top
    Rgds
    Srini

  • Problem using the adaptive firewall :  "Firewall management disabled"

    I am facing a problem that Google and man pages cannot solve: it seems that af is disabled; I don't know why and cannot enable it.
    In /var/log/system.log, I can see entries like this:
    Aug 19 08:07:14 arda emond[14295]: Host at 202.99.122.136 will be blocked for at least 15.00 minutes
    Aug 19 08:07:14 arda emond[21852]: DoRunAction (child): setting the uid/gid to 0/0
    But ipfw tells me otherwise:
    $ ipfw list
    00001 allow udp from any 626 to any dst-port 626
    01000 allow ip from any to any via lo0
    01010 deny log ip from any to 127.0.0.0/8
    01020 deny log ip from 224.0.0.0/4 to any in
    01030 deny log tcp from any to 224.0.0.0/4 in
    01040 allow udp from 192.168.0.0/16 to 192.168.0.0/16 dst-port 514 in
    01050 allow udp from 212.27.38.253 to 192.168.0.0/16 in
    01060 allow tcp from any to 192.168.0.0/16 dst-port 6881-6889 in
    12300 allow ip from any to any
    12301 allow tcp from 192.168.0.0/16 to any dst-port 25
    12301 allow udp from 192.168.0.0/16 to any dst-port 25
    65534 deny log ip from any to any
    65535 allow ip from any to any
    afctl refuses to run, giving an explicit message that I cannot find anywhere on the web:
    $ /usr/libexec/afctl -v 1 -a 202.99.122.136
    Tue Aug 19 08:09:53 arda.private afctl[22253] <Notice>: Firewall management disabled
    And of course, no new rules added in ipfw.
    Do you have any idea what is wrong? afctl is loaded during boot (I didn't change anything), but not working:
    $ launchctl list | grep afctl
    - 0 com.apple.afctl

    OK, thanks. Situation is getting better.
    Now af is enabled, and I can add IPs to the black and white lists. I also had to enable the rule set with the -e option (not sure it will stay after reboot; the man page is silent on this).
    The rules set 17 appears in ipfw list, but it seems there is still some problem for automatic blacklisting.
    I will continue to investigate the situation, but Apple provides very little documentation on this.

  • Mac OS X Server 10.5.8 firewall question

    Hello,
    I'm a network administrator in a company, and we use Mac OS X server 10.5.8, with Mac clients.
    I have a problem with the adaptive firewall: when someone wants to connect to the server (by using the Finder and "Connect As"), if the password is not correct, the adaptive firewall just cuts off the client's access entirely (it's a DHCP and DNS server, so there is no access anymore to the LAN and the web).
    I would like to know if there is a way to make the client blacklisted after 3 bad login attempts, not just one. I used the afctl command, but it's apparently not possible to manage this problem with that (just the time of blacklisting).
    Thanks a lot in advance.

    I don't have a solution for you. But I do remember reading about this one. Apparently what happens is that beneath the surface, the connection attempt is repeated on failure, using different authentication protocols. And so one user login attempt with a bad password leads to three attempts beneath the surface, and "the boot". But unfortunately I don't remember what the solution is, as I was researching a completely different issue when I read this.

  • Firewall Blocking Wiki for ONE User

    This is a very bizarre issue that I hope someone can help with. We're running 10.6.8 server to host our internal wiki. We had the firewall enabled on that machine without any issues. Last week one user wasn't able to get onto the wiki. In troubleshooting their workstation I found they couldn't access the wiki via Safari under any user account (including a fresh test account). They *could* access it through another browser (Chrome + FF). They could also access sharepoints on that server. I deleted some Safari system-wide prefs to no avail.
    For kicks, I disabled the firewall on the server and they could access the wiki via Safari. So, I assumed it was the adaptive firewall. I checked the AF blacklist file but her machine wasn't on it. In spite of that I whitelisted the user's machine, no change. I disabled the adaptive firewall altogether, no change. I enabled logging for denied packets and watched when her machine connected. Four ports were blocked, 4097,2052,17500,5353. I've temporarily created a FW rule to allow those ports, no change. I then tried keeping the firewall on but allowing all connections and she still couldn't access the wiki from Safari on her machine.
    I'm stumped. It seems like it should be the adaptive firewall but that makes no sense when there's nothing in the blacklist file and the AF is disabled. Any ideas would be greatly appreciated. I realize she can use Chrome or FF as a workaround for now but it should be a resolvable issue.

    Adam, the basic content filter on RV082 does not support the scenario your described. However the ProtectLink Web subscription does allow you to specify select IP addresses to be exempt from the url filter.

  • Stopping brute force ssh attacks on OS X Server 4?

    OK, well the new year has brought out a slew of fresh IPs (mostly from Hong Kong, and China) trying to login to my machine (running OS X Yosemite 10.10.1 Server 4.0.3).
    I have enabled the adaptive firewall (per http://help.apple.com/advancedserveradmin/mac/4.0/#/apd4288B31F-0C3D-4004-9480-4B7E0AFBB818) and yet the attacks continue unabated.  Multiple IPs from one class C address block, for instance—flipping between three different IPs—are hitting my machine once per second over the course of dozens of hours. Yet the firewall is doing nothing to block those IP(s). They either walk through and try a list of bogus accounts, or continually hammer the root account.
    I have configured just a few users access to ssh via the server application. But short of disabling sshd—which is not ideal—what are the strategies for combating these attacks?  Is the best route to use the /etc/hosts.allow and /etc/hosts.deny files to configure access for sshd?
    Thanks for any tips!  —michael

    Apparently the adaptive firewall isn't very robust (see above). I have seen it block certain attempts automatically, but it doesn't do so for brute force attempts.   And everything I've read about it says to ignore the message "No ALTQ support in kernel".  (There are several references here and here.)
    For more, see: OS X Server: How to enable the adaptive firewall - Apple Support
    I use this command when I want to stop an attack immediately from one IP:
    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 123.123.123.123
    afctl accepts CIDR notation, so this is useful to block an entire class C address from the 123.123.123.0 network:
    sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 123.123.123.0/24
    You can add more time to the block with the -t flag. To view the currently blocked hosts:
    sudo cat /var/db/af/blacklist

  • Blocking failed smtp relay requests

    Every day (around the same time, interestingly) I get a wave of log messages exactly like this:
    postfix/smtpd[45049]: warning: 186.60.162.91: hostname 186-60-162-91.speedy.com.ar verification failed: nodename nor servname provided, or not known
    It appears to me as if some pinhead is attempting to use my server as a spam relay and all the messages are being rejected. No harm is done, except that I get annoyed about this useless waste of my small and expensive business-class bandwidth (I'm in Australia).
    Is there any way to automatically add a rule to the firewall to reject the IP address after, say, 3 failed attempts in less than 10 seconds? Or something like that?
    I've been manually adding rules, now and then, but I'm sure this is useless as they change IP addresses every day. When the wave of attempts starts, I've noticed that they tend to come from the same few IP addresses and it seems senseless for the mail server to have to reject them if I could automatically add those IP addresses to the firewall, which would simply drop the request before they even get started.
    Any help would be gratefully appreciated.

    Good to hear the basics are covered. You'd be surprised how often they're overlooked.
    Looking up the actual error in your log, it looks to be a warning indicating that the PTR doesn't have a corresponding A record. Basically, a fairly minor DNS issue on the sending MTA. So, might not be actual relay attempts. Relays should be dropped or show failed login attempts otherwise. /var/log/mail.log I think is where you'll see any failures.
    What I was thinking of is the adaptive firewall. emond is meant to block IPs after 10 failed attempts, for 15 mins. I imagine it can be adapted, so to speak, to block the IPs for longer, or after fewer attempts. You could trawl through your logs to see if that's actually happening.
    The command line tool for the adaptive firewall is afctl. The rule that does the default blocking after 10 failed attempts is in a plist: /etc/emond.d/rules/AdaptiveFirewall.plist
    The postfix config can also be managed to block SMTP specific accesses, blacklisting or greylisting IPs. I'm trying to dig up details for how to do this in the way you'd like.
