Adaptive firewall

I'm wondering if anybody has any extra info re: the Adaptive Firewall built into Mac OS X Server.
- How can you reduce the number of hits it takes to make a rule? Is this even possible?
- What triggers a hit? Is there a scoreboard that would show what counts as a hit or not?
Here's an example of what I'm seeing in the secure.log:
Apr 12 14:54:26 obelix sshd[17953]: Invalid user postgres from 119.46.230.251
Apr 12 14:54:26 obelix sshd[17955]: Invalid user postgres from 119.46.230.251
Apr 12 14:54:26 obelix sshd[17956]: Invalid user postgres from 119.46.230.251
Apr 12 15:14:24 obelix sshd[19526]: Invalid user supportftp from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22924]: Invalid user web from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22927]: Invalid user web from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22925]: Invalid user web from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22926]: Invalid user web from 119.46.230.251
None of this triggered a rule...
Any ideas where to look next?
Miles

MrHoffman wrote:
ps: just noticed a pointer to [this adaptive firewall post|http://blog.lastinfirstout.net/2011/04/os-x-adaptive-firewall-automated.html], from Miles Muri over in [this thread|http://discussions.apple.com/thread.jspa?messageID=13374661]. FWIW. (I'd still get the gateway box.)
Yeah, that would be me.
I'm not so worried about the attacks getting in since I have the SSH service ACL restricted and the password policy is quite strong. I'm just a bit bothered that the adaptive firewall doesn't seem to be picking this stuff up. Supposedly it's set to blacklist at 10 attempts, but I haven't found any info on whether that's 10 per username or 10 per IP. I'm wondering if the ACL is killing the connection before it registers as a bad login attempt. As a bonus, the log file is empty so either the logging feature doesn't work, or AF isn't being triggered.
We mostly use the SSH service for SFTP but I suppose we could change the port if absolutely necessary.
There is a gateway in front of this server, but I don't control it (the server is at a colo facility).

Similar Messages

  • Controlling the Adaptive Firewall with `afctl`

    For those of you that don't know, afctl controls (is?) Leopard Server's Adaptive Firewall. It's a really cool program: you give it an IP address and a time-to-live in minutes, and that IP instantly gets firewalled for about that many minutes.
    Here is the man page for the program:
    http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/afctl.8.html
    And here is the man page for its config file:
    http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/af.plist.5.html
    At first it seems like the perfect program. But I'm having big problems with it, all regarding rule numbers.
    afctl's first firewall rule is number 1700. Its next rule is 1705. And so on and so on. Now my rules come from a script I have running on my server that automatically 'detects' abusers and blocks them. Rules last for 1 hour. So after the first hour of running, rule 1700 will expire, then 1705 and so on. New rules, which are constantly getting generated, are up to maybe, let's just say, 1840.
    So even though rules only last an hour, the rule numbers keep going up and up and up. This becomes a big problem because once the rules get to 12300, they overlap and then pass existing rules in ipfw. Once they surpass this, incoming packets are matched and accepted before they get to their block rule (generated by afctl). So every second or so, another and another and another firewall rule gets added to block that same IP. But the rules are so high they don't work. Multiply this by 30 or 40 IPs at a time and you can see how once my afctl rules get to 12300, total chaos ensues.
    If I totally disable my script for two hours and let all my afctl rules expire, then I can re-enable the script and it will start generating rules again at 1700. But this can be a problem; sometimes I'm getting more traffic than I can handle during those two hours. After about 250 requests per second, things start to get sketchy.
    I need a way to manage these rule numbers without having to turn off the script that makes these rules.
    One thing that confuses me is the 'default_set' setting in the af.plist file. I'm not sure what this means, but does this somehow let me put my afctl rules into their own 'group'? The default setting for 'default_set' in my plist file is 17. That means nothing to me though. Reading the ipfw man page, it refers to its whole configuration as its 'ruleset'. So I'm not sure what this setting is, or if it can help me.
    As it stands now, I have to 'reset' my rules (by way of disabling my script and letting all afctl created rules expire) about every other day. If I could have afctl rules increment by 1 instead of 5, that would give me about 10 days. Still a bandaid, but a better bandaid. If there was a way to make afctl choose the lowest available rule number greater than 1699, so that as rules expired their numbers would be recycled, that would also work. Although I'd feel better if my dynamic rules also had a greater range to live in than 1700-12300. But I'd have to be under one **** of an attack for that not to be enough.

    Well I found a solution, but it's not great. I run the following commands daily (nightly).
    sudo rm /var/db/af/blacklist;
    sudo ipfw delete set 17;
    sudo /usr/libexec/afctl;
    This deletes any memory afctl has of its rules. Then it manually deletes all the rules it's made. Then it recreates its database file.
    This will make your rules start over every night so you won't get 'rule number overflow' headaches.
    OF COURSE the whole point of afctl is auto-expiring firewall rules. So if you're going to do this, I might as well have my server firewall addresses directly in ipfw instead of bothering with afctl. I'm going to leave it using afctl now only because it's already set up and running. At least I can be away from my server now without having a rule number overflow, which for several different reasons brings my server to its knees.
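Added example, not afctl's own code or anything from this post: a Python check over a constructed `ipfw list` listing that finds per-address block rules numbered above the first catch-all allow rule (12300 in the poster's ruleset, so they can never match) and reports how many more 5-step rules fit before that overflow starts. The `deny ip from <addr> to any` rule shape and the sample addresses are assumptions.

```python
# Added example, not code from the thread or from afctl: parse `ipfw list`
# output and flag block rules that sit above the catch-all allow rule, which is
# the "rule number overflow" described above (rules past 12300 never match).
import re

# Constructed sample modelled on the ipfw listing posted later in this thread:
# two afctl-style blocks at 01700/01705 and one that has overflowed to 12305.
SAMPLE_IPFW = """\
00001 allow udp from any 626 to any dst-port 626
01000 allow ip from any to any via lo0
01010 deny log ip from any to 127.0.0.0/8
01700 deny ip from 203.0.113.7 to any
01705 deny ip from 198.51.100.9 to any
12300 allow ip from any to any
12301 allow tcp from 192.168.0.0/16 to any dst-port 25
12305 deny ip from 192.0.2.44 to any
65534 deny log ip from any to any
65535 allow ip from any to any
"""

RULE_RE = re.compile(r'^(?P<num>\d{5}) (?P<body>.+)$')
# Shape of the per-address blocks in the sample (assumed; afctl's exact rule
# text is not documented in the thread): "deny ip from <addr> to any".
BLOCK_RE = re.compile(r'^deny ip from (?P<ip>[\d.]+) to any$')
CATCHALL = 'allow ip from any to any'


def parse_ipfw(text):
    """Return [(rule_number, rule_body), ...] in listing order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m['num']), m['body']))
    return rules


def first_catchall(rules):
    """Number of the first unconditional allow. ipfw stops at the first match,
    so any rule numbered above it is never evaluated for ordinary traffic."""
    return min((n for n, body in rules if body == CATCHALL), default=65535)


def shadowed_blocks(rules):
    """Per-address block rules numbered above the catch-all allow: they are in
    the ruleset but cannot block anything."""
    limit = first_catchall(rules)
    shadowed = []
    for n, body in rules:
        m = BLOCK_RE.match(body)
        if m and n > limit:
            shadowed.append((n, m['ip']))
    return shadowed


def headroom(rules, step=5):
    """How many more block rules can be added at the given number step before
    the numbering crosses the catch-all; 0 once overflow has already begun,
    None if there are no block rules yet."""
    limit = first_catchall(rules)
    highest = max((n for n, body in rules if BLOCK_RE.match(body)), default=None)
    if highest is None:
        return None
    return max(0, (limit - highest - 1) // step)


if __name__ == '__main__':
    rules = parse_ipfw(SAMPLE_IPFW)
    print('catch-all allow at rule', first_catchall(rules))
    for n, ip in shadowed_blocks(rules):
        print(f'rule {n:05d} blocking {ip} is shadowed and ineffective')
    print('block rules of headroom left:', headroom(rules))
```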

  • Excessive 'SecurityServer' log entries for ServerEventAgent after Adaptive Firewall

    Hello all,
    I'm running an OS X Server running 10.8.2. After enabling the Adaptive Firewall last night ( http://support.apple.com/kb/HT5519, http://support.apple.com/kb/TS4418 ), I started noticing a massive number of logs in /var/log/system.log that look like this:
    Jan 11 17:44:59 <hostname> com.apple.SecurityServer[21]: Succeeded authorizing right 'system.privilege.admin'
    by client '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] for authorization
    created by '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] (2,0)
    Jan 11 17:44:59 <hostname> com.apple.SecurityServer[21]: Succeeded authorizing right 'system.privilege.admin'
    by client '/Library/PrivilegedHelperTools/com.apple.serverd' [71] for authorization created by
    '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] (100000,0)
    Does anyone have thoughts on this? They generally come in pairs like above. I've seen other SecurityServer logs while managing the server, but the number of them (and ServerEventAgent string) have really jumped up after trying to enable the Adaptive Firewall. I'm not even sure the firewall is working at this point, as running hb_summary tells me there have been 0 blocks in the last 24 hours. Yesterday, before trying to enable the AF, the server was trying to block login bots every few minutes, so I'm not sure everything is hooked-up correctly.
    It should be noted that I had some trouble with the second KB article linked above because I had previously tried using IceFloor to manage the new pf firewall. Apparently IceFloor removes some lines from /etc/pf.anchors/com.apple and doesn't put them back when you uninstall the program. I re-added the two missing lines at the end (with Apple's edits):
    anchor "400.AdaptiveFirewall/*"
    load anchor "400.AdaptiveFirewall" from "/Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall"
    Any help would be greatly appreciated!

    Ahhhhhhh...that's gotta be it!
    Um, I mean no, I did not have relations with that application.
    Thanks!

  • Adaptive-Firewall (af) blacklist or blockedHosts? Packet-Filter (pf)

    I have just upgraded my Mac mini Server from the latest version of OS X 10.8.5 and OS X Server 2.2.1 to OS X 10.9.3 and OS X Server 3.1.2 by turning off all server services (except Open Directory), upgrading to OS X 10.9.3 and touching up System Preferences, rebooting, upgrading to OS X Server 3.1.2 and running the Server app to upgrade the server's directories, files and services, and now proceeding carefully by comparing notes from my previous configuration and turning on required server services one by one.
    Now the Adaptive Firewall (af) and Packet Filter (pf) have perplexed me since OS X 10.8...
    I have configured how to enable af on system boot-up based on information from Apple support documents. I understand that Event Monitor (emon) monitors the incoming IP connections (among its other functions) and if it detects abnormal behaviour from a particular IP connection, emon uses af to add the offending IP address to af's blacklist file.
    My first question is: does af itself block the IP connection, or does it use pf instead to do the job?
    If af uses the latter, my second question is: does af use some internal socket/pipes to communicate with pf, or does pf use some file from af?
    Now if pf uses some file from af, it can't be the blacklist file, as the pf anchor uses the table from the /var/db/af/blockedHosts file, and it seems that the blockedHosts file is perpetually empty and no app or process seems to touch the file since it was created.
    The gist of my question is that the af and/or pf on my system seem not to be doing their job even though emon is detecting abnormal IP connections based on the log messages it's been producing after following Apple support documents to enable Adaptive Firewall on my system.

    "The gist of my question is that the af and/or pf on my system seem not to be doing their job even though emon is detecting abnormal IP connections based on the log messages its been producing after following Apple support documents to enable Adaptive Firewall on my system."
    And when and which service use the /var/db/af/blockedHosts file?

  • Adaptive Firewall & afctl

    Is the adaptive firewall working in 10.6 Server? I can't get it to auto block an IP after numerous failed attempts like 10.5 Server does.

    I highly recommend adding:
    export PATH=$PATH:/Applications/Server.app/Contents/ServerRoot/usr/libexec
    to ~/.bash_profile
    That way, afctl can be easily summoned:
    $ which afctl
    /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl
    Rusty

  • Adaptive firewall experiences - and a kludge to work around it

    I had a vexing issue with Leopard Server and clients with incorrect passwords. We'd, seemingly, get blocked by the server for all traffic after one password attempt. What is likely happening is the client is trying several different attempts (more on that in a sec) and hitting the 10 password failure limit in the Adaptive Firewall code. This block would throw the client into the penalty box for 15 minutes.
    Sources of password failures would be things like a Windows user with a Thunderbird client and the wrong SSL setting. Or an AFP client with a password stored in Keychain. Even Apple Mail or iCal with a stored password were enough to cause a lockout.
    I did call tech support but figured out things on my own. It seems that there's a firewall rule being automatically inserted on such an 'attack' to the server. They're numbered 01700 and above. The "ipfw delete ####" command (as root) will delete the offending firewall rule and allow things to return to normal.
    So for now - I have a root window running this script:
    #!/bin/sh
    # Poll every 5 seconds and delete any ipfw rule whose number starts with 017,
    # the range the Adaptive Firewall uses for the blocks it inserts automatically.
    while "true"
    do
    sleep 5
    # First pass only prints the delete commands so they are visible in the root window...
    ipfw list|grep '^017'|awk '{ print "ipfw delete " $1 }'
    # ...second pass pipes the same commands into sh to actually run them.
    ipfw list|grep '^017'|awk '{ print "ipfw delete " $1 }'|sh
    done
    which will delete any firewall rules with numbers starting with 017. Perhaps this will increase past 01799 - I'll examine if the problem continues to vex us. I suppose I could run this as a cron job but a 1 minute delay is not as friendly as 5 seconds.
    With this bandaid out there - anyone know a better solution? I do see mention of the "optional adaptive firewall" but it looks like the optional part has gone away. Personally don't need quite that level of paranoia here.

    The adaptive firewall kicks in differently for different classes of services. For ftp & ssh it looks at log scrapings from /var/log/secure.log and counts each auth failed message as a "strike". For other services, such as AFP & mail, it gets info from the password server, again each failure there counts as one "strike". Unfortunately ssh and ftp tend to spit out several log messages when they get an auth failure, this makes the adaptive firewall system hypersensitive to those services.
    The earlier Leopard releases had another problem where things were blocked on the second strike. I believe that has been fixed by now (10.5.3).
    As has been mentioned above there is a way to tune the sensitivity (number of strikes) and the duration of the blocking in the rules file (only if the second strike problem is fixed obviously).
    - Leland
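Added example, not code from this thread or from Apple's Adaptive Firewall: a Python strike counter over constructed secure.log lines in the format Miles posted in the opening question. It counts hits per raw log line, per sshd session and per username, which is exactly the difference Leland's point about several log messages per failure and Miles' per-IP versus per-username question hinge on; the threshold of 10 is the figure quoted in the thread, and the second source 203.0.113.7 with its "Failed password" lines is made up.

```python
# Added example, not code from the thread or from Apple: count sshd failures per
# source address under three candidate definitions of a "hit", to show why the
# quoted "10 attempts" threshold is ambiguous (per line, per session, per user).
import re
from collections import Counter

# Constructed sample: the lines Miles posted for 119.46.230.251, plus a made-up
# second source (203.0.113.7) whose six sessions each log two failure lines.
SAMPLE_LOG = """\
Apr 12 14:54:26 obelix sshd[17953]: Invalid user postgres from 119.46.230.251
Apr 12 14:54:26 obelix sshd[17955]: Invalid user postgres from 119.46.230.251
Apr 12 14:54:26 obelix sshd[17956]: Invalid user postgres from 119.46.230.251
Apr 12 15:14:24 obelix sshd[19526]: Invalid user supportftp from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22924]: Invalid user web from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22927]: Invalid user web from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22925]: Invalid user web from 119.46.230.251
Apr 12 15:52:12 obelix sshd[22926]: Invalid user web from 119.46.230.251
Apr 12 16:03:01 obelix sshd[23001]: Invalid user admin from 203.0.113.7
Apr 12 16:03:01 obelix sshd[23001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 12 16:03:04 obelix sshd[23004]: Invalid user admin from 203.0.113.7
Apr 12 16:03:04 obelix sshd[23004]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Apr 12 16:03:07 obelix sshd[23007]: Invalid user admin from 203.0.113.7
Apr 12 16:03:07 obelix sshd[23007]: Failed password for invalid user admin from 203.0.113.7 port 51246 ssh2
Apr 12 16:03:10 obelix sshd[23010]: Invalid user admin from 203.0.113.7
Apr 12 16:03:10 obelix sshd[23010]: Failed password for invalid user admin from 203.0.113.7 port 51252 ssh2
Apr 12 16:03:13 obelix sshd[23013]: Invalid user admin from 203.0.113.7
Apr 12 16:03:13 obelix sshd[23013]: Failed password for invalid user admin from 203.0.113.7 port 51258 ssh2
Apr 12 16:03:16 obelix sshd[23016]: Invalid user admin from 203.0.113.7
Apr 12 16:03:16 obelix sshd[23016]: Failed password for invalid user admin from 203.0.113.7 port 51264 ssh2
Apr 12 16:04:00 obelix sshd[23020]: Accepted publickey for miles from 192.168.1.20 port 50000 ssh2
"""

# syslog-style prefix written by sshd: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r'^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
# The two failure messages sshd emits for a password guess against an unknown user.
FAIL_PATTERNS = (
    re.compile(r'^Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)'),
    re.compile(r'^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)'),
)


def parse_failures(text):
    """Return one (ip, user, pid) tuple per sshd failure line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for pat in FAIL_PATTERNS:
            f = pat.match(m['msg'])
            if f:
                events.append((f['ip'], f['user'], int(m['pid'])))
                break
    return events


def strike_counts(events):
    """Count hits three ways: raw log lines per IP, distinct sshd sessions (pid)
    per IP, and lines per (IP, username)."""
    per_line = Counter(ip for ip, _, _ in events)
    per_session = Counter(ip for ip, _ in {(ip, pid) for ip, _, pid in events})
    per_user = Counter((ip, user) for ip, user, _ in events)
    return {'per_line': per_line, 'per_session': per_session, 'per_user': per_user}


def would_block(counts, threshold=10):
    """Source addresses that reach the threshold under each definition of a hit.
    The threshold of 10 is the figure quoted in the thread, not a verified default."""
    return {
        'per_line': {ip for ip, n in counts['per_line'].items() if n >= threshold},
        'per_session': {ip for ip, n in counts['per_session'].items() if n >= threshold},
        'per_user': {ip for (ip, _), n in counts['per_user'].items() if n >= threshold},
    }


if __name__ == '__main__':
    counts = strike_counts(parse_failures(SAMPLE_LOG))
    for name, blocked in would_block(counts).items():
        print(f"{name:12s} would blacklist: {sorted(blocked) or 'nobody'}")
```

With these inputs the same 10-hit threshold blacklists 203.0.113.7 when every log line counts, nobody when sessions count, and leaves Miles' 119.46.230.251 untouched under all three definitions.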

  • Afctl (Adaptive Firewall) error in 10.8.2

    I have enabled the Adaptive Firewall in OS X Server (2.2) under Mountain Lion 10.8.2 as per Apple's instructions:
    http://support.apple.com/kb/HT5519
    However, I get back an error every time I try to enable it:
    # afctl -f
    No ALTQ support in kernel
    ALTQ related functions disabled
    pf enabled
    Token : 18446743524496027528
    No ALTQ support in kernel
    ALTQ related functions disabled
    Jan 22 17:41:50 server.domainredacted.com afctl[17998] <Notice>: Cannot update the Event Monitor config
    When I try to alter a setting:
    sh-3.2# afctl -T 10
    Jan 22 17:42:09 server.domainredacted.com afctl[18005] <Notice>: Cannot update the Event Monitor config
    Or when I try to disable it:
    sh-3.2# afctl -X
    Jan 22 17:45:29 server.domainredacted.com afctl[18021] <Notice>: Cannot update the Event Monitor config
    I thought perhaps that afctl was having trouble writing to AdaptiveFirewall.plist in /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules
    sh-3.2# ls -l /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules
    total 0
    -rw-r--r--  1 root  wheel   3344 Jan 22 00:11 AdaptiveFirewall.plist
    But even adding world write permissions to this file didn't help.
    I also wondered if perhaps afctl was looking for AdaptiveFirewall.plist in the wrong place:
    sh-3.2# ls -l /etc/emond.d/rules/
    total 0
    -rw-r--r--  1 root  wheel   822 Jan 21 20:01 SampleRules.plist
    -rw-r--r--  1 root  wheel  8964 Jan 21 20:01 Xsan.plist
    But copying AdaptiveFirewall.plist here (or symbolic linking the file in this dir) didn't do the trick either.
    Anyone have any idea why afctl keeps complaining that it "Cannot update the Event Monitor config" in OS X Server 2.2 / Mountain Lion 10.8.2?
    Rusty

    An additional (and confusing) update. The adaptive firewall may actually be doing something on my machine after all, but it's definitely not consistent. While digging through my logs again today, I noticed the events that I've pasted below. Apologies for the wall of text, but I've included the entire transcript of the attack for completeness.
    2/6/13 10:48:44.161 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:48:44.161 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:48:51.331 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:48:51.331 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:48:55.243 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:48:55.243 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:03.151 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:03.151 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:07.112 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:07.112 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:10.989 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:10.989 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:21.890 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:21.890 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:25.801 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:25.801 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:29.699 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:29.699 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:29.700 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:29.870 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:29.948 PM afctl[25763]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:29.954 PM emond[117]: 381912569.864889 Host at <IP-ADDRESS> was blocked for 15
    2/6/13 10:49:29.954 PM emond[117]: 381912569.864889 Host at <IP-ADDRESS> was blocked for 15
    2/6/13 10:49:29.954 PM emond[117]: 381912569.864889 Host at <IP-ADDRESS> was blocked for 15
    2/6/13 10:49:33.591 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:33.591 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:33.592 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:33.669 PM afctl[25764]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:33.675 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:33.754 PM afctl[25765]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:33.759 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:33.836 PM afctl[25766]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:37.477 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:37.477 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:37.478 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:37.552 PM afctl[25768]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:37.558 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:37.633 PM afctl[25769]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:37.638 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:37.720 PM afctl[25770]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:41.433 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
    2/6/13 10:49:41.433 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
    2/6/13 10:49:41.434 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:41.511 PM afctl[25771]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:41.516 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:41.597 PM afctl[25772]: Address already in the blacklist, not added (timeout has been updated)
    2/6/13 10:49:41.602 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
    2/6/13 10:49:41.678 PM afctl[25773]: Address already in the blacklist, not added (timeout has been updated)
    Note that I've made no changes to this server since my last post, but afctl does indeed appear to be working in those logs; there are no more login attempts from that IP after this excerpt. Additionally, I thought this might be a good sign for progress on getting Apple's KB Article (http://support.apple.com/kb/HT5519) to work, but I still receive the <Notice>: Cannot update the Event Monitor config error.
    Also, what's up with the auth errors logging after the IP's already been blocked? And there's a 4-second window preceding them each time.
    Curiouser and curiouser.

  • Unable to enable the adaptive firewall: No ALTQ support in kernel ALTQ related functions disabled

    No ALTQ support in kernel ALTQ related functions disabled
    OS X Server: How to enable the adaptive firewall - Apple Support
    Recently ran the latest OS X Yosemite Server Updates: OS X v10.10.3 and Server v4.1.  Tried to enable the "adaptive firewall" by following the steps in Apple's article (see above) and encountered the error after the second line of commands
    Charlie$ sudo pfctl -f /etc/pf.conf
    pfctl: Use of -f option, could result in flushing of rules
    present in the main ruleset added by the system at startup.
    See /etc/pf.conf for further details.
    No ALTQ support in kernel
    ALTQ related functions disabled
    server:~ Charlie$

    I'm not sure that is an error, it is a warning.
    The Mac kernel is not compiled with support for ALTQ so you can't use those features.
    Carry on & test your firewall is working as you expect.

  • HT200259 Configuring adaptive firewall for VNC and RDP connections

    Hello, I'm using Yosemite with OSX Server.  Is there a way of configuring adaptive firewall for VNC and RDP connections?

    Apple has never documented what the adaptive firewall really does, as far as I know. It seems that the built-in network services send it some kind of notification whenever there is a connection attempt. The Screen Sharing service is one of those, so it should be protected. There is no built-in RDP service, so if you somehow added one, it would not be protected.

  • XI Adapter : Firewall Problem !

    Hi Guys !
    Here we face a problem transferring data to Oracle using the JDBC Adapter (Sender / Receiver).
    There is a firewall between our XI System and Oracle System. We have opened the 1521 -- 1529 series / 50 000 - 59 999 series in the firewall for communication.
    But when data is transferred from ECC to Oracle, the following happens as below:
    1) Source IP: 10.x.x.4 : 38788 to Destination IP: 10.x.x.56:1521 ---> Connection seems to be OK (I can see it in the Listener.log file)
    But when reverse communication happens:
    2) Source IP: 10.x.x.56:1521 to Destination IP: 10.x.x.4 : 38788 --> Error comes as no port open for firewall (38000 series)
    If the source IP is in the 50000 series then data transfers.
    This port generation from the SAP XI application is erratic, sometimes 30000, 40000, 50000 series, as seen in the log ??
    So I am not in a position to tell the firewall team this is my range of ports to be opened, so when the 50000 series comes it works, or else it says network adapter error in RWB.
    I heard we can do port binding to divert all requests from different ports through one port so that the firewall can allow the same ??
    Is it possible, and if doing so, is it good for handling bulk data transfers ??
    My main aim is to give the range of ports that the SAP XI application generates ?
    Any idea of my problem to be taken further.
    rgds
    srini

    Hi Guys,
    Has anyone come across the same kind of problem?
    Going to Top
    Rgds
    Srini

  • Problem using the adaptive firewall :  "Firewall management disabled"

    I am facing a problem that Google and man pages cannot solve: it seems that af is disabled; I don't know why and cannot enable it.
    In /var/log/system.log, I can see entries like this:
    Aug 19 08:07:14 arda emond[14295]: Host at 202.99.122.136 will be blocked for at least 15.00 minutes
    Aug 19 08:07:14 arda emond[21852]: DoRunAction (child): setting the uid/gid to 0/0
    But ipfw tells me otherwise:
    $ ipfw list
    00001 allow udp from any 626 to any dst-port 626
    01000 allow ip from any to any via lo0
    01010 deny log ip from any to 127.0.0.0/8
    01020 deny log ip from 224.0.0.0/4 to any in
    01030 deny log tcp from any to 224.0.0.0/4 in
    01040 allow udp from 192.168.0.0/16 to 192.168.0.0/16 dst-port 514 in
    01050 allow udp from 212.27.38.253 to 192.168.0.0/16 in
    01060 allow tcp from any to 192.168.0.0/16 dst-port 6881-6889 in
    12300 allow ip from any to any
    12301 allow tcp from 192.168.0.0/16 to any dst-port 25
    12301 allow udp from 192.168.0.0/16 to any dst-port 25
    65534 deny log ip from any to any
    65535 allow ip from any to any
    afctl refuses to run, giving an explicit message that I cannot find anywhere on the web:
    $ /usr/libexec/afctl -v 1 -a 202.99.122.136
    Tue Aug 19 08:09:53 arda.private afctl[22253] <Notice>: Firewall management disabled
    And of course, no new rules added in ipfw.
    Do you have any idea what is wrong? afctl is loaded during boot (I didn't change anything), but is not working:
    $ launchctl list | grep afctl
    - 0 com.apple.afctl

    OK, thanks. Situation is getting better.
    Now af is enabled, and I can add IPs to the black and white lists. I also had to enable the rule set with the -e option (not sure it will stay after reboot; the man page is silent on this).
    The rules set 17 appears in ipfw list, but it seems there is still some problem for automatic blacklisting.
    I will continue to investigate the situation, but Apple provides very little documentation on this.

  • Mac OS X Server 10.5.8 firewall question

    Hello,
    I'm a network administrator in a company, and we use Mac OS X server 10.5.8, with Mac clients.
    I have a problem with the adaptive firewall: when someone wants to connect to the server (by using the Finder and "Connect As"), if the password is not correct, the adaptive firewall just cuts off all access for the client (it's a DHCP and DNS server, so there is no access anymore to the LAN and the web).
    I would like to know if there is a way to make the client blacklisted after 3 bad login attempts, not just one. I used the afctl command, but it's apparently not possible to manage this problem with that (just the time of blacklisting).
    Thanks a lot in advance.

    I don't have a solution for you. But I do remember reading about this one. Apparently what happens is that beneath the surface, the connection attempt is repeated on failure, using different authentication protocols. And so one user login attempt with a bad password leads to three attempts beneath the surface, and "the boot". But unfortunately I don't remember what the solution is, as I was researching a completely different issue when I read this.

  • Firewall Blocking Wiki for ONE User

    This is a very bizarre issue that I hope someone can help with. We're running 10.6.8 server to host our internal wiki. We had the firewall enabled on that machine without any issues. Last week one user wasn't able to get onto the wiki. In troubleshooting their workstation I found they couldn't access the wiki via Safari under any user account (including a fresh test account). They *could* access it through another browser (Chrome + FF). They could also access sharepoints on that server. I deleted some Safari system-wide prefs to no avail.
    For kicks, I disabled the firewall on the server and they could access the wiki via Safari. So, I assumed it was the adaptive firewall. I checked the AF blacklist file but her machine wasn't on it. In spite of that I whitelisted the user's machine, no change. I disabled the adaptive firewall altogether, no change. I enabled logging for denied packets and watched when her machine connected. Four ports were blocked, 4097,2052,17500,5353. I've temporarily created a FW rule to allow those ports, no change. I then tried keeping the firewall on but allowing all connections and she still couldn't access the wiki from Safari on her machine.
    I'm stumped. It seems like it should be the adaptive firewall but that makes no sense when there's nothing in the blacklist file and the AF is disabled. Any ideas would be greatly appreciated. I realize she can use Chrome or FF as a workaround for now but it should be a resolvable issue.

    Adam, the basic content filter on RV082 does not support the scenario your described. However the ProtectLink Web subscription does allow you to specify select IP addresses to be exempt from the url filter.

  • Irregular failure to authenticate OpenDirectory users via password-based ssh

    TL;DR - my Yosemite Open Directory server irregularly fails to properly authenticate users (via password-based ssh). 
    I recently moved an Open Directory server from an Xserve running 10.6 to a new Mini running 10.10. I archived the OD config on the Xserve and then took it offline. Then I brought the Mini online using the same hostname/IP address and created a new OD master using the archived configuration. Everything seemed to work well, however sometimes the server will not authenticate users via password when logging in with ssh/sftp/scp. This is also true of a few OS X machines that bind to the OD server (i.e. they usually authenticate users properly, but sometimes fail for no discernible reason).
    The failures are only for password authentication using ssh.  Other mechanisms do not exhibit the auth failures.  For instance, AFP and SMB user auth never fails (with proper credentials).  Nor do users to a FileMaker Server machine that authenticate via the OD server have problems.  Public key based ssh authentication never fails.  Local accounts (non-OD, aka "Local Network Accounts") also do not fail using password-based authentication.
    The failures are irregular.  The only pattern that I can find at all is that sometimes when the failures start happening, they keep happening continuously until...at some point they work properly again.  That is, they may fail from 11:15 am to 2:01 pm, and if so, then all of them fail in that time range.  Sometimes that time range lasts seconds, sometimes it lasts hours.
    The time range failure pattern is host specific.  For instance, if password authentication is failing on the main OD server, authentication may be fine on the other bound machines.  If authentication is failing on one of the bound machines, then it may be fine on all others and fine on the OD server itself.
    The failure pattern does not seem to correlate to any other events or activity on the server (even remotely). CPU utilization never gets above about 15%. Memory utilization is similarly very low. Network traffic is occasionally high, but it does not seem in any way related to the auth failures. There are no other log messages that occur before or after the failures with any consistency.
    I've been monitoring the auth failures by attempting to login to the OD server and two other bound hosts once per minute so that I can tell when the auth is failing (before getting calls from the users). 
    The adaptive firewall is not running on the OD server.  Nor is any other firewall.
    Below is a comparison of the system.log entries for a failed and a successful auth (I've stripped out those lines that are identical in both instances).  The log entries have been sanitized as described.
    Rebooting the OD server does not affect the bound clients' authentication.  Rebooting the OD server is problematic, and I cannot do it often.  When I do, sometimes failures start soon after reboot, and sometimes they don't come back for many hours - again, no discernible pattern.
    If anyone has any ideas what I can do to discover the source of this problem and come up with a solution, I'd very much appreciate it.  Note that I'm aware that I can export all users and groups and reconstruct a new, clean OD master, but without the ability to save the passwords, this becomes a large logistical problem, and I'm saving it as a last resort (particularly since if it doesn't solve my problem, I will have inconvenienced many users and be right back in the same place).
    Thanks for reading.
    First failure:
        Feb 11 00:00:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:65373 for host/[email protected] [canonicalize, forwardable]
        Feb 11 00:00:20 odserver.myorg.gov opendirectoryd[67268]: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm ODSERVER.MYORG.GOV, tried 2 KDCs (negative cache))
        Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: error: PAM: authentication error for myusername from clienthost.myorg.gov via 10.50.50.50
        Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: Connection closed by 10.50.50.99 [preauth]
    Now successful auth:
        Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:63978 for host/[email protected] [canonicalize, forwardable]
        Feb 11 01:03:20 odserver.myorg.gov kdc[67]: TGS-REQ [email protected] from 127.0.0.1:62346 for ldap/[email protected] [canonicalize, forwardable]
        Feb 11 01:03:20 odserver.myorg.gov sshd[73786]: Accepted keyboard-interactive/pam for myusername from 10.50.50.99 port 53361 ssh2
        Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: GetStatus: connecting to self not allowed
        Feb 11 01:03:20 odserver.myorg.gov NetAuthSysAgent[73789]: ERROR: AFP_GetServerInfo - connect failed 62
    I've sanitized the entries as follows, replacing...
    My username by myusername
    The ssh source host IP address by 10.50.50.99
    The ssh source hostname by clienthost.myorg.gov
    The server hostname by odserver.myorg.gov
    The server hostname (in caps) by ODSERVER.MYORG.GOV
    The server IP address by 10.50.50.50
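    Added example, not from the original post: a small parser that runs over system.log excerpts in the sanitized format quoted above and labels each sshd password outcome with whether opendirectoryd logged the "unable to reach any KDC" error just before it, which is the distinguishing line between the failed and successful excerpts. The sample lines are constructed to match the post's placeholders, and the 5-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the post's sanitized system.log excerpts.
SAMPLE_LOG = """\
Feb 11 00:00:20 odserver.myorg.gov opendirectoryd[67268]: GSSAPI Error:  Miscellaneous failure (see text (unable to reach any KDC in realm ODSERVER.MYORG.GOV, tried 2 KDCs (negative cache))
Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: error: PAM: authentication error for myusername from clienthost.myorg.gov via 10.50.50.50
Feb 11 00:00:20 odserver.myorg.gov sshd[72974]: Connection closed by 10.50.50.99 [preauth]
Feb 11 01:03:20 odserver.myorg.gov sshd[73786]: Accepted keyboard-interactive/pam for myusername from 10.50.50.99 port 53361 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[]+)\[(\d+)\]: (.*)$")
KDC_DOWN = "unable to reach any KDC"
FAIL_RE = re.compile(r"PAM: authentication error for (\S+) from (\S+)")
OK_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog carries no year; strptime defaults to 1900, which is fine for deltas
    return {"ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
            "host": m.group(2), "proc": m.group(3), "pid": int(m.group(4)),
            "msg": m.group(5)}


def classify_ssh_auth(log_text, window_s=5):
    """Return one event per sshd password outcome, flagged with whether an
    opendirectoryd KDC-unreachable error was logged within window_s seconds before it."""
    events, last_kdc = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["proc"] == "opendirectoryd" and KDC_DOWN in rec["msg"]:
            last_kdc = rec["ts"]          # remember the most recent KDC failure
            continue
        if rec["proc"] != "sshd":
            continue
        m, outcome = FAIL_RE.search(rec["msg"]), "fail"
        if not m:
            m, outcome = OK_RE.search(rec["msg"]), "ok"
        if not m:
            continue                      # e.g. "Connection closed by ..." lines
        recent = last_kdc is not None and 0 <= (rec["ts"] - last_kdc).total_seconds() <= window_s
        events.append({"ts": rec["ts"], "user": m.group(1), "src": m.group(2),
                       "outcome": outcome, "kdc_unreachable": recent})
    return events
```

    Run against the once-per-minute probe logins described above, the events list shows whether every failure in a window carried the KDC-unreachable error or whether some failures have a different cause.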

    Hello James,
    I have not had a chance to look for the Router configuration document, however, for one of my certificate exams I did configure Authentication Proxy on an IOS router. The config for that lab was:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization auth-proxy default group tacacs+ local
    aaa session-id common
    ip auth-proxy name AUTHPROXY http inactivity-time 60
    interface FastEthernet0/0
     ip address 192.168.250.19 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    interface FastEthernet0/1
     ip address 192.168.200.120 255.255.255.0
     ip access-group 110 in
     ip nat inside
     ip virtual-reassembly
     ip auth-proxy AUTHPROXY
     duplex auto
     speed auto
    ip route 0.0.0.0 0.0.0.0 192.168.250.1
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip nat inside source list nat interface FastEthernet0/0 overload
    ip access-list extended nat
     permit ip 192.168.200.0 0.0.0.255 any
    access-list 110 permit ip any any
    tacacs-server host 192.168.250.20
    tacacs-server key cisco123
    end
    Please check if the commands are supported on your router as well.
    If this was helpful please rate.
    Regards.

  • Anyone able to share photos to AppleTV from Lion Server?

    I cannot get my AppleTV to see my photos in iPhoto (using iTunes photo sharing capabilities) running on Lion Server.  Called Apple - no solution.  Tried various reinstalls, configs, permission and access changes - no go.

    Yes confirmed AppleTV2 displays photos from Aperture/iPhoto library on iMac.
    Could use slideshow thereof, & it is also uploading recent photos from iPhone and displaying on AppleTV2 with Photostream via Homesharing & iCloud.
    As you can view your music from iTunes on your AppleTV -
    = Homesharing is enabled and working (for music)
    = It is not a network problem
    (Assume you know most/some of this already therefore ignore parts obvious only included for completeness)
    On the AppleTV when you click "Computer" does it show Photos listed (as well as Music, Movies, TV Shows, Podcasts, iTunes U)?  When I click this it displays my photos as above.
    There are very few settings :-
    Open Aperture (on menu bar) Aperture / Preferences / Photostream = check all 3 boxes (enable, auto import, auto upload)
    On AppleTV2 - Settings / Computers = Homesharing enabled (shows Turn off Homesharing button & dialogue confirming same)
    Open System Preferences (under Applelogo menu bar) :
    Check iCloud button / settings enabled for Photostream with tick in checkbox and shows available storage
    Check the adaptive firewall - is it on ->
    System Preferences / Security & Privacy button / Firewall
    If so check advanced settings Add (+ button) -> iPhoto and make sure you change setting to "Allow incoming connections".
    Check other port firewall in Server Admin is not blocking also if enabled try turning off & retest AppleTV2.
    Perhaps list what you see on Apple TV if still not working when go to photos section and confirm above.
