XI Adapter : Firewall Problem !

Similar Messages

• Controlling the Adaptive Firewall with `afctl`

  For those of you that don't know, afctl controls (is?) Leopard Server's Adaptive Firewall. Its a really cool program, you give it an IP address, and a time-to-live in minutes, and that ip instantly gets firewalled for about that many minutes.
  Here is the man page for the program:
  http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/afctl.8. html
  And here is the man page for it's config file:
  http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/af.plist .5.html
  At first it seems like the perfect program. But I'm having big problems with it, all regarding rule numbers.
  afctl's first firewall rule is number 1700. Its next rule is 1705. And so on and so on. Now my rules come from a script I have running on my server, that automatically 'detects' abusers and blocks them. Rules last for 1 hour. So after the first hour of running, rule 1700 will expire, then 1705 and so on. New rules that are constantly getting generated, are up to maybe lets just say 1840.
  So even though rules only last an hour, the rule numbers keep going up and up and up. This becomes a big problem because once the rules get to 12300, the overlap and then pass existing rules in ipfw. Once they surpass this, incoming packets are matched and accepted before they get to their block rule (generated by afctl). So every second or so, another and another and another firewall rule gets added to block that same IP. But the rules are so high they don't work. Multiply this by 30 or 40 IPs at a time and you can see how once my afctl rules get to 12300, total chaos ensues.
  If I totally disable my script for two hours, and let all my afctl rules expire. Then I can re-enable the script and it will start generating rules again at 1700. But this can be a problem, some times I'm getting more traffic than I can handle during those two hours. After about 250 requests per second, things start to get sketchy.
  I need a way to manage these rule numbers without having to turn off the script that makes these rules.
  One thing that confuses me is the 'default_set' setting in the af.plist file. I'm not sure what this means, but does this somehow let me put my afctl rules into their own 'group'? The default setting for 'default_set' in my plist file is 17. That means nothing to me though. Reading the ipfw man page, it refers to it's whole configuration as it's 'ruleset'. So I'm not sure what this setting is, or if it can help me.
  As it stands now, I have to 'reset' my rules (by way of disabling my script and letting all afctl created rules expire) about every other day. If I could have afctl rules increment by 1 instead of 5, that would give me about 10 days. Still a bandaid, but a better bandaid. If there was a way to make afctl choose rules that are the lowest available rule number greater than 1699, so as rules expired, their numbers would be recycled. That would also work. Although i'd feel better if my dymanic rules also had a greater range to life in, than 1700-12300. But I'd have to be under one **** of an attack for that not to be enough.

  Well I found a solution, but it's not great. I run the following commands daily (nightly).
  sudo rm /var/db/af/blacklist;
  sudo ipfw delete set 17;
  sudo /usr/libexec/afctl;
  This deletes any memory afctl has of it's rules. Then it manually deletes all the rules it's made. Then it recreates it's database file.
  This will make your rules start over every night so you won't get 'rule number overflow' headaches.
  OF COURSE the whole point of afctl is auto-expiring firewall rules. So if you're going to do this, I might as well have my server firewall addresses directly to ipfw instead of bothering with afctl. I'm going to leave it using afctl now only because its already set up and running. At least I can be away from my server now without having a rule number overflow which for several different reasons brings my server to it's knees.

• Adaptive firewall experiences - and a kludge to work around it

  I had a vexing issue with Leopard Server and clients with incorrect passwords. We'd, seemingly, after one password attempt get blocked by the server for all traffic. What is likely happening is the client is trying several different attempts (more on that in a sec) and hitting the 10 password failure limit in the Adaptive Firewall code. This block would through the client into the penalty box for 15 minutes.
  Sources of password failures would be things like a windows user with Thunderbird client and the wrong SSL setting. Or a AFP client with password stored in Keychain. Even Apple Mail or iCal with stored password were enough to cause a lock out.
  I did call tech support but figured out things on my own. It seems that there's a firewall rule being automatically inserted on such an 'attack' to the server. They're numbered 01700 and above. The "ipfw delete ####" command (as root) will delete the offending firewall rule and allow things to return to normal.
  So for now - I have a root window running this script:
  #!/bin/sh
  while "true"
  do
  sleep 5
  ipfw list|grep '^017'|awk '{ print "ipfw delete " $1 }'
  ipfw list|grep '^017'|awk '{ print "ipfw delete " $1 }'|sh
  done
  which will delete any firewall rules with numbers starting with 017. Perhaps this will increase past 01799 - I'll examine if the problem continues to vex us. I suppose I could run this as a cron job but a 1 minute delay is not as friendly as 5 seconds.
  With this bandaid out there - anyone know a better solution? I do see mention of the "optional adaptive firewall" but it looks like the optional part has gone away. Personally don't need quite that level of paranoia here.

  The adaptive firewall kicks in differently for different classes of services. For ftp & ssh it looks at log scrapings from /var/log/secure.log and counts each auth failed message as a "strike". For other services, such as AFP & mail, it gets info from the password server, again each failure there counts as one "strike". Unfortunately ssh and ftp tend to spit out several log messages when they get an auth failure, this makes the adaptive firewall system hypersensative to those services.
  The earlier Leopard releases had another problem where things were blocked on the second strike. I believe that has been fixed by now (10.5.3).
  As has been mentioned above there is a way to tune the sensitivity (number of strikes) and the duration of the blocking in the rules file (only if the second strike problem is fixed obviously).
  - Leland

• FWM 01009 (null):firewall problem?

  Hi Guys,
  I have a problem with a DMZ installation and the firewall settings
  Here's the situation.
  On our internal network we have installed the servercomponents of BOXI Edge 3.1, which seems to be running fine.
  We have a seperate Webserver with Tomcat 5.5 installed on it in the DMZ zone. Via Wdeploy I have deployed the war files on it (according to the wdeploy deploy document).
  Whenever I want to logon to the CMC on my webserver machine, my login screen is appearing fine, but after I hit logon, I receive the error message FWM 010009 (null), a communication failure has occured. According to our firewall team, all ports are open in both directions. They have executed a trace and see that the BOXI Edge server is sending back packages, but that in that package should be an end communication order.
  I still have (an older) VM with Edge 3.1 behind the firewalls (thus internally), from which I can access my newly installed machine in a glance...
  As an extra test we have installed a complet Edge version on the Webserver as well. Communication on the webserver is OK, but as soon as we try to connect to the server behind the firewall, it goes wrong and the error appears.
  So here comes my question, is there anyone who can give me a clue where it goes wrong?
  Is it correct to say that it is a firewall problem?
  If all ports are open on the firewall, communication shouldn't be a problem, isn't it?
  Any help is appreciated.
  Regards,
  Jorn

  Hi,
  we have appointed a static port 4982 to the request port.
  According to our firewall guys, no communications is coming from the request port.  Even before the request port can answer, the port 6400 is sending a FIN package (termination package) to the application resulting in the error message.
  They say that all ports are open and that it's not a firewall problem...  However when I communicate within my LAN environment this is not a problem...
  Can please someone help me out?
  Regards,
  Jorn
  Edited by: Jornvdd on Sep 29, 2010 12:08 PM

• I have just installed Lion OS and Face Time encounters server problems on sign up. I have sought the firewall problem without success and even temporarily turned off firewall with no success.

  I have just installed Lion OS and Face Time encounters server problems on sign up. I have sought to rectify the firewall problem without success and even temporarily turned off firewall with no success. Any ideas?

  Some folks have discovered that changing their DNS service fixes FaceTime connection issues.
  The ideal way is to configure your modem/router with DNS service, but often settings in System Preferences/Network/Advanced/DNS on your Mac will override the router settings. Try either of these;
  OpenDNS
  208.67.222.222, 208.67.220.220
  Google Public DNS
  8.8.8.8, 8.8.4.4

• Excessive 'SecurityServer' log entries for ServerEventAgent after Adaptive Firewall

  Hello all,
  I'm running an OS X Server running 10.8.2. After enabling the Adaptive Firewall last night ( http://support.apple.com/kb/HT5519, http://support.apple.com/kb/TS4418 ), I started noticing a massive number of logs in /var/log/system.log that look like this:
  Jan 11 17:44:59 <hostname> com.apple.SecurityServer[21]: Succeeded authorizing right 'system.privilege.admin'
  by client '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] for authorization
  created by '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] (2,0)
  Jan 11 17:44:59 <hostname> com.apple.SecurityServer[21]: Succeeded authorizing right 'system.privilege.admin'
  by client '/Library/PrivilegedHelperTools/com.apple.serverd' [71] for authorization created by
  '/Applications/Server.app/Contents/ServerRoot/usr/libexec/ServerEventAgent' [131] (100000,0)
  Does anyone have thoughts on this? They generally come in pairs like above. I've seen other SecurityServer logs while managing the server, but the number of them (and ServerEventAgent string) have really jumped up after trying to enable the Adaptive Firewall. I'm not even sure the firewall is working at this point, as running hb_summary tells me there have been 0 blocks in the last 24 hours. Yesterday, before trying to enable the AF, the server was trying to block login bots every few minutes, so I'm not sure everything is hooked-up correctly.
  It should be noted that I had some trouble with the second KB article linked above because I had previously tried using IceFloor to manage the new pffirewall. Apparently IceFloor removes some lines from /etc/pf.anchors/com.apple and doesn't put them back when you uninstall the program. I re-added the two missing lines at the end (with Apple's edits):
  anchor "400.AdaptiveFirewall/*"
  load anchor "400.AdaptiveFirewall" from "/Applications/Server.app/Contents/ServerRoot/private/etc/pf.anchors/400.AdaptiveFirewall"
  Any help would be greatly appreciated!

  Ahhhhhhh...that's gotta be it!
  Um, I mean no, I did not have relations with that application.
  Thanks!

• Adaptive-Firewall (af) blacklist or blockedHosts? Packet-Filter (pf)

  I have just upgraded my Mac mini Server from the latest version of OS X 10.8.5 and OS X Server 2.2.1 to OS X 10.9.3 and OS X Server 3.1.2 by turning off all server services (except Open Directory), upgrade to OS X 10.9.3 and touching up System Preferences, reboot, upgrade OS X Server 3.1.2 and run the Server app to upgrade the server's directories, files and services, and now proceeding carefully by comparing notes from my previous configuration and turning on required server services one by one.
  Now the Adaptive Firewall (af) and Packet Filter (pf) perplexes me since OS X 10.8...
  I have configured how to enable af on system boot-up based on information from Apple support documents. I understand that Event Monitor (emon) monitors the incoming IP connections (among its other functions) and if it detects abnormal behaviour from a particular IP connection, emon uses af to add the offending IP address to af's blacklist file.
  My first question is: does af itself blocks the IP connection, or does it use pf instead to do the job?
  If af uses the latter, my second question is: does af uses some internal socket/pipes to communicate with pf, or does pf uses some file from af?
  Now if pf uses some file from af, it can't be the blacklist file as the pf.anchor uses the table from /var/db/af/blockedHosts file, and it seems that the blockedHosts file is perpetually an empty file and no app or process seems to touch the file since it was created.
  The gist of my question is that the af and/or pf on my system seem not to be doing their job even though emon is detecting abnormal IP connections based on the log messages its been producing after following Apple support documents to enable Adaptive Firewall on my system.

  "The gist of my question is that the af and/or pf on my system seem not to be doing their job even though emon is detecting abnormal IP connections based on the log messages its been producing after following Apple support documents to enable Adaptive Firewall on my system."
  And when and which service use the /var/db/af/blockedHosts file?

• Adaptive Firewall & afctl

  is the adaptive firewall working in 10.6 Server? i can't get it to auto block an IP after numerous failed attempts like 10.5 Server does.

  I highly recommend adding:
  export PATH=$PATH:/Applications/Server.app/Contents/ServerRoot/usr/libexec
  to ~/.bash_profile
  That way, afctl can be easily summoned:
  $ which afctl
  /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl
  Rusty

• Afctl (Adaptive Firewall) error in 10.8.2

  I have enabled the Adaptive Firewall in OS X Server (2.2) under Mountain Lion 10.8.2 as per Apple's instructions:
  http://support.apple.com/kb/HT5519
  However, I get back an error everytime I try to enable it:
  # afctl -f
  No ALTQ support in kernel
  ALTQ related functions disabled
  pf enabled
  Token : 18446743524496027528
  No ALTQ support in kernel
  ALTQ related functions disabled
  Jan 22 17:41:50 server.domainredacted.com afctl[17998] <Notice>: Cannot update the Event Monitor config
  When I try to alter a setting:
  sh-3.2# afctl -T 10
  Jan 22 17:42:09 server.domainredacted.com afctl[18005] <Notice>: Cannot update the Event Monitor config
  Or when I try to disable it:
  sh-3.2# afctl -X
  Jan 22 17:45:29 server.domainredacted.com afctl[18021] <Notice>: Cannot update the Event Monitor config
  I thought perhaps that afctl was having trouble writing to AdaptiveFirewall.plist in /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules
  sh-3.2# ls -l /Applications/Server.app/Contents/ServerRoot/private/etc/emond.d/rules
  total 0
  -rw-r--r--  1 root  wheel   3344 Jan 22 00:11 AdaptiveFirewall.plist
  But even adding world write permissions to this file didn't help.
  I also wondered if perhaps afctl was looking for AdaptiveFIrewall.plist in the wrong place:
  sh-3.2# ls -l /etc/emond.d/rules/
  total 0
  -rw-r--r--  1 root  wheel   822 Jan 21 20:01 SampleRules.plist
  -rw-r--r--  1 root  wheel  8964 Jan 21 20:01 Xsan.plist
  But copying AdaptiveFirewall.plist here (or symbolic linking the file in this dir) didn't do the trick either.
  Anyone have any idea why afctl keeps complaining that it  "Cannot update the Event Monitor config" in OS X Server 2.2 / Mountain Lion 10.8.2?
  Rusty

  An additional (and confusing) update. The adaptive firewall may actually be doing something on my machine after all, but it's definitely not consistent. While digging through my logs again today, I noticed the events that I've pasted below. Apologies for the wall of text, but I've included the entire transcript of the attack for completeness.
  2/6/13 10:48:44.161 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:48:44.161 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:48:51.331 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:48:51.331 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:48:55.243 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:48:55.243 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:49:03.151 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:49:03.151 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:49:07.112 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:49:07.112 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:49:10.989 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:49:10.989 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:49:21.890 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:49:21.890 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:49:25.801 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:49:25.801 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:49:29.699 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:49:29.699 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:49:29.700 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
  2/6/13 10:49:29.870 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
  2/6/13 10:49:29.948 PM afctl[25763]: Address already in the blacklist, not added (timeout has been updated)
  2/6/13 10:49:29.954 PM emond[117]: 381912569.864889 Host at <IP-ADDRESS> was blocked for 15
  2/6/13 10:49:29.954 PM emond[117]: 381912569.864889 Host at <IP-ADDRESS> was blocked for 15
  2/6/13 10:49:29.954 PM emond[117]: 381912569.864889 Host at <IP-ADDRESS> was blocked for 15
  2/6/13 10:49:33.591 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:49:33.591 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:49:33.592 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
  2/6/13 10:49:33.669 PM afctl[25764]: Address already in the blacklist, not added (timeout has been updated)
  2/6/13 10:49:33.675 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
  2/6/13 10:49:33.754 PM afctl[25765]: Address already in the blacklist, not added (timeout has been updated)
  2/6/13 10:49:33.759 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
  2/6/13 10:49:33.836 PM afctl[25766]: Address already in the blacklist, not added (timeout has been updated)
  2/6/13 10:49:37.477 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:49:37.477 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:49:37.478 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
  2/6/13 10:49:37.552 PM afctl[25768]: Address already in the blacklist, not added (timeout has been updated)
  2/6/13 10:49:37.558 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
  2/6/13 10:49:37.633 PM afctl[25769]: Address already in the blacklist, not added (timeout has been updated)
  2/6/13 10:49:37.638 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
  2/6/13 10:49:37.720 PM afctl[25770]: Address already in the blacklist, not added (timeout has been updated)
  2/6/13 10:49:41.433 PM log[7449]: auth: Error: od[getpwnam_ext](server,<IP-ADDRESS>): No record for user
  2/6/13 10:49:41.433 PM log[7449]: auth: Error: od(server,<IP-ADDRESS>): verify plain: lookup failed for user: server
  2/6/13 10:49:41.434 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
  2/6/13 10:49:41.511 PM afctl[25771]: Address already in the blacklist, not added (timeout has been updated)
  2/6/13 10:49:41.516 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
  2/6/13 10:49:41.597 PM afctl[25772]: Address already in the blacklist, not added (timeout has been updated)
  2/6/13 10:49:41.602 PM emond[117]: Host at <IP-ADDRESS> will be blocked for at least 15 minutes
  2/6/13 10:49:41.678 PM afctl[25773]: Address already in the blacklist, not added (timeout has been updated)
  Note that I've made no changes to this server since my last post, but afctl does indeed appear to be working in those logs; there are no more login attempts from that IP after this excerpt. Additionally, I thought this might be a good sign for progress on getting Apple's KB Article (http://support.apple.com/kb/HT5519) to work, but I still receive the <Notice>: Cannot update the Event Monitor config error.
  Also, what's up with the auth errors logging after the IP's already been blocked? And there's a 4-second window preceeding them each time.
  Curiouser and couriser.

• Home Sharing- alleged firewall problem (-3259)

  Hi,
  I've had this problem since I first tried to share any content between libraries with iTunes 9. In fact, I noticed the same problem when I was trying to stream content to my Apple TV a couple of weeks ago.
  So I have an iMac, MacBook Pro and Airport Extreme (802.11n) Base Station. Both Macs have Snow Leopard installed with iTunes 9. None have any third-party firewall software installed nor do they have the firewall turned on in System Preferences.
  Here's the problem: when I try to share content from library to library, it doesn't happen. Specifically, I can initialise a connection between both computers so the other computer's library shows up in the sidebar in iTunes, but that's as far as it gets. When I click on said library, there's a 2 minute wait before the following message is displayed.
  "The shared library "Liam's Music" is not responding. (-3259) Check that any firewall software running on either the shared computer or this computer has been set to allow communication on port 3689."
  I've tried absolutely everything (including a direct Ethernet connection between both Macs- same error message). Most recently, I even verified port 3689 is open using the Network Activity app. If anybody could help me here, I would really appreciate it. I have so much content I want to share to my family's iPods, etc.
  Liam.

  I am having the same problem. Except I am sharing the library from a D-Link NAS. It worked perfectly before upgrading to iTunes 9. It's not a network or firewall problem. Nothing has changed there. The only change is iTunes 9. Any help is appreciated.
  T.

• Unable to enable the adaptive firewall: No ALTQ support in kernel ALTQ related functions disabled

  No ALTQ support in kernel ALTQ related functions disabled
  OS X Server: How to enable the adaptive firewall - Apple Support
  Recently ran the latest OS X Yosemite Server Updates: OS X v10.10.3 and Server v4.1.  Tried to enable the "adaptive firewall" by following the steps in Apple's article (see above) and encountered the error after the second line of commands
  Charlie$ sudo pfctl -f /etc/pf.conf
  pfctl: Use of -f option, could result in flushing of rules
  present in the main ruleset added by the system at startup.
  See /etc/pf.conf for further details.
  No ALTQ support in kernel
  ALTQ related functions disabled
  server:~ Charlie$

  I'm not sure that is an error, it is a warning.
  The Mac kernel is not compiled with support for ALTQ so you can't use those features.
  Carry on & test your firewall is working as you expect.

• Terredo Tunneling adapter driver and Ralink PCI Adapter driver problem

  Have HP A-I-O,  running Windows 8 and getting errors ref. Terredo Tunneling Adapter driver and Ralink PCI Adapter driver problem.  Occassionally lose internet or wireless mouse and kebouad.  Troubleshooting reloaded drivers for both but did NOT resolve the problem.
  Any ideas?  Wouold Refresh work? If so, should I just load Windows 8.1?

  Sysherman, welcome to the forum.
  When requesting help you should always include the make/model (i.e. p6-xxxx) of the computer and/or monitor. This information is necessary for us to review the specifications of them.
  Signature:
  HP TouchPad - 1.2 GHz; 1 GB memory; 32 GB storage; WebOS/CyanogenMod 11(Kit Kat)
  HP 10 Plus; Android-Kit Kat; 1.0 GHz Allwinner A31 ARM Cortex A7 Quad Core Processor ; 2GB RAM Memory Long: 2 GB DDR3L SDRAM (1600MHz); 16GB disable eMMC 16GB v4.51
  HP Omen; i7-4710QH; 8 GB memory; 256 GB San Disk SSD; Win 8.1
  HP Photosmart 7520 AIO
  ++++++++++++++++++
  **Click the Thumbs Up+ to say 'Thanks' and the 'Accept as Solution' if I have solved your problem.**
  Intelligence is God given; Wisdom is the sum of our mistakes!
  I am not an HP employee.

• HT200259 Configuring adaptive firewall for VNC and RDP connections

  Hello, I'm using Yosemite with OSX Server.  Is there a way of configuring adaptive firewall for VNC and RDP connections?

  Apple has never documented what the adaptive firewall really does, as far as I know. It seems that the built-in network services send it some kind of notification whenever there is a connection attempt. The Screen Sharing service is one of those, so it should be protected. There is no built-in RDP service, so if you somehow added one, it would not be protected.

• Adaptive firewall

  I'm wondering if anybody has any extra info re: the Adaptive Firewall built into Mac OS X Server.
  - How can you reduce the number of hits it takes to make a rule? Is this even possible?
  - What triggers a hit? Is there a scoreboard that would show what counts as a hit or not?
  Here's an example of whar I'm seeing in the secure.log :
  Apr 12 14:54:26 obelix sshd[17953]: Invalid user postgres from 119.46.230.251
  Apr 12 14:54:26 obelix sshd[17955]: Invalid user postgres from 119.46.230.251
  Apr 12 14:54:26 obelix sshd[17956]: Invalid user postgres from 119.46.230.251
  Apr 12 15:14:24 obelix sshd[19526]: Invalid user supportftp from 119.46.230.251
  Apr 12 15:52:12 obelix sshd[22924]: Invalid user web from 119.46.230.251
  Apr 12 15:52:12 obelix sshd[22927]: Invalid user web from 119.46.230.251
  Apr 12 15:52:12 obelix sshd[22925]: Invalid user web from 119.46.230.251
  Apr 12 15:52:12 obelix sshd[22926]: Invalid user web from 119.46.230.251
  None of this triggered a rule...
  Any ideas where to look next?
  Miles

  MrHoffman wrote:
  ps: just noticed a pointer to [this adaptive firewall post|http://blog.lastinfirstout.net/2011/04/os-x-adaptive-firewall-automated.html], from Miles Muri over in [this thread|http://discussions.apple.com/thread.jspa?messageID=13374661]. FWIW. (I'd still get the gateway box.)
  Yeah, that would be me.
  I'm not so worried about the attacks getting in since I have the SSH service ACL restricted and passwords policy is quite strong. I'm just a bit bothered that the adaptive firewall doesn't seem to be picking this stuff up. Supposedly it's set to blacklist at 10 attempts, but I haven't found any info on whether that's 10 per username or 10 per IP. I'm wondering if the ACL is killing the connection before it registers as a bad login attempt. As a bonus, the log file is empty so either the logging feature doesn't work, or AF isn't being triggered.
  We mostly use the SSH service for SFTP but I suppose we could change the port if absolutely necessary.
  There is a gateway in front of this server, but I don't control it (the server is at a colo facility).

• Problem using the adaptive firewall :  "Firewall management disabled"

  I am facing a problem that Google and man pages cannot solve : it seems that af is disabled; I don't know why and cannot enable it.
  In /var/log/system.log, I can see entries like this :
  Aug 19 08:07:14 arda emond[14295]: Host at 202.99.122.136 will be blocked for at least 15.00 minutes
  Aug 19 08:07:14 arda emond[21852]: DoRunAction (child): setting the uid/gid to 0/0
  But ipfw tells me otherwise :
  $ ipfw list
  00001 allow udp from any 626 to any dst-port 626
  01000 allow ip from any to any via lo0
  01010 deny log ip from any to 127.0.0.0/8
  01020 deny log ip from 224.0.0.0/4 to any in
  01030 deny log tcp from any to 224.0.0.0/4 in
  01040 allow udp from 192.168.0.0/16 to 192.168.0.0/16 dst-port 514 in
  01050 allow udp from 212.27.38.253 to 192.168.0.0/16 in
  01060 allow tcp from any to 192.168.0.0/16 dst-port 6881-6889 in
  12300 allow ip from any to any
  12301 allow tcp from 192.168.0.0/16 to any dst-port 25
  12301 allow udp from 192.168.0.0/16 to any dst-port 25
  65534 deny log ip from any to any
  65535 allow ip from any to any
  afctl refuses to run, giving an explicit message that i cannot find anywhere on the web :
  $ /usr/libexec/afctl -v 1 -a 202.99.122.136
  Tue Aug 19 08:09:53 arda.private afctl[22253] <Notice>: Firewall management disabled
  And of course, no new rules added in ipfw.
  Do you have any idea on what is wrong ? afctl is loaded durong boot (I didn(t change anything), but not working :
  $ launchctl list | grep afctl
  - 0 com.apple.afctl

  OK, thanks. Situation is getting better.
  Now af is enabled, and I can add IP to black and white list. I had also to enable the rule set with the -e option (not sure it will stay after reboot; man page is silent on this).
  The rules set 17 appears in ipfw list, but it seems there is still some problem for automatic blacklisting.
  I will continue to investigate the situation, but Apple provides very little documentation on this.