Apple Mac OS X Server (Administrator’s Guide) User Manual
Chapter 15
The picture below illustrates this process.
The port filters you create are applied to TCP packets and can also be applied to User
Datagram Protocol (UDP) packets. In addition, you can set up filters for restricting Internet
Control Message Protocol (ICMP), Internet Group Management Protocol (IGMP), and
NetInfo data.
If you plan to share data over the Internet, and you do not have a dedicated router or firewall
to protect your data from unauthorized access, you should use Firewall service. This service
works well for small to medium businesses, schools, and small or home offices.
Large organizations with a firewall can use Firewall service to exercise a finer degree of
control over their servers. For example, individual workgroups within a large business, or
schools within a school system, may want to use Firewall service to control access to their
own servers.
Mac OS X Server uses the ipfw software for firewall service.
[Figure: flowchart of how the server evaluates filters. A computer with IP address 10.221.41.33 attempts to connect to the server over the Internet (port 80). The server begins looking for filters. Decision boxes: "Is there a filter for port 80?", "Is there a filter containing IP address 10.221.41.33?", and "What does the filter specify?" (Allow: connection is made. Deny: connection is refused.) A "No" branch leads to "Locate the Any Port filter with the most specific range that includes the address 10.221.41.33."]
Important: When you start Firewall service the first time, all incoming TCP packets are
denied until you change the filters to allow access. By default, all addresses that are not
specifically allowed are denied. Therefore, you must create filters if you want to allow access to
your server. If you turn Firewall service off, all addresses are allowed access to your server.
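
The lookup in the figure and the default-deny behavior described above can be modeled as follows. This is an added example, not Apple's or ipfw's code; the `Filter` class, the sample ranges, and the fallback order from a port filter to the Any Port filter are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY_PORT = None  # marks an "Any Port" filter (hypothetical representation)


@dataclass
class Filter:
    network: str          # address range in CIDR form, e.g. "10.221.41.0/24"
    port: Optional[int]   # a specific port, or ANY_PORT
    allow: bool           # True = Allow, False = Deny


def most_specific(filters: List[Filter], source: str,
                  port: Optional[int]) -> Optional[Filter]:
    """Return the filter for `port` with the narrowest range containing `source`."""
    addr = ipaddress.ip_address(source)
    hits = [f for f in filters
            if f.port == port and addr in ipaddress.ip_network(f.network)]
    # A longer prefix means a smaller, more specific address range.
    return max(hits, key=lambda f: ipaddress.ip_network(f.network).prefixlen,
               default=None)


def decide(filters: List[Filter], source: str, port: int,
           service_running: bool = True) -> str:
    """Return "allow" or "deny" for a connection from `source` to `port`."""
    if not service_running:
        return "allow"   # Firewall service off: all addresses are allowed
    match = most_specific(filters, source, port)
    if match is None:    # assumed order: no port filter, so try Any Port
        match = most_specific(filters, source, ANY_PORT)
    if match is None:
        return "deny"    # addresses not specifically allowed are denied
    return "allow" if match.allow else "deny"


# Constructed sample filters, not taken from the manual.
SAMPLE = [
    Filter("10.221.0.0/16", 80, True),     # allow the wider range on port 80
    Filter("10.221.41.0/24", 80, False),   # deny a narrower range on port 80
    Filter("10.0.0.0/8", ANY_PORT, True),  # Any Port filter for 10.x.x.x
]
```

With these sample filters, the narrower deny range wins for 10.221.41.33 on port 80 even though a wider allow range also contains that address.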