
Changing the any port (default) filter, Preventing denial-of-service attacks – Apple Mac OS X Server (Administrator’s Guide) User Manual

Page 537

Firewall Service

5 Click Save, then restart Firewall service.

Any IP filters you create allow NetInfo access for the IP addresses you specify. By default,
NetInfo dynamically chooses a TCP or UDP port from the 600 through 1023 range, but you
can configure a shared domain to be accessible using one port or using a port for TCP and a
second port for UDP packets.

If you choose to allow access to all IP addresses, you should have a firewall that protects your
internal network from the Internet and blocks external traffic targeted at the ports used for
NetInfo. If you don’t have a separate firewall, selecting all IP addresses could compromise
your server’s security.

Changing the Any Port (Default) Filter

If the server receives a packet using a port or IP address to which none of your filters apply,
Firewall service uses the Any Port (default) filter. You can set the Any Port (default) filter to
either deny or allow these packets for specific IP addresses. By default the Any Port filter
denies access.

If you need to change the Any Port (default) filter to allow access, you can. However, you should not take
this action lightly. Changing the default to allow means you must explicitly deny access to
your services by setting up specific port filters for every service that needs protection.

To change the default Any Port setting:

1 In Server Settings, click the Network tab.

2 Click Firewall and choose Show Firewall List.

3 Select Any Port and click New, or select an IP address under Any Port and click Edit.

4 Make any changes to the settings, then click Save.
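The filter semantics described above, as an added example that is not from the manual or from Apple's Firewall service: a small Python model (assumed first-match semantics, constructed addresses) showing why switching the Any Port default to allow exposes every port that has no explicit deny filter.

```python
from ipaddress import ip_address, ip_network

# Assumed model of the behaviour the manual describes (not Apple's own code):
# each port filter names a port range, an optional protocol and a source
# network with an allow/deny action, checked in order; a packet that matches no
# port filter falls through to the Any Port (default) filter, which ships as "deny".

NETINFO_PORTS = (600, 1023)  # range NetInfo picks its TCP/UDP port from
LAN = "10.0.1.0/24"          # constructed internal network
OUTSIDE = "203.0.113.9"      # constructed Internet address


class FirewallService:
    def __init__(self, any_port_default="deny"):
        self.any_port_default = any_port_default
        self.filters = []  # ((low, high), proto or None, network, action)

    def add_filter(self, ports, proto, network, action):
        low, high = (ports, ports) if isinstance(ports, int) else ports
        self.filters.append(((low, high), proto, ip_network(network), action))

    def decide(self, src_ip, dst_port, proto="tcp"):
        """Return 'allow' or 'deny' for one inbound packet."""
        src = ip_address(src_ip)
        for (low, high), p, net, action in self.filters:
            if low <= dst_port <= high and p in (None, proto) and src in net:
                return action
        return self.any_port_default  # no specific filter applied


def default_deny_server():
    """Factory setting: only the LAN reaches NetInfo; everything else is denied."""
    fw = FirewallService("deny")
    fw.add_filter(NETINFO_PORTS, None, LAN, "allow")
    return fw


def default_allow_server():
    """Default flipped to allow: the NetInfo deny must now be written explicitly,
    and any port without its own deny filter (e.g. 548) stays reachable."""
    fw = FirewallService("allow")
    fw.add_filter(NETINFO_PORTS, None, LAN, "allow")
    fw.add_filter(NETINFO_PORTS, None, "0.0.0.0/0", "deny")
    return fw


def exposed_ports(fw, src_ip, ports):
    """Ports in `ports` that `src_ip` can reach: what to audit after a change."""
    return [p for p in ports if fw.decide(src_ip, p) == "allow"]
```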

Preventing Denial-of-Service Attacks

When the server receives a TCP connection request from a client to whom access is denied,
by default it sends a reply rejecting the connection. This stops the denied client from
resending over and over again. However, a malicious user could generate a series of TCP
connection requests from a denied IP address and force the server to keep replying, locking
out others who are trying to connect to the server. This is one type of denial-of-service attack.

To prevent denial-of-service attacks:

1 In Server Settings, click the Network tab.

2 Click Firewall and choose Configure Firewall.

3 Make sure “Send rejection to client if connection is denied” is not checked.

4 Click the Advanced tab and select “Deny ICMP echo (ping) reply.”
