Filter
Top Products
Chapter 3 IP Firewall Service 59
Common Network Administration Tasks That Use
Firewall Service
Your firewall is the first line of defense against unauthorized network intruders,
malicious users, and network virus attacks. There are many ways that such attacks can
harm your data or use your network resources. This section lists a few of the common
uses of firewall service in network administration.
Preventing Denial-of-Service (DoS) Attacks
When the server receives a TCP connection request from a client to whom access is
denied, by default it sends a reply rejecting the connection. This stops the denied client
from resending over and over again. However, a malicious user can generate a series of
TCP connection requests from a denied IP address and force the server to keep
replying, locking out others trying to connect to the server. This is one type of Denial-
of-Service attack.
To prevent ping denial-of-service attacks:
1 In Server Admin, choose Firewall from the Computers & Services list.
2 Click Settings.
3 Select the General tab.
4 Select the Any address group.
5 Deselect “ICMP Echo (ping) reply.”
6 Click Save.
Controlling or Enabling Peer-to-Peer Network Usage
Sometimes network administrators need to control the use of Peer-to-Peer (P2P) file
sharing applications. Such applications might use network bandwidth and resources
inappropriately or disproportionately. P2P file sharing might also pose a security or
intellectual property risk for a business.
You can cut off P2P networking by blocking all traffic incoming and outgoing on the
port number used by the P2P application. You’ll have to determine the port used for
each P2P network in question. By default, Mac OS X Server’s firewall blocks all ports not
specifically opened.
You can choose to limit P2P network usage to IP addresses behind the firewall. To do
so, you’ll need to open the P2P port for your LAN interface, but continue to block the
port on the interface connected to the Internet (WAN interface). To learn how to make
a firewall filter, see “Creating an Advanced IP Filter for TCP ports” on page 51.
Important: Denial-of-Service attacks are somewhat rare, so make these settings only
if you think your server may be vulnerable to an attack. If you deny ICMP echo replies,
services that use ping to locate network services will be unable to detect your server.
LL2351.Book Page 59 Monday, September 8, 2003 2:47 PM