Changing the any port (default) filter, Preventing denial-of-service attacks – Apple Mac OS X Server (version 10.2.3 or later) User Manual
Page 575

Firewall Service
5 Click Save, then restart firewall service.
Any IP filters you create allow NetInfo access for the IP addresses you specify. By default,
NetInfo dynamically chooses a TCP or UDP port from the 600 through 1023 range, but you
can configure a shared domain to be accessible using one port or using a port for TCP and a
second port for UDP packets.
If you choose to allow access from all IP addresses, you should have a separate firewall that protects your internal network from the Internet and blocks external traffic targeted at the ports NetInfo uses. Without such a firewall, allowing all IP addresses exposes the server's NetInfo domain to every host on the Internet and compromises your server's security.
Changing the Any Port (Default) Filter
If the server receives a packet using a port or IP address to which none of your filters apply,
firewall service uses the Any Port (default) filter. You can set the Any Port (default) filter to
either deny or allow these packets for specific IP addresses. By default the Any Port filter
denies access.
You can change the Any Port filter to allow access, but do not take this step lightly. With the default set to allow, every service that no specific filter covers becomes reachable, so you must explicitly deny access by setting up a port filter for each service that needs protection.
To change the default Any Port setting:
1 In Server Settings, click the Network tab.
2 Click Firewall and choose Show Firewall List.
3 Select Any Port and click New, or select an IP address under Any Port and click Edit.
4 Make any changes to the settings, then click Save.
Preventing Denial-of-Service Attacks
When the server receives a TCP connection request from a client to whom access is denied, by default it sends a reply rejecting the connection, so the denied client stops retrying. However, a malicious user could generate a continuous stream of TCP connection requests from a denied IP address and force the server to answer every one of them, consuming resources and locking out legitimate clients trying to connect. This is one type of denial-of-service attack.
To prevent denial-of-service attacks:
1 In Server Settings, click the Network tab.
2 Click Firewall and choose Configure Firewall.
3 Make sure “Send rejection to client if connection is denied” is not checked.
4 Click the Advanced tab and select “Deny ICMP echo (ping) reply.”
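The following is an added example, not Apple's code or anything from this manual: a small Python model of the filter semantics described in the NetInfo, Any Port and denial-of-service passages above, so that the effect of each setting can be checked against constructed packets. Filters are port filters with an IP-address list; packets that match no filter fall through to the Any Port default. The model evaluates filters in list order and takes the first match (an assumption of the model; the manual does not state the evaluation order), treats “Send rejection to client if connection is denied” as a per-SYN reply, and treats “Deny ICMP echo (ping) reply” as dropping the echo request so that no reply is generated. The service names, port numbers other than AFP (548) and the NetInfo range (600-1023), and the host addresses are constructed sample data.

```python
"""Model of the Mac OS X Server firewall-service filter semantics described on
this page. Added example, not Apple's code. Filter ordering (first match in
list order, then the Any Port default) is an assumption of the model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Filter:
    port: str     # "548", a range such as "600-1023", or "Any Port"
    network: str  # "any" or a CIDR such as "192.168.1.0/24"
    action: str   # "allow" or "deny"

    def matches(self, src: str, dport: int) -> bool:
        if self.port != "Any Port":
            lo, _, hi = self.port.partition("-")
            if not int(lo) <= dport <= int(hi or lo):
                return False
        return self.network == "any" or ip_address(src) in ip_network(self.network)


@dataclass
class Firewall:
    filters: list
    any_port_default: str = "deny"      # Any Port (default) filter: deny or allow
    send_rejection: bool = True         # "Send rejection to client if connection is denied"
    deny_icmp_echo_reply: bool = False  # Advanced > "Deny ICMP echo (ping) reply"

    def decide(self, proto: str, src: str, dport: int = 0):
        """Return (verdict, reply) for one inbound packet from src."""
        if proto == "icmp-echo":
            # Assumption: the toggle drops the echo request, so no reply leaves the host.
            return ("deny", None) if self.deny_icmp_echo_reply else ("allow", "echo-reply")
        verdict = next((f.action for f in self.filters if f.matches(src, dport)),
                       self.any_port_default)
        if verdict == "allow":
            return "allow", "accept"
        # A denied TCP connection request is answered only while the toggle is on.
        return "deny", "reject" if proto == "tcp" and self.send_rejection else None


# Constructed sample data: services on the server and two client hosts.
SERVICES = {"afp": ("tcp", 548), "netinfo": ("tcp", 999),
            "ssh": ("tcp", 22), "http": ("tcp", 80)}
LAN = "192.168.1.0/24"
INSIDE, OUTSIDE = "192.168.1.20", "203.0.113.7"


def reachable(fw: Firewall, src: str) -> list:
    """Names of SERVICES that a packet from src would be allowed to reach."""
    return sorted(name for name, (proto, port) in SERVICES.items()
                  if fw.decide(proto, src, port)[0] == "allow")


def default_deny() -> Firewall:
    # Shipping default: Any Port denies; NetInfo (600-1023) and AFP allowed from the LAN only.
    return Firewall([Filter("600-1023", LAN, "allow"), Filter("548", LAN, "allow")])


def default_allow_unprotected() -> Firewall:
    # Same filters with the Any Port default flipped to allow and nothing else changed.
    return Firewall(default_deny().filters, any_port_default="allow")


def default_allow_protected() -> Firewall:
    # Any Port allow, with an explicit deny-from-any filter after each service's allow,
    # which is what the manual says the allow default obliges you to set up.
    return Firewall([Filter("600-1023", LAN, "allow"), Filter("600-1023", "any", "deny"),
                     Filter("548", LAN, "allow"), Filter("548", "any", "deny"),
                     Filter("22", "any", "deny"), Filter("80", "any", "deny")],
                    any_port_default="allow")


def rejections_sent(fw: Firewall, src: str, dport: int, syns: int) -> int:
    """Replies a burst of denied connection requests from src forces the server to send."""
    return sum(1 for _ in range(syns) if fw.decide("tcp", src, dport)[1] == "reject")


def hardened_against_dos() -> Firewall:
    # The two settings from the denial-of-service procedure applied to the default policy.
    fw = default_deny()
    fw.send_rejection = False
    fw.deny_icmp_echo_reply = True
    return fw


if __name__ == "__main__":
    for label, fw in [("default deny", default_deny()),
                      ("Any Port allow, no deny filters", default_allow_unprotected()),
                      ("Any Port allow, deny filters added", default_allow_protected())]:
        print(f"{label}: outside reaches {reachable(fw, OUTSIDE)}, LAN reaches {reachable(fw, INSIDE)}")
    print("replies to 500 denied SYNs:", rejections_sent(default_deny(), OUTSIDE, 22, 500),
          "->", rejections_sent(hardened_against_dos(), OUTSIDE, 22, 500))
```

Flipping the Any Port default to allow without adding deny filters exposes every service, including the LAN-only NetInfo and AFP filters, to the outside host, because a packet from an address outside the filter's IP list matches nothing and falls through to the default; only the version with a deny-from-any filter behind each allow restores the original exposure. With rejection turned off, the same burst of denied connection requests produces no replies at all.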
LL0395.Book Page 575 Wednesday, November 20, 2002 11:44 AM