Apple OSX Server Firewall

My Apple OSX server (Mountain Lion) at home is the centre of my network and entertainment system. It provides the following services:

Since several (soft- and hardware) upgrades and redesigns of my internal network (from a single VLAN to a multi-VLAN with firewall services and traffic inspection), several services failed under certain circumstances. E.g. Air-Video would work internally, where the client was in the same network as the OSX server network interface, but trying to connect through the SSL VPN stopped working for some reason. Also, the VNC Viewer did work in the old days, but stopped working over time. Same for several static NAT entries: they worked before, and stopped working for 'no reason'. Other services like ssh did work in both the old and the new network design....

I disabled the OSX internal firewall (System Preferences), because firewalling had been moved to a Juniper SRX firewall. No need to burden the server with redundant processes within the network.

Since the internal services did work properly, there was no real hurry in fixing the problems. Every now-and-then I would schedule some time to investigate.

Layer 3 connectivity from the client to the server (and back) was OK, since I could ping from the client to the server and vice versa. Traffic captures didn't show anything wrong with the traffic either. The traffic arrived on the proper interface, but there was no return traffic. So access to the specific services (VNC, Air Video etc.) would not work.
The firewall (Juniper SRX) configuration consisted only of allow-any-any rules between the Security Zones / VLANs within the internal network.

For some reason I started searching on the Internet again with regard to firewalling and OSX. This time I found some terminal commands [1, 2] related to ipfw. The following list command gave me an overview of ACTIVE firewall rules on the OSX server platform..... WTF!?

[server:~ user]$ sudo ipfw list
Password:
00001 allow udp from any 626 to any dst-port 626
01000 allow ip from any to any via lo0
01030 deny log ip from any to 127.0.0.0/8
01040 deny log ip from 224.0.0.0/4 to any in
01050 deny log tcp from any to 224.0.0.0/4 in
12300 allow tcp from any to any established
12301 allow tcp from any to any out
12302 allow tcp from any to any dst-port 22
12302 allow udp from any to any dst-port 22
12303 allow udp from any to any out keep-state
12304 allow tcp from any to any dst-port 53 out keep-state
12304 allow udp from any to any dst-port 53 out keep-state
12305 allow udp from any to any in frag
12306 allow tcp from any to any dst-port 311
12307 allow tcp from any to any dst-port 625
12308 allow icmp from any to any icmptypes 8
12309 allow icmp from any to any icmptypes 0
12310 allow igmp from any to any
12311 allow tcp from any to any dst-port 993
12312 allow tcp from any to any dst-port 25
12312 allow udp from any to any dst-port 25
12313 allow tcp from any to any dst-port 443
12314 allow tcp from any to any dst-port 465
12315 allow tcp from any to any dst-port 80
12316 allow tcp from any to any dst-port 587
12319 allow udp from any to any dst-port 67
12320 allow tcp from any to any dst-port 53
12320 allow udp from any to any dst-port 53
12321 allow tcp from any to any dst-port 8443
12322 allow udp from any to any dst-port 68
12323 allow tcp from any to any dst-port 8843
12325 allow tcp from any to any dst-port 20-21
12326 allow udp from any to any dst-port 514
12327 allow udp from any to any dst-port 69
12330 allow ip from 10.0.0.0/8 to any
12331 allow ip from 192.168.0.0/16 to any
12332 allow ip from 192.168.1.0/24 to any via en0 keep-state
12333 allow udp from any 68 to any dst-port 67 via en0
65534 deny log ip from any to any
65535 allow ip from any to any
[server:~ user]$ 

I thought that I had disabled the internal firewall, but ipfw was still running with a number of rules. Going through these rules I saw that they dated from the time the firewall was in use, before OSX Mountain Lion.
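To see which of those rules a given packet would actually hit, the following Python script (an added example, not part of the original post) walks a subset of the listing above in the order ipfw evaluates it and reports the first match, exactly as a stateless rule audit would. The rule text is copied from the listing; the packets are constructed, and the 172.16.5.10 address is an assumption standing in for a client outside the two allowed RFC 1918 ranges, not an address taken from the post. Rule 65534 logs and denies whatever the earlier rules did not match, so a client that falls in neither 10.0.0.0/8 nor 192.168.0.0/16 only reaches a service for which there is a port-specific rule, such as 12302 (ssh) or 12308 (ICMP echo request).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the post's `sudo ipfw list` output, in the order ipfw walks it.
RULES_TEXT = """
01000 allow ip from any to any via lo0
01030 deny log ip from any to 127.0.0.0/8
12300 allow tcp from any to any established
12301 allow tcp from any to any out
12302 allow tcp from any to any dst-port 22
12308 allow icmp from any to any icmptypes 8
12325 allow tcp from any to any dst-port 20-21
12330 allow ip from 10.0.0.0/8 to any
12331 allow ip from 192.168.0.0/16 to any
12332 allow ip from 192.168.1.0/24 to any via en0 keep-state
65534 deny log ip from any to any
65535 allow ip from any to any
"""

@dataclass
class Packet:
    proto: str                    # "tcp", "udp", "icmp" or "igmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    direction: str = "in"         # seen from the server: "in" or "out"
    iface: str = "en0"
    established: bool = False     # TCP segment with ACK or RST set
    frag: bool = False            # non-first IP fragment
    icmptype: Optional[int] = None

@dataclass
class Rule:
    number: int
    action: str                   # "allow" or "deny"
    log: bool
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]
    dports: Optional[range]
    opts: dict                    # in/out/via/established/frag/icmptypes/keep-state

def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def parse_rule(line: str) -> Rule:
    """Parse one `ipfw list` line: NUM ACTION [log] PROTO from SRC [PORT] to DST [options]."""
    t = line.split()
    log = t[2] == "log"
    i = 3 if log else 2
    proto, i = t[i], i + 1
    assert t[i] == "from", line
    src, i = _net(t[i + 1]), i + 2
    sport = None
    if t[i] != "to":              # a bare number after the source is a source port
        sport, i = int(t[i]), i + 1
    assert t[i] == "to", line
    dst, i = _net(t[i + 1]), i + 2
    dports, opts = None, {}
    while i < len(t):
        if t[i] == "dst-port":    # single port or "lo-hi" range
            lo, _, hi = t[i + 1].partition("-")
            dports, i = range(int(lo), int(hi or lo) + 1), i + 2
        elif t[i] in ("via", "icmptypes"):
            opts[t[i]], i = t[i + 1], i + 2
        else:                     # in, out, established, frag, keep-state
            opts[t[i]], i = True, i + 1
    return Rule(int(t[0]), t[1], log, proto, src, dst, sport, dports, opts)

def parse_rules(text: str) -> list:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]

def matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless check: keep-state is ignored because no dynamic rules are modelled."""
    o = rule.opts
    return all([
        rule.proto in ("ip", pkt.proto),
        ipaddress.ip_address(pkt.src) in rule.src,
        ipaddress.ip_address(pkt.dst) in rule.dst,
        rule.sport is None or pkt.sport == rule.sport,
        rule.dports is None or pkt.dport in rule.dports,
        "in" not in o or pkt.direction == "in",
        "out" not in o or pkt.direction == "out",
        "via" not in o or pkt.iface == o["via"],
        "established" not in o or pkt.established,
        "frag" not in o or pkt.frag,
        "icmptypes" not in o or str(pkt.icmptype) == o["icmptypes"],
    ])

def verdict(rules: list, pkt: Packet) -> tuple:
    """Return (number, action, logged) of the first matching rule, as ipfw would."""
    for r in rules:
        if matches(r, pkt):
            return r.number, r.action, r.log
    raise LookupError("no rule matched; the built-in rule 65535 is missing")

RULES = parse_rules(RULES_TEXT)
```

Running `verdict(RULES, Packet("tcp", "172.16.5.10", "192.168.1.2", 51000, 5900))` lands on rule 65534, while the same request from 192.168.1.20 is accepted by 12331 and an ssh or ping from 172.16.5.10 is accepted by 12302 or 12308; after the flush described below only `65535 allow ip from any to any` remains, and every packet matches it.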

Further investigation revealed that the firewall functionality was removed from the Server component. This explained a lot. I think I might have overlooked the alert during the upgrade, or that I didn't realise the impact it might have at the time. Anyway, the command on the page combined with a flush of the data completely removes the firewall rules. Add an additional flush and everything is gone.

[server:~ user]$ sudo mv /etc/ipfilter /etc/ipfilter-old
[server:~ user]$ sudo ipfw flush
Are you sure? [yn] y

Flushed all rules.
[zeus:~ administrator]$ sudo ipfw list
65535 allow ip from any to any

Having done that, I could access the Air Video HD server and VNC, which is strange, since nothing in the firewall logging was explicitly denying traffic to those ports, and the last rule (65535) is basically an implicit allow.

Having solved this, I might need to recheck my DHCP problem from last week. This solution might have solved that as well.

Posted on September 3, 2014 and filed under Annoying, Apple, Security.