Configuring IP Forwarding | Apple Mac OS X Server specification

dns:queriesArray:_array_index:4:value = -1

dns:queriesArray:_array_index:5:name = "SOA_QUERIES"

dns:queriesArray:_array_index:5:value = -1

dns:queriesArray:_array_index:6:name = "TXT_QUERIES"

dns:queriesArray:_array_index:6:value = -1 dns:nxdomain = 0

dns:nxrrset = 0 dns:reloadedTime = "" dns:success = 0 dns:failure = 0 dns:recursion = 0

dns:startedTime = "2003-09-10 11:24:03 -0700" dns:referral = 0

Configuring IP Forwarding

You can configure Mac OS X Server to provide routing services by configuring the network interfaces properly and enabling IP forwarding. A server providing routing services requires at least two interfaces, one to connect to the internal network and one to connect to the public network. Each of these interfaces needs to be configured correctly to allow it to route network data.

After the interfaces are configured to allow the server computer to communicate on the two networks, you need to enable the computer to forward traffic between the two networks. IP forwarding is enabled by using the sysctl tool to set the net.inet.forwarding kernel variable to 1 as follows:

$ sysctl -w net.inet.forwarding=1

This change takes place immediately, but is not persistent once you reboot the computer. To enable IP forwarding once Mac OS X Server restarts, you must set the IPFORWARDING flag in the /etc/hostconfig file to -YES-to enable IP forwarding during the startup process.

Managing the Firewall Service

Mac OS X Server uses the reliable open source IPFW2 software for its firewall service. To protect your network applications, the firewall service scans incoming IP packets and rejects or accepts them based on the set of filters you create. You can restrict access to any IP service running on the server, and you can customize filters for all incoming clients or for a range of client IP addresses .

The firewall service relies on the ipfw tool included with Mac OS X Server. The ipfw tool is a content filter that uses rules to decide which packets to allow and which to deny.

Chapter 14 Working with Network Services

227

Image 227

Apple Mac OS X Server manual Configuring IP Forwarding, Managing the Firewall Service

Contents

Mac OS X Server Apple Computer, Inc Apple Computer, Inc. All rights reserved Contents Preparing the Target Volume for a Clean Installation Installing Server SoftwareLocating Computers for Installation Specifying the Target Computer Volume Managing Network Port Configurations Setting Network PreferencesConfiguring Network Interfaces Viewing or Changing Media Settings Unmounting Volumes Working with Disks and VolumesMounting and Unmounting Volumes Mounting Volumes 141 Listing Connected Users 142 163 171 214 Apache Tomcat JBoss Server 215 MySQL Database Contents 265 Configuring the Active Directory Plug-In Index AppendixGlossary Contents About This Guide Understanding Notation Conventions Using This GuideCommands and Other Terminal Text Command Parameters and Options Commands Requiring Root Privileges Default Settings Earlier versions of the server Install Mac OS X Server and set it up for the first timeCreate and manage users, groups, and computer lists. Set up This guide Tells you how to Set up and manage QuickTime streaming services Manage directory and authentication services This guide Tells you how to Opening Terminal Executing Commands Folder Specifying Files and FoldersPath string Description Test.c file in the current folder Redirect Description Modifying Flow ControlRedirecting Input and Output Following command in a Terminal window Using Environment Variables Executing Commands and Running Tools Searching for Text Within a File Correcting Typing ErrorsRepeating Commands Including Paths Using Drag and Drop Scheduling Tasks Terminating CommandsAn example of a configured crontab file To access a man Sending Commands to a Remote ComputerViewing Command Information $ hdiutil help $ dig -h $ diff --help Executing Commands How SSH Works Understanding Secure Shell Password-Less Logins Using SSH Keys Updating SSH Key Fingerprints Controlling Access to SSH Service What is an SSH Man-in-the-Middle Attack? You’re prompted for the user’s password Connecting to a Remote ComputerUsing SSH To access a remote computer using ssh To access a remote computer using telnet Using TelnetTo enable Telnet access To disable Telnet access To use installer to install Mac OS X Server software Installing Server Software Locating Computers for Installation To list computers on the local network Specifying the Target Computer VolumePreparing the Target Volume for a Clean Installation To list volumes available for server software Restarting After Installation Automating Server SetupInstalling from Multiple CDs To save a configuration file during server setup Creating a Configuration File Installing Server Software and Finishing Basic Setup To provide a passphrase interactively Working with an Encrypted Configuration FileCustomizing a Configuration File To provide a passphrase in a file Sample Configuration File Installing Server Software and Finishing Basic Setup Installing Server Software and Finishing Basic Setup Storing a Configuration File in an Accessible Location Configuring the Server Remotely from the Command Line Using the serveradmin Tool Changing Server SettingsUsing the serversetup Tool To set the server software serial number Viewing, Validating, and Setting the Software Serial NumberGeneral and Network Preferences To display the server’s software serial number To validate a server software serial number To check for available updatesTo install an update Updating Server Software Moving a Server Installing Server Software and Finishing Basic Setup To restart a remote computer immediately Restarting a ComputerAutomatic Restart To restart the local computer Manipulating Open Firmware Nvram Variables Changing a Remote Computer’s Startup DiskShutting Down a Computer Folder Usage Monitoring and Restarting Critical Services Restarting or Shutting Down a Computer To change the computer name Viewing or Changing the Computer NameViewing or Changing the Date and Time To display the computer name Viewing or Changing Network Time Server Usage Viewing or Changing the System DateViewing or Changing the System Time Viewing or Changing the System Time Zone Viewing or Changing Automatic Restart Settings Viewing or Changing the Energy Saver SettingsViewing or Changing Sleep Settings Viewing or Changing the Startup Disk Settings Changing the Power Management Settings Viewing or Changing Apple Event Response Viewing or Changing the Sharing SettingsViewing or Changing the International Settings Viewing or Changing Remote Login Settings To view the current setting Viewing and Changing the Login SettingsDisables the buttons and 1 enables the buttons Configuring Network Interfaces Setting Network Preferences Viewing or Changing MTU Values Managing Network Interface InformationViewing Port Names and Hardware Addresses Activating Port Configurations Managing Network Port ConfigurationsViewing or Changing Media Settings Creating or Deleting Port Configurations Changing a Server’s IP Address Managing TCP/IP SettingsTo change the order of the port configurations To change the IP address of a standalone server To change a server’s IP addressRun the changeip tool To change TCP/IP settings for a particular port or device To list TCP/IP settings for a configurationTo view TCP/IP settings for port en0 To view TCP/IP settings for a particular port or device Viewing or Changing DNS Servers Ieee 802.3ad Ethernet Link Aggregation Enabling TCP/IPWorking with VLANs Configuring Ethernet Link Aggregation Configuring a Network Interface Managing Snmp Settings Managing AppleTalk Settings Immediately above it, add this line Installing SnmpOpen the /etc/hostconfig file Locate the line Starting Snmp To stop snmpd Configuring SnmpTo start the snmp agent manually To identify the process id Other options in the menu you were working in are Collecting Snmp Information from the HostTo view the snmp.conf file To start snmpd, execute this as root Viewing or Changing FTP Proxy Settings Managing Proxy Settings Viewing or Changing Gopher Proxy Settings Viewing or Changing Web Proxy SettingsViewing or Changing Secure Web Proxy Settings Viewing or Changing Streaming Proxy Settings Viewing or Changing Proxy Bypass Domains Managing AirPort SettingsViewing or Changing Socks Firewall Proxy Settings Hostname Managing the Computer, Host, and Bonjour NamesComputer Name To display the server’s Bonjour name Managing Preference Files and the Configuration DaemonCommand displays 0 if the name was changed Bonjour Name To get the hostname of a system Changing Network LocationsTo set the hostname of a system Computer will respond with output similar to the following This example, the network location will switch to AirPortTo view the current locations Understanding Disks, Partitions, and the File System Mounting and Unmounting Volumes To view a list of currently mounted file systems Mounting VolumesUnmounting Volumes To unmount a volume To display disk information To enable diskspacemonitorDisplaying Disk Information Monitoring Disk Space Reclaiming Disk Space Using Log-Rolling Scripts Erasing, Modifying, Verifying, and Repairing Disks To erase and repartition a disk To get mount info about a partitionTo mount a drive Partitioning a Disk To format a Mac OS Extended volume as case-sensitive HFS+Command Description Partitioning and Formatting Disks To fomat a disk Checking for Disk ProblemsLabeling a Disk Formatting a Disk To enable journaling Checking to See If Journaling is EnabledEnabling Journaling for an Existing Volume To see if journaling is enabled Enabling and Disabling Spotlight Enabling Journaling When You Erase a DiskUnderstanding Spotlight Technology Disabling Journaling To view the metadata of a file To enable Spotlight on your serverPerforming Spotlight Searches Restart your server Controlling Spotlight Indexing Managing RAID Volumes To repair a failed mirror Imaging and Cloning Volumes Using ASRTo image a boot volume To restore a volume from an image Understanding Accounts Working with Users and Groups To create an local administrator user with a specific UID Administering and Creating AccountsCreating a Local Administrator User Account for a Server To create a local administrator user account To create a domain administrator user account Creating a Domain Administrator User Account To see if a user is a server administrator Checking a User’s Administrator PrivilegesCreating a Nonadministrator User Account To find the Guid of the administrator user Specify the user ID, replacing 1234 with the new user’s ID 102 Review the Guid for a particular user Retreiving a User’s GuidRemoving a User Account To retrieve a user’s Guid To prevent a user from logging Revoking a User’s Right to Access His or Her AccountDisable the user account by entering the following command To terminate all of a user’s processes To reenable a user account that is disabled Checking a Server User’s Name, UID, or Password Attribute Description Modifying a User AccountTo change a user account attribute to a new value To create a mobile account Creating a Mobile User Account To create a home folder for a particular user Managing Home FoldersTo flush the cache Creating a User’s Home Folder To mount a user’s shared home directory on an AFP server Administering Group AccountsTo create a home folder for users in the local domain Mounting a User’s Home Folder To add a group account Creating a Group Account To remove a group account You can remove group accounts by using the dscl toolRemoving a Group Account To add a user to a group You can add users to a group using the dscl toolAdding a User to a Group To remove a user from a group You can remove users from a group by using the dscl toolRemoving a User from a Group Review the new settings of the group To verify a nested group Creating and Deleting Nested GroupTo create a nested group To delete a group Editing Group RecordsTo unnest a group To display the information about a particular group See the CreateGroupFolder man page for more information Viewing the Workgroup a User Selects at LoginCreating a Group Folder To create a group folder To import users and groups Importing Users and Groups Number of attributes in each account record Creating a Character-Delimited User Import FileWriting a Record Description 121 An example user account looks like this Using the StandardUserRecord ShorthandUsing the StandardGroupRecord Shorthand Viewing Permissions Setting PermissionsSome examples of permission settings Use one of the following values to set the permission level Setting the umask for Individual Users See the chmod man page for more information Changing PermissionsUse the chmod tool to change permissions for an item Securing Initial System Accounts Securing System AccountsChanging the Owner Changing the Group Restricting Use of the sudo Tool To disable root loginEnter the root password when prompted Securing the Root Account Securing Single-User Boot Computer should restart and display the login window Setting Password PolicyTo set the Open Firmware password for increased security To set a more secure global password policy To change a user’s passwordTo view the global password policy To set the minimum password length to 5 characters To query for a user by name Access the help prompt and enter the command nameFinding User Account Information See the pwpolicy man page for more information 132 Managing Share Points Working with File Services To create a share point Listing Share PointsCreating a Share Point To list existing share points Modifying a Share Point To change share point settings Viewing AFP Settings Managing the AFP ServiceStarting and Stopping AFP Service Checking AFP Service Status To change several settings Changing AFP SettingsList of AFP Settings To change a setting Location of the error log Allow an administrator user to masquerade as another userAuthentication mode. Can be Whether the AFP service should restart automatically when Default = -1unlimited Record user logins in the activity logLogin greeting message Last time the login greeting was set or updated List of AFP serveradmin Commands Value returned by getConnectedUsers Listing Connected UsersTo list connected users To disconnect users Disconnecting AFP UsersSending a Message to AFP Users To send a message Value Description Canceling a User DisconnectTo cancel a user disconnect Computer will repond with the following output Computer will respond with the following output Listing AFP Service StatisticsTo list service statistic samples Value displayed by Viewing AFP Log FilesTo view the latest entries in a log To display the log paths Viewing NFS Service Settings Managing the NFS ServiceStarting and Stopping NFS Service Checking NFS Service Status Checking FTP Service Status Managing the FTP ServiceStarting FTP Service Stopping FTP Service Parameter ftp Description Changing FTP Service SettingsList of FTP Service Settings Own preferences Directory in which the FTP content is storedDisplays a banner message that appears when Prompted to log in to the FTP. Customize to your Checking for Connected FTP Users List of FTP serveradmin CommandsViewing the FTP Transfer Log Viewing SMB/CIFS Service Settings Managing the SMB/CIFS ServiceStarting and Stopping SMB/CIFS Service Checking SMB/CIFS Service Status Parameter smb Description Changing SMB/CIFS Service SettingsList of SMB/CIFS Service Settings Medium service start and stop, authentication failures Browser service. Can be set toAdvanced pane of Windows service settings in the Server Low errors and warnings only This corresponds to the Wins Registration Off and Enable Server’s NetBIOS name. Can be set to a maximumPane of the Windows service settings in the Server Admin Windows service settings in the Server Admin Listing SMB/CIFS Users List of SMB/CIFS serveradmin Commands Computer responds with the following output Disconnecting SMB/CIFS UsersListing SMB/CIFS Service Statistics To list SMB/CIFS connections Managing ACLs Viewing SMB/CIFS Service LogsLocation of the SMB service log Location of the name service log To deny a guest read permission for a file Using chmod to Modify ACLsFollowing are the permissions applicable to folders To grant a user write permission for a file Output should look like the following To view the ACL of a file 160 Understanding the Print Process Working with the Print Service To stop print service Performing Print Service TasksStarting and Stopping Print Service To start print service Changing Print Service Settings Checking the Status of Print ServiceViewing Print Service Settings Parameter print Description Print Service Settings Parameter printDescription Queue Data Array Following is an example of a queue array parameter block Managing the Print ServiceCommand printcommand= Description To pause a queue Pausing a QueueListing Queues Listing Jobs and Job Information To release the job Holding a JobTo hold a job To obtain a list of available cover pages Viewing Print Service Log FilesViewing Cover Pages 170 To stop NetBoot service Understanding the NetBoot ServiceStarting and Stopping NetBoot Service To start NetBoot service Changing NetBoot Settings Checking NetBoot Service StatusViewing NetBoot Settings Storage Record Array Changing General Netboot Service SettingsVolume parameter array Parameter netboot Description Image Record Array Filters Record Array Port Record Array Enabling NetBoot 1.0 for Older NetBoot ClientsTo enable NetBoot Updating an Image Booting from an ImageUsing hdiutil to Work with System Images Working with System Images Imaging Multiple Clients Using Multicast asr Using asr to Restore System Images To configure a client to receive a multicast stream Choosing a Boot Device Using systemsetup Postfix Agent Understanding the Mail Service Mailman Cyrus Viewing Mail Service Settings Managing the Mail ServiceStarting and Stopping Mail Service Checking the Status of Mail Service Parameter mail Description Mail Service Settings Default = += Default = 500sDefault = 1s Default = domain Default = -=+ Default = 0sDefault = postfix Default = 1000s Default = postdrop Default = flockDefault = flush Default = 60s Default = none Default = 10sDefault = /usr/bin Default = mail Default = fcntl Default = smtpDefault = 7d Default = qmgr Default = host Default = errorDefault = showq Default = 5d Default = bounce Default = incomingDefault = active Default = deferred Default = 600s Default = virtualDefault = $home Default = rewrite Default = c Default = 30sDefault = hash Default = Default Default = auxprop Default = cyrus 193 To list samples Mail serveradmin CommandsListing Mail Service Statistics Location of the server log Viewing the Mail Service LogsDefault = srvr.log To display the log locations Backing Up the Mail Files Reconstructing the Mail Database Enter a key size at the next prompt, and then press Return Setting Up SSL for Mail ServiceGenerating a CSR and Creating a Keychain 199 To import an SSL certificate into the keychain Accessing the Server CertificatesObtaining an SSL Certificate Importing an SSL Certificate into the Keychain To list the certificates stored in the System keychain Creating a Password FileSee the certadmin man page for more information To create a password file Enabling Sieve Scripting Configuring Mailboxes Sample Sieve Scripts To enable Sieve supportReload the mail service Enabling Sieve Support Basic Sort and Anti-Junk Mail Filter Script Self-Defined Forwarding Script Sieve Scripting Resources 206 Files Location Understanding Web Technology Viewing Web Settings Managing the Web ServiceStarting and Stopping Web Service Checking Web Service Status Changing Settings Using serveradmin Changing Web SettingsServeradmin and Apache Settings Listing Hosted Sites Web serveradmin CommandsViewing Service Logs Viewing Service Statistics V3-Cache requests per second Value you want to display. Valid valuesV1-Number of requests per second V2-Throughput bytes/sec Addsite.in File Example Script for Adding a WebsiteAddsite File To run the script Tuning the Server Performance To start Apache Tomcat Working with Application Servers and JavaApache Tomcat JBoss Server To stop JBoss, enter the following To install the default databaseMySQL Database To start JBoss, enter the following To start mysqld To set the root passwordTo create a database To set the network option Managing Network Services Working with Network Services Viewing Dhcp Service Settings Managing the Dhcp ServiceStarting and Stopping Dhcp Service Checking the Status of Dhcp Service To change a single Dhcp setting Changing Dhcp Service SettingsDhcp Service Settings To see a list of available service settings Subnet Parameter Dhcp Subnet Settings ArrayAbout Subnet IDs Lease time in seconds General pane of the subnet settings in the ServerNot set default Wins pane of the subnet settings in the Server Domain name such as apple.com Corresponds to the NetBIOS Scope ID field in the WinsAdding a Dhcp Subnet To add a subnet About Static Map IDs Adding a Dhcp Static MapTo add a static map Determine the location of the Dhcp service logs List of Dhcp serveradmin CommandsViewing the Dhcp Service Log Command Dhcpcommand=Description Viewing DNS Service Settings Managing the DNS ServiceStarting and Stopping the DNS Service Checking the Status of DNS Service Viewing the DNS Service Log Changing DNS Service SettingsDNS Service Settings List of DNS serveradmin Commands Managing the Firewall Service Configuring IP Forwarding Firewall Startup Starting and Stopping Firewall ServiceChecking the Status of Firewall Service Viewing Firewall Service Settings Parameter ipfilter Description Changing Firewall Service SettingsFirewall Service Settings Adding Rules by Modifying ipfw.conf Defining Firewall RulesIpfilter Groups with Rules Array Unmodified ipfw.conf file An example of this would be similar to the following Adding Rules Using serveradminPing cracker.evil.org to determine its IP address To add a rule Ipfilter Rules Array Firewall serveradmin Commands Location of the ipfilter service log Managing the NAT ServiceViewing Firewall Service Log Using Firewall Service to Simulate Network Activity Changing NAT Service Settings Starting and Stopping NAT ServiceChecking the Status of NAT Service Viewing NAT Service Settings Parameter nat Description NAT Service SettingsNAT serveradmin Commands Port Mapping Viewing the NAT Service Log Viewing VPN Service Settings Managing the VPN ServiceStarting and Stopping VPN Service Checking the Status of VPN Service Default = IPSec Changing VPN Service SettingsList of VPN Service Settings Default = Keychain Default = Dsacl Default = ManualDefault = L2TP Default = PPP Default = EAP-RSA Default = PptpDefault = Mppe Restarted. See Using the serveradmin Tool on List of VPN serveradmin CommandsViewing the VPN Service Log VPN Service Log on this Site-to-Site VPN Configuring Site-to-Site VPNLocation of the VPN service log Adding a VPN Keyagent User Hardware Requirements Setting Up IP FailoverIP Failover Prerequisites IP Failover Operation Enabling IP Failover To enable IP failover Pre and Post Scripts Configuring IP FailoverNotification Only Enabling PPP Dial-In Restoring the Default Configuration for Server ServicesTo restore the NAT service to its default configuration To restore the DNS service to its default configuration To restore the Dhcp service to its default configurationRe-create the two default records To restore the Qtss service to its default configuration To restore the VPN service to its default configuration Understanding Open Directory Using General Directory ToolsTesting Your Open Directory Configuration Registering URLs with SLP Testing Open Directory Plug-insChanging Open Directory Service Settings Modifying a Directory Domain Managing OpenLDAP Configuring LdapPasswordOptionsString LDAPTimeoutUnits Default = minutes LDAPServerBackend Tool Used to Configuring slapd and slurpd DaemonsStandard Distribution Tools Searching the Ldap Server Delay RebindIdle Timeout Idle Rebinding Options 256 257 Using Ldif Files Additional Information About Ldap Configuring NetInfoManaging NetInfo Enabling or Disabling Authentication Methods Managing Open Directory PasswordsOpen Directory Password Server Viewing or Changing Password Policies To load KDC data from a dumped file Kerberos and Apple Single Sign-OnBacking Up the Kerberos Database To dump the KDC’s database To delete a principal To add a service principalPrincipal Management To add a principal To kerberize a service from a terminal running on that host Using Directory Service ToolsOperating on Directory Service Directory Domains Using kadmin to kerberize a service Manipulating a Single Named Group Record Finding Network Information To remove an Ldap server Adding or Removing Ldap Server ConfigurationsConfiguring the Active Directory Plug-In To add an Ldap server 266 Understanding QuickTime Streaming Server Performing Qtss Service Tasks Changing Qtss Settings Starting and Stopping the Qtss ServiceChecking Qtss Service Status Viewing Qtss Settings Look in the sample file for Qtss SettingsDescriptions of Settings Default = qtaccess Default = admin Default = digest Logs on Default = qtssManaging Qtss Listing Current Connections Connections Viewing Qtss Service StatisticsFor connections v1, this is integer average number List the Qtss processes Send a HUP signal to this processForcing Qtss to Reread its Preferences To force Qtss to reread its preferences To reset the user name and password Configuring Streaming SecurityResetting the Streaming Server Admin User Name and Password To set up Sites/Streaming/ in older home folders Creating an Access File Controlling Access to Streamed Media Qtusers Between terms, make sure you enclose the entire messageQuotation marks Path and filename of the user file Making Changes to the User or Group File Accessing Protected MediaAdding User Accounts and Passwords Adding or Deleting Groups Create XML text ref movie with extension .qtl Manipulating QuickTime and MP4 MoviesCreating Reference Movies Create QuickTime Atom ref movie with extension .qtl 280 Configuring Your System Logging Configuring the Log File Local Logging Remote Logging Configuring Remote Logging on a Client ComputerTo enable remote logging on a client computer Configuring Remote Logging on a Server Open /etc/rc and locate the following line Or match a single host like this PCI RAID Card Command Reference 286 287 288 Computer account See computer list Glossary Directory node See directory domain Full name See long name 292 293 294 Relay point See open relay Search path See search policy 297 298 Restoring images Logs Lpr Backup Cyrus Mail files AccessSecuring Chgrp tool ACL access control list 136 Example Stopping service Naming 41 Disk journaling Dynamic Host Configuration Protocol. See DhcpError messages command not found Executing commands Image Booting from 176 updating Backing up Principal management 262 tools and utilities Kerberosautoconfig tool 261 keychain QuickTime Streaming Server. See Qtss 302 AFP DNS Used by ldapsearch 255 scheduling tasks Tools for remote configuration 239 Terminating commandsTime, viewing or changing 57 Stopping service Viewing service logs