Firewall Startup | Apple Mac OS X Server specs

228

Firewall Startup

Although the firewall is treated as a service by the Server Admin application, it is not implemented by a running process like other services. It is simply a set of behaviors in the kernel, controlled by the ipfw and sysctl tools. To start and stop the firewall, the Server Admin application sets a switch using the sysctl tool. When the computer starts, a startup item named IPFilter checks the /etc/hostconfig file for the “IPFILTER” flag. If it is set, the sysctl tool is used to enable the firewall:

$ sysctl -w net.inet.ip.fw.enable=1

Otherwise, it disables the firewall:

$ sysctl -w net.inet.ip.fw.enable=0

Note that the rules loaded in the firewall remain there regardless of this setting. It’s just that they are ignored when the firewall is disabled.

Starting and Stopping Firewall Service

To start Firewall service:

$ sudo serveradmin start ipfilter

To stop Firewall service:

$ sudo serveradmin stop ipfilter

Checking the Status of Firewall Service

To see summary status of Firewall service:

$ sudo serveradmin status ipfilter

To see detailed status of Firewall service, including rules:

$ sudo serveradmin fullstatus ipfilter

Viewing Firewall Service Settings

To list Firewall service configuration settings:

$ sudo serveradmin settings ipfilter

To list a particular setting:

$ sudo serveradmin settings ipfilter:setting

To list a group of settings:

Enter only as much of the name as you want, stopping at a colon (:), then enter an asterisk (*) as a wildcard for the remaining parts of the name. For example:

$ sudo serveradmin settings ipfilter:ipAddressGroups:*

Chapter 14 Working with Network Services

Image 228

Apple Mac OS X Server Firewall Startup, Starting and Stopping Firewall Service, Checking the Status of Firewall Service

Contents

Mac OS X Server Apple Computer, Inc Apple Computer, Inc. All rights reserved Contents Installing Server Software Locating Computers for InstallationSpecifying the Target Computer Volume Preparing the Target Volume for a Clean Installation Setting Network Preferences Configuring Network InterfacesViewing or Changing Media Settings Managing Network Port Configurations Working with Disks and Volumes Mounting and Unmounting VolumesMounting Volumes Unmounting Volumes 141 Listing Connected Users 142 163 171 214 Apache Tomcat JBoss Server 215 MySQL Database Contents 265 Configuring the Active Directory Plug-In Appendix GlossaryIndex Contents About This Guide Using This Guide Commands and Other Terminal TextCommand Parameters and Options Understanding Notation Conventions Default Settings Commands Requiring Root Privileges Install Mac OS X Server and set it up for the first time Create and manage users, groups, and computer lists. Set upThis guide Tells you how to Earlier versions of the server Manage directory and authentication services Set up and manage QuickTime streaming services This guide Tells you how to Executing Commands Opening Terminal Specifying Files and Folders Path string DescriptionTest.c file in the current folder Folder Modifying Flow Control Redirecting Input and OutputRedirect Description Using Environment Variables Following command in a Terminal window Executing Commands and Running Tools Correcting Typing Errors Repeating CommandsIncluding Paths Using Drag and Drop Searching for Text Within a File Terminating Commands An example of a configured crontab fileScheduling Tasks Sending Commands to a Remote Computer Viewing Command InformationTo access a man $ hdiutil help $ dig -h $ diff --help Executing Commands Understanding Secure Shell How SSH Works Password-Less Logins Using SSH Keys Updating SSH Key Fingerprints What is an SSH Man-in-the-Middle Attack? Controlling Access to SSH Service Connecting to a Remote Computer Using SSHTo access a remote computer using ssh You’re prompted for the user’s password Using Telnet To enable Telnet accessTo disable Telnet access To access a remote computer using telnet Installing Server Software To use installer to install Mac OS X Server software Locating Computers for Installation Specifying the Target Computer Volume Preparing the Target Volume for a Clean InstallationTo list volumes available for server software To list computers on the local network Automating Server Setup Installing from Multiple CDsRestarting After Installation Creating a Configuration File To save a configuration file during server setup Installing Server Software and Finishing Basic Setup Working with an Encrypted Configuration File Customizing a Configuration FileTo provide a passphrase in a file To provide a passphrase interactively Sample Configuration File Installing Server Software and Finishing Basic Setup Installing Server Software and Finishing Basic Setup Configuring the Server Remotely from the Command Line Storing a Configuration File in an Accessible Location Changing Server Settings Using the serversetup ToolUsing the serveradmin Tool Viewing, Validating, and Setting the Software Serial Number General and Network PreferencesTo display the server’s software serial number To set the server software serial number To check for available updates To install an updateUpdating Server Software To validate a server software serial number Moving a Server Installing Server Software and Finishing Basic Setup Restarting a Computer Automatic RestartTo restart the local computer To restart a remote computer immediately Changing a Remote Computer’s Startup Disk Shutting Down a ComputerManipulating Open Firmware Nvram Variables Monitoring and Restarting Critical Services Folder Usage Restarting or Shutting Down a Computer Viewing or Changing the Computer Name Viewing or Changing the Date and TimeTo display the computer name To change the computer name Viewing or Changing the System Date Viewing or Changing the System TimeViewing or Changing the System Time Zone Viewing or Changing Network Time Server Usage Viewing or Changing the Energy Saver Settings Viewing or Changing Sleep SettingsViewing or Changing Automatic Restart Settings Changing the Power Management Settings Viewing or Changing the Startup Disk Settings Viewing or Changing the Sharing Settings Viewing or Changing the International SettingsViewing or Changing Remote Login Settings Viewing or Changing Apple Event Response Viewing and Changing the Login Settings Disables the buttons and 1 enables the buttonsTo view the current setting Setting Network Preferences Configuring Network Interfaces Managing Network Interface Information Viewing Port Names and Hardware AddressesViewing or Changing MTU Values Managing Network Port Configurations Viewing or Changing Media SettingsCreating or Deleting Port Configurations Activating Port Configurations Managing TCP/IP Settings To change the order of the port configurationsChanging a Server’s IP Address To change a server’s IP address Run the changeip toolTo change the IP address of a standalone server To list TCP/IP settings for a configuration To view TCP/IP settings for port en0To view TCP/IP settings for a particular port or device To change TCP/IP settings for a particular port or device Viewing or Changing DNS Servers Enabling TCP/IP Working with VLANsIeee 802.3ad Ethernet Link Aggregation Configuring a Network Interface Configuring Ethernet Link Aggregation Managing AppleTalk Settings Managing Snmp Settings Installing Snmp Open the /etc/hostconfig file Locate the lineStarting Snmp Immediately above it, add this line Configuring Snmp To start the snmp agent manuallyTo identify the process id To stop snmpd Collecting Snmp Information from the Host To view the snmp.conf fileTo start snmpd, execute this as root Other options in the menu you were working in are Managing Proxy Settings Viewing or Changing FTP Proxy Settings Viewing or Changing Web Proxy Settings Viewing or Changing Secure Web Proxy SettingsViewing or Changing Streaming Proxy Settings Viewing or Changing Gopher Proxy Settings Managing AirPort Settings Viewing or Changing Socks Firewall Proxy SettingsViewing or Changing Proxy Bypass Domains Managing the Computer, Host, and Bonjour Names Computer NameHostname Managing Preference Files and the Configuration Daemon Command displays 0 if the name was changedBonjour Name To display the server’s Bonjour name Changing Network Locations To set the hostname of a systemTo get the hostname of a system This example, the network location will switch to AirPort To view the current locationsComputer will respond with output similar to the following Mounting and Unmounting Volumes Understanding Disks, Partitions, and the File System Mounting Volumes Unmounting VolumesTo unmount a volume To view a list of currently mounted file systems To enable diskspacemonitor Displaying Disk InformationMonitoring Disk Space To display disk information Reclaiming Disk Space Using Log-Rolling Scripts Erasing, Modifying, Verifying, and Repairing Disks To get mount info about a partition To mount a driveTo erase and repartition a disk To format a Mac OS Extended volume as case-sensitive HFS+ Command DescriptionPartitioning and Formatting Disks Partitioning a Disk Checking for Disk Problems Labeling a DiskFormatting a Disk To fomat a disk Checking to See If Journaling is Enabled Enabling Journaling for an Existing VolumeTo see if journaling is enabled To enable journaling Enabling Journaling When You Erase a Disk Understanding Spotlight TechnologyDisabling Journaling Enabling and Disabling Spotlight To enable Spotlight on your server Performing Spotlight SearchesRestart your server To view the metadata of a file Managing RAID Volumes Controlling Spotlight Indexing Imaging and Cloning Volumes Using ASR To image a boot volumeTo repair a failed mirror To restore a volume from an image Working with Users and Groups Understanding Accounts Administering and Creating Accounts Creating a Local Administrator User Account for a ServerTo create a local administrator user account To create an local administrator user with a specific UID Creating a Domain Administrator User Account To create a domain administrator user account Checking a User’s Administrator Privileges Creating a Nonadministrator User AccountTo find the Guid of the administrator user To see if a user is a server administrator Specify the user ID, replacing 1234 with the new user’s ID 102 Retreiving a User’s Guid Removing a User AccountTo retrieve a user’s Guid Review the Guid for a particular user Revoking a User’s Right to Access His or Her Account Disable the user account by entering the following commandTo prevent a user from logging To reenable a user account that is disabled To terminate all of a user’s processes Checking a Server User’s Name, UID, or Password Modifying a User Account To change a user account attribute to a new valueAttribute Description Creating a Mobile User Account To create a mobile account Managing Home Folders To flush the cacheCreating a User’s Home Folder To create a home folder for a particular user Administering Group Accounts To create a home folder for users in the local domainMounting a User’s Home Folder To mount a user’s shared home directory on an AFP server Creating a Group Account To add a group account You can remove group accounts by using the dscl tool Removing a Group AccountTo remove a group account You can add users to a group using the dscl tool Adding a User to a GroupTo add a user to a group You can remove users from a group by using the dscl tool Removing a User from a GroupTo remove a user from a group Review the new settings of the group Creating and Deleting Nested Group To create a nested groupTo verify a nested group Editing Group Records To unnest a groupTo display the information about a particular group To delete a group Viewing the Workgroup a User Selects at Login Creating a Group FolderTo create a group folder See the CreateGroupFolder man page for more information Importing Users and Groups To import users and groups Creating a Character-Delimited User Import File Writing a Record DescriptionNumber of attributes in each account record 121 Using the StandardUserRecord Shorthand Using the StandardGroupRecord ShorthandAn example user account looks like this Setting Permissions Some examples of permission settingsViewing Permissions Setting the umask for Individual Users Use one of the following values to set the permission level Changing Permissions Use the chmod tool to change permissions for an itemSee the chmod man page for more information Securing System Accounts Changing the OwnerChanging the Group Securing Initial System Accounts To disable root login Enter the root password when promptedSecuring the Root Account Restricting Use of the sudo Tool Securing Single-User Boot Setting Password Policy To set the Open Firmware password for increased securityComputer should restart and display the login window To change a user’s password To view the global password policyTo set the minimum password length to 5 characters To set a more secure global password policy Access the help prompt and enter the command name Finding User Account InformationSee the pwpolicy man page for more information To query for a user by name 132 Working with File Services Managing Share Points Listing Share Points Creating a Share PointTo list existing share points To create a share point To change share point settings Modifying a Share Point Managing the AFP Service Starting and Stopping AFP ServiceChecking AFP Service Status Viewing AFP Settings Changing AFP Settings List of AFP SettingsTo change a setting To change several settings Allow an administrator user to masquerade as another user Authentication mode. Can beWhether the AFP service should restart automatically when Location of the error log Record user logins in the activity log Login greeting messageLast time the login greeting was set or updated Default = -1unlimited List of AFP serveradmin Commands Listing Connected Users To list connected usersValue returned by getConnectedUsers Disconnecting AFP Users Sending a Message to AFP UsersTo send a message To disconnect users Canceling a User Disconnect To cancel a user disconnectComputer will repond with the following output Value Description Listing AFP Service Statistics To list service statistic samplesComputer will respond with the following output Viewing AFP Log Files To view the latest entries in a logTo display the log paths Value displayed by Managing the NFS Service Starting and Stopping NFS ServiceChecking NFS Service Status Viewing NFS Service Settings Managing the FTP Service Starting FTP ServiceStopping FTP Service Checking FTP Service Status Changing FTP Service Settings List of FTP Service SettingsParameter ftp Description Directory in which the FTP content is stored Displays a banner message that appears whenPrompted to log in to the FTP. Customize to your Own preferences List of FTP serveradmin Commands Viewing the FTP Transfer LogChecking for Connected FTP Users Managing the SMB/CIFS Service Starting and Stopping SMB/CIFS ServiceChecking SMB/CIFS Service Status Viewing SMB/CIFS Service Settings Changing SMB/CIFS Service Settings List of SMB/CIFS Service SettingsParameter smb Description Browser service. Can be set to Advanced pane of Windows service settings in the ServerLow errors and warnings only Medium service start and stop, authentication failures Server’s NetBIOS name. Can be set to a maximum Pane of the Windows service settings in the Server AdminWindows service settings in the Server Admin This corresponds to the Wins Registration Off and Enable List of SMB/CIFS serveradmin Commands Listing SMB/CIFS Users Disconnecting SMB/CIFS Users Listing SMB/CIFS Service StatisticsTo list SMB/CIFS connections Computer responds with the following output Viewing SMB/CIFS Service Logs Location of the SMB service logLocation of the name service log Managing ACLs Using chmod to Modify ACLs Following are the permissions applicable to foldersTo grant a user write permission for a file To deny a guest read permission for a file To view the ACL of a file Output should look like the following 160 Working with the Print Service Understanding the Print Process Performing Print Service Tasks Starting and Stopping Print ServiceTo start print service To stop print service Checking the Status of Print Service Viewing Print Service SettingsChanging Print Service Settings Print Service Settings Parameter print Description Queue Data Array Parameter printDescription Managing the Print Service Command printcommand= DescriptionFollowing is an example of a queue array parameter block Pausing a Queue Listing QueuesListing Jobs and Job Information To pause a queue Holding a Job To hold a jobTo release the job Viewing Print Service Log Files Viewing Cover PagesTo obtain a list of available cover pages 170 Understanding the NetBoot Service Starting and Stopping NetBoot ServiceTo start NetBoot service To stop NetBoot service Checking NetBoot Service Status Viewing NetBoot SettingsChanging NetBoot Settings Changing General Netboot Service Settings Volume parameter arrayParameter netboot Description Storage Record Array Filters Record Array Image Record Array Enabling NetBoot 1.0 for Older NetBoot Clients To enable NetBootPort Record Array Booting from an Image Using hdiutil to Work with System ImagesWorking with System Images Updating an Image Using asr to Restore System Images Imaging Multiple Clients Using Multicast asr Choosing a Boot Device Using systemsetup To configure a client to receive a multicast stream Understanding the Mail Service Postfix Agent Cyrus Mailman Managing the Mail Service Starting and Stopping Mail ServiceChecking the Status of Mail Service Viewing Mail Service Settings Mail Service Settings Parameter mail Description Default = 500s Default = 1sDefault = domain Default = += Default = 0s Default = postfixDefault = 1000s Default = -=+ Default = flock Default = flushDefault = 60s Default = postdrop Default = 10s Default = /usr/binDefault = mail Default = none Default = smtp Default = 7dDefault = qmgr Default = fcntl Default = error Default = showqDefault = 5d Default = host Default = incoming Default = activeDefault = deferred Default = bounce Default = virtual Default = $homeDefault = rewrite Default = 600s Default = 30s Default = hashDefault = Default Default = c Default = cyrus Default = auxprop 193 Mail serveradmin Commands Listing Mail Service StatisticsTo list samples Viewing the Mail Service Logs Default = srvr.logTo display the log locations Location of the server log Backing Up the Mail Files Reconstructing the Mail Database Setting Up SSL for Mail Service Generating a CSR and Creating a KeychainEnter a key size at the next prompt, and then press Return 199 Accessing the Server Certificates Obtaining an SSL CertificateImporting an SSL Certificate into the Keychain To import an SSL certificate into the keychain Creating a Password File See the certadmin man page for more informationTo create a password file To list the certificates stored in the System keychain Configuring Mailboxes Enabling Sieve Scripting To enable Sieve support Reload the mail serviceEnabling Sieve Support Sample Sieve Scripts Self-Defined Forwarding Script Basic Sort and Anti-Junk Mail Filter Script Sieve Scripting Resources 206 Understanding Web Technology Files Location Managing the Web Service Starting and Stopping Web ServiceChecking Web Service Status Viewing Web Settings Changing Web Settings Serveradmin and Apache SettingsChanging Settings Using serveradmin Web serveradmin Commands Viewing Service LogsViewing Service Statistics Listing Hosted Sites Value you want to display. Valid values V1-Number of requests per secondV2-Throughput bytes/sec V3-Cache requests per second Example Script for Adding a Website Addsite FileAddsite.in File Tuning the Server Performance To run the script Working with Application Servers and Java Apache TomcatJBoss Server To start Apache Tomcat To install the default database MySQL DatabaseTo start JBoss, enter the following To stop JBoss, enter the following To set the root password To create a databaseTo set the network option To start mysqld Working with Network Services Managing Network Services Managing the Dhcp Service Starting and Stopping Dhcp ServiceChecking the Status of Dhcp Service Viewing Dhcp Service Settings Changing Dhcp Service Settings Dhcp Service SettingsTo see a list of available service settings To change a single Dhcp setting Dhcp Subnet Settings Array About Subnet IDsSubnet Parameter General pane of the subnet settings in the Server Not set defaultWins pane of the subnet settings in the Server Lease time in seconds Corresponds to the NetBIOS Scope ID field in the Wins Adding a Dhcp SubnetTo add a subnet Domain name such as apple.com Adding a Dhcp Static Map To add a static mapAbout Static Map IDs List of Dhcp serveradmin Commands Viewing the Dhcp Service LogCommand Dhcpcommand=Description Determine the location of the Dhcp service logs Managing the DNS Service Starting and Stopping the DNS ServiceChecking the Status of DNS Service Viewing DNS Service Settings Changing DNS Service Settings DNS Service SettingsList of DNS serveradmin Commands Viewing the DNS Service Log Configuring IP Forwarding Managing the Firewall Service Starting and Stopping Firewall Service Checking the Status of Firewall ServiceViewing Firewall Service Settings Firewall Startup Changing Firewall Service Settings Firewall Service SettingsParameter ipfilter Description Defining Firewall Rules Ipfilter Groups with Rules ArrayAdding Rules by Modifying ipfw.conf Unmodified ipfw.conf file Adding Rules Using serveradmin Ping cracker.evil.org to determine its IP addressTo add a rule An example of this would be similar to the following Firewall serveradmin Commands Ipfilter Rules Array Managing the NAT Service Viewing Firewall Service LogUsing Firewall Service to Simulate Network Activity Location of the ipfilter service log Starting and Stopping NAT Service Checking the Status of NAT ServiceViewing NAT Service Settings Changing NAT Service Settings NAT Service Settings NAT serveradmin CommandsParameter nat Description Viewing the NAT Service Log Port Mapping Managing the VPN Service Starting and Stopping VPN ServiceChecking the Status of VPN Service Viewing VPN Service Settings Changing VPN Service Settings List of VPN Service SettingsDefault = Keychain Default = IPSec Default = Manual Default = L2TPDefault = PPP Default = Dsacl Default = Pptp Default = MppeDefault = EAP-RSA List of VPN serveradmin Commands Viewing the VPN Service LogVPN Service Log on this Restarted. See Using the serveradmin Tool on Configuring Site-to-Site VPN Location of the VPN service logSite-to-Site VPN Adding a VPN Keyagent User Setting Up IP Failover IP Failover PrerequisitesIP Failover Operation Hardware Requirements To enable IP failover Enabling IP Failover Configuring IP Failover Notification OnlyPre and Post Scripts Restoring the Default Configuration for Server Services To restore the NAT service to its default configurationEnabling PPP Dial-In To restore the Dhcp service to its default configuration Re-create the two default recordsTo restore the Qtss service to its default configuration To restore the DNS service to its default configuration To restore the VPN service to its default configuration Using General Directory Tools Testing Your Open Directory ConfigurationUnderstanding Open Directory Testing Open Directory Plug-ins Changing Open Directory Service SettingsModifying a Directory Domain Registering URLs with SLP Configuring Ldap PasswordOptionsStringLDAPTimeoutUnits Default = minutes LDAPServerBackend Managing OpenLDAP Configuring slapd and slurpd Daemons Standard Distribution ToolsTool Used to Delay Rebind Idle TimeoutIdle Rebinding Options Searching the Ldap Server 256 257 Using Ldif Files Configuring NetInfo Managing NetInfoAdditional Information About Ldap Managing Open Directory Passwords Open Directory Password ServerViewing or Changing Password Policies Enabling or Disabling Authentication Methods Kerberos and Apple Single Sign-On Backing Up the Kerberos DatabaseTo dump the KDC’s database To load KDC data from a dumped file To add a service principal Principal ManagementTo add a principal To delete a principal Using Directory Service Tools Operating on Directory Service Directory DomainsUsing kadmin to kerberize a service To kerberize a service from a terminal running on that host Finding Network Information Manipulating a Single Named Group Record Adding or Removing Ldap Server Configurations Configuring the Active Directory Plug-InTo add an Ldap server To remove an Ldap server 266 Performing Qtss Service Tasks Understanding QuickTime Streaming Server Starting and Stopping the Qtss Service Checking Qtss Service StatusViewing Qtss Settings Changing Qtss Settings Qtss Settings Descriptions of SettingsDefault = qtaccess Look in the sample file for Default = admin Default = digest Default = qtss Managing QtssListing Current Connections Logs on Viewing Qtss Service Statistics For connections v1, this is integer average numberConnections Send a HUP signal to this process Forcing Qtss to Reread its PreferencesTo force Qtss to reread its preferences List the Qtss processes Configuring Streaming Security Resetting the Streaming Server Admin User Name and PasswordTo set up Sites/Streaming/ in older home folders To reset the user name and password Controlling Access to Streamed Media Creating an Access File Between terms, make sure you enclose the entire message Quotation marksPath and filename of the user file Qtusers Accessing Protected Media Adding User Accounts and PasswordsAdding or Deleting Groups Making Changes to the User or Group File Manipulating QuickTime and MP4 Movies Creating Reference MoviesCreate QuickTime Atom ref movie with extension .qtl Create XML text ref movie with extension .qtl 280 Configuring the Log File Configuring Your System Logging Local Logging Configuring Remote Logging on a Client Computer To enable remote logging on a client computerConfiguring Remote Logging on a Server Remote Logging Or match a single host like this Open /etc/rc and locate the following line PCI RAID Card Command Reference 286 287 288 Glossary Computer account See computer list Directory node See directory domain Full name See long name 292 293 294 Relay point See open relay Search path See search policy 297 298 Access Securing Chgrp tool ACL access control list136 Example Stopping service Naming 41 Restoring images Logs Lpr Backup Cyrus Mail files Dynamic Host Configuration Protocol. See Dhcp Error messages command not found Executing commandsImage Booting from 176 updating Disk journaling Kerberosautoconfig tool 261 keychain Backing up Principal management 262 tools and utilities 302 QuickTime Streaming Server. See Qtss Used by ldapsearch 255 scheduling tasks AFP DNS 239 Terminating commands Time, viewing or changing 57 Stopping serviceViewing service logs Tools for remote configuration