OSX Client Firewall

OSX Client Firewall

Marc Pinnell-3
I'm running my server under OSX.4.5 Client. I'm in the process of
going through security compliance checks and they are requiring that
I shut down ports such as NTP (123) and Finger (79). Lacking a better
solution, can the OSX Client Firewall be used to shut down these
ports? I have never turned on the Firewall in client; was this a
mistake? If others are using it, any suggestions for ports to leave
open (beyond the obvious 80, 110, etc.) would be appreciated. My
server is colo'd so the facility has some firewall protection, but I
guess they leave open the majors.

Thanx
Marc



------------------------------
Lasso Support: http://support.omnipilot.com/
Search the list archives: http://www.listsearch.com/lassotalk.lasso
Manage your list subscription:  
http://www.listsearch.com/lassotalk.lasso?manage
Re: OSX Client Firewall

Trevor Jacques
>they are requiring that I shut down ports such as NTP (123) and Finger (79)

In all the years I've run and monitored Macs, I've never seen either
of these ports in the logs (which are set up to make a note of
all ports that should not be accessed). I use IPNetSentry (a great sw
firewall for Mac servers).

>My server is Colo'd so the facility has some firewall protection,

IPNSX has a web interface, but I've not had to use it for a while.
VNC or Timbuktu generally solve that problem rather neatly, anyway.

T.

Re: OSX Client Firewall

Adam Richardson-2
In reply to this post by Marc Pinnell-3

On 02/09/2006, at 6:52 AM, Marc Pinnell wrote:

> I'm running my server under OSX.4.5 Client. I'm in the process of
> going through security compliance checks and they are requiring that I
> shut down ports such as NTP (123) and Finger (79), lacking a better
> solution, can the OSX Client Firewall be used to shut down these
> ports?

What security standards do you need to comply with ?

The OSX client firewall pane in System Preferences is a minimal GUI for
ipfirewall, which is part of the FreeBSD codeset.

There are basically five options for firewalling a Mac:

1. You use the inbuilt firewall configured via the terminal
2. You use the inbuilt firewall configured via the system preferences
panes
3. You use the inbuilt firewall configured via a GUI like Flying
Buttress (formerly Brickhouse) ...
http://personalpages.tds.net/~brian_hill/brickhouse.html
http://www.securemac.com/brickhouse.php
4. You use a standalone firewall app
5. You run the inbuilt firewall in combination with a standalone
firewall app

> I have never turned on the Firewall in client, was this a mistake?

Every computer connected to the internet, regardless of operating
system should be protected by a firewall at all times.

>  If others are using it, any suggestions for ports to leave open
> (beyond the obvious 80, 110, etc) would be appreciated. My server is
> Colo'd so the facility has some firewall protection, but I guess they
> leave open the majors.

The only ports you should leave open are the ones that are absolutely
essential for your server to work.
See http://en.wikipedia.org/wiki/Least_privilege

- Adam

~~~~

Adam Richardson

CEO, Waenick Pty Ltd
Security Consultant, FiveGeeks
http://www.fivegeeks.com

Waenick Pty Ltd is a privately owned database, data security and online
application development company.

We combine databases like mySQL, Oracle and 4D with Omnipilot
Software's Lasso Professional database middleware to produce
intelligent, adaptive database driven business intranet and internet
applications.

We also provide a range of data security services including penetration
testing, application source code audits and network security audits
with full compliance with the remote auditing and testing requirements
of ISO 17799 (BS7799) and ISO 17799-2000 for information security
testing.

Skunkworks One is a division of Waenick Pty Ltd
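Adam's option 1 above, the built-in ipfw driven from the Terminal, carried through as an added example; this is not code from the thread or from any product named in it. It lists what is bound on the host, flags anything not on a least-privilege allowlist (here the finger and NTP ports the audit raised), and emits a default-deny ruleset that logs hits on the flagged ports. The allowlist, the rule numbers and the netstat sample are assumptions.

```shell
#!/bin/sh
# Added example: a hand-built, default-deny ipfw ruleset for an OS X 10.4
# host. Only the ports the server must expose are opened; every other
# bound port is denied and logged. Allowlist and numbers are assumptions.

ALLOW_TCP="22 80 110"   # assumed essential services: ssh, http, pop3
ALLOW_UDP=""            # assume the server needs no inbound UDP at all

# Constructed sample of `netstat -an` output on a Tiger host (not real
# data). On the server itself use the live output of:  netstat -an
SAMPLE_NETSTAT='tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.110                  *.*                    LISTEN
tcp4       0      0  *.79                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.123                  *.*
udp4       0      0  *.*                    *.*'

# listening_ports NETSTAT_TEXT: print "proto port" for every TCP socket
# in LISTEN state and every UDP socket bound to a specific port.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { sub(/.*\./, "", $4); print "tcp", $4 }
        $1 ~ /^udp/ && $4 != "*.*"      { sub(/.*\./, "", $4); print "udp", $4 }
    ' | sort -u
}

# is_allowed PROTO PORT: succeed only if the port is on the allowlist.
is_allowed() {
    case $1 in tcp) list=$ALLOW_TCP ;; udp) list=$ALLOW_UDP ;; *) list= ;; esac
    for p in $list; do [ "$p" = "$2" ] && return 0; done
    return 1
}

# unexpected_listeners NETSTAT_TEXT: the bound ports an auditor would flag.
unexpected_listeners() {
    listening_ports "$1" | while read -r proto port; do
        is_allowed "$proto" "$port" || echo "$proto $port"
    done
}

# ipfw_rules NETSTAT_TEXT: emit the ruleset as ipfw commands. Review the
# output, then pipe it to sh as root to load it.
ipfw_rules() {
    echo "ipfw -q flush"
    echo "ipfw -q add 100 allow ip from any to any via lo0"
    echo "ipfw -q add 200 check-state"
    echo "ipfw -q add 300 allow tcp from any to any established"
    # connections the host itself starts (DNS, NTP sync) may get replies
    echo "ipfw -q add 400 allow ip from me to any out keep-state"
    n=1000
    for p in $ALLOW_TCP; do
        echo "ipfw -q add $n allow tcp from any to me $p in setup"
        n=$((n + 10))
    done
    for p in $ALLOW_UDP; do
        echo "ipfw -q add $n allow udp from any to me $p in"
        n=$((n + 10))
    done
    # explicit logged denies so hits on the flagged ports show in the log
    n=5000
    unexpected_listeners "$1" | while read -r proto port; do
        echo "ipfw -q add $n deny log $proto from any to me $port in"
        n=$((n + 10))
    done
    echo "ipfw -q add 65000 deny log ip from any to any in"
}

ipfw_rules "$SAMPLE_NETSTAT"
```

Blocking the port is a compensating control; the cleaner fix for finger and NTP is to stop the daemon so nothing listens at all. ipfw rules live in the kernel and do not survive a reboot, so the script has to be run again from a startup item.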


ChartFX confusion

Steve Upton
In reply to this post by Marc Pinnell-3

I have seen this problem come up in an earlier post but there was no response with a solution so I'm going to try again...

ChartFX wants a folder at the 'root' of the 'webserver' which, on OS X Server is the /Library/WebServer/Documents/ folder.

The problem is that this doesn't work for virtual hosting of multiple sites. As soon as you move the chartfx62/temp folders into the virtual site area, ChartFX stops putting graphs in it. If you leave it at the root of Apache's site area then the virtual sites can't see it and the browsers can't get the graphs...

I've tried everything I can think of, aliasing, scripting, etc., etc., to no avail.

Has anyone made this work?

Regards,

Steve Upton

--


Re: OSX Client Firewall

Marc Pinnell-3
In reply to this post by Adam Richardson-2
Adam,

Thanks for the info. I tried both the Apple GUI and the Flying
Buttress software and neither works. I have two IPs on this box (one
wire) and I suspect that is giving me problems. In the Apple GUI
everything is greyed out and not selectable. In FB, every time I set up
the ports to allow/deny on one IP, it overwrites the other and wipes
it out.

I have emailed Flying Buttress, but this is the wrong weekend to be  
doing this stuff.....

Marc


On Sep 1, 2006, at 11:19 PM, Adam Richardson wrote:

>
> On 02/09/2006, at 6:52 AM, Marc Pinnell wrote:
>
>> I'm running my server under OSX.4.5 Client. I'm in the process of  
>> going through security compliance checks and they are requiring  
>> that I shut down ports such as NTP (123) and Finger (79), lacking  
>> a better solution, can the OSX Client Firewall be used to shut  
>> down these ports?
>
> What security standards do you need to comply with ?
>
> The OSX client firewall pane in System Preferences is a minimal GUI  
> for ipfirewall, which is part of the FreeBSD codeset.
>
> There are basically five options for firewalling a mac
>
> 1. You use the inbuilt firewall configured via the terminal
> 2. You use the inbuilt firewall configured via the system  
> preferences panes
> 3. You use the inbuilt firewall configured via a GUI like Flying  
> Buttress (formerly Brickhouse) ...
> http://personalpages.tds.net/~brian_hill/brickhouse.html
> http://www.securemac.com/brickhouse.php
> 4. You use a standalone firewall app
> 5. You run the inbuilt firewall in combination with a standalone  
> firewall app
>
>> I have never turned on the Firewall in client, was this a mistake?
>
> Every computer connected to the internet, regardless of operating  
> system should be protected by a firewall at all times.
>
>>  If others are using it, any suggestions for ports to leave open  
>> (beyond the obvious 80, 110, etc) would be appreciated. My server  
>> is Colo'd so the facility has some firewall protection, but I  
>> guess they leave open the majors.
>
> The only ports you should leave open are the ones that are  
> absolutely essential for your server to work.
> See http://en.wikipedia.org/wiki/Least_privilege
>
> - Adam


Re: OSX Client Firewall

Trevor Jacques
>I tried both the Apple GUI and the Flying Buttress software and neither work.

I have about 25 IPs on my iMac and IPNetSentry works perfectly. Check
it out at http://SustWorks.com/

HTH.

T.

Re: ChartFX confusion

Brett Circe
In reply to this post by Steve Upton
Steve, we got this working in the office, I believe with
Sym links. We are closed on Monday for Labor Day, but I
will make sure to get you an exact answer on Tuesday.


On Fri, 1 Sep 2006 23:33:04 -0700
  Steve Upton <[hidden email]> wrote:

>
> I have seen this problem come up in an earlier post but
>there was no response with a solution so I'm going to try
>again...
>
> ChartFX wants a folder at the 'root' of the 'webserver'
>which, on OS X Server is the
>/Library/WebServer/Documents/ folder.
>
> The problem is that this doesn't work for virtual
>hosting of multiple sites. As soon as you move the
>chartfx62/temp folders into the virtual site area,
>ChartFX stops putting graphs in it. If you leave it at
>the root of Apache's site area then the virtual sites
>can't see it and the browsers can't get the graphs...
>
> I've tried everything I can think of, aliasing,
>scripting, etc, etc to no avail
>
> Has anyone made this work?
>
> Regards,
>
> Steve Upton
>

----------------------------------------
Brett Circe
[hidden email]

Re: ChartFX confusion

Greg Willits-2

On Sep 2, 2006, at 3:10 PM, Brett Circe wrote:

> Steve, we got this working in the office, I believe with Sym links.  
> We are closed on Monday for Labor Day, but I will make sure to get  
> you an exact answer on Tuesday.
>
> On Fri, 1 Sep 2006 23:33:04 -0700
>  Steve Upton <[hidden email]> wrote:
>> I've tried everything I can think of, aliasing, scripting, etc,  
>> etc to no avail


Steve -- in general, you can't use OS X aliases for anything except  
in Finder.

Anything that is used for daemon services, shell scripts, or anything  
"Unixy" has to be done with symbolic links ("symlinks").

In Terminal:

ln -s {SOURCE} {DESTINATION}

SOURCE -- just drag the file or folder you want linked to into Terminal

DESTINATION -- I usually drag a file from the target path, then edit  
the file name to save me the typing. No trailing slash when you're  
making folders.


-- gw
-----------------------------------------------------------------------
www.araelium.com/aredit/ae_and_lasso :: A new, Lasso-friendly, OS X
specific project manager and code editing development application.
www.pageblocks.org :: A comprehensive application framework for Lasso.
-----------------------------------------------------------------------



Re: OSX Client Firewall

Adam Richardson-2
In reply to this post by Trevor Jacques
Firewalk X is a great app too. It's a standalone firewall app for OS X,
so it doesn't rely on the built in OS X firewall, but can be configured
to work in tandem with it. The user interface is very intuitive too,
and allows you to set not just which ports can be used, but which
applications on your server can use them ...

http://www.versiontracker.com/dyn/moreinfo/macosx/10832
http://www.pliris-soft.com/products/firewalkx/firewalkx.html

- Adam


On 03/09/2006, at 6:58 AM, Trevor Jacques wrote:

>> I tried both the Apple GUI and the Flying Buttress software and
>> neither work.
>
> I have about 25 IPs on my iMac and IPNetSentry works perfectly. Check
> it out at http://SustWorks.com/
>
> HTH.
>
> T.
>


Re: OSX Client Firewall

Jolle Carlestam
From what I can understand, Firewalk X is a dead product. No longer
supported and not compatible with Tiger.

HDB
JC

On 4 Sep 2006 at 01:20, Adam Richardson wrote:

> Firewalk X is a great app too. It's a standalone firewall app for  
> OS X, so it doesn't rely on the built in OS X firewall, but can be  
> configured to work in tandem with it. The user interface is very  
> intuitive too, and allows you to set not just which ports can be  
> used, but which applications on your server can use them ...
>
> http://www.versiontracker.com/dyn/moreinfo/macosx/10832
> http://www.pliris-soft.com/products/firewalkx/firewalkx.html
>
> - Adam


Re: OSX Client Firewall

Wade Maxfield
>From what I can understand, Firewalk X is a dead product. No longer
>supported and not compatible with Tiger.
>
>HDB
>JC

There is always Firewall Builder (http://www.fwbuilder.org/). It's a
GUI for ipfw (OS X's built-in firewall) as well as iptables,
ipfilter and pf. There's a trial version you can have a play with.
The rules themselves don't expire, just the GUI.

I've been using it for a couple of years on 10.3 and 10.4 (I can't
remember what I was using on 10.2).

  - Wade

Re: ChartFX confusion

Jason Pettis
In reply to this post by Steve Upton
Hey! This is the same problem I am having as well (see
http://www.listsearch.com/lassotalk.lasso?id=166698), except I'm on
Windows 2000 server.

I'm interested in hearing the exact answer, but I'm wondering - can I
set up an alias, or should I try to move the chartfx config folder to
the server "root" and use web sharing to include it with my virtual
servers?

-Jason

Re: ChartFX confusion

Steve Upton
In reply to this post by Greg Willits-2
At 4:29 PM -0700 9/2/06, Greg Willits wrote:

>On Sep 2, 2006, at 3:10 PM, Brett Circe wrote:
>
>>Steve, we got this working in the office, I believe with Sym links. We are closed on Monday for Labor Day, but I will make sure to get you an exact answer on Tuesday.
>>
>>On Fri, 1 Sep 2006 23:33:04 -0700
>> Steve Upton <[hidden email]> wrote:
>>>I've tried everything I can think of, aliasing, scripting, etc, etc to no avail
>
>
>Steve -- in general, you can't use OS X aliases for anything except in Finder.
>
>Anything that is used for daemon services, shell scripts, or anything "Unixy" has to be done with symbolic links ("symlinks").
>
>In Terminal:
>
>ln -s {SOURCE} {DESTINATION}
>
>SOURCE -- just drag the file or folder you want linked to into Terminal
>
>DESTINATION -- I usually drag a file from the target path, then edit the file name to save me the typing. No trailing slash when you're making folders.

Yup, thanks Greg, that fixed it.

While I know that symbolic links are not the same as OS X aliases, I thought that they were both not followed by Apache and that I would need to use a hard link, but those only work for files and not folders.

It turns out that yep, symlinks do the job.

So, just for the record, I put the chartfx62 folder at the root of my web documents directory and ChartFX finds it just fine and puts graphs into its /temp subfolder. Then I made a symbolic link from its /temp folder to within my virtual site's chartfx/ folder and now, finally, the graphs appear in the right spot, usable by the browser of the virtual site.

As for how to do this under Windows, I'm not sure. If you can alias folders in a way that the web server is happy with, then you should be OK. I don't know if shortcuts are up to the task or not...

Note to OmniPilot: I like the ChartFX package, but there should be more documentation for the setup of this (as most people will probably serve multiple sites from a server even if the alternates are only their dev sites). And also, it would be logical to have the ability to set up the folder used by ChartFX in the siteadmin Lasso app, no? This hard-coding of the path with particular, static naming seems a bit primitive to me...

Chances are very good that you don't have that kind of control over the package, but it would be nice.

Also, their documentation is large and detailed, but it all tends to have a lot to do with coding in Java rather than simply selecting options in the ChartFX graph layout app. Some sort of translation to the primary tool we use would be nice. At a minimum, a list of the features that are in their documentation but NOT in ChartFX for Lasso would be nice.

For instance, the documentation suggests that ChartFX can output SVG and Flash graphs. Will ChartFX for Lasso do that? If so, can you show us how?

All that said, the ability to lay out a graph in a desktop tool and then simply copy the XML up to the server for static or database storage & rendering is a great system. I'm glad you guys picked a powerful graphing system for this task.

Thanks!

Regards,

Steve


________________________________________________________________________
o  Steve Upton              CHROMiX        www.chromix.com
o   (hueman)                               866.CHROMiX
________________________________________________________________________
--

