Changing Security Settings
Use the Security pane of Server Preferences to protect your server from users on other
networks or the Internet.
164
Chapter 10
Managing Server Information
You can set up a firewall to protect your local network (IP subnet), or you can manage
an AirPort Extreme Base Station (802.11n) or a Time Capsule to protect your local
network. Either way, you can individually specify which services will accept incoming
connections from computers outside your server’s local network (IP subnet). If you use
firewall security (not AirPort management), you can allow incoming connections to all
services from outside your server’s local network.
If the Security pane says you’re using the application firewall, you can manage it in
System Preferences, or you can turn it off there and manage the server’s firewall in
Server Preferences. For more information, see “About Firewall Security,” next.
If your server gets its Internet connection through a network router other than an
AirPort Extreme Base Station or Time Capsule, you can use the router’s configuration
software to protect your server and your local network. If you do that, you can turn off
firewall security in the Security pane. For information about configuring your router,
see “Protecting Your Network with a Router” on page 36.
To control which services are exposed to the Internet:
1 If you have an AirPort Extreme Base Station or a Time Capsule, and you see a “Switch to
AirPort management” button in the Security pane, click the button to use the AirPort
Extreme Base Station or Time Capsule for security control.
If you’re asked to authenticate, enter the base station or Time Capsule password (not
the wireless network password).
If you’ve changed the NAT options on your AirPort Extreme Base Station or Time
Capsule to use your server as the “default host,” you need to use the server’s firewall
to control security, not the AirPort management. In this case, do not click “Switch to
AirPort management” in the Security pane. By default, an AirPort Extreme Base Station
or Time Capsule has the default host option turned off.
If you see a “Switch to Firewall security” button in the Security pane, don’t click the
button if you’re using the default NAT options on your AirPort Extreme Base Station or
Time Capsule. Click this button only if you’ve changed the “default host” option in the
NAT pane of the AirPort Utility application.
2 In the Security pane of Server Preferences, click the On/Off switch to turn on security
control.
3 To allow a service to accept incoming connections from all networks, including the
Internet, click the Add (+) button and choose the service from the pop-up menu.
If the service you want to add isn’t listed in the pop-up menu, choose Other, and then
enter the service name and port. For a list of service names and ports, open Server
Admin and then use the Help menu to search for “TCP and UDP port reference.”
4 To stop a listed service from accepting incoming connections from all networks,
including the Internet, select the service and click the Delete (–) button.
While security control is on, services that aren’t listed in the Security pane can get
incoming connections only from the server’s local network.
If you’re using AirPort management and make changes in the Security pane, Server
Preferences asks if you want to apply your changes by restarting your base station
or Time Capsule. Restarting will interrupt Internet access and DHCP service for all
computers on your local network for up to a minute.
If you turn on firewall security and your server gets its Internet connection through
a network router, you should configure your router to send all incoming requests for
services to your server. For instructions, open Server Preferences Help and search for
“making your server the router default host.”
To allow all incoming requests for services with firewall security:
m In the Security pane, click the On/Off switch to turn off firewall security.
While firewall security is off, your server’s firewall allows incoming connections to all
services. However, if your server gets its Internet connection through a cable router,
DSL router, or other router, you also need to configure it to send incoming service
requests to your server. For information about configuring your router, see “Protecting
Your Network with a Router” on page 36.
If you’re using AirPort management (not firewall security), turning it off blocks
incoming connections to all services.
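The following is an added illustration, not part of the Apple manual or of the server software: a small Python model of the Security pane rules described above (firewall security on or off, AirPort management on or off), useful for reasoning about which services end up reachable from outside the local subnet. The subnet, the service-to-port table and the source addresses are constructed sample values.

```python
import ipaddress

# Constructed sample values (assumptions for illustration only).
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")
SERVICES = {"web": 80, "web_ssl": 443, "file_sharing_afp": 548, "mail_smtp": 25}


def incoming_allowed(mode, exposed_ports, src_ip, dst_port, local_subnet=LOCAL_SUBNET):
    """Decide whether one incoming connection is accepted under a Security pane mode.

    mode: "firewall_on"  -> only services listed in the pane accept from outside
          "firewall_off" -> the server's firewall allows incoming connections to all services
          "airport_on"   -> the base station forwards only the listed services
          "airport_off"  -> the base station blocks incoming connections to all services
    exposed_ports: ports of the services listed in the Security pane
    """
    src = ipaddress.ip_address(src_ip)
    # Assumption: hosts on the server's own subnet reach it directly, so the
    # Security pane settings only govern traffic arriving from other networks.
    if src in local_subnet:
        return True
    if mode == "firewall_off":
        return True
    if mode == "airport_off":
        return False
    if mode in ("firewall_on", "airport_on"):
        return dst_port in exposed_ports
    raise ValueError(f"unknown mode: {mode}")


def reachable_from_internet(mode, exposed_names, services=SERVICES):
    """Audit helper: names of services an Internet host could connect to."""
    exposed_ports = {services[name] for name in exposed_names}
    # TEST-NET-3 address stands in for an arbitrary Internet host.
    return sorted(
        name for name, port in services.items()
        if incoming_allowed(mode, exposed_ports, "203.0.113.5", port)
    )


if __name__ == "__main__":
    for mode in ("firewall_on", "firewall_off", "airport_on", "airport_off"):
        print(mode, reachable_from_internet(mode, ["web", "web_ssl"]))
```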
About Firewall Security
The firewall that you can control in the Security pane of Server Preferences is the
Mac OS X Server firewall. Called an IP firewall, it accepts or denies incoming and
outgoing traffic based on attributes of the traffic, such as its destination port or
originating IP address. For information about the IP firewall, open Server Admin and
then use the Help menu to search for “firewall service overview.”
Your server also has the Mac OS X firewall, which works differently. It’s known as an
application firewall because it accepts or denies an incoming connection based on
the particular application, service, or other software module that’s trying to accept
the connection. This firewall doesn’t control outgoing network traffic. You manage the
application firewall with System Preferences, not Server Preferences.
If you upgraded your server from Mac OS X Server v10.5 Leopard, the application
firewall may be active. You need to turn it off in the Security pane of System
Preferences before you can manage the IP firewall with the Security pane of Server
Preferences.
Your server’s firewall and VPN service can both allow access to services from outside
your local network. The difference is that VPN service requires authentication for
access, but access allowed through the firewall doesn’t require authentication. If VPN
service is on, you may not need to expose some services to the Internet through your
firewall. For example, you might set the firewall to expose only your web services to the
Internet so that the public can view your website. Your server’s users can access other
services—file sharing, address book, iCal, iChat, and mail—through a VPN connection.