On 2009-01-20 19:15, Peter O'Gorman wrote:
> Gilbert E. Detillieux wrote:
>> Any suggestions for clean, secure ways to implement firewall support for these services using ipfilter or ipfw?
> For Mac OS X, using ipfw in combination with the Application Firewall may accomplish some of what you want: http://support.apple.com/kb/HT1810
I'm working on Mac OS X Server, which doesn't have the Application Firewall (under System Preferences/Security), but instead has a rather nice Firewall GUI front-end to ipfw, under the Server Admin app.
However, this does not provide the functionality I'm looking for. It did make the basic ipfw setup much easier, though. (Only needed a couple manual-override rules that I couldn't set up through the GUI.)
> There is also a GUI frontend for ipfw on Mac OS X, don't know if it's any good - http://www.hanynet.com/waterroof
I had heard of this, but I haven't tried it. It looks like an alternative to what's provided in Server Admin. (Perhaps it would be more useful under the non-Server versions of Mac OS X.)
> For Solaris, I don't know, I'm afraid, I guess you found the FAQ? http://www.phildev.net/ipf/long.html
Looked through that FAQ already, as well as the IPF Howto it references. Their solution to the passive FTP server problem is to open up a port range in the firewall, and configure the FTP server to use that port range for passive data transfers.
I was hoping for a better solution, including one that would work for Amanda backups as well, using connection tracking. However, it looks like the open port range solution is the best I can hope for right now.
Anyway, thanks for your reply.