TCP/IP Filters allow the server administrator to restrict access to TCP services running on the ASIP server by port number, by IP address of the client, or a combination of both. This powerful feature allows the administrator a great deal of flexibility in offering services and providing extra security. Here are some examples of how an administrator could filter services on the ASIP server:
- Limit all access to specific networks, such as the local LANs; this would prevent users on the Internet from accessing the server.
- Restrict a particular service, such as Remote Web Administration or the IMAP Admin Access Port, to a single IP address. This would allow additional security to these powerful administrative features.
- Permit server access to all clients within an IP address range, except for particular workstations. This might be used if you have some "public" workstations, such as you might find in a library or a business lobby. These public workstations could be set up with only certain types of access, such as access to the web server, while other access (FTP, SMTP, or AFP over TCP) is denied
TCP/IP Filtering includes a TCP Filter Admin program which is used to create the filters (like other ASIP administration programs, launching the TCP/IP Admin program requires the admin name & password). The other components are extensions which interpret the filters created and allow or deny services accordingly.
Figure 1, TCP Filter folder contents
System Requirements/Compatibility
Operating system
The TCP Filter feature is fully compatible with Mac OS 8.5 which includes Open Transport 2.0. It is not supported, and may not run on, 8.1 or earlier due to limitations in earlier versions of Open Transport.
Hardware
The TCP Filter feature will run on any supported hardware platform of the AppleShare IP 6.x product.
Components Installed
TCP/IP Filtering is installed as a standard part of the AppleShare IP 6.1 easy installation, and is implemented in 3 components:
- OT AutoPushSupport init (located in Extensions Folder)
- TCP Filter extension (located in Extensions Folder)
- TCP Filter Admin application (located in TCP Filter folder, within the AppleShare IP 6.1 folder at root level of startup volume)
The TCP/IP Filtering extension module verifies all incoming TCP/IP packets and the admin application is used for configuring the TCP filters for each TCP/IP port.
The initial state is off and thus by default all TCP/IP packets are accepted.
How it works
TCP/IP Filters may be defined for individual ports on the server or as server-wide filters that apply to "All ports" on the server machine. When a packet comes in, the software first checks to see if there is a filter that applies to that particular port. If more than one filter has been defined for that port, it will then check the IP address field, and use the filter that most closely matches the sender's IP address.
If no filter exists for that specific port, then it will look for the "All Ports" filters, and again, apply the one that most closely matches the sender's IP address.
TCP Filtering is installed on the server machine in the "off " or disabled state which means that there are no restrictions on incoming TCP/IP packets after installation. The administrator must enable TCP Filtering and restart the server before any filters can be operational; he should at this time also choose the Default filter state. The Default filter may be set to "Deny All" clients not specifically allowed by another filter or "Allow All" clients if not specifically denied by another filter. The initial state of the Default filter is "Deny All". After enabling TCP Filtering, the Default filter state should be either changed to "allow all", or supplemented by adding new filters.
Figure 2, TCP Filter List
To create a TCP filter, the administrator sets three values:
- Services or Port Numbers
- IP addresses
- Access type (deny or allow)
Services or Port numbers
When adding TCP filters, you may choose a service or a well-known TCP port number from the Port pop-up menu or you may type in any valid port number for which to define filters (port number only; no text). In addition, you may choose the "All ports" designation from the Port pop-up menu to apply the filter to all services running on the server system.
These are the ports that map to services offered by AppleShare IP 6.x:
Figure 3, All Ports pop-up menu
IP Addresses
Filters specify an IP address or range of IP addresses from which to control access to services running on the server system. An IP address consists of 4 decimal numbers (ranging from 0 to 255) that are separated by the period character (.). When creating a filter, an IP address may contain wildcard characters (*) that indicate that any number in that location is considered valid. Wildcard characters can not precede any numerical value in the filter, and must always be followed by other wildcard characters, or terminated. For example:
- 17.202.121.140 is a legal filter value, it specifies one particular machine at this IP address.
- 17.22*.***.*** is a legal filter value; it would specify any IP address with first two octets of 17.22x, where x could be any value between 0 and 9.
- 17.2*2.121.*** is an illegal value because of the second octet; wildcards cannot be followed by more numeric characters.
- ***.202.121.140 is also an illegal value, since the wildcards in the first octet are followed by numeric characters in the remaining octets.
Three wildcard characters are always assumed. If the administrator has specified only one or two wildcard characters for an individual byte of the address, the user interface will expand the wildcard character(s) to three. The following is the appropriate wildcard interpretation within individual bytes:
| * | 192.1.1.* | 0-255 |
| ** | 192.1.1.** | 0-255 |
| *** | 192.1.1.*** | 0-255 |
| 0** | 192.1.1.0** | 0-99 |
| 0* | 192.1.1.0* | 0-9 |
| 1** | 192.1.1.1** | 100-199 |
| 1* | 192.1.1.1* | 10-19 |
| 2** | 192.1.1.2** | 200-255 |
| 2* | 192.1.1.2* | 20-29 |
| 3* | 192.1.1.3* | 30-39 |
| 4* | 192.1.1.4* | 40-49 |
Access Type
Filters may Allow or Deny access to ports on your servers. The initial Default of the TCP Filter is that all incoming packets are denied so you must add Allow filters after enabling filtering, to provide client access to your server.
Filter Interpretation
Filters that pertain to a specific port take precedence over filters that pertain to "all ports." And when more than one filter applies, the one that has a value in the IP address field that most closely matches the sender's IP address will be used.
The interpretation of the filters is not order dependent; in fact, the filters are sorted in order by port, with "All Ports" appearing first, and other specific port numbers listed numerically.
The following examples will clarify how filters are interpreted.
Example 1: In this case, the administrator wishes to restrict access to the local LANs, but they do want to open mail service to everyone except one particular site, which is a known spammer. He might set up his filters like this:
Figure 4, Filter set-up for Example 1
- The first filter denies all clients access to everything (but remember, the interpretation of filters is NOT order-dependent, as it may be in third-party Web Server applications, such as WebStar. Another, more specific, filter would override this one).
- The second filter allows clients on net 17.221.041 access to everything; because it specifically lists the IP address, this filter would take precedence over the first filter for clients from net 17.221.041, who would be allowed access to all services.
- The third filter allows mail servers access. Because it specifically mentions port 25, this filter would override the restrictions to all ports, set up in Filter 1.
- Because filter 3 specifically allows everyone access to port 25, another filter must be set up to deny access to a particular network. If a mail server from network 1.2.3.0 attempts to connect to port 25, Filter 4 will take precedence over filter 3 because it is more specific, in actually identifying the IP address of the client.
Example 2: The administrator wishes to allow everyone access to everything, but wants to limit access to the IMAP Admin Access port to his own computer.
Figure 5, Filter set-up for Example 2
- Filter 1 opens up access to everyone.
- Filter 2 will override filter 1 when it comes to port 626, because filters that specifically name ports are given precedence over the "all ports" filters.
- Filter 3 will take precedence over Filter 2 when a connection is made from a client at 17.221.41.2, because it is more specific in listing the IP address of the client.
Creating, Editing, Duplicating, and Deleting Filters
The icons on the toolbar can be used to create, edit, duplicate, and delete filters, respectively:
Figure 6, Filter toolbar icons: New, Edit, Duplicate, Delete
To add or edit a filter,
- Click the appropriate button from the toolbar to open the TCP Filter editor dialog. (If editing, select the filter you wish to change first.)
Figure 7, TCP Filter dialog box
- Select 'All Ports' or one of the well-known ports from a pop-up menu to which the filter will apply. If the port number is not available in the pop-up menu then enter the number for the desired port but no associated text is allowed (manually-entered ports do not get added to the selection in the popup menu).
- Enter the IP address (use wildcards if desired) of the clients to which you want to allow or deny access. All asterisks (***.***.***.***) would mean "everyone."
- Select access mode: allow or deny.
When you select "Save" then the filter is added to the list for this port. Selecting "Cancel" will discard this entry or any modification to an existing filter.
To duplicate a filter, select it and click the "duplicate" icon in the toolbar; then edit as needed.
To delete a filter, select it and click the trash can icon in the toolbar.
"Find...'
The TCP/IP Filter Admin also lets you do DNS lookups (Find IP Address).
Figure 8, Find IP Address dialog box
The administrator may specify a host name for which it wants to look up the associated IP address. The resulting IP address may then be used by the administrator to create a filter. If the administrator knows how the subnets are partitioned for a given network, she can replace the appropriate lower bytes of the returned IP address with wildcards, thus creating a filter that would apply to everyone at the site (i.e., on that network).
For example, if the IP address returned for "marvin.apple.com" is 17.104.104.86, and the server administrator knows that they are using subnet mask 255.255.255.0, then a filter can be created for IP address 17.104.104.***, thus applying not only to marvin.apple.com, but every other client on that network as well.
Troubleshooting Tips
Here are some suggestions for troubleshooting issues with TCP Filtering:
- Verify that the ASIP server running TCP Filtering has at least Mac OS 8.5 and Open Transport 2.0 installed.
- If clients are having issues accessing a particular service:
- Verify that the service is enabled in ASIP Manager.
- If TCP Filtering is enabled, check the Filter List for a filter that may be preventing access; look first at the filters that apply to the port the client is trying to access; check the range of IP addresses allowed or denied by that filter and compare it to client's IP address; if no filter for that particular port exists, then the "all ports" filter(s) would apply.
- If confused by the combination of filters, try disabling TCP Filtering altogether, stop and restart the server and see if access is then successful. If not, then the issue is not with TCP Filtering. Remember that other firewalls implemented at the server's end, or at the end user's network, may prevent access to services also.
- If clients can access services when they should be denied:
- Verify that TCP Filtering is enabled.
- Verify that the filtering scheme is set up to deny access: check the filter for the specific port first, then look for the filter that has a value in the IP address field that would apply to the client in question.
- Remember that changes in the Filtering will take affect immediately, but do not apply to active connections. The client must disconnect from the server, and test reconnecting again.
- Verify that the service is being offered on the port specified in the Filter. Some applications, such as the Mail Server Admin program or the ASIP Advanced Setup Utility, allow you to change the port numbers, so they will no longer match the predefined popup list in the TCP Admin program. A utility such as MacTCP Watcher has an option to "Show Connection List"; this will list the ports that the server is listening on.