Exploring Mac OS Server – afctl Adaptive Firewall

I have learned a lot in the past months Mac OS X Server and his capabilities and what are services it can give with lower cost than competition.

The several services presented by OS Server are interesting, in the middle of the most eye candy services I have found one that allows us to improve security controls in a situation where for some time I thought there was not much to do in the native OS.

The bellow tool would allow us to mitigate brute force attacks in automated way. Something that was not known to me without extra tools.

Apple has implemented the Adaptive Firewall on Mac OS Server

Enable the service with the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -c
sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f

afctl is a tool for temporarily blocking a given ipv4 or ipv6 address using the built-in firewall.
All blocking requests have a time to live; they are unblocked when it expires.

afctl also maintins a whitelist of addresses that it will not block.
All block requests are checked against this list before being added to the blacklist.

All the firewall rules managed by afctl are grouped into a rule set to allow for bulk enabling/disabling via -e & -d.

I did not find much documentation about this tool.

I will try to update this information while I learn.

For now what I have is the following from the man factl page:

afctl [-v debug_level] [-a ip_address -t ttl] [-w ip_address] [-r ip_address] [-x ip_address] [-c -i interval] [-e] [-d] [-f]


-v -debug_level Verbosity, ascenting numbers are more verbose. level 0 is default level 1 is basic progress.

-a -ip_address Add address to the blacklist. ip_address can be ipv4 or ipv6 in CDIR notation. No DNS names allowed. An optional -t parameter allows the specification of the time in minutes that the address will remain blocked.

-r -ip_address Remove address from the blacklist. It will also be removed from the firewall rules.

-w -ip_address Add address to the white list. ip_address can be ipv4 or ipv6 in CDIR notation. No DNS names allowed.

-x -ip_address Remove an address from the white list. ip_address can be ipv4 or ipv6 in CDIR notation. No DNS names allowed.

-c -i interval Self configure. The afctl tool will query the system configuration and determine the addresses that need to be  (routers, local interfaces, nameservers). It will also modify its launchd plist to invoke the tool every interval to remove old entries from the blacklist. If -i interval is not specified, then a default value of 15 minutes will be used.

-d Disables all firewall rules managed by afctl using a rule set (see man page for ipfw ). Currently ipfw only ( ip6fw does not support rule sets).

-e Enables the rules disabled by -d (above)

-f Forces afctl into a running state (sets the proper key in af.plist and writes out af_state )

We can also get a summary of the afctl activity running the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/libexec/hb_summary

Information available from Apple is very restrict and almost resumes to this and user support questions:

https://support.apple.com/en-us/HT200259

I will post more as soon I have news.

OpenWRT and Raspberry PI Access Point

Today I decided to build one personal access point for my travels.

I had one Raspberry PI 2 in my drawers and I decided to use it.

I wanted to prepare something fancy based on web environment and not in bash.

Trying to see what exists compatible with raspberry pi I have found OpenWRT…

I tried to install it and everything work well until I tried to put the wireless cards working. 🙁

The wi-fi did not start-up, I could not make it work…
Until I found I had to install some packages…

I have installed the hostapd package
I have installed the hostapd-common
I have installed the hostapd-utils

This is required to transform the device into an access point.

To install this packages I used the web interface.
Menu System -> Software

Finally I discovered that the network drivers did not exist, I have installed the drivers for the wireless network cards…

1
opkg install kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb

The suddenly I have a new menu and I can see wi-fi networks… 🙁

But I am not still able to connect or able to advertise my SSID… 🙁

I Hope to be able to complete this post very soon with all the required steps.