Running Panther Server: Confusing interface for firewall

Posted by Pierre Igot in: Macintosh
February 18th, 2004 • 4:54 am

As indicated a couple of days ago, I recently encountered a misleading problem in Panther Server that caused me to fiddle with my firewall settings when the problem was actually a mail database corruption problem.

The problem with this is that there is no easy way, as far as I can tell, to force Panther Server’s firewall to revert to the default settings that it was using when I first installed the system.

The fact that the interface for managing firewall rules (in Server Admin) is confusing does not help. There are two different panes that appear to cover the same functionality. It looks like both can be used to create new rules. One is a pane with a list of addresses (or address ranges) on the left-hand side and a list of all available services (with their port numbers) on the right-hand side. In that pane, you can activate (allow) or deactivate (deny) ports for address or address range.

But then if you go to the third (“advanced”) pane, you have a list of rules that you can edit or add to. You can, for example, add a rule for an address or address range that will allow or deny traffic on a given port. Sounds familiar? Clearly there is some overlap between the first pane and the third pane. Which takes precedence? It’s hard to tell.

Things are made even murkier by the fact that, when you first install Panther Server, there are always a series of rules defined in the third pane. Some of these rules can be activated or deactivated, but they cannot be erased. Others can be. Most of them are active, but a couple of them are not. And then some of them seem to be malformed and cannot be edited at all (all the fields are greyed out), yet they are most definitely there and the check box indicates that they are active…

I had to add a rule for the port 591 for FileMaker Pro, so I went to that third pane and created one, and it worked. But then I had the above-mentioned problem and fiddled with the other rules, thinking that I had been a victim of some kind of intrusion (because of misleading log content) and needed to widen the scope of certain existing rules.

I should never have done that. Because now I can’t remember what was the default set of rules and which were active or not. So when restoring the mail service yesterday, I didn’t notice that people could retrieve their email from their POP account, but couldn’t send email to the outside world from their account on the server. The mail simply didn’t get delivered, but it didn’t bounce back either. The log for the SMTP server said that the external hosts could not be found.

I suspected a faulty firewall rule, and sure enough, after more fiddling with the firewall (during which I managed to lose my connection to the server, probably due to an overzealous rule — fortunately I was still able to connect via ssh in the Terminal and temporarily disable the firewall with a command-line instruction), I managed to restore all functionality, and now the mail that people send is properly delivered again. (And all the backlog of mail that was lost in limbo finally got delivered as well after a while, even though I couldn’t find any GUI to view the SMTP mail queue, which caused me to think that that mail had been lost.)

It’s all a bit frustrating to me, especially as a Mac user. For the firewall part of things at least, it definitely feels as if the UI is only a façade, and you still need to know quite a bit about firewall rules and how they work. In addition, when reading logs, you need to know which lines refer to internal connections and which are suspicious. Are all the lines involving the IP address “” generated by Panther Server itself? One of the default firewall rules in Panther Server does involve IP addresses in that range, so I suspect that some intruders are able to hide behind this supposedly internal address.

Oh, it’s all rather complicated, isn’t it? I guess it’s going to be a learning experience… Still, the GUI in Panther Server for the firewall could definitely be better, and there should be an option to revert to the default settings…

Comments are closed.

Leave a Reply

Comments are closed.