How to Configure Apple Wireless Router’s Firewall from Lion’s Server App
Lion Server has some special features for Apple’s wireless Internet routers, the AirPort Extreme Base Station and Time Capsule. In the Server app, you can configure the router’s firewall and add extra security by enabling RADIUS.
By default, the firewall is turned on in AirPort Extreme and Time Capsule. To keep the firewall running on the device, you need to enable port mapping on the device with the AirPort Utility or the Server app. To instead have the firewall run on the server, use AirPort Utility to enable a default host on the device.
If you’re going to run the firewall on the AirPort device, the Server app displays the device in the sidebar, listed under Hardware. You can use the Server app to configure the firewall on the server or on the Apple router. You can also add another layer of security for users accessing your AirPort wireless network.
In order to use the Server app to configure AirPort devices running firewalls, you first need to configure a few items with AirPort Utility (in the /Applications/Utilities folder of any Mac):
Connection Sharing must be set to Share a Public IP Address.
IPv6 Mode (an advanced option) must be set to Tunnel.
Default Host must be set to Off.
Configuring firewalls on AirPort devices with the Server app
To use the Server app to configure port forwarding on an AirPort Extreme Base Station or Time Capsule, launch the Server app and follow these steps:
Select the AirPort device in the sidebar under Hardware.
Click the Add (+) button and choose a service (iChat, Mail, and so on) from the pop-up menu.
For services not listed, choose Other and enter the service name and port. (Refer to Table 18-1 for port numbers.)
This setting tells the AirPort device to let traffic for these services through.
To block traffic from listed services, select a service and click the Delete (–) button.
When you’re finished, click the Restart AirPort button and enter a password for the device if prompted.
This step interrupts services that the AirPort device may be providing, such as DHCP, access to a Time Machine hard drive, or Internet access.
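After the AirPort device restarts, it is worth confirming that the port mappings behave as intended. The following is an added example, not part of the original article or of any Apple tool: it checks that each service added with (+) answers on its TCP port and that ports for services removed with (–) no longer answer. The function names, service names and the loopback demo are assumptions made for illustration; in real use, pass the router's public address and run the check from a machine outside the LAN.

```python
import socket

def tcp_open(host, port, timeout=1.0):
    """True if a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False

def audit_port_mappings(host, allowed, removed=(), timeout=1.0):
    """Compare intended port mappings with what actually answers.

    allowed: {service name: TCP port} for entries added with the (+) button
    removed: ports of services deleted with (-), which should no longer answer
    Returns (missing, unexpected): allowed services that do not answer, and
    removed ports that still do.
    """
    missing = sorted(n for n, p in allowed.items()
                     if not tcp_open(host, p, timeout))
    unexpected = sorted(p for p in set(removed) - set(allowed.values())
                        if tcp_open(host, p, timeout))
    return missing, unexpected

if __name__ == "__main__":
    # Constructed demo: two local listeners stand in for the router's public
    # address so the script runs offline.
    mail, web = socket.socket(), socket.socket()
    for s in (mail, web):
        s.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
        s.listen()
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens on this port any more
    allowed = {"Mail": mail.getsockname()[1], "iChat": closed_port}
    removed = [web.getsockname()[1]]
    missing, unexpected = audit_port_mappings("127.0.0.1", allowed, removed)
    print("allowed but not answering:", missing)
    print("removed but still answering:", unexpected)
```

This covers TCP services only; a mapping for a UDP-based service needs a protocol-specific probe.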
RADIUS for extra AirPort security
Lion Server comes with another feature for Apple wireless routers: the Remote Authentication Dial In User Service (RADIUS). It provides an extra layer of security for users accessing your network wirelessly via an AirPort Extreme Base Station or Time Capsule.
With RADIUS running, instead of logging on to the network with the wireless password, users log in with their server account usernames and passwords. You can also prevent users from accessing the Wi-Fi network and allow their accounts access only from Ethernet.
You can set up RADIUS with Server Admin:
Click the Settings icon in the toolbar and then click the Services tab.
Select the RADIUS check box and then click Save.
Choose RADIUS in the list under your server.
Click the General icon in the toolbar.
Click Configure RADIUS Service.
The Configuration Assistant takes you through the settings choices.
A much simpler method (though with fewer configuration choices) is to turn RADIUS on in the Server app. Select the AirPort device under Hardware and then choose Allow User Name and Password login over Wi-Fi. RADIUS will be turned on, and all server user accounts will have access to the wireless network.