How to Customize Lion Server’s Firewall Rules

By John Rizzo

If you want to get into deep firewall-configuration territory, you can use the Advanced tab of Firewall Settings in Lion Server to create your own rules that describe what to do with incoming network traffic.

You can set a rule to allow or deny traffic, and you can define both the source and the destination of the traffic. You can apply this rule to standard services or services that you create. Here’s how:

  1. In Server Admin, click the triangle next to your server in the left column to expand the list of services and then select Firewall.

  2. Click the Settings icon in the toolbar and click the Advanced tab.

  3. Click the Add (+) button or duplicate an existing rule by selecting it, clicking the Duplicate button, and double-clicking the rule.

    The editing dialog appears.
  4. Select choices in the top third of the dialog:

    • Action pop-up menu: You can choose Allow or Deny to define access through the firewall. A third option, Other, lets you type additional (more advanced) commands.

    • Protocol pop-up menu: Select TCP, UDP, or Other.

    • Service pop-up menu: Choose one of more than 100 services, including third-party software. Other is also available.

    • Log All Packets Matching This Rule check box: Select it to log every packet that matches this rule.

  5. Select the source of the traffic to be filtered.

    The Address pop-up menu contains the address groups that are configured. Choose Other to type a source IP address range you want to filter. (Use CIDR notation.) Type a source port number if you’re using a nonstandard service port.

  6. Select the destination for the traffic to be filtered.

    The Address pop-up menu contains configured address groups, including Any. Or choose Other to type a destination IP address range in CIDR notation. Enter a destination port number if you’re using a nonstandard service port.

  7. From the Interface pop-up menu, choose In to apply the rule to incoming traffic; choose Out to apply the rule to packets the server sends; or choose Other to type an interface name (such as en0, en1, or fw1).

  8. Click OK.

Be careful when creating and deploying your own firewall rules. You could inadvertently block traffic that your network needs to function properly.
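One way to catch that mistake before deploying is to dry-run the ruleset against the traffic you expect. The following is an added example, not Lion Server's own firewall engine: it models a rule from the fields the Advanced dialog exposes (action, protocol, In/Out, source and destination CIDR range, ports), assumes rules are checked top to bottom with the first match deciding, and ships with a constructed two-rule set in which a broad deny placed above the admin allow blocks the SSH session the allow was meant to permit.

```python
# Added example, not Lion Server's own firewall engine: a first-match
# dry-run evaluator over rules built from the Advanced dialog's fields.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    protocol: str   # "tcp" or "udp"
    direction: str  # "in" or "out"
    src: str        # source IP address
    dst: str        # destination IP address
    src_port: int
    dst_port: int

@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    protocol: str                   # "tcp", "udp" or "any"
    direction: str                  # "in", "out" or "any"
    src: str = "0.0.0.0/0"          # source range, CIDR notation
    dst: str = "0.0.0.0/0"          # destination range, CIDR notation
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol not in ("any", pkt.protocol):
            return False
        if self.direction not in ("any", pkt.direction):
            return False
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.src_port not in (None, pkt.src_port):
            return False
        return self.dst_port in (None, pkt.dst_port)

def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Action of the first rule that matches the packet, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed ruleset: the broad deny is listed above the admin allow, so
# SSH from the admin subnet (which the second rule meant to permit) is dropped.
RULES = [
    Rule("deny", "any", "in", src="10.0.0.0/8"),
    Rule("allow", "tcp", "in", src="10.1.2.0/24", dst_port=22),
]
ADMIN_SSH = Packet("tcp", "in", "10.1.2.15", "10.1.0.5", 51515, 22)
```

Running `evaluate(RULES, ADMIN_SSH)` returns "deny"; reversing the two rules returns "allow", which is the order the administrator actually wanted.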