How TCP filtering works

    Your server has ports, each of which controls a specific service, such as mail or Web access. TCP Filter Admin denies or allows connections through these ports by checking the IP addresses of computers that attempt to connect against the filters in your filter list.

    When a computer tries to connect to the server, TCP Filter Admin searches the filter list for a matching port number. If the port number is on the filter list, the filter that matches the IP address of the connecting computer is used. If the port number is not on the list, the All Ports filter that matches the IP address of the connecting computer is used.

    The first entry in the filter list is the default filter for all ports. It either denies (the default) or allows all access to your server. You cannot delete this entry.

    The second and third entries in the filter list are filters for the administration ports. By default, they are set to allow you to use Mac OS Server Admin and to access the Mail Admin port from the server. (In the example shown, the primary IP address of the server is 192.168.18.15.) If you change these filters to deny access, you won't be able to use Mac OS Server Admin locally.

    Each line after the third entry represents a filter that has been added. Asterisks (*) represent a range of IP addresses.

    Note: If TCP filtering is turned on, clients may not be able to connect to your server using FTP passive mode, which often dynamically negotiates a port. To allow clients to connect this way, you can allow access to all ports for specific FTP users, or you can change the default All Ports filter to Allow.

Using filters to provide selective access

    The example filters below are for a company whose network is connected to the Internet. Employees have computers with IP addresses that begin with 012. The administrator uses the filter list to accomplish the following three objectives.

    1. Block access to Internet users:
    These two filters allow employees access to AppleShare IP services and deny access to the general public on the Internet.

    2. Block junk mail:
    These filters reject e-mail from a junk-mail sender with an IP address of 111.111.222.222 and accept all other Internet e-mail.

    3. Allow a customer to access a Web site:
    This filter allows a customer with an IP address of 199.199.01.01 to view the company Web site.

Allowing access to all ports

    If you change the default All Ports filter to Allow, you need to add a filter for every port you want to restrict. For example, if a company whose network is connected to the Internet has computers with IP addresses that begin with 012, it can use the filter list to keep the intranet (Web and shared files) secure while allowing FTP access:
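The following Python is an added example, not code from the TCP Filter Admin documentation. It models the lookup order described under "How TCP filtering works" (entries for the connection's port are consulted first; if the port has no entries, the All Ports entries are used) and encodes both the selective-access filter list from the previous section and the default-Allow list from this one, using the addresses the page gives (012.*.*.*, 111.111.222.222, 199.199.01.01). The port numbers (AppleShare IP over TCP 548, SMTP 25, HTTP 80, FTP 21), the "most specific address wins" tie-break among several matching entries for one port, and the omission of the two administration-port entries are assumptions made for this example.

```python
# Added example (not part of the TCP Filter Admin documentation): a model of how
# the filter list is consulted for an incoming connection.
# Assumptions: port numbers below, most-specific-address-wins tie-break, and the
# two admin-port entries the real list carries at positions 2 and 3 are omitted.
from dataclasses import dataclass
from typing import List, Optional

ALL_PORTS: Optional[int] = None   # stands for the "All Ports" entry


@dataclass(frozen=True)
class Filter:
    port: Optional[int]   # None means All Ports
    address: str          # dotted quad; an octet of '*' matches any value
    allow: bool           # True = Allow, False = Deny


def _octets(addr: str) -> List[str]:
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected a dotted quad, got {addr!r}")
    return parts


def address_matches(pattern: str, ip: str) -> bool:
    """True if ip lies in the range pattern denotes ('*' octets are wildcards).
    Octets compare numerically, so the page's '012' and '01' match 12 and 1;
    the pattern is a per-octet range, not a string prefix."""
    return all(p == "*" or int(p) == int(o)
               for p, o in zip(_octets(pattern), _octets(ip)))


def wildcard_count(pattern: str) -> int:
    return _octets(pattern).count("*")


def decide(filters: List[Filter], port: int, ip: str) -> bool:
    """Return True if the connection is allowed.

    1. Take the entries for this port; if there are none, take the All Ports entries.
    2. Keep those whose address range contains ip.
    3. Use the most specific match (fewest '*' octets); earlier entries win ties
       (assumed tie-break). Because the first entry is always an All Ports filter
       for *.*.*.*, the All Ports fallback always yields a decision.
    """
    if not filters or filters[0].port is not ALL_PORTS or filters[0].address != "*.*.*.*":
        raise ValueError("first entry must be the default All Ports filter")
    for_port = [f for f in filters if f.port == port]
    candidates = for_port if for_port else [f for f in filters if f.port is ALL_PORTS]
    matches = [f for f in candidates if address_matches(f.address, ip)]
    if not matches:
        # entries exist for this port but none covers ip: fall back to All Ports
        matches = [f for f in filters
                   if f.port is ALL_PORTS and address_matches(f.address, ip)]
    best = min(matches, key=lambda f: wildcard_count(f.address))  # min keeps first on ties
    return best.allow


AFP, SMTP, HTTP, FTP = 548, 25, 80, 21   # assumed port numbers

# "Using filters to provide selective access": default Deny plus the three objectives.
SELECTIVE_ACCESS = [
    Filter(ALL_PORTS, "*.*.*.*", allow=False),      # default entry, cannot be deleted
    Filter(AFP, "012.*.*.*", allow=True),           # 1. employees reach AppleShare IP
    Filter(AFP, "*.*.*.*", allow=False),            #    the Internet public does not
    Filter(SMTP, "111.111.222.222", allow=False),   # 2. reject the junk-mail sender
    Filter(SMTP, "*.*.*.*", allow=True),            #    accept all other Internet mail
    Filter(HTTP, "199.199.01.01", allow=True),      # 3. one customer may view the Web site
]

# "Allowing access to all ports": default Allow, so each restricted port needs its own entries.
DEFAULT_ALLOW = [
    Filter(ALL_PORTS, "*.*.*.*", allow=True),
    Filter(HTTP, "012.*.*.*", allow=True),   # intranet Web: employees only
    Filter(HTTP, "*.*.*.*", allow=False),
    Filter(AFP, "012.*.*.*", allow=True),    # shared files: employees only
    Filter(AFP, "*.*.*.*", allow=False),
    # no FTP entry, so FTP connections fall through to the All Ports Allow
]

if __name__ == "__main__":
    checks = [  # constructed sample connections
        ("employee -> AppleShare (selective)", SELECTIVE_ACCESS, AFP, "12.0.0.5"),
        ("Internet host -> AppleShare (selective)", SELECTIVE_ACCESS, AFP, "203.0.113.9"),
        ("junk sender -> mail (selective)", SELECTIVE_ACCESS, SMTP, "111.111.222.222"),
        ("customer -> Web (selective)", SELECTIVE_ACCESS, HTTP, "199.199.1.1"),
        ("Internet host -> FTP (default Allow)", DEFAULT_ALLOW, FTP, "203.0.113.9"),
        ("Internet host -> Web (default Allow)", DEFAULT_ALLOW, HTTP, "203.0.113.9"),
    ]
    for label, policy, port, ip in checks:
        print(f"{label:42s} {'Allow' if decide(policy, port, ip) else 'Deny'}")
```

Two behaviours worth noticing when reading the output: with the default-Deny list, an employee connecting to the Web port is refused because the only HTTP entry names the customer's address and the fallback is the default Deny; and under the default-Allow list the FTP port is reachable from anywhere precisely because no entry restricts it, which is why the page says every port you want to restrict then needs its own filter.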

 

