The AppleShare IP TCP Filter Seed 1 is available as part of the AppleShare IP Seed program. It is separately installable on machines running the AppleShare IP 6.0 Seed 3 software. Please read the AppleShare IP 6.0 Seed Read Me for additional requirements and installation instructions for the seed software.
The AppleShare IP TCP Filter enables administrators to allow or deny access to their AppleShare IP Server based on the sender's IP address and the target port number. TCP filtering allows an administrator to create filters that apply to the entire server or only for specific services, including those provided by third party TCP/IP applications. For example, an administrator may create a set of filters that applies to all services running on the server system, as well as add service specific filters for the AppleShare over TCP, FTP, Web, and SMTP (Mail) services. In addition, built-in domain name lookup functionality aids the administrator in setting port access based on domain names.
TCP Filter System Requirements
You must install AppleShare IP 6.0 Seed 3 on your server before installing the AppleShare IP TCP Filter seed release. Please see the "AppleShare IP 6.0 Read Me" for instructions on installing the server software.
You must also install the OpenTransport 2.0d2 release included in this Seed package in order to run TCP filtering. This version of Open Transport provides several key fixes for this seed. Please see the OpenTransport 2.0d2 Read Me files for further information. Since this is a debug version of Open Transport, you may periodically experience user breaks in MacsBug. See the "Known Problems" section for things to avoid.
For your convenience, we have included a version of the OpenTransport 1.3.1 Installer in the "Extras" folder of this Seed package. If you decide to remove the AppleShare IP TCP Filter seed from your machine, you may run this installer to restore the OpenTransport software for MacOS 8.1.
Installation and Setup
1. Install the AppleShare IP 6.0 Seed 3 software on your server following the AppleShare IP 6.0 Read Me instructions, if you have not already done so.
2. Copy the two files contained in the Extensions Items folder of your AppleShare IP TCP Filter Seed package to the Extensions folder in the active System Folder on your server system.
"OT AutoPush Support"
"TCP Filter"
3. Copy the "AppleShare IP TCP Filter Admin" application to your server's hard disk.
4. Install the OpenTransport 2.0d2 release contained in this package on your server using the Custom Install option. Launch the OpenTransport 2.0d2 Installer and select the Custom Install option from the pop-up menu in the top left of the window. Click on the checkbox "OpenTransport for all Macintoshes" and then click on the Install button. See the OpenTransport 2.0d2 Read Me files for additional information about this release.
5. Your computer will need to be restarted after the OpenTransport installation.
6. After startup completes, verify that OpenTransport 2.0d2 was installed correctly. To check the version of OpenTransport, select the "Open Transport Debug Library" file in your Extensions folder and do a Get Info from the Finder's File menu. If this file does not exist or the version is not 2.0d2, then return to Step #4 and repeat the installation.
7. Launch the AppleShare IP TCP Filter Admin application.
8. To activate the TCP filtering feature, click on the "Enable TCP Filtering" checkbox in the TCP Filter List window. After clicking on this checkbox, the following dialog will appear:
Are you sure you want to enable IP filtering? You machine will be restarted if you do so.
Choose Restart. Your machine will restart and the TCP Filter will deny all access to the server.
9. After startup completes, you must add filters to the TCP Filter list to allow any client access. Launch the AppleShare IP TCP Filter Admin application and you may choose to add, edit, duplicate, and/or delete filters from your TCP Filter List.
Important Note: Modifications to the filter list become effective immediately; however, active TCP connections are not affected by these changes. For example, if a filter is added to deny access for an IP address that has an active connection, then the filter will deny access the next time this IP address attempts a connection.
TCP Filter Features
TCP filters consist of the following three components:
• Services or Port Numbers
• IP addresses
• Access type
Services or Port numbers
When adding TCP filters, you may choose a service or a well-known TCP port number from the Port pop-up menu or you may type in any valid port number for which to define filters. In addition, you may choose the "All ports" designation from the Port pop-up menu to apply the filter to all services running on the server system.
A port in general maps to a service provided by AppleShare IP. For example:
AppleShare
• 548 (AppleShare over TCP)
Windows File Sharing
• 137 (NETBIOS Name)
• 138 (NETBIOS Datagram)
• 139 (NETBIOS Session)
FTP
• 20 (FTP Data)
• 21 (FTP Control)
Web
• 80 (Web)
Mail
• 25 (SMTP)
• 110 (POP)
• 143 (IMAP)
• 626 (IMAP Admin)
• 79 (Finger)
• 106 (PASS)
IP Addresses
Filters specify an IP address or range of IP addresses from which to restrict access to services running on the server system. An IP address consists of 4 decimal numbers (ranging from 0 to 255) separated by the period character (.). An IP address may contain wildcard characters (*) indicating that any number in that position is considered valid. Within a byte, a wildcard character may not precede a digit, and once a wildcard appears, everything that follows it in the address must also be wildcard characters (or the address must end).
For example:
17.202.121.140 Legal filter value
17.22*.***.*** Legal filter value
17.2*2.121.*** Illegal value
***.202.121.140 Illegal value
Three wildcard characters are always assumed if the administrator has specified only one or two wildcard characters for an individual byte of the address. The user interface will expand the wildcard character(s) to three. The following is the appropriate wildcard interpretation within individual bytes:
* 0 - 255
** 0 - 255
*** 0 - 255
0** 0 - 99
0* 0 - 9
1** 100 - 199
1* 10 - 19
2** 200 - 255
2* 20 - 29
3* 30 - 39
4* 40 - 49
etc.
If there are overlapping IP addresses, whichever is more specific has precedence. For the example below, if a packet is received from IP address 66.77.88.99 the second IP filter would take precedence over the first one since the address range is more specific.
"All Ports" 066.***.***.***
"All Ports" 066.077.***.***
Access Type
Filters may Allow or Deny access to ports on your server. The initial state of the TCP Filter is that all incoming packets are denied, so you must add Allow filters to provide client access to your server.
How It Works
The TCP Filter extension scans all incoming TCP/IP packets to the server. If it detects an incoming TCP Connection Request packet then it checks the target port number and sender's IP address. If the target port number has specific filters defined then it checks the sender's IP address to see if the Allow or Deny statements apply. If one or more of the statements apply, it then executes the one that has the most specific reference to the sender's IP address. If the target port had no specific filters containing the sender's IP address then the "All ports" filters are checked for reference to the sender's IP address. In other words, the "All ports" filters are only applied if there is not a port-specific filter defined for the sender's IP address. If one or more of the "All ports" Allow or Deny statements apply then the one that has the most specific reference to the sender's IP address is executed. Otherwise, the packet is denied.
Example: A TCP Connection request packet is received targeted to "Port 80"
1. The TCP Filter extension checks for "Port 80" filters.
If the sender's IP address applies to a filter, then the most specific filter is executed and filtering for this packet is done.
2. Otherwise, check for "All Ports" filters.
If the sender's IP Address applies to a filter, then the most specific filter is executed and filtering for this packet is done.
3. Otherwise, the TCP Connection request is denied.
TCP Filter Scenarios
The following are five common TCP Filter list scenarios.
The initial state of the filter is deny all. You may override the initial state to allow all by adding the following filter. However, recall that port specific filters are checked before "All ports" and thus access may be denied through a port specific filter.
"All Ports" ***.***.***.*** Allow
1. Your company's network is connected to the Internet. You want your employees to have access to all services on this AppleShare IP server while keeping the general public on the Internet from accessing it. You can add the following filter which in combination with the initial state of deny all will restrict access to only your internal network whose IP address range is "017.***.***.***".
"All Ports" 017.***.***.*** Allow
2. Allow Email access from the entire Internet except for a known spammer "111.111.222.222" with the following filters.
"Port 25(SMTP)" ***.***.***.*** Allow
"Port 25(SMTP)" 111.111.222.222 Deny
3. Allow a special customer "199.199.01.01" Web Access by adding the following filter.
"Port 80(Web)" 199.199.01.01 Allow
4. Deny an external entity all access to our server. External entities are all IP addresses that are not contained in your internal TCP/IP network range.
If no port specific filters have been defined that apply to the external entity, it is unnecessary to add any additional filters since our initial state denies access to all IP addresses until a filter is specifically added.
If port specific filters have been defined that contain this external entity then it is necessary to add a deny filter for each port that currently allows this entity access. For example, if the current Filter list is the following:
"All Ports" 017.***.***.*** Allow
"Port 25(SMTP)" ***.***.***.*** Allow
"Port 80(Web)" 199.199.0.0 Allow
then you must add the following to explicitly deny "123.123.123.123" access to the SMTP server:
"Port 25(SMTP)" 123.123.123.123 Deny
5. Deny an internal entity "17.111.222.199" access to all services on your server even though the rest of the internal network has access. Internal entities are IP addresses that are contained within your internal TCP/IP network range, in this case assumed to be "017.***.***.***".
In this case, a port specific filter exists as well as an "All ports" filter that applies to this entity. The current list looks like the following:
"All Ports" 017.***.***.*** Allow
"Port 25(SMTP)" ***.***.***.*** Allow
"Port 80(Web)" 199.199.01.01 Allow
Remember that the TCP Filter checks the port number first, and then the sender's IP address. Since a filter for SMTP on port 25 already exists, in order to deny all access to this internal entity, the following two filters must be added:
"All Ports" 17.111.222.199 Deny
"Port 25(SMTP)" 17.111.222.199 Deny
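The filter syntax rules from the "IP Addresses" section and the evaluation order from "How It Works" (port-specific filters first, then "All Ports", most specific match wins, default Deny), carried through in working code so the scenarios above can be checked. This is an added example, not code from the Read Me or from the TCP Filter extension; the tie-break between an Allow and a Deny of equal specificity is not defined by the Read Me and is an assumption here.

```python
import re

ALL_PORTS = "All Ports"
_BYTE = re.compile(r"^(\d*)(\**)$")      # digits, then only trailing wildcards

def is_legal(pattern):
    """Four dotted bytes; wildcards only trail a byte, and after the first
    wildcard byte every later byte must be all wildcards."""
    parts = pattern.split(".")
    seen_wild = False
    for b in parts:
        m = _BYTE.match(b)
        if len(parts) != 4 or not m or not 0 < len(b) <= 3:
            return False
        digits, stars = m.groups()
        if (seen_wild and digits) or (not stars and int(digits) > 255):
            return False
        seen_wild = seen_wild or bool(stars)
    return True

def byte_matches(pat, value):
    """'*'/'**' mean '***'; else zero-pad the value to the pattern's width and
    compare digit by digit, so '1*' is 10-19 and '1**' is 100-199."""
    if "*" not in pat:
        return int(pat) == value
    pat = pat if pat.strip("*") else "***"
    text = str(value).zfill(len(pat))
    return len(text) == len(pat) and all(p in ("*", c) for p, c in zip(pat, text))

def matches(pattern, addr):
    return all(byte_matches(p, int(a)) for p, a in zip(pattern.split("."), addr.split(".")))

def specificity(pattern):
    """How many addresses the pattern covers; a smaller number is more specific."""
    count = 1
    for pat in pattern.split("."):
        count *= sum(1 for v in range(256) if byte_matches(pat, v))
    return count

def decide(filters, port, addr):
    """filters: list of (port or ALL_PORTS, pattern, 'Allow'|'Deny'). Port-specific
    filters are consulted first; 'All Ports' only if none matched; default is Deny."""
    for scope in (port, ALL_PORTS):
        hits = [f for f in filters if f[0] == scope and matches(f[1], addr)]
        if hits:
            # Most specific wins. An Allow/Deny tie at equal specificity is not
            # defined by the Read Me; this example (an assumption) lets Deny win.
            return min(hits, key=lambda f: (specificity(f[1]), f[2] != "Deny"))[2]
    return "Deny"
```

Running scenario 5 through decide() without the port 25 Deny filter returns Allow for 17.111.222.199 on port 25, which is exactly why the Read Me says both filters must be added.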
Known Problems
Open Transport 2.0d2
The OpenTransport debug version 2.0d2 has user breaks and thus may drop the Server into MacsBug during certain operations. The following operations have been observed to cause user breaks. To prevent these, you may disable all MacsBug breaks by typing "DX <carriage return>" into MacsBug on startup of your server.
• Use of Timbuktu to control the server machine has been observed to cause user breaks. It is not recommended that you use Timbuktu with OpenTransport 2.0d2 installed on your server.
• Restarting the Server machine has been observed to cause user breaks with OpenTransport 2.0d2.
TCP Filter
• If your Server suffers from a performance degradation whenever denying access through the TCP Filter, you should verify that OpenTransport 2.0d2 is currently installed and running. To check the version of OpenTransport, select the "Open Transport Debug Library" file in your Extensions folder and do a Get Info from the Finder's File menu. If this file does not exist or the version is not 2.0d2, then return to Step #4 in "Installation and Setup" and repeat the installation.
• Printing from the AppleShare IP TCP Filter Admin has been observed to cause crashes. It is recommended that you avoid printing for this Seed release.