This article describes how to use the TCP Filter Admin program to control access to the ASIP 6.1 server. It includes the following sections:

• What is TCP Filtering?
  • System requirements/Compatibility
  • Components installed
• How it works
• Creating, Editing, Duplicating, and Deleting Filters
• Troubleshooting Tips

• Limit all access to specific networks, such as the local LANs; this would prevent users on the Internet from accessing the server.
• Restrict a particular service, such as Remote Web Administration or the IMAP Admin Access Port, to a single IP address. This would allow additional security to these powerful administrative features.
• Permit server access to all clients within an IP address range, except for particular workstations. This might be used if you have some "public" workstations, such as you might find in a library or a business lobby. These public workstations could be set up with only certain types of access, such as access to the web server, while other access (FTP, SMTP, or AFP over TCP) is denied

Figure 1 , TCP Filter folder contents

System Requirements/Compatibility

Operating system

The TCP Filter feature is fully compatible with Mac OS 8.5 which includes Open Transport 2.0. It is not supported, and may not run on, 8.1 or earlier due to limitations in earlier versions of Open Transport.

Hardware

The TCP Filter feature will run on any supported hardware platform of the AppleShare IP 6.x product.

Components Installed

TCP/IP Filtering is installed as a standard part of the AppleShare IP 6.1 easy installation, and is implemented in 3 components:

• OT AutoPushSupport init (located in Extensions Folder)
• TCP Filter extension (located in Extensions Folder)
• TCP Filter Admin application (located in TCP Filter folder, within the AppleShare IP 6.1 folder at root level of startup volume)

If no filter exists for that specific port, then it will look for the "All Ports" filters, and again, apply the one that most closely matches the sender's IP address.

TCP Filtering is installed on the server machine in the "off " or disabled state which means that there are no restrictions on incoming TCP/IP packets after installation. The administrator must enable TCP Filtering and restart the server before any filters can be operational; he should at this time also choose the Default filter state. The Default filter may be set to "Deny All" clients not specifically allowed by another filter or "Allow All" clients if not specifically denied by another filter. The initial state of the Default filter is "Deny All". After enabling TCP Filtering, the Default filter state should be either changed to "allow all", or supplemented by adding new filters.

Figure 2 , TCP Filter List

To create a TCP filter, the administrator sets three values:

• Services or Port Numbers
• IP addresses
• Access type (deny or allow)

These are the ports that map to services offered by AppleShare IP 6.x:

Figure 3 , All Ports pop-up menu

IP Addresses

Filters specify an IP address or range of IP addresses from which to control access to services running on the server system. An IP address consists of 4 decimal numbers (ranging from 0 to 255) that are separated by the period character (.). When creating a filter, an IP address may contain wildcard characters (*) that indicate that any number in that location is considered valid. Wildcard characters can not precede any numerical value in the filter, and must always be followed by other wildcard characters, or terminated. For example:

• 17.202.121.140 is a legal filter value, it specifies one particular machine at this IP address.
• 17.22*.***.*** is a legal filter value; it would specify any IP address with first two octets of 17.22x, where x could be any value between 0 and 9.
• 17.2*2.121.*** is an illegal value because of the second octet; wildcards cannot be followed by more numeric characters.
• ***.202.121.140 is also an illegal value, since the wildcards in the first octet are followed by numeric characters in the remaining octets.

Filter Interpretation

Filters that pertain to a specific port take precedence over filters that pertain to "all ports." And when more than one filter applies, the one that has a value in the IP address field that most closely matches the sender's IP address will be used.

The interpretation of the filters is not order dependent; in fact, the filters are sorted in order by port, with "All Ports" appearing first, and other specific port numbers listed numerically.

The following examples will clarify how filters are interpreted.

Example 1 : In this case, the administrator wishes to restrict access to the local LANs, but they do want to open mail service to everyone except one particular site, which is a known spammer. He might set up his filters like this:

Figure 4 , Filter set-up for Example 1

• The first filter denies all clients access to everything (but remember, the interpretation of filters is NOT order-dependent, as it may be in third-party Web Server applications, such as WebStar. Another, more specific, filter would override this one).
• The second filter allows clients on net 17.221.041 access to everything; because it specifically lists the IP address, this filter would take precedence over the first filter for clients from net 17.221.041, who would be allowed access to all services.
• The third filter allows mail servers access. Because it specifically mentions port 25, this filter would override the restrictions to all ports, set up in Filter 1.
• Because filter 3 specifically allows everyone access to port 25, another filter must be set up to deny access to a particular network. If a mail server from network 1.2.3.0 attempts to connect to port 25, Filter 4 will take precedence over filter 3 because it is more specific, in actually identifying the IP address of the client.

Figure 5 , Filter set-up for Example 2

• Filter 1 opens up access to everyone.
• Filter 2 will override filter 1 when it comes to port 626, because filters that specifically name ports are given precedence over the "all ports" filters.
• Filter 3 will take precedence over Filter 2 when a connection is made from a client at 17.221.41.2, because it is more specific in listing the IP address of the client.

Figure 6 , Filter toolbar icons: New, Edit, Duplicate, Delete

To add or edit a filter,

• Click the appropriate button from the toolbar to open the TCP Filter editor dialog. (If editing, select the filter you wish to change first.)

Figure 7 , TCP Filter dialog box

• Select 'All Ports' or one of the well-known ports from a pop-up menu to which the filter will apply. If the port number is not available in the pop-up menu then enter the number for the desired port but no associated text is allowed (manually-entered ports do not get added to the selection in the popup menu).
• Enter the IP address (use wildcards if desired) of the clients to which you want to allow or deny access. All asterisks (***.***.***.***) would mean "everyone."
• Select access mode: allow or deny.

Figure 8 , Find IP Address dialog box

The administrator may specify a host name for which it wants to look up the associated IP address. The resulting IP address may then be used by the administrator to create a filter. If the administrator knows how the subnets are partitioned for a given network, she can replace the appropriate lower bytes of the returned IP address with wildcards, thus creating a filter that would apply to everyone at the site (i.e., on that network).

For example, if the IP address returned for "marvin.apple.com" is 17.104.104.86, and the server administrator knows that they are using subnet mask 255.255.255.0, then a filter can be created for IP address 17.104.104.***, thus applying not only to marvin.apple.com, but every other client on that network as well.

Troubleshooting Tips

Here are some suggestions for troubleshooting issues with TCP Filtering:

• Verify that the ASIP server running TCP Filtering has at least Mac OS 8.5 and Open Transport 2.0 installed.
• If clients are having issues accessing a particular service:
  • Verify that the service is enabled in ASIP Manager.
  • If TCP Filtering is enabled, check the Filter List for a filter that may be preventing access; look first at the filters that apply to the port the client is trying to access; check the range of IP addresses allowed or denied by that filter and compare it to client's IP address; if no filter for that particular port exists, then the "all ports" filter(s) would apply.
  • If confused by the combination of filters, try disabling TCP Filtering altogether, stop and restart the server and see if access is then successful. If not, then the issue is not with TCP Filtering. Remember that other firewalls implemented at the server's end, or at the end user's network, may prevent access to services also.
• If clients can access services when they should be denied:
  • Verify that TCP Filtering is enabled.
  • Verify that the filtering scheme is set up to deny access: check the filter for the specific port first, then look for the filter that has a value in the IP address field that would apply to the client in question.
  • Remember that changes in the Filtering will take affect immediately, but do not apply to active connections. The client must disconnect from the server, and test reconnecting again.
• Verify that the service is being offered on the port specified in the Filter. Some applications, such as the Mail Server Admin program or the ASIP Advanced Setup Utility, allow you to change the port numbers, so they will no longer match the predefined popup list in the TCP Admin program. A utility such as MacTCP Watcher has an option to "Show Connection List"; this will list the ports that the server is listening on.