IP Address Precedence, Multiple IP Addresses, Practical Examples – Apple Mac OS X Server (Administrator’s Guide) User Manual
Page 529
Firewall Service
IP Address Precedence
If you create multiple filters for a port number, the filter that contains the most specific
address range has precedence. The table below illustrates how this works. If a request comes
in from an address that falls within the range specified on the first line, access is allowed. If
the request doesn’t fall within that address range, the second line is checked. The last line,
All, denies access. You cannot set both Deny and Allow for the exact same range of addresses.

| Port | IP address | Mask | Access mode | Result |
|---|---|---|---|---|
| 80 (Web) | 10.221.41.33 | 255.255.255.255 | Allow | Address 10.221.41.33 is allowed. |
| 80 (Web) | 10.221.41.33 | 255.255.252.0 | Allow | Address in range 10.221.40.0 to 10.221.43.255 is allowed. |
| 80 (Web) | All | | Deny | All addresses are denied. |

Multiple IP Addresses
A server can support multiple homed IP addresses, but Firewall service applies one set of
filters to all server IP addresses. If you create multiple alias IP addresses, then the filters you
create will apply to all of those IP addresses.
Practical Examples
The IP filters you create work together to provide security for your network. The examples
that follow show you how to use filters to achieve some specific goals.
Block Access to Internet Users
To allow users on your subnet access to your server’s Web service, but deny access to the
general public on the Internet:

| Access | Port | IP address |
|---|---|---|
| Allow | 80 (Web) | In Server Settings, select “a range of IP addresses” and click Use My Subnet in the IP filter window. |
| Deny | 80 (Web) | All |
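
The precedence rule from the IP Address Precedence section can be checked against the three rows of its table with a short script. This is an added example, not code from the manual or from Firewall service; the names make_filter, check_conflicts, decide and TABLE_FILTERS are hypothetical, it handles IPv4 only, and the result when no filter matches is an assumption because the manual page does not cover that case.

```python
import ipaddress

ALL = ipaddress.ip_network("0.0.0.0/0")  # stands in for the table's "All" row

def make_filter(port, address, mask, action):
    """Build one filter (hypothetical helper); address None means 'All'."""
    if address is None:
        net = ALL
    else:
        # strict=False lets a host address plus mask name its enclosing range,
        # as in the table: 10.221.41.33 / 255.255.252.0 -> 10.221.40.0/22
        net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return {"port": port, "net": net, "action": action}

def check_conflicts(filters):
    """Reject Allow and Deny set on the exact same port and address range."""
    seen = {}
    for f in filters:
        key = (f["port"], f["net"])
        if seen.setdefault(key, f["action"]) != f["action"]:
            raise ValueError(f"both Allow and Deny set for {f['net']} port {f['port']}")

def decide(filters, port, source):
    """Return (action, matched range) using most-specific-range precedence."""
    addr = ipaddress.ip_address(source)
    matches = [f for f in filters if f["port"] == port and addr in f["net"]]
    if not matches:
        return None, None  # assumption: the manual page does not cover this case
    best = max(matches, key=lambda f: f["net"].prefixlen)
    return best["action"], str(best["net"])

# The three rows of the precedence table, deliberately listed out of order
# to show that specificity, not list position, decides the outcome.
TABLE_FILTERS = [
    make_filter(80, None, None, "deny"),
    make_filter(80, "10.221.41.33", "255.255.252.0", "allow"),
    make_filter(80, "10.221.41.33", "255.255.255.255", "allow"),
]
check_conflicts(TABLE_FILTERS)

if __name__ == "__main__":
    # Constructed sample sources: the host itself, the subnet edge, two outsiders
    for src in ("10.221.41.33", "10.221.43.255", "10.221.44.1", "192.0.2.10"):
        print(src, decide(TABLE_FILTERS, 80, src))
```

Running the same check over a planned filter set before entering it in Server Settings shows which range will actually decide a given source address.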