Murus on Yosemite Server

SomeAdmin
Posts: 3
Joined: Sun Mar 22, 2015 3:16 pm
Location: CH

Murus on Yosemite Server

Post by SomeAdmin » Tue Mar 24, 2015 7:00 pm

The release notes of Murus 1.1 say that compatibility with Server App is given.

To me this does not seem so. After activating Murus I had some very strange happenings: although I set a rule to allow all services on the internal network adapter, PF started blocking DHCP calls...

Any idea how to troubleshoot this?

hany
Posts: 479
Joined: Wed Dec 10, 2014 5:20 pm

Re: Murus on Yosemite Server

Post by hany » Tue Mar 24, 2015 11:42 pm

According to our tests Murus 1.1 is compatible with server.app. Compatibility is achieved by overriding the weird pf subset generated by the ridiculously buggy server.app. Of course you have to remove all rules from the server.app firewall and ignore it before using Murus.
The best way to troubleshoot it is using the Murus rules browser. You will see there is a dedicated anchor generated by server.app. This anchor should be overridden by the Murus ruleset. In some cases it is necessary to reboot the Mac after activating Murus (and installing boot scripts) in order to fix this anchor's position. Ideally this anchor should stay in the first part of the ruleset in order to be overridden by murus.* anchors.
Be sure to check the "apple anchor" option in Murus general preferences.
Once done, set the logging policy in order to log everything and add the BASIC SERVICES service to your inbound managed services. Try to enable access from all networks before applying a more restrictive filtering policy for this service. Keep the logs window open to see if/when/who is blocking DHCP connections. You can do it with both Console.app and Murus Logs Visualizer.
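
The "who is blocking DHCP" check from the reply above can also be scripted. This is an added example, not part of the original posts and not Murus code. It assumes the log lines have the shape printed by `tcpdump -n -e -ttt -i pflog0`; the sample lines and the anchor names `serverapp-example` and `murus.example` are constructed placeholders.

```python
import re
from collections import Counter

# Assumed line shape (tcpdump on pflog0):
#   <time> rule <nr>[.<anchor>.<subnr>]/<reason>: <action> <dir> on <if>: <src>.<port> > <dst>.<port>: ...
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)(?:\.(?P<anchor>\S+)\.(?P<sub>\d+))?/\S+: "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"\S+\.(?P<sport>\d+) > \S+\.(?P<dport>\d+):"
)
DHCP_PORTS = {67, 68}  # bootps (server) and bootpc (client)

# Constructed sample input; anchor names are placeholders, not real ruleset names.
SAMPLE = [
    "00:00:00.000000 rule 4.serverapp-example.2/0(match): block in on en1: "
    "0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300",
    "00:00:01.000100 rule 7.murus.example.1/0(match): pass in on en1: "
    "192.168.1.20.51000 > 192.168.1.1.53: 1234+ A? example.com. (29)",
    "00:00:03.000200 rule 4.serverapp-example.2/0(match): block in on en1: "
    "0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300",
    "00:00:04.000300 rule 9/0(match): block in on en0: "
    "203.0.113.9.40000 > 198.51.100.2.22: Flags [S], length 0",
]

def blocked_dhcp(lines):
    """Return one dict per logged packet that pf blocked on a DHCP port."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["action"] != "block":
            continue  # unparsable line, or a packet that was passed
        if not {int(m["sport"]), int(m["dport"])} & DHCP_PORTS:
            continue  # blocked, but not DHCP traffic
        in_anchor = m["anchor"] is not None
        hits.append({
            "anchor": m["anchor"] if in_anchor else "(main ruleset)",
            "rule": int(m["sub"] if in_anchor else m["rule"]),
            "dir": m["dir"],
            "ifname": m["ifname"],
        })
    return hits

def blockers(lines):
    """Count blocked DHCP packets per (anchor, rule number, interface)."""
    return Counter((h["anchor"], h["rule"], h["ifname"]) for h in blocked_dhcp(lines))

if __name__ == "__main__":
    for (anchor, rule, ifname), n in blockers(SAMPLE).most_common():
        print(f"{n} DHCP packet(s) blocked on {ifname} by anchor {anchor}, rule {rule}")
```

If the anchor reported for the blocked DHCP packets is not one of the murus.* anchors, that points to the anchor-ordering problem described in the reply.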

BurningRoli
Posts: 8
Joined: Thu May 14, 2015 10:25 am

Re: Murus on Yosemite Server

Post by BurningRoli » Thu May 14, 2015 11:58 am

Hello all,
First of all, thanks to the Murus team, who develop this interesting firewall solution.

At my first hands-on with Murus 1.1, later with 1.2b1 on my system, I registered the same problem with DHCP.
The client can't get the DHCP server. In the DHCP logfile there wasn't any client request registered until you stop the PF service; then the DHCP provides the requests immediately. For the inbound and outbound filters I used 'all Services' for all users (0.0.0.0/0) to get a minimal restriction. NAT works fine; I was able to get the Internet from a client.

My opinion is to serve a powerful firewall with the smallest possible energy footprint, since I use a cable Internet connection (250/15 MB/s).
My actual system is a Mac mini (early 2015 i7 CPU) with 2 Ethernet adapters (WAN/LAN) which runs Yosemite Server with DNS, DHCP, fileserver, calendar. My firewall solution is pfSense virtualized with VirtualBox running on the Mac mini, which brings the throughput but not the stability. My plan is to replace the virtual firewall with Murus.

For the future, I would like to see the NAT-PMP implementation, regarding another thread in this forum. Take a look at the NAT-PMP/UPnP code at http://miniupnp.free.fr/libnatpmp.html. With this implementation, you can turn your Yosemite Server into a nearly full-featured, powerful router/firewall solution for a small fee.

Grazie Mille
Roland
