10.5 Server has a standard, cascading, rule-based IPFW firewall built into the OS. There is nothing new here, except a relatively (as of 10.5) new add-on called the adaptive firewall.

To clarify: a firewall is nothing but a mechanism that controls IP traffic by either allowing or denying pass-though and further processing of the same. The rules of the firewall are predetermined or static and can be controlled using the Server Admin GUI application. The problem is, that certain ports have to be exposed in order to allow access. Example given: The secure shell or ssh.

Restricting ssh traffic is problematic since it is such an essential tool for server administration. The crux is, that the protocol itself lacks mechanisms for break-in detection and prevention. The only methods of securing access are disallowing root login (thereby eliminating dictionary-based attacks against the known root account) or requiring private/public key-based authentication (a method we use).

With password-based authentication and an unrestricted number of login attempts in any given time period, a hacker with will sooner or later successfully compromise a shell account.

Enter the adaptive firewall.

The purpose of the af is to detect break-in attempts and write rules dynamically into the IPFW filrewall rule set to prevent the same.

This works using a technique of so-called log-scraping. A process continually reads the secure.log in which login attempts and the associated IP addresses are recorded.

The process is able to parse the error logs, detect multiple login attempts from a single source and then issue a IPFW DENY command that writes a "deny" rule into the firewall. The firewall will then block any further traffic originating from that source until that rule is deleted.

The threshold for triggering the rule depends on the number of violations per given amount of time.

There is no GUI control for the af at this time. Therefore, settings have to be manipulated using the command-line and xml formatted plist files. OS X is full of those.

The af settings are controlled in the plist file:
/etc/emond.d/rules/AdaptiveFirewall.plist

Certain protocols trigger a number of password queries per login attempt (e.g.: AFP). Add to that the fact that many services login silently using credentials stored in a user's keychain - and continue to do so after a password change - and you have a disaster on your hands.

We recommend whitelisting the LAN IP scope as a matter of good practice using the following command:
/usr/libexec/afctl -w 10.0.x.x

Thanks for reading!