OS X Server && WAN Routing

May 6th, 2010, 05:12 AM

May 6th, 2010, 06:14 PM
Best practice is to never have your sensitive info on a world-facing system (i.e. keep OD/home folders off your NAT server). That said, as long as you lock down your firewall, limit your SSH users to one standard, non-admin user (with generated key pairs, never transmitting your password, escalating privileges via su when necessary), and use certificates instead of shared secrets for L2TP (never PPTP) VPN connections, you should be ok.

OS X's built-in ipfw firewall is the same one that comes standard on most *nix distributions - if there were a vulnerability, we'd have heard about it. serialnumberd is annoying, but it'd be difficult to create an exploit that used its access to the firewall, as it's an internal process.

We run our OD in a VMware virtual machine on the internal side of our server, but that does get expensive.
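The SSH lock-down the reply describes (one standard account, key pairs only, no password logins) can be checked mechanically. The script below is an added example, not code from the thread or from Apple; it audits an `sshd_config` for those settings. The two config files it reads are constructed inline (a hardened one and a weak one), and the account name `sshgate` and the helper names `sshd_value` / `audit_sshd` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings recommended above.
# Both config files below are constructed samples, not taken from any host.

HARD_CFG="$(mktemp)"
WEAK_CFG="$(mktemp)"
trap 'rm -f "$HARD_CFG" "$WEAK_CFG"' EXIT

# Constructed hardened config: key-only auth, no root, one allowed account.
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers sshgate
EOF

# Constructed weak config: passwords on, root allowed, no AllowUsers line.
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# sshd_value FILE KEYWORD -> prints the effective value of KEYWORD.
# sshd uses the first occurrence of a keyword, so we stop at the first match.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE -> one "FAIL:" line per problem; returns 0 if clean, 1 otherwise.
audit_sshd() {
    cfg="$1"
    rc=0
    if [ "$(sshd_value "$cfg" PermitRootLogin)" != "no" ]; then
        echo "FAIL: PermitRootLogin should be no (escalate with su after login)"; rc=1
    fi
    if [ "$(sshd_value "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "FAIL: PasswordAuthentication should be no (use generated key pairs)"; rc=1
    fi
    if [ "$(sshd_value "$cfg" ChallengeResponseAuthentication)" != "no" ]; then
        echo "FAIL: ChallengeResponseAuthentication should be no (it allows password prompts)"; rc=1
    fi
    if [ "$(sshd_value "$cfg" PubkeyAuthentication)" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication should be yes"; rc=1
    fi
    # Count the accounts listed on AllowUsers; the reply recommends exactly one.
    users="$(awk 'tolower($1) == "allowusers" { $1 = ""; print }' "$cfg" | wc -w | tr -d ' ')"
    if [ "$users" -ne 1 ]; then
        echo "FAIL: AllowUsers should name exactly one standard, non-admin account (found $users)"; rc=1
    fi
    return $rc
}

echo "== hardened config =="
audit_sshd "$HARD_CFG" && echo "OK: no findings"
echo "== weak config =="
audit_sshd "$WEAK_CFG" || echo "weak config needs attention"
```

Run it against a real file with `audit_sshd /etc/sshd_config` (the path used by OS X Server of that era) after sourcing the script; the check deliberately reads only the first occurrence of each keyword, matching how sshd resolves duplicates, so a hardened line hidden below a permissive one is still reported.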