To use the Lion server for DHCP, you need to simply turn off DHCP service on the AirPort Extreme and turn it on in Lion.
To use the Lion box as a firewall it will need to have two network ports: one for LAN and one for WAN (unless you want your LAN side to be provided wirelessly, which I don't recommend).
I'm a big fan of OS X Server and use it at home myself, so here are some other neat things you could do with a Lion server:
Set up your Lion server to provide DNS names and a domain. When using the Lion server to provide IP addresses (DHCP), you can also allow it to provide other info to the clients, like who's providing DNS. So rather than having to use IPs to refer to your machines, you can give them DNS names. This means you don't have to set up static IPs for each device and you don't have to remember IPs!
DNS and domain name examples: macbook.mynetwork.net, airport.mynetwork.net, etc. (mynetwork.net being your domain)
Set up RADIUS authentication with WPA2 Enterprise for your wireless connection. You "pair" the AirPort Extreme with the Lion server. This means that people who want to use your WiFi have to log in with a user and password.
The user authentication is handled by the Lion server - set up your users in the server's directory.
Set up your Lion server to provide software updates to your Macs. This means that your server downloads all the updates from Apple and can then serve them to Macs on your network, saving bandwidth and time (it's a lot faster!). You'll need to either manually point the client Macs to the server for their updates or "bind" the Macs to the server in order to change the appropriate settings for this (which is a big topic best discussed elsewhere).
Have fun.
Yes. Stealth mode enhances your system's security. Stateful packet inspection is another crucial component of a firewall's prowess. It's also of note that Apple's firewall is powered by the rugged ipfw.
What Apple says is a concise summary of how stealth mode works, and if you aren't versed in IT security, a full-fledged explanation won't offer up much more, as it's a complex system (TCP, or Transmission Control Protocol, which is just one element of data transmission, is itself rather complicated and deeply layered).
The fundamentals of networking (aka transferring data on the internet) rely on protocols that establish connections ("handshaking" starts it all) and then relay data (through things like TCP and UDP). ICMP messages (such as pings or echo requests) are typically used to "probe" a target host (most often for quite valid reasons), identifying it on the network. Hackers use them to find their prey.
Firewalls work by planting themselves between the kernel and the TCP/IP stack (so at a very deep level) and watching the packets that run between those layers. In the image above, a system's kernel would be located between the ethernet driver and hardware. The firewall would sit right on top of the kernel. Firewalls need this deep level of integration to remain rugged and durable. If a firewall were implanted at a high level, say at the level of your browser, it would make it highly susceptible to attack. The deeper a process is located (closer to the kernel), the harder it is to gain access to it.
When a system runs without a firewall, the packets are allowed free access (in and out). If an echo request is sent, an echo response is loosed by your computer (think of it as a greeting; someone on the street passes you and says "hello," you smile and greet them in return). But when a firewall is operational, it steps in, like a member of the secret service, following its protocol. If it is told to deny requests, it will send a message to the machine making the request that it does not reply to echo requests. The machine gets a notice that their echo request was denied (or blocked). Naturally this doesn't give that machine much information, but it does inform them that someone is there.
Stealth mode, on the other hand, doesn't. The firewall watches the echo request come in, and instead of denying it, it simply tells your computer to ignore the packet. The machine on the other end not only doesn't get any data, but doesn't even get a notice of rejection. It's as if their packet was just lost in space. And that's indicative of either a machine guarded by a secure firewall, or a machine that doesn't even exist.
In effect, it's the equivalent of putting someone through to voicemail (denying the echo request) or simply disabling voicemail and letting it ring, indefinitely (running under stealth mode).
As with anything, a clever hacker can bypass these safeguards, but it does make their life a lot harder. And that's the key to security: making the hacker's job just a little bit harder at every turn. That greatly weeds out the "script kiddie" from the die-hard LulzSec hacker.
Stealth mode cloaks you from those initiating traffic, but it doesn't make you invisible. Once a connection is established (either by you, or by something that was allowed to negotiate outbound traffic), you pop up on the grid just like any computer. So while sending ping requests may no longer work, there are still plenty of ways hackers could still establish a connection and potentially exploit your computer through a running service.
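The "deny" versus "stealth" behaviour described in this answer, written out as a pf ruleset. This is an added illustration, not code from the answer or from Apple's firewall (which the answer notes was ipfw-based at the time); it assumes the external interface is named en0. The caveat worth knowing is that pf's return action only generates a TCP RST or a UDP unreachable, so a blocked ICMP echo request is silently dropped either way: to answer pings you must explicitly pass them.

```pf
ext_if = "en0"

# Default policy: deny everything not explicitly passed. A silent drop is the
# "stealth" behaviour: the peer's probe gets no answer at all.
set block-policy drop
block all

# Non-stealth ("deny") variant for TCP: pf answers a blocked SYN with a RST, so a
# prober learns that a host exists even though the port is closed. Leave this
# commented out to stay stealthy. Note that "return" only produces a RST for TCP
# or an unreachable for UDP; other protocols, including ICMP echo, are always
# silently dropped by a block rule.
# block return in on $ext_if proto tcp from any to ($ext_if)

# Stealth treatment of ping: match echo requests explicitly and drop them.
block drop in on $ext_if inet proto icmp icmp-type echoreq

# To answer pings (the "hello" in the analogy above), use this instead:
# pass in on $ext_if inet proto icmp icmp-type echoreq keep state

# Stealth only hides you from unsolicited traffic. Connections you initiate
# create state and receive replies, exactly as the last paragraph warns.
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` then shows the rules as pf parsed them.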
Best Answer
You should:
- understand pf basics; there are many guides on the Internet, and you can safely read any OpenBSD/FreeBSD guide. You must understand a few basic things:
  - the pfctl command, using man pfctl
  - man pf.conf
AFTER this you can use two GUI frontends.
PF is not too hard if you have some knowledge about how firewalling works in general.
Fragment of pf.conf for table-based filtering:
The above example contains two tables: noroute for non-routable addresses (RFC 1918) and a second, badips, that can contain your GeoIP-based IP addresses (last rule wins).
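A table-based pf.conf in the shape the answer describes, written out as an added example rather than the answer's own fragment (which is not reproduced here). It assumes the external interface is en0 and that the badips list lives in a file at /etc/pf/badips.txt, one address or CIDR per line; both are assumptions.

```pf
ext_if = "en0"

# Non-routable (RFC 1918) source ranges. "const" makes the table immutable once
# loaded; packets claiming these sources should never arrive on a WAN interface.
table <noroute> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Block list loaded from a file (for example GeoIP-derived ranges). "persist"
# keeps the table alive even when no rule currently references it, so it can be
# updated at runtime without reloading the ruleset.
table <badips> persist file "/etc/pf/badips.txt"

# pf evaluates rules top to bottom and the LAST matching rule wins, unless a rule
# carries "quick", which ends evaluation for that packet immediately. The
# catch-all block goes first so any later pass rule can override it.
block log all
block drop in quick on $ext_if from <noroute> to any
block drop in quick on $ext_if from <badips> to any

# Outbound traffic from this host, with state so replies are allowed back in.
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any keep state

# One inbound service; it still never matches <noroute> or <badips> sources,
# because the "quick" block rules above have already dropped those packets.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state
```

Because badips is declared persist, it can be changed without a reload: `pfctl -t badips -T add 203.0.113.0/24` adds a range (203.0.113.0/24 is a documentation prefix used here as a placeholder), `pfctl -t badips -T replace -f /etc/pf/badips.txt` reloads the whole list from the file, and `pfctl -t badips -T show` prints the current contents. Validate the file with `pfctl -nf /etc/pf.conf` before loading it.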