Apple 034-2351_Cvr Frozen Dessert Maker User Manual
Chapter 3 IP Firewall Service 61
If you want to put your own rules in the ipfw.conf file, you can use a template that is
installed at /etc/ipfilter/ipfw.conf.default. Duplicate the file, rename it, and edit it as
indicated in the template’s comments.
Precautions
By using the Advanced panel or creating your own rules, you can put the server in a
state that is completely cut off from network access. This might require a reboot in
single-user mode to restore network access. To avoid this, consider adding a cron job to
disable the firewall periodically while you are testing rules. Be sure to disable this cron
job when the machine is put into production.
The following command disables the firewall:
sudo sysctl -w net.inet.ip.fw.enable=0
And this enables it:
sudo sysctl -w net.inet.ip.fw.enable=1
Neither of these operations changes the rules loaded into the firewall; they only
determine whether those rules are applied.
Creating IP Filter Rules Using ipfw
You can use the ipfw command in conjunction with the firewall module of Server
Admin when you want to:
• Display rules created by the firewall module. Each filter translates into one or more
  rules.
• Create filters with characteristics that can’t be defined using the firewall module. For
  example, you may want to use rules specific to a particular kind of IP protocol, or you
  may want to filter or block outgoing packets.
• Count the number of times rules are applied.
If you use ipfw, make sure you don’t modify rules created using the firewall module.
Changes you make to firewall module rules are not permanent. Firewall service
recreates any rules defined using the firewall module whenever the service is restarted.
Here is a summary of how the firewall module assigns rule numbers:

Rule number    Used by firewall module for
10             Loopback.
20             Discarding any packet from or to 127.0.0.0/8 (broadcast).
30             Discarding any packet from 224.0.0.0/3 (broadcast).
40             Discarding TCP packets to 224.0.0.0/3 (broadcast).
100–64000      User-defined port-specific filters.
63200          Denying access for icmp echo reply. Created when “Deny ICMP
               echo reply” is selected in the Advanced pane of the Configure
               Firewall window.
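The following script is an added example, not part of the Apple manual: it checks a hand-edited rule file against the numbering scheme above (user rules in 100–64000, never the module-owned numbers 10, 20, 30, 40 and 63200, which are regenerated on restart) and prints the temporary safety cron entry from the Precautions section. The rule-file syntax, the mktemp sample file and the /usr/sbin/sysctl path are assumptions.

```shell
#!/bin/sh
# Constructed example: validate a custom ipfw rule file before loading it.
RESERVED_RULES="10 20 30 40 63200"   # numbers the firewall module rewrites
USER_MIN=100                          # user-defined filter range (inclusive)
USER_MAX=64000

# rule_number_ok NUM -> exit 0 if NUM is safe for a hand-written rule
rule_number_ok() {
    num=$1
    case "$num" in ''|*[!0-9]*) return 1 ;; esac   # must be an integer
    for r in $RESERVED_RULES; do
        [ "$num" -eq "$r" ] && return 1
    done
    [ "$num" -ge "$USER_MIN" ] && [ "$num" -le "$USER_MAX" ]
}

# check_rule_file FILE -> prints every offending "add <number> ..." line,
# exit 1 if any were found; comment and blank lines are skipped.
check_rule_file() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        [ "$1" = "add" ] || continue     # only numbered add lines are checked
        if ! rule_number_ok "$2"; then
            printf 'rejected: %s\n' "$line"
            bad=1
        fi
    done < "$file"
    return $bad
}

# safety_cron_line MINUTES -> crontab entry that disables the firewall every
# MINUTES minutes while rules are tested; remove it before production.
safety_cron_line() {
    printf '*/%s * * * * /usr/sbin/sysctl -w net.inet.ip.fw.enable=0\n' "$1"
}

# Constructed sample: two valid rules, one colliding with the loopback rule
# (10) and one above the user range (65000).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# custom rules copied from ipfw.conf.default and edited
add 1000 allow tcp from any to any 22 in
add 10 allow ip from any to any via lo0
add 65000 deny ip from any to any
add 2000 count ip from any to any
EOF
check_rule_file "$SAMPLE" || echo "fix the rejected lines before loading with ipfw"
safety_cron_line 10
```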
LL2351.Book Page 61 Monday, September 8, 2003 2:47 PM