Apple 034-2351_Cvr Frozen Dessert Maker User Manual


 
62 Chapter 3 IP Firewall Service
Reviewing IP Filter Rules
To review the rules currently defined for your server, use the Terminal application to
submit the ipfw show command. The show command displays four columns of
information:
When you type:
ipfw show
You will see information similar to this:
0010 260 32688 allow log ip from any to any via lo*
0020 0 0 deny log ip from 127.0.0.0/8 to any in
0020 0 0 deny log ip from any to 127.0.0.0/8 in
0030 0 0 deny log ip from 224.0.0.0/3 to any in
0040 0 0 deny log tcp from any to 224.0.0.0/3 in
001001 52 allow log tcp from 111.222.33.3 to 111.222.31.3 660 in
...
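The four columns of ipfw show output (rule number, times applied, bytes, rule description) can be split with awk to speed up a review. The script below is an added example, not part of the original manual; the function names deny_hits and unused_rules and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the manual). Both functions read `ipfw show`
# output on stdin and split each line into its four columns:
#   $1 rule number, $2 times applied, $3 bytes, remainder = rule description.

# Constructed sample in the same layout as `ipfw show` output.
SAMPLE='0010 260 32688 allow log ip from any to any via lo*
0020 0 0 deny log ip from 127.0.0.0/8 to any in
0200 14 840 deny tcp from 10.123.123.123 to 17.123.123.123 80
63300 3 96 deny igmp from any to any
...'

# deny_hits (hypothetical name): list deny rules whose counter is non-zero,
# i.e. traffic the firewall has refused since the rule was defined.
deny_hits() {
    awk '
        # Skip lines that do not start with three numeric columns.
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ { next }
        $4 == "deny" && $2 + 0 > 0 {
            desc = $4
            for (i = 5; i <= NF; i++) desc = desc " " $i
            printf "rule %d: %d matches, %d bytes: %s\n", $1, $2, $3, desc
        }'
}

# unused_rules (hypothetical name): print the numbers of rules that have
# never been applied. A zero counter can mean no such traffic arrived, or
# that a lower-numbered (higher-priority) rule handles it first.
unused_rules() {
    awk '
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ { next }
        $2 + 0 == 0 { printf "%d\n", $1 }'
}

# On a live server, pipe the real output instead: ipfw show | deny_hits
printf '%s\n' "$SAMPLE" | deny_hits
```
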
Creating IP Filter Rules
To create new rules, use the ipfw add command. The following example defines rule
200, a filter that prevents TCP packets from a client with IP address 10.123.123.123 from
accessing port 80 of the system with IP address 17.123.123.123:
ipfw add 200 deny tcp from 10.123.123.123 to 17.123.123.123 80
Rule number    Used by firewall module for
63300          Denying access for IGMP. Created when Deny IGMP is selected in
               the Advanced pane of the Configure Firewall window.
63400          Allowing any TCP or UDP packet to access port 111 (needed by
               NetInfo). Created when a shared NetInfo domain is found on the
               server.
63500          Allowing user-specified TCP and UDP packets to access ports
               needed for NetInfo shared domains. You can configure NetInfo to
               use a static port or to dynamically select a port from 600 through
               1023. Then use the Configure Firewall window to allow all or
               specific clients to access those ports.
64000–65000    User-defined filters for Default.
Column    Information
1         The rule number. The lower the number, the higher the priority of
          the rule.
2         The number of times the filter has been applied since it was
          defined.
3         The number of bytes to which the filter has been applied.
4         A description of the rule.
LL2351.Book Page 62 Monday, September 8, 2003 2:47 PM