
To disallow any connection from the entire cracker.evil.org network to my host:

1. Ping cracker.evil.org to determine its IP address.

$ ping cracker.evil.org
PING cracker.evil.org (123.45.67.10): 56 data bytes
64 bytes from 123.45.67.10: icmp_seq=0 ttl=52 time=24.953 ms
64 bytes from 123.45.67.10: icmp_seq=1 ttl=52 time=19.406 ms
64 bytes from 123.45.67.10: icmp_seq=2 ttl=52 time=18.871 ms
64 bytes from 123.45.67.10: icmp_seq=3 ttl=52 time=29.776 ms
64 bytes from 123.45.67.10: icmp_seq=4 ttl=52 time=26.209 ms

2. Deny access to the range of IP addresses associated with cracker.evil.org.

$ ipfw add deny ip from 123.45.67.0/24 to my.host.org

Adding Rules Using serveradmin

If you prefer not to work with the ipfw.conf file, you can use the serveradmin settings command to add firewall rules to your configuration.

Note: Be sure to include the special first setting (ending with = create). This is how you tell serveradmin to create the necessary rule array with the specified rule number.

To add a rule:

$ sudo serveradmin settings
ipfilter:rules:_array_id:rule = create
ipfilter:rules:_array_id:rule:source = source
ipfilter:rules:_array_id:rule:protocol = protocol
ipfilter:rules:_array_id:rule:destination = destination
ipfilter:rules:_array_id:rule:action = action
ipfilter:rules:_array_id:rule:enableLocked = (yes|no)
ipfilter:rules:_array_id:rule:enabled = (yes|no)
ipfilter:rules:_array_id:rule:log = (yes|no)
ipfilter:rules:_array_id:rule:readOnly = (yes|no)
ipfilter:rules:_array_id:rule:source-port = port
Control-D

Parameter          Description
rule               A unique rule number.
Other parameters   The standard rule settings described under “ipfilter Rules Array” on page 233.

An example of this would be similar to the following:

$ sudo serveradmin settings
ipfilter:rules:_array_id:1111 = create
ipfilter:rules:_array_id:1111:source = "10.10.41.60"
ipfilter:rules:_array_id:1111:protocol = "udp"
ipfilter:rules:_array_id:1111:destination = "any via en0"
ipfilter:rules:_array_id:1111:action = "allow"
ipfilter:rules:_array_id:1111:enableLocked = yes
ipfilter:rules:_array_id:1111:enabled = yes
ipfilter:rules:_array_id:1111:log = no
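Both procedures above (deriving the /24 to block from a resolved address, and building the settings block that serveradmin reads on stdin) as one added shell example; this is not code from Apple's guide. The function names, the awk-based octet validation, and the dry-run approach of printing the commands for review before running them on the server are assumptions of this example; the addresses and rule values are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the Apple guide): generate the ipfw deny rule and the
# serveradmin settings block without executing them, so they can be reviewed
# before being run or piped into "sudo serveradmin settings" on the server.

# Derive the enclosing /24 from an IPv4 address (123.45.67.10 -> 123.45.67.0/24).
# Fails (non-zero exit) unless the input is four decimal octets in 0..255.
net24() {
    echo "$1" | awk -F. '
        NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ \
            && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 {
            printf "%d.%d.%d.0/24\n", $1, $2, $3; ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# Print the ipfw rule that denies all IP traffic from the source's /24 to a host.
ipfw_deny_net() {
    net=$(net24 "$1") || return 1
    echo "ipfw add deny ip from $net to $2"
}

# Emit the settings block for one ipfilter rule. The first line must be the
# "= create" setting, otherwise serveradmin has no rule array to fill.
ipfilter_rule_settings() {
    id=$1 src=$2 proto=$3 dst=$4 action=$5 log=${6:-no}
    p="ipfilter:rules:_array_id:$id"
    printf '%s\n' \
        "$p = create" \
        "$p:source = \"$src\"" \
        "$p:protocol = \"$proto\"" \
        "$p:destination = \"$dst\"" \
        "$p:action = \"$action\"" \
        "$p:enableLocked = yes" \
        "$p:enabled = yes" \
        "$p:log = $log"
}

# Dry run with the page's values: review the text, then run the ipfw line with
# sudo, or pipe the settings block into "sudo serveradmin settings".
ipfw_deny_net 123.45.67.10 my.host.org
ipfilter_rule_settings 1111 10.10.41.60 udp "any via en0" allow no
```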

Chapter 14 Working with Network Services
