The unmodified ipfw.conf file:

#ipfw.conf.default - Installed by Apple, never modified by Server Admin app
#ipfw.conf - The servermgrd process (the back end of Server Admin app)
#creates this from ipfw.conf.default if it's absent, but does not modify
#it.
#
#Administrators can place custom ipfw rules in ipfw.conf.
#Whenever a change is made to the ipfw rules by the Server Admin
#application and saved:
#1. All ipfw rules are flushed
#2. The rules defined by the Server Admin app (stored as plists)
#are exported to /etc/ipfilter/ipfw.conf.apple and loaded into the
#firewall via ipfw.
#3. The rules in /etc/ipfilter/ipfw.conf are loaded into the firewall
#via ipfw.
#Note that the rules loaded into the firewall are not applied unless the
#firewall is enabled.
#
#The rules resulting from the Server Admin app's IPFirewall and NAT panels
#are numbered:
#10 - from the NAT Service - this is the NAT divert rule, present only
#when the NAT service is started via the Server Admin app.
#1000 - from the "Advanced" panel - the modifiable rules, ordered by
#their relative position in the drag-sortable rule list
#12300 - from the "General" panel - "allow" rules that punch specific
#holes in the firewall for specific services
#63200 - from the "Advanced" panel - the non-modifiable rules at the
#bottom of the panel's rule list
#
#Refer to the man page for ipfw(8) for more information.
#The following default rules are already added by default:
#add 01000 allow all from any to any via lo0
#add 01010 deny all from any to 127.0.0.0/8
#add 01020 deny ip from 224.0.0.0/4 to any in
#add 01030 deny tcp from any to 224.0.0.0/4 in
#add 12300 ("allow" rules from the "General" panel)
#...
#add 63200 deny icmp from any to any in icmptypes 0 in
#add 63300 deny igmp from any to any in
#add 65000 deny tcp from any to any in setup

For more information, read the ipfw man page.
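The load order described in the file comment matters in practice: ipfw evaluates rules in numeric order and stops at the first match, and a rule added without a number is placed after the highest existing rule (plus the autoinc step, 100 by default in ipfw(8)). Because ipfw.conf is loaded after ipfw.conf.apple, an unnumbered custom "allow" rule lands after rule 65000 and never sees an inbound TCP connection setup; giving it a number in the administrator's range (for example between 1000 and 12300) puts it where it takes effect. The following example, added here and not Apple's or the manual's code, simulates that: a small parser for the subset of ipfw syntax used in the rules above, first-match evaluation, and the two-file load order. APPLE_CONF is a constructed stand-in for ipfw.conf.apple (the defaults listed above plus one hypothetical "General" panel rule 12300 for ssh), the packet values are constructed, and the default rule 65535 is not modelled.

```python
"""Simulate ipfw first-match evaluation under Server Admin's load order.

Added example, not Apple's code and not a full ipfw(8) parser. Handles:
  add [num] allow|deny <proto> from <src> to <dst> [port] [in|out] [setup]
      [via <iface>] [icmptypes <n,n,...>]
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

AUTOINC_STEP = 100  # ipfw(8) default step for rules added without a number

# Constructed stand-in for /etc/ipfilter/ipfw.conf.apple: the defaults from
# ipfw.conf.default plus one hypothetical "General" panel allow rule (ssh).
APPLE_CONF = """\
add 01000 allow all from any to any via lo0
add 01010 deny all from any to 127.0.0.0/8
add 01020 deny ip from 224.0.0.0/4 to any in
add 01030 deny tcp from any to 224.0.0.0/4 in
add 12300 allow tcp from any to any 22 in
add 63200 deny icmp from any to any in icmptypes 0
add 63300 deny igmp from any to any in
add 65000 deny tcp from any to any in setup
"""


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    direction: str            # "in" or "out"
    dport: Optional[int] = None
    setup: bool = False       # TCP SYN without ACK (ipfw "setup")
    iface: Optional[str] = None
    icmptype: Optional[int] = None


@dataclass
class Rule:
    number: int
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False
    iface: Optional[str] = None
    icmptypes: set = field(default_factory=set)
    text: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("all", "ip") and self.proto != p.proto:
            return False
        if not _addr_ok(self.src, p.src) or not _addr_ok(self.dst, p.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.direction and self.direction != p.direction:
            return False
        if self.setup and not p.setup:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if self.icmptypes and p.icmptype not in self.icmptypes:
            return False
        return True


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def parse_rule(line: str, number: int) -> Rule:
    """Parse one `add ...` line; `number` is assigned when the line has none."""
    toks = line.split()
    assert toks[0] == "add", line
    i = 1
    if toks[i].isdigit():                      # explicit rule number, e.g. 01000
        number = int(toks[i]); i += 1
    action, proto = toks[i], toks[i + 1]
    assert toks[i + 2] == "from" and toks[i + 4] == "to", line
    r = Rule(number, action, proto, toks[i + 3], toks[i + 5], text=line.strip())
    i += 6
    while i < len(toks):                       # trailing options
        t = toks[i]
        if t.isdigit(): r.dport = int(t)
        elif t in ("in", "out"): r.direction = t
        elif t == "setup": r.setup = True
        elif t == "via": i += 1; r.iface = toks[i]
        elif t == "icmptypes": i += 1; r.icmptypes = {int(x) for x in toks[i].split(",")}
        else: raise ValueError(f"unsupported token {t!r} in {line!r}")
        i += 1
    return r


def build_ruleset(*confs: str) -> List[Rule]:
    """Load configs in order (ipfw.conf.apple, then ipfw.conf), like servermgrd.
    Unnumbered rules get highest+AUTOINC_STEP; the set is kept sorted by number."""
    rules, last = [], 0
    for conf in confs:
        for line in conf.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            r = parse_rule(line, last + AUTOINC_STEP)
            rules.append(r)
            last = max(last, r.number)
    rules.sort(key=lambda r: r.number)             # stable: ties keep load order
    return rules


def first_match(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """First-match semantics; None means only the default rule 65535 applies."""
    return next((r for r in rules if r.matches(p)), None)


if __name__ == "__main__":
    syn = Packet("tcp", "203.0.113.5", "192.0.2.10", "in", dport=80, setup=True)
    for custom in ("add allow tcp from any to any 80 in setup",
                   "add 1100 allow tcp from any to any 80 in setup"):
        hit = first_match(build_ruleset(APPLE_CONF, custom), syn)
        print(f"{custom!r:52} -> {hit.number} {hit.action}")
```

Run stand-alone, the first custom rule is numbered 65100 and the inbound SYN is decided by 65000 deny; the numbered variant is decided by 1100 allow. To check a real host, compare the simulation against `ipfw list` after saving in Server Admin, since that is the numbering the kernel actually applied.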

Chapter 13 Working With Network Services

139