Unmodified ipfw.conf file | Apple oxs guide

The unmodified ipfw.conf file:

#ipfw.conf.default - Installed by Apple, never modified by Server Admin app

#ipfw.conf - The servermgrd process (the back end of Server Admin app)

#creates this from ipfw.conf.default if it's absent, but does not modify

#it.

#

#Administrators can place custom ipfw rules in ipfw.conf.

#Whenever a change is made to the ipfw rules by the Server Admin

#application and saved:

#1. All ipfw rules are flushed

#2. The rules defined by the Server Admin app (stored as plists)

#are exported to /etc/ipfilter/ipfw.conf.apple and loaded into the

#firewall via ipfw.

#3. The rules in /etc/ipfilter/ipfw.conf are loaded into the firewall

#via ipfw.

#Note that the rules loaded into the firewall are not applied unless the

#firewall is enabled.

#

#The rules resulting from the Server Admin app's IPFirewall and NAT panels

#are numbered:

#10 - from the NAT Service - this is the NAT divert rule, present only

#when he NAT service is started via the Server Admin app.

#1000 - from the "Advanced" panel - the modifiable rules, ordered by

#their relative position in the drag-sortable rule list

#12300 - from the "General" panel - "allow"" rules that punch specific

#holes in the firewall for specific services

#63200 - from the "Advanced" panel - the non-modifiable rules at the

#bottom of the panel's rule list

#

#Refer to the man page for ipfw(8) for more information.

#The following default rules are already added by default:

#add 01000 allow all from any to any via lo0 #add 01010 deny all from any to 127.0.0.0/8 #add 01020 deny ip from 224.0.0.0/4 to any in #add 01030 deny tcp from any to 224.0.0.0/4 in #add 12300 ("allow" rules from the "General" panel)

#...

#add 63200 deny icmp from any to any in icmptypes 0 in #add 63300 deny igmp from any to any in

#add 65000 deny tcp from any to any in setup

For more information, read the ipfw man page.

Chapter 13 Working With Network Services

139

Image 139

Apple oxs manual Unmodified ipfw.conf file

Contents

Mac OS X Server Command-Line Administration 034-2354/10-24-03 Contents Power Management Settings Setting General System PreferencesEnergy Saver Settings Viewing or Changing Sleep Settings Unmounting Volumes Working With Disks and VolumesMounting and Unmounting Volumes Mounting Volumes Checking AFP Service Status Working With File ServicesAFP Service Starting and Stopping AFP Service Viewing Print Service Settings Working With Print ServiceStarting and Stopping Print Service Checking the Status of Print Service Changing Settings Using serveradmin 157 Configuring Ldap 156 Changing Open Directory Service Settings 157 171 Index Summary Commands and Other Terminal TextCommand Parameters and Options Notation Conventions Commands Requiring Root Privileges Default Settings To open Terminal Using Terminal To type a command Correcting Typing ErrorsRepeating Commands Including Paths Using Drag-and-Drop $ sudo serveradmin list To open a connection to a remote server Sending Commands to a Remote ServerSending a Single Command Example ssh -l admin Updating SSH Key Fingerprints To disable Telnet access Getting Online Help for CommandsUsing Telnet To enable Telnet access Determining Whether a Service Needs to be Restarted ServersetupPage To save a template configuration file during server setup Installing Server SoftwareAutomating Server Setup Creating a Configuration File Template Installing Server Software and Finishing Basic Setup Installing Server Software and Finishing Basic Setup Installing Server Software and Finishing Basic Setup Naming Configuration Files Changing Server SettingsStoring a Configuration File in an Accessible Location Updating Server Software Viewing, Validating, and Setting the Software Serial Number Moving a Server Page To restart a remote server immediately ExamplesAutomatic Restart To restart the local server To shut down a remote server immediately Changing a Remote Server’s Startup DiskShutting Down a Server To change the startup disk To display the server’s computer name Computer NameDate and Time Viewing or Changing the Computer Name Viewing or Changing the System Time Viewing or Changing the System DateViewing or Changing the System Time Zone Viewing or Changing Network Time Server Usage Energy Saver SettingsViewing or Changing Sleep Settings Viewing or Changing Automatic Restart Settings Startup Disk Settings Power Management SettingsViewing or Changing the Startup Disk Viewing or Changing Language Settings Sharing SettingsInternational Settings Viewing or Changing Remote Login Settings To view the current setting Login SettingsDisabling the Restart and Shutdown Buttons Viewing Port Names and Hardware Addresses Activating Port Configurations Network Port ConfigurationsViewing or Changing Media Settings Creating or Deleting Port Configurations Changing Configuration Precedence TCP/IP SettingsChanging a Server’s IP Address To change TCP/IP settings for a particular port or device To list TCP/IP settings for a configurationTo view TCP/IP settings for port en0 To view TCP/IP settings for a particular port or device Viewing or Changing DNS Servers Enabling TCP/IP AppleTalk SettingsProxy Settings Viewing or Changing FTP Proxy Settings Viewing or Changing Gopher Proxy Settings Viewing or Changing Web Proxy SettingsViewing or Changing Secure Web Proxy Settings Viewing or Changing Streaming Proxy Settings Computer, Host, and Rendezvous Name AirPort SettingsViewing or Changing Socks Firewall Proxy Settings Viewing or Changing Airport Settings Viewing or Changing the Rendezvous Name Viewing or Changing the Local Host NamePage Mounting Volumes Checking for Disk ProblemsUnmounting Volumes Monitoring Disk Space Reclaiming Disk Space Using Log Rolling Scripts Example Checking to See if Journaling is EnabledTurning on Journaling for an Existing Volume Managing Disk Journaling Disabling Journaling Enabling Journaling When You Erase a DiskSetting Up a Case-Sensitive HFS+ File System Erasing, Partitioning, and Formatting Disks Hdiutil convert -format Udzo pathtoimage -o compressedimage Imaging and Cloning Volumes Using ASRTo image a boot volume To restore a volume from an image To create a user with a specific UID To create a userTo create a user with a specific UID and home directory To import users and groups Importing Users and Groups DSRecTypeStandardGroups Creating a Character-Delimited User Import FileWriting a Record Description Use the shorthand StandardGroupRecord Using the StandardUserRecord Shorthand Attribute User AttributesFormat Sample values Attribute Format Sample values AuthenticationHint MCXSettingsAdminLimits Authentication MailAttribute field Description Sample values Mail Attributes in User Records Value NotificationStateKNotificationState NotificationOff is assumed NotificationStaticIP Checking a Server User’s Name, UID, or Password Mounting a User’s Home Directory Checking a User’s Administrator PrivilegesCreating a User’s Home Directory Creating a Group FolderPage To list existing share points Listing Share Points To create a share point Creating a Share PointExamples AFP Service List of AFP Settings Changing AFP Settings AttemptAdminAuth Admin31GetsSpAdminGetsSp AllowRootLogin LogLogin GuestAccessAdminUsers Default = afpserver SpecialAdminPrivs UnixwithclassicadminpermissionsDefault = classicpermissions Noadminkills Output List of AFP serveradmin CommandsListing Connected Users To list connected users To disconnect users Disconnecting AFP UsersSending a Message to AFP Users To send a message To cancel a disconnect Canceling a User DisconnectValue Description To list samples Listing AFP Service Statistics Viewing NFS Settings NFS ServiceStarting and Stopping NFS Service Checking NFS Service Status FTP Service FTP Settings Changing FTP SettingsParameter ftp Ftpcommand= Description List of FTP serveradmin CommandsPage Or see List of SMB Service Settings on Viewing SMB SettingsChanging SMB Settings To list all SMB service settings Parameter smb Description List of SMB Service Settings Max smbd processes Netbios nameLocal master Log level Smbcommand= Description List of SMB serveradmin CommandsListing SMB Users Value returned by getConnectedUsers Disconnecting SMB Users Updating Share Point Information Listing SMB Service Statistics Name-log Viewing SMB Service LogsSmb-log Var/log/samba/log.smbdPage Viewing Print Service Settings Checking the Status of Print Service Print Service Settings Changing Print Service SettingsParameter print Description Parameter printDescription Queue Data Array Here is an example of a queue array parameter block To pause a queue Print Service serveradmin CommandsPausing a Queue Listing Queues Holding a Job Listing Jobs and Job InformationTo hold a job To release the job Viewing Print Service Log FilesPage Viewing NetBoot Settings Checking NetBoot Service Status Parameter netboot Description Changing NetBoot SettingsNetBoot Service Settings General Settings Filters Record Array Storage Record Array Image Record Array Ethernet NetBootPortsRecordsArrayarrayindexmIsEnabledAtIndex Port Record ArrayPage Viewing Mail Service Settings Checking the Status of Mail Service Mail Service Settings Changing Mail Service SettingsParameter mail Description Postfixsmtpsaslauthenable PostfixdisablevrfycommandPostfixlmtpsaslpasswordmaps Postfixsmtpsaslpasswordmaps Postfixcleanupservicename PostfixdeliverlockdelayPostfixmailboxcommand Postfixdefaultverpdelimiters Postfixsmtpderrorsleeptime PostfixforkdelayPostfixdisablemimeoutputconversion Postfixsmtpdtimeout Postfixaliasmaps PostfixdelaywarningtimePostfixtriggertimeout Postfixrelaytransport Postfixsmtpddelayreject PostfixsmtpdnoopcommandsPostfixalternateconfigdirectories Postfixdefaulttransport Postfixinflowdelay PostfixqueueservicenamePostfixipctimeout Postfixdefaultprivs Postfixignoremxlookuperror PostfixshowqservicenamePostfixsmtppixworkarounddelaytime Postfixqmqpdtimeout Postfixsmtpdsenderloginmaps PostfixbounceservicenamePostfixcontentfilter Postfixqmqpderrordelay Postfixsmtpdatadonetimeout PostfixdefaultextrarecipientlimitPostfixlmtpdatadonetimeout Postfixlmtpdataxfertimeout Imapenablepop ImappoptimeoutImapmupdateserver Imaptimeout Imapallowanonymouslogin ImapdefaultpartitionImapsrvtab Default = /etc/srvtab Imapimapauthlogin Imapenableimap Command Mail serveradmin Commands Listing Mail Service Statistics To display the log locations Viewing the Mail Service Logs Generating a CSR and Creating a Keychain Setting Up SSL for Mail Service 120 Importing an SSL Certificate Into the Keychain Obtaining an SSL Certificate Creating a Passphrase File Setting Up SSL for Mail Service on a Headless Server Viewing Web Settings Checking Web Service Status An appropriate value for the setting Changing Web SettingsServeradmin and Apache Settings Changing Settings Using serveradmin To list sites Web serveradmin CommandsViewing Service Logs Listing Hosted Sites Cachethroughput for Viewing Service StatisticsRequestspersecond for Cacherequestspersecond for Addsite File Example Script for Adding a WebsiteAddsite.in File Root To run the scriptIpaddress Port Viewing Dhcp Service Settings Dhcp ServiceStarting and Stopping Dhcp Service Checking the Status of Dhcp Service Dhcp Service Settings Changing Dhcp Service SettingsParameter dhcp Description About Subnet IDs Dhcp Subnet Settings ArraySubnet Parameter Netrangeend LeasetimesecsNetaddress Netmask WINSsecondaryserver Adding a Dhcp SubnetTo add a subnet WINSscopeid Location of the DNS service log List of Dhcp serveradmin CommandsViewing the Dhcp Service Log Command Dhcpcommand=Description DNS Service Sample Output Firewall ServiceListing DNS Service Statistics Starting and Stopping Firewall Service Firewall Service Settings Checking the Status of Firewall ServiceViewing Firewall Service Settings Changing Firewall Service Settings Parameter ipfilter Description Defining Firewall RulesIPFilter Groups With Rules Array Adding Rules by Modifying ipfw.conf Unmodified ipfw.conf file Example Adding Rules Using serveradminRule IPFilter Rules Array Firewall serveradmin Commands NAT Service NAT Service Settings Changing NAT Service SettingsParameter nat Description Viewing the NAT Service Log NAT serveradmin CommandsParameter natDescription Viewing VPN Service Settings VPN ServiceStarting and Stopping VPN Service Checking the Status of VPN Service Parameter vpnServers Description List of VPN Service Settings PPPVerboseLogging Com.name.ppp.l2tp PPPDSACLEnabled Com.name.ppp.l2tpPPPAuthenticatorPlugins Arrayindex n Com.name.ppp.l2tp PPPLCPEchoEnabled Com.name.ppp.l2tp PPPCCPEnabled Com.name.ppp.pptp PPPDSACLEnabled Com.name.ppp.pptpPPPAuthenticatorPlugins Arrayindexn Com.name.ppp.pptp PPPLCPEchoEnabled Com.name.ppp.pptp Be restarted. See Determining Whether a Service Needs to be List of VPN serveradmin CommandsViewing the VPN Service Log VPN Service Log on this Hardware IP FailoverRequirements Failover Operation Enabling IP Failover To enable IP failover Notification Only Configuring IP FailoverPre and Post Scripts Enabling PPP Dial-In Page Modifying an Open Directory Node Testing Your Open Directory ConfigurationTesting Open Directory Plugins General Directory Tools Changing Open Directory Service Settings Registering URLs With Service Location Protocol SLPParameter dirserv Description Standard Distribution Tools Configuring LdapProgram Used to Additional Information About Ldap Delay RebindIdle Timeout Idle Rebinding Options NetInfo Password Server Tool in usr/sbin Description KdcsetupKerberosautoconfig Kerberos and Single Sign On Checking Qtss Service Status Stopping Qtss Service $ sudo serveradmin settings qtss Viewing Qtss SettingsChanging Qtss Settings To list all Qtss service settings Parameter qtss Description Qtss SettingsDescriptions of Settings Qtss parameters you might change Enableremoteadmin ModulesarrayidQTSSAdminModule ModulesarrayidQTSSAdminModuleAdministratorGroup ModulesarrayidQTSSAdminModule Authenticate ModulesarrayidQTSSAdminModule Serverdefaultauthorizationrealm Disableoverbuffering ModulesarrayidQTSSReflectorModuleEnablebroadcastannounce ModulesarrayidQTSSReflectorModule Enablebroadcastpush ModulesarrayidQTSSReflectorModule Listing Current Connections Qtss serveradmin Commands Viewing Qtss Service Statistics Library/QuickTimeStreaming/Logs Error.logForcing Qtss to Re-Read its Preferences To force Qtss to re-read its preferences Preparing Older Home Directories for User Streaming To set up /Sites/Streaming in older home directoriesCreated Page Index Kdcsetup utility 160 Kerberos Installer command 21 IP addressKerberosautoconfig tool 173 174 Used by ldapsearch 157 scripts 175