The unmodified ipfw.conf file:
#ipfw.conf.default - Installed by Apple, never modified by Server Admin app
#ipfw.conf - The servermgrd process (the back end of Server Admin app)
#creates this from ipfw.conf.default if it's absent, but does not modify
#it.
#
#Administrators can place custom ipfw rules in ipfw.conf.
#Whenever a change is made to the ipfw rules by the Server Admin
#application and saved:
#1. All ipfw rules are flushed
#2. The rules defined by the Server Admin app (stored as plists)
#are exported to /etc/ipfilter/ipfw.conf.apple and loaded into the
#firewall via ipfw.
#3. The rules in /etc/ipfilter/ipfw.conf are loaded into the firewall
#via ipfw.
#Note that the rules loaded into the firewall are not applied unless the
#firewall is enabled.
#
#The rules resulting from the Server Admin app's IPFirewall and NAT panels
#are numbered:
#10 - from the NAT Service - this is the NAT divert rule, present only
#when he NAT service is started via the Server Admin app.
#1000 - from the "Advanced" panel - the modifiable rules, ordered by
#their relative position in the
#12300 - from the "General" panel - "allow"" rules that punch specific
#holes in the firewall for specific services
#63200 - from the "Advanced" panel - the
#bottom of the panel's rule list
#
#Refer to the man page for ipfw(8) for more information.
#The following default rules are already added by default:
#add 01000 allow all from any to any via lo0
#add 01010 deny all from any to 127.0.0.0/8
#add 01020 deny ip from 224.0.0.0/4 to any in
#add 01030 deny tcp from any to 224.0.0.0/4 in
#add 12300 ("allow" rules from the "General" panel)
#...
#add 63200 deny icmp from any to any in icmptypes 0 in
#add 63300 deny igmp from any to any in
#add 65000 deny tcp from any to any in setup
For more information, read the ipfw man page.
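Because ipfw checks rules in ascending number order, where a custom rule lands relative to the numbers listed above decides whether it ever takes effect. The following Python check is an added example, not part of Apple's file or this guide: it reads candidate ipfw.conf lines and reports which Server Admin band each rule falls in and whether it collides with a listed default rule or sits behind the 65000 TCP setup deny. The band end points, the `SAMPLE` rules and the names `band_for` and `lint` are assumptions of this example.

```python
import re

# Band starts come from the ipfw.conf comments above; treating each band as
# running up to the next listed number is an assumption of this example.
BANDS = [(10, "NAT divert"), (1000, "Advanced, modifiable"),
         (12300, "General allow rules"), (63200, "Advanced, non-modifiable")]
# Numbers of the default rules listed at the end of the file.
DEFAULTS = {1000, 1010, 1020, 1030, 12300, 63200, 63300, 65000}
TCP_SETUP_DENY = 65000  # "deny tcp from any to any in setup"
RULE_RE = re.compile(r"^add\s+(?:(\d+)\s+)?(\w+)\s+(\w+)\s")

# Constructed sample of custom rules, not taken from the original page.
SAMPLE = """\
# site-specific rules
add 02000 allow tcp from 10.0.0.0/8 to any 22 in
add 65100 allow tcp from any to any 8080 in
add 12300 deny udp from any to any 161 in
add allow icmp from any to any
"""


def band_for(number):
    """Name the last band whose start is <= number (None below rule 10)."""
    hits = [label for start, label in BANDS if number >= start]
    return hits[-1] if hits else None


def lint(conf_text):
    """Return one (rule_number, band, warnings) tuple per custom rule."""
    report = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are not rules
        m = RULE_RE.match(line)
        if not m or m.group(1) is None:
            # unnumbered: ipfw assigns the number itself, so placement is implicit
            report.append((None, None, ["not a numbered 'add' rule"]))
            continue
        number, action, proto = int(m.group(1)), m.group(2), m.group(3)
        warnings = []
        if number in DEFAULTS:
            warnings.append("shares a number with a listed default rule")
        if (number > TCP_SETUP_DENY and action in ("allow", "pass", "permit", "accept")
                and proto in ("tcp", "ip", "all") and "out" not in line.split()):
            warnings.append("follows 65000 deny tcp in setup")
        report.append((number, band_for(number), warnings))
    return report
```

Calling `lint(SAMPLE)` returns one tuple per rule; an empty warnings list means the rule number raised none of these checks.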
Chapter 13 Working With Network Services