Creating ip filter rules using ipfw – Apple Mac OS X Server (Administrator’s Guide) User Manual
Page 538
538
Chapter 15
5
Click Save, then restart Firewall service.
Creating IP Filter Rules Using ipfw
You can use the ipfw command in conjunction with the Firewall module of Server Settings
when you want to
m Display rules created by the Firewall module. Each filter translates into one or more rules.
m Create filters with characteristics that cannot be defined using the Firewall module. For
example, you may want to use rules specific to a particular kind of IP protocol. Or you
may want to filter or block outgoing packets.
m Count the number of times rules are applied.
If you use ipfw, make sure you do not modify rules created using the Firewall module.
Changes you make to Firewall module rules are not permanent. Firewall service recreates any
rules defined using the Firewall module whenever the service is restarted. Here is a summary
of how the Firewall module assigns rule numbers:
Important
Denial-of-service attacks are somewhat rare, so make these settings only if you
think your server may be vulnerable to an attack. If you don’t send rejection replies to clients,
some clients may retry connections, resulting in server congestion. Also, if you deny ICMP
echo replies, services that use pinging to locate network services will be unable to detect
your server.
Rule number
Used by Firewall module for
10
Loop back.
20
Discarding any packet from or to 127.0.0.0/8 (broadcast).
30
Discarding any packet from 224.0.0.0/3 (broadcast).
40
Discarding TCP packets to 224.0.0.0/3 (broadcast).
100–64000
User-defined port-specific filters.
63200
Denying access for icmp echo reply. Created when “Deny ICMP echo reply” is
selected in the Advanced pane of the Configure Firewall window.
63300
Denying access for igmp. Created when Deny IGMP is selected in the
Advanced pane of the Configure Firewall window.
63400
Allowing any TCP or UDP packet to access port 111 (needed by NetInfo).
Created when a shared NetInfo domain is found on the server.