Apple Mac OS X Server (Administrator’s Guide) User Manual
Page 539

Firewall Service
Rule number     Used by Firewall module for
63500           Allowing user-specified TCP and UDP packets to access ports needed for
                NetInfo shared domains. You can configure NetInfo to use a static port or to
                dynamically select a port from 600 through 1023. Then use the Configure
                Firewall window to allow all or specific clients to access those ports.
64000–65000     User-defined filters for Any Port.

Reviewing IP Filter Rules
To review the rules currently defined for your server, use the Terminal application to submit
the ipfw show command. The show command displays four columns of information:

Column   Information
1        The rule number. The lower the number, the higher the priority of the rule.
2        The number of times the filter has been applied since it was defined.
3        The number of bytes to which the filter has been applied.
4        A description of the rule.

When you type:
    ipfw show
You see information similar to this:
    0010    260    32688    allow log ip from any to any via lo*
    0020      0        0    deny log ip from 127.0.0.0/8 to any in
    0020      0        0    deny log ip from any to 127.0.0.0/8 in
    0030      0        0    deny log ip from 224.0.0.0/3 to any in
    0040      0        0    deny log tcp from any to 224.0.0.0/3 in
    00100     1       52    allow log tcp from 111.222.33.3 to 111.222.31.3 660 in
    ...

Creating IP Filter Rules
To create new rules, use the ipfw add command. The following example defines rule 200, a
filter that prevents TCP packets from a client with IP address 10.123.123.123 from accessing
port 80 of the system with IP address 17.123.123.123:
    ipfw add 200 deny tcp from 10.123.123.123 to 17.123.123.123 80

Deleting IP Filter Rules
To delete a rule, use the ipfw delete command. This example deletes rule 200:
    ipfw delete 200
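As an added example (not part of the manual), the POSIX shell script below parses the four-column ipfw show output described under Reviewing IP Filter Rules and composes a deny rule of the form used under Creating IP Filter Rules. The rule listing is a constructed fixture (counters made up, rule 200 included), so the script runs without ipfw installed; the function names are this example's own.

```shell
#!/bin/sh
# Constructed fixture standing in for `ipfw show` output on a server that
# has the rules from this page plus rule 200 from the Creating section.
# Counters (columns 2 and 3) are made up; ipfw is not needed to run this.
IPFW_SHOW_SAMPLE='00010 260 32688 allow log ip from any to any via lo*
00020 0 0 deny log ip from 127.0.0.0/8 to any in
00020 0 0 deny log ip from any to 127.0.0.0/8 in
00030 0 0 deny log ip from 224.0.0.0/3 to any in
00040 0 0 deny log tcp from any to 224.0.0.0/3 in
00100 1 52 allow log tcp from 111.222.33.3 to 111.222.31.3 660 in
00200 7 420 deny tcp from 10.123.123.123 to 17.123.123.123 80'

# Columns as the manual describes them: $1 rule number, $2 packet count,
# $3 byte count, $4 onward the rule text (so $4 is the action, allow or deny).
# Print "number packets bytes" for every rule whose action is $1.
rules_by_action() {
  printf '%s\n' "$IPFW_SHOW_SAMPLE" | awk -v want="$1" '$4 == want { print $1, $2, $3 }'
}

# Count deny rules that have matched at least one packet: each one is a
# blocked attempt worth correlating with the firewall log.
denies_with_hits() {
  rules_by_action deny | awk '$2 > 0 { n++ } END { print n + 0 }'
}

# Space-separated numbers of rules that have never matched. Lower numbers
# win, so a rule with zero hits may be shadowed by an earlier, broader one.
unused_rules() {
  printf '%s\n' "$IPFW_SHOW_SAMPLE" |
    awk '$2 == 0 { printf "%s%s", (n++ ? " " : ""), $1 } END { print "" }'
}

# Compose (but do not run) an `ipfw add` deny rule of the form shown in the
# Creating section. Rule numbers must be 1..65534: 65535 is ipfw's fixed
# default rule. Usage: deny_tcp_rule NUM SRC DST PORT
deny_tcp_rule() {
  case "$1" in
    ''|*[!0-9]*) echo "bad rule number: $1" >&2; return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65534 ] || { echo "rule number out of range: $1" >&2; return 1; }
  printf 'ipfw add %s deny tcp from %s to %s %s\n' "$1" "$2" "$3" "$4"
}
```

Pipe real `ipfw show` output into the awk programs in place of the fixture to run the same checks on a live server.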