Apple Mac OS X Server Network Card User Manual


 
230 Chapter 14 Working with Network Services
ipfilter Groups with Rules Array
An array of the following settings is included in the ipfilter settings for each defined
IP address group. These arrays aren’t part of a standard ipfw configuration, but are
created by the Server Admin application to implement the IP Address groups in the
General pane of the Firewall service settings. In an actual list of settings, <group> is
replaced with an IP address group.

Parameter (ipfilter:)                                   Description
ipAddressGroupsWithRules:_array_id:<group>:rules        An array of rules for the group.
ipAddressGroupsWithRules:_array_id:<group>:addresses    The group’s addresses.
ipAddressGroupsWithRules:_array_id:<group>:name         The group’s name.
ipAddressGroupsWithRules:_array_id:<group>:readOnly     Whether the group is set for read-only.

Defining Firewall Rules
You can use serveradmin to set up firewall rules for your server. However, a simpler
method is to add your rules to a configuration file used by the firewall service.
By modifying the file, you’ll be able to define your rules using standard ipfw rule
syntax instead of creating a specialized array to store the rule’s components.

Adding Rules by Modifying ipfw.conf
An ipfw configuration, or ruleset, is made of a list of rules numbered from 1 to 65535.
Packets are passed to ipfw from a number of different places in the protocol stack
(depending on the source and destination of the packet, it is possible that ipfw is
invoked multiple times on the same packet). The packet passed to the firewall is
compared against each of the rules in the firewall ruleset, in ascending rule-number
order. When a match is found, the action corresponding to the matching rule is
performed.

ipfw can be configured with a variety of commands. See the ipfw man page for more
information.

The file in which you can define your rules is /etc/ipfilter/ipfw.conf. The firewall service
reads this file, but doesn’t modify it. Its contents are annotated and include
commented-out rules you can use as models. Its default contents are listed below.

Important: Misconfiguring the firewall can put your computer in an unusable state,
possibly shutting down network services and requiring console access to regain control
of it.
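Because a mistake in ipfw.conf can cut off the very session you are administering from, it pays
to check a candidate ruleset before the firewall service reads it and to install it in a way that
undoes itself if you lose access. The following script is an added example, not part of Apple’s
documentation or of the default ipfw.conf. Its rulesets are constructed samples. Two things it
relies on are assumptions rather than statements on this page: that rules are written one per
line as “add <number> <action> ...” in the form the ipfw man page describes, and that the
service picks up the file when restarted with “serveradmin stop ipfilter” followed by
“serveradmin start ipfilter”. The guarded_apply function needs root and is defined but not run.

```shell
#!/bin/sh
# Added example, not from Apple's documentation or the default ipfw.conf.
# lint_rules: pre-flight check of a ruleset destined for /etc/ipfilter/ipfw.conf.
# guarded_apply: installs a checked file and reverts it unless confirmed in time.
# Assumed (not stated on the page): one "add <number> <action> ..." per line,
# and the service reloads the file on "serveradmin stop/start ipfilter".

# Constructed sample ruleset in standard ipfw syntax. 10.0.1.0/24 stands in
# for the administrators' network; it is not a value from the page.
SAMPLE_RULES='
# Loopback traffic is always allowed.
add 1000 allow ip from any to any via lo0
# Admin SSH comes before any rule that could block it.
add 1100 allow tcp from 10.0.1.0/24 to any 22 in
# Replies to connections the server itself opened.
add 1200 allow tcp from any to any established
add 2000 deny log tcp from any to any 23
add 65000 deny log ip from any to any
'

# Constructed ruleset carrying the mistakes the linter is meant to catch.
BROKEN_RULES='
add 500 allow ip from any to any via lo0
add 400 allow tcp from any to any 22 in
add 65535 deny ip from any to any
flush
add 700 alow udp from any to any 53
'

# lint_rules: read a ruleset on stdin, report problems on stderr, return 1 if
# any were found. The policy is stricter than ipfw itself: every rule carries
# an explicit number; numbers strictly ascend, so the file reads in the order
# the kernel evaluates it; 65535 (the default rule) is never written; and only
# "add" commands appear, so the file can never flush the live table.
lint_rules() {
    prev=0
    status=0
    while IFS= read -r line; do
        set -- $line                                  # split the line into words
        case "${1:-}" in ''|'#'*) continue ;; esac     # blank line or comment
        if [ "$1" != "add" ]; then
            echo "lint: not an add rule: $line" >&2; status=1; continue
        fi
        num=${2:-}; action=${3:-}
        case "$num" in
            ''|*[!0-9]*) echo "lint: missing rule number: $line" >&2; status=1; continue ;;
        esac
        if [ "$num" -lt 1 ] || [ "$num" -gt 65534 ]; then
            echo "lint: rule number $num outside 1-65534: $line" >&2; status=1; continue
        fi
        if [ "$num" -le "$prev" ]; then
            echo "lint: rule $num does not ascend from $prev: $line" >&2; status=1
        fi
        prev=$num
        case "$action" in
            allow|accept|pass|permit|deny|drop|reject|unreach|count|check-state|skipto|fwd|forward|divert|tee|pipe|queue) ;;
            *) echo "lint: unknown action '$action': $line" >&2; status=1 ;;
        esac
    done
    return $status
}

# guarded_apply NEWFILE [GRACE_SECONDS]: lint NEWFILE, install it as $CONF,
# restart the firewall service, and start a watchdog that restores the previous
# file and restarts again unless $CONFIRM exists when the grace period ends.
# The watchdog ignores SIGHUP so it survives the SSH session the new rules may
# have just killed. Must run as root; it is not invoked by this script.
CONF=/etc/ipfilter/ipfw.conf
CONFIRM=/tmp/ipfw-confirm
guarded_apply() {
    new=$1; grace=${2:-120}
    lint_rules < "$new" || { echo "refusing to install $new" >&2; return 1; }
    cp "$CONF" "$CONF.prev" || return 1
    cp "$new" "$CONF" || return 1
    rm -f "$CONFIRM"
    serveradmin stop ipfilter && serveradmin start ipfilter || return 1
    (
        trap '' HUP
        sleep "$grace"
        if [ ! -e "$CONFIRM" ]; then
            cp "$CONF.prev" "$CONF"
            serveradmin stop ipfilter
            serveradmin start ipfilter
        fi
    ) </dev/null >/dev/null 2>&1 &
    echo "installed $new; run 'touch $CONFIRM' within $grace s or it is reverted"
}

# Demonstrate the linter on the constructed samples; nothing is installed.
printf '%s\n' "$SAMPLE_RULES" | lint_rules && echo "sample ruleset: ok"
printf '%s\n' "$BROKEN_RULES" | lint_rules || echo "broken ruleset: rejected"
```

The ascending-number check is a readability policy, not an ipfw requirement: the kernel sorts
rules by number whatever order the file lists them in, which is exactly why a file written out of
order is dangerous to reason about. Confirming with “touch /tmp/ipfw-confirm” from a fresh
connection, rather than from the session that installed the rules, proves that the new ruleset
actually admits administrative traffic.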