Setup guide

10. Keeping the Server Admin program open, add the following lines to
/etc/ipfilter/ipfw.conf (substituting $MY_IP,
$TIME_SERVER, and $DNS_SERVER appropriately):
    add 02000 allow ip from $MY_IP to any out
    #this allows our system to send packets out
    add 03000 allow icmp from any to any
    #allow icmp messages (e.g. pings) in and out
    add 03500 allow udp from $DNS_SERVER 53 to $MY_IP in
    #accept packets from our DNS server
    add 03600 allow udp from $TIME_SERVER 123 to $MY_IP in
    #accept packets from our NTP server
    add 65500 allow tcp from any to any established
    #accept TCP packets from other hosts once the connection is established
    add 65534 deny log ip from any to any in
    #deny and log all other inbound packets
11. If your system is hosting a UDP-based service, add rules as needed. In the
examples below, substitute $MY_CLIENTS with an address or subnet that
represents the clients you wish to serve.
    add 03700 allow udp from $MY_CLIENTS to $MY_IP 123 in
    #this permits our system to answer NTP requests
    add 03800 allow udp from $MY_CLIENTS to $MY_IP 631 in
    #this permits our system to answer IPP printing requests
    add 03900 allow udp from $MY_CLIENTS to $MY_IP 2049 in
    #this permits our system to act as an NFS server
    add 04000 allow udp from $MY_CLIENTS to $MY_IP 514 in
    #this permits our system to receive syslog messages
12. Save and close /etc/ipfilter/ipfw.conf.
13. Switch back to Server Admin.
14. Click the Save button.
15. Click the “Start Service” button to activate the firewall.
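The following Python script is an added illustration and is not part of this guide or of Mac OS X Server. It substitutes the $MY_IP, $DNS_SERVER, $TIME_SERVER and $MY_CLIENTS placeholders (ipfw.conf does not expand them, so each must be replaced before the file is saved; the addresses used here are constructed documentation values), parses the rules from steps 10 and 11, and evaluates a few constructed sample packets in rule-number order, which is how ipfw applies them. Running it shows that a DNS reply from $DNS_SERVER is accepted by rule 03500, that an inbound TCP segment passes rule 65500 only if it belongs to an established connection, and that all other inbound traffic falls to the logged deny at 65534, which is the check worth making before the firewall service is started.

```python
"""First-match evaluator for the ipfw rule subset used in this guide (added
illustration, not code from the guide). It renders the guide's $VARIABLE
placeholders, which ipfw.conf does not expand itself, parses the rules, and
evaluates constructed sample packets in rule-number order as ipfw does."""
import ipaddress
import re
from collections import namedtuple

# Constructed placeholder values (RFC 5737 documentation ranges), not real hosts.
VARS = {"$MY_IP": "192.0.2.10", "$DNS_SERVER": "192.0.2.53",
        "$TIME_SERVER": "192.0.2.123", "$MY_CLIENTS": "192.0.2.0/24"}

# The guide's rules from step 10 plus the NTP service rule from step 11.
RULE_TEMPLATE = """\
add 02000 allow ip from $MY_IP to any out
add 03000 allow icmp from any to any
add 03500 allow udp from $DNS_SERVER 53 to $MY_IP in
add 03600 allow udp from $TIME_SERVER 123 to $MY_IP in
add 03700 allow udp from $MY_CLIENTS to $MY_IP 123 in
add 65500 allow tcp from any to any established
add 65534 deny log ip from any to any in
"""

# src/dst are IPv4Network or None ("any"); direction is "in", "out" or None (both).
Rule = namedtuple("Rule", "number action log proto src sport dst dport direction established")
Packet = namedtuple("Packet", "proto src sport dst dport direction established", defaults=(False,))

def render(template: str, variables: dict) -> str:
    """Substitute $VARIABLES; an unknown one raises KeyError rather than reaching the file."""
    return re.sub(r"\$[A-Z_]+", lambda m: variables[m.group(0)], template)

def _net(token: str):
    return None if token == "any" else ipaddress.ip_network(token, strict=False)

def parse_rule(line: str) -> Rule:
    """Parse 'add N action [log] proto from src [port] to dst [port] [in|out] [established]'."""
    t = line.split()
    log = t[3] == "log"
    if t[0] != "add" or t[4 + log] != "from":
        raise ValueError("unsupported rule: " + line)
    i = 5 + log                                   # index of the source address
    src, i = _net(t[i]), i + 1
    sport = None
    if t[i].isdigit():
        sport, i = int(t[i]), i + 1
    if t[i] != "to":
        raise ValueError("expected 'to': " + line)
    dst, i = _net(t[i + 1]), i + 2
    dport = None
    if i < len(t) and t[i].isdigit():
        dport, i = int(t[i]), i + 1
    opts = set(t[i:])
    if opts - {"in", "out", "established"}:
        raise ValueError("unsupported option in: " + line)
    direction = "in" if "in" in opts else "out" if "out" in opts else None
    return Rule(int(t[1]), t[2], log, t[3 + log], src, sport, dst, dport, direction, "established" in opts)

def parse_rules(text: str) -> list:
    lines = [l.strip() for l in text.splitlines()]
    rules = [parse_rule(l) for l in lines if l and not l.startswith("#")]
    return sorted(rules, key=lambda r: r.number)  # ipfw evaluates in rule-number order

def matches(rule: Rule, p: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == p.proto)
            and (rule.src is None or ipaddress.ip_address(p.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(p.dst) in rule.dst)
            and rule.sport in (None, p.sport)
            and rule.dport in (None, p.dport)
            and rule.direction in (None, p.direction)
            and (not rule.established or p.established))

def evaluate(rules: list, p: Packet):
    """(action, rule number, logged) of the first match; 'default' means the packet
    falls through to the kernel's built-in rule 65535, which is not modelled here."""
    for r in rules:
        if matches(r, p):
            return r.action, r.number, r.log
    return "default", 65535, False

RULES = parse_rules(render(RULE_TEMPLATE, VARS))

if __name__ == "__main__":
    samples = {
        "DNS reply": Packet("udp", "192.0.2.53", 53, "192.0.2.10", 49152, "in"),
        "new inbound SSH": Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 22, "in"),
        "established TCP": Packet("tcp", "198.51.100.7", 443, "192.0.2.10", 50000, "in", True),
        "NTP from client": Packet("udp", "192.0.2.77", 123, "192.0.2.10", 123, "in"),
        "NTP from outside": Packet("udp", "203.0.113.5", 123, "192.0.2.10", 123, "in"),
    }
    for name, pkt in samples.items():
        action, number, logged = evaluate(RULES, pkt)
        print("%-17s -> %-5s rule %05d%s" % (name, action, number, " (logged)" if logged else ""))
```

The parser covers only the rule forms used in this guide and raises ValueError on anything else, so an unsupported line is noticed rather than silently ignored; likewise an unsubstituted placeholder makes render() fail instead of producing a rule ipfw would reject at load time.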
The firewall rules will need to be updated for any network service you enable and
wish to offer to other systems; if the rules are not updated, those network
services will not be reachable from other systems. Most of these services can be enabled
using the Server Admin tool. For those that cannot be enabled that way, an entry
should be added to /etc/ipfilter/ipfw.conf allowing the type of traffic
needed for that service.
UNCLASSIFIED