Chapter 14 Configuring and Managing Network Services 231
This change takes place immediately, but is not persistent if you reboot the computer.
To enable IP forwarding each time Mac OS X Server restarts, set the IPFORWARDING flag in
the /etc/hostconfig file to -YES- so that forwarding is enabled during the startup process.
Managing Firewall Service
For its Firewall service, Mac OS X Server uses the reliable open source IPFW2 software.
To protect your network applications, Firewall service scans incoming IP packets and
rejects or accepts them based on the set of filters you create. You can restrict access to
any IP service running on the server, and you can customize filters for all incoming
clients or for a range of client IP addresses.
Firewall service relies on the ipfw tool included with Mac OS X Server. The ipfw tool is a
content filter that uses rules to decide which packets to allow and which to deny.
Firewall Startup
Although the firewall is treated as a service by the Server Admin application, it is not
implemented by a running process like other services. It is a set of behaviors in the
kernel, controlled by the ipfw and sysctl tools.
To start and stop the firewall, the Server Admin application sets a switch using the
sysctl tool. When the computer starts, a startup item named IPFilter checks the
/etc/hostconfig file for the “IPFILTER” flag. If it is set, the sysctl tool is used to enable the
firewall:
$ sysctl -w net.inet.ip.fw.enable=1
Otherwise, it disables the firewall:
$ sysctl -w net.inet.ip.fw.enable=0
The rules loaded in the firewall remain regardless of this setting. They are ignored when
the firewall is disabled.
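The startup check described above can be turned into an audit. The script below is an added example, not Apple's IPFilter startup item: it reads the IPFILTER flag from a hostconfig-style file and compares it with the live value of net.inet.ip.fw.enable. It assumes IPFILTER takes the same -YES-/-NO- values shown for IPFORWARDING; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Apple's IPFilter startup item: compare the boot-time
# IPFILTER flag with the live kernel switch net.inet.ip.fw.enable.

# Print a flag's value from a hostconfig-style file ($1 = file, $2 = flag).
# Commented-out lines are skipped; the last assignment wins.
hostconfig_flag() {
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# $1 = IPFILTER value from hostconfig, $2 = live switch value (0 or 1).
# Assumption: IPFILTER uses the same -YES-/-NO- values as IPFORWARDING.
firewall_state() {
    case "$1" in
        -YES-) want=1 ;;
        *)     want=0 ;;
    esac
    if [ "$want" = "$2" ]; then
        if [ "$2" = 1 ]; then echo "enabled"; else echo "disabled"; fi
    elif [ "$2" = 0 ]; then
        echo "drift: flag set for boot, but disabled now (loaded rules are ignored)"
    else
        echo "drift: enabled now, but flag not set (off after the next restart)"
    fi
}

# $1 = hostconfig path, $2 = live value; defaults query the running system.
audit_firewall() {
    file=${1:-/etc/hostconfig}
    live=${2:-$(sysctl -n net.inet.ip.fw.enable)}
    firewall_state "$(hostconfig_flag "$file" IPFILTER)" "$live"
}

# Constructed sample input, so the example runs without touching a server.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed hostconfig sample
IPFORWARDING=-YES-
#IPFILTER=-NO-
IPFILTER=-YES-
EOF
audit_firewall "$sample" 1   # flag and kernel switch agree
audit_firewall "$sample" 0   # someone ran: sysctl -w net.inet.ip.fw.enable=0
rm -f "$sample"
```

Called with no arguments on the server, audit_firewall reads /etc/hostconfig and queries sysctl directly.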
Starting and Stopping Firewall Service
To start the service:
$ sudo serveradmin start ipfilter
To stop the service:
$ sudo serveradmin stop ipfilter
Disabling Firewall Service
To disable the service:
$ sudo /usr/sbin/sysctl -w net.inet.ip.fw.enable=0