Specifications
Chapter 14 Configuring and Managing Network Services 235
#add 01010 deny all from any to 127.0.0.0/8
#add 01020 deny ip from 224.0.0.0/4 to any in
#add 01030 deny tcp from any to 224.0.0.0/4 in
#add 12300 ("allow" rules from the "General" panel)
#...
#add 65534 deny ip from any to any
To add a rule that stops the host from forwarding any TCP packet from cracker.evil.org to the Telnet port of
my.host.org:
$ ipfw add deny tcp from cracker.evil.org to my.host.org telnet
To disallow any connection from the cracker.evil.org network to my.host.org:
1 Ping cracker.evil.org to determine its IP address.
$ ping cracker.evil.org
PING cracker.evil.org (123.45.67.10): 56 data bytes
64 bytes from 123.45.67.10: icmp_seq=0 ttl=52 time=24.953 ms
64 bytes from 123.45.67.10: icmp_seq=1 ttl=52 time=19.406 ms
64 bytes from 123.45.67.10: icmp_seq=2 ttl=52 time=18.871 ms
64 bytes from 123.45.67.10: icmp_seq=3 ttl=52 time=29.776 ms
64 bytes from 123.45.67.10: icmp_seq=4 ttl=52 time=26.209 ms
2 Deny access to a range of IP addresses associated with cracker.evil.org.
$ ipfw add deny ip from 123.45.67.0/24 to my.host.org
Adding Rules Using serveradmin
If you prefer not to work with the ipfw.conf file, you can use the serveradmin settings
command to add firewall rules to your configuration.
Note: Be sure to include the special first setting (ending with = create). This is how you
instruct serveradmin to create the necessary rule array with the specified rule number.
To add a rule:
$ sudo serveradmin settings
ipfilter:rules:_array_id:rule = create
ipfilter:rules:_array_id:rule:source = source
ipfilter:rules:_array_id:rule:protocol = protocol
ipfilter:rules:_array_id:rule:destination = destination
ipfilter:rules:_array_id:rule:action = action
ipfilter:rules:_array_id:rule:enableLocked = (yes|no)
ipfilter:rules:_array_id:rule:enabled = (yes|no)
ipfilter:rules:_array_id:rule:log = (yes|no)
ipfilter:rules:_array_id:rule:readOnly = (yes|no)
ipfilter:rules:_array_id:rule:source-port = port
Control-D
Parameter Description
rule A unique rule number.
Other parameters The standard rule settings described under “The ipfilter Rules Array” on page 236.
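As an added example that is not part of this guide and not Apple's own tooling, the following POSIX shell script derives the /24 network around a resolved address (step 2 of the network-deny procedure above) and generates both the ipfw command and the serveradmin settings batch for a deny rule covering it, without invoking either tool. The host names and addresses are the guide's placeholders; the rule number 12100, the yes/no values chosen, and the use of the ipfw keyword ip as the protocol value are assumptions.

```shell
#!/bin/sh
# Added example (not from the Apple guide): build the two artifacts the text
# describes, an ipfw "deny ip" rule for the /24 around a resolved address and
# the equivalent serveradmin settings batch. Nothing here calls ipfw or
# serveradmin, so it runs anywhere; apply the output only on the server.
# Names and addresses are the guide's placeholders (cracker.evil.org,
# 123.45.67.10, my.host.org); rule number 12100 is an assumption.

# network24 ADDR -> ADDR's enclosing /24 in CIDR form (step 2 of the text).
# Returns 1 when ADDR does not have four dotted fields.
network24() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.0/24\n' "$1" "$2" "$3"
}

# ipfw_deny_net RULE NET HOST -> the ipfw command line for the deny rule,
# i.e. the "ipfw add deny ip from NET to HOST" form with a rule number added.
ipfw_deny_net() {
    printf 'ipfw add %s deny ip from %s to %s\n' "$1" "$2" "$3"
}

# serveradmin_deny_net RULE NET HOST -> the settings lines the text shows typed
# interactively. Piped on stdin, end of file replaces the Control-D.
# The protocol value "ip" and the yes/no choices are assumptions.
serveradmin_deny_net() {
    rule=$1 src=$2 dst=$3
    p="ipfilter:rules:_array_id:$rule"
    printf '%s = create\n' "$p"
    printf '%s:source = %s\n' "$p" "$src"
    printf '%s:protocol = ip\n' "$p"
    printf '%s:destination = %s\n' "$p" "$dst"
    printf '%s:action = deny\n' "$p"
    printf '%s:enableLocked = no\n' "$p"
    printf '%s:enabled = yes\n' "$p"
    printf '%s:log = yes\n' "$p"
    printf '%s:readOnly = no\n' "$p"
}

# Usage with the guide's constructed address (the one ping reported above):
net=$(network24 123.45.67.10)
echo "# $(ipfw_deny_net 12100 "$net" my.host.org)"
serveradmin_deny_net 12100 "$net" my.host.org
# On the server the batch is applied by piping it into serveradmin:
#   serveradmin_deny_net 12100 "$net" my.host.org | sudo serveradmin settings
```

The /24 is only the scope the guide's example uses; a single address from ping says nothing about how large the offending network really is, so confirm the allocation (for instance with whois on the address) before applying the rule, or the block will also cover unrelated hosts sharing that prefix.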