You decide to try a manual modification of the server firewall, and only after finding that it has stopped working altogether do you realise that you should have taken a backup copy of the original config... DOH!
To reset the 10.4 Server firewall to default settings, drag the linked Config.plist below onto the Server Admin Firewall -> Settings pane and click 'Save'. This overwrites the current config with the Apple default one. Of course, you should probably not install something you cannot verify (who knows what I have written into it ;-), so the full text equivalent is also shown below.
Download: Firewall Config.plist
To completely flush the firewall rules before doing the above, run the following in Terminal as root: sudo ipfw -f flush (without -f, ipfw asks for confirmation first). Be aware of what a flush leaves behind: only the built-in rule 65535 survives, and on Mac OS X that rule is 'allow ip from any to any' (see the listing further down), so the machine is completely unfiltered until Server Admin re-exports and reloads the rules when you save. The same fact is why an SSH session you are doing this over survives the flush.
If you prefer to completely replace the default configuration files (perhaps you have manually edited one), delete the contents of /etc/ipfilter/ and replace them with the following 4 default files. Only these four need restoring: as Apple's own comments (quoted below) explain, servermgrd recreates ipfw.conf from ipfw.conf.default when it is absent and rewrites ipfw.conf.apple on every save.
Download: ip_address_groups.plist
Download: ip_address_groups.plist.default
Download: ipfw.conf.default
Download: standard_services.plist.default
Ownership/permissions should be...
-rw-r--r-- 1 root wheel 35918 Mar 25 2005 ip_address_groups.plist
-r--r--r-- 1 root wheel 35918 Mar 25 2005 ip_address_groups.plist.default
-r--r--r-- 1 root wheel 1874 Mar 25 2005 ipfw.conf.default
-r--r--r-- 1 root wheel 632 Mar 25 2005 standard_services.plist.default
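The backup that the opening paragraph wishes it had taken, as an added example that is not part of the original post: a small POSIX sh script that copies /etc/ipfilter (and the live rule set, when ipfw is available) aside before any hand-editing, and that checks or restores the ownership and modes listed above for the four default files. IPFILTER_DIR, the function names and the backup location are this example's own choices; the expected modes are taken from the listing above. It uses ls rather than stat(1) for the mode because the stat flags differ between Mac OS X and Linux.

```shell
#!/bin/sh
# Added example, not from the original post: back up /etc/ipfilter before
# touching it, and check or restore the ownership/modes listed for the four
# default files. IPFILTER_DIR, the function names and the backup location are
# assumptions of this example; the expected modes come from the listing.
# Run as root on the server; point IPFILTER_DIR at a scratch directory to try
# it without root.
IPFILTER_DIR="${IPFILTER_DIR:-/etc/ipfilter}"
DEFAULT_FILES="ip_address_groups.plist ip_address_groups.plist.default ipfw.conf.default standard_services.plist.default"

# Mode column (as ls -l prints it) that each default file should carry.
expected_mode() {
    case "$1" in
        ip_address_groups.plist) printf '%s\n' '-rw-r--r--' ;;
        *.default)               printf '%s\n' '-r--r--r--' ;;
        *)                       return 1 ;;
    esac
}

# First ten characters of "ls -ld": portable, unlike stat(1), whose flags
# differ between Mac OS X and Linux.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Copy the config directory into $2, preserving modes and timestamps, and save
# the currently loaded rule set next to it when ipfw is present, so the
# "before" state can be diffed against "ipfw list" after the reset.
backup_ipfilter() {
    src="$1"; dest="$2"
    mkdir -p "$dest" && cp -Rp "$src"/. "$dest"/ || return 1
    if command -v ipfw >/dev/null 2>&1; then
        ipfw list > "$dest/ipfw.list.txt" || echo "WARN could not read live rules (need root)"
    fi
    return 0
}

# Print one line per default file that is missing or has the wrong mode.
# The return value is the number of problems found (0 = all four match).
check_ipfilter_modes() {
    dir="$1"; bad=0
    for f in $DEFAULT_FILES; do
        want=$(expected_mode "$f")
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $dir/$f"; bad=$((bad + 1)); continue
        fi
        have=$(mode_of "$dir/$f")
        if [ "$have" != "$want" ]; then
            echo "MODE    $dir/$f is $have, want $want"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Apply the listed modes, and root:wheel ownership when running as root.
fix_ipfilter_perms() {
    dir="$1"
    for f in $DEFAULT_FILES; do
        [ -f "$dir/$f" ] || continue
        case "$f" in
            *.default) chmod 444 "$dir/$f" ;;
            *)         chmod 644 "$dir/$f" ;;
        esac
        if [ "$(id -u)" -eq 0 ]; then
            chown root:wheel "$dir/$f" || echo "WARN could not chown $dir/$f"
        fi
    done
    return 0
}

# Typical sequence on the server, before dragging the plist in or editing by hand:
#   backup_ipfilter "$IPFILTER_DIR" "/var/root/ipfilter-$(date +%Y%m%d-%H%M)"
#   check_ipfilter_modes "$IPFILTER_DIR" || fix_ipfilter_perms "$IPFILTER_DIR"
```

The backup directory also receives ipfw.list.txt, the rules that were actually loaded at the time; after the reset, `ipfw list | diff - /var/root/ipfilter-.../ipfw.list.txt` shows exactly which rules the reset removed or added.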
Listing Your Firewall Rules
Terminal command (as root, e.g. sudo ipfw list): ipfw list
...will list the effective rules. The default ones (using default plist above) are...
01000 allow ip from any to any via lo0
01010 deny ip from any to 127.0.0.0/8
01020 deny ip from 224.0.0.0/4 to any in
01030 deny tcp from any to 224.0.0.0/4 in
12300 allow tcp from any to any established
12301 allow tcp from any to any out
12302 allow tcp from any to any dst-port 22
12302 allow udp from any to any dst-port 22
12303 allow udp from any to any out keep-state
12304 allow udp from any to any in frag
12305 allow tcp from any to any dst-port 311
12306 allow tcp from any to any dst-port 625
12307 allow udp from any to any dst-port 626
12308 allow icmp from any to any icmptypes 8
12309 allow icmp from any to any icmptypes 0
12310 allow igmp from any to any
65534 deny ip from any to any
65535 allow ip from any to any
The number of a rule (the first number on each line) indicates where the rule originated from. The following explanation is from Apple's ipfw.conf.default...
# ipfw.conf.default - Installed by Apple, never modified by Server Admin app
#
# ipfw.conf - The servermgrd process (the back end of Server Admin app)
# creates this from ipfw.conf.default if it's absent, but does not modify it.
#
# Administrators can place custom ipfw rules in ipfw.conf.
#
# Whenever a change is made to the ipfw rules by the Server Admin application and saved:
# 1. All ipfw rules are flushed
# 2. The rules defined by the Server Admin app (stored as plists) are exported to
# /etc/ipfilter/ipfw.conf.apple and loaded into the firewall via ipfw.
# 3. The rules in /etc/ipfilter/ipfw.conf are loaded into the firewall via ipfw.
# Note that the rules loaded into the firewall are not applied unless the firewall is enabled.
#
# The rules resulting from the Server Admin app's IPFirewall and NAT panels are numbered:
# 10 - from the NAT Service - this is the NAT divert rule, present only
# when the NAT service is started via the Server Admin app.
# 1000 - from the "Advanced" panel - the modifiable rules, ordered by their
# relative position in the drag-sortable rule list
# 12300 - from the "General" panel - "allow" rules that punch specific holes
# in the firewall for specific services
# 63200 - from the "Advanced" panel - the non-modifiable rules at the bottom
# of the panel's rule list
#
# Refer to the man page for ipfw(8) for more information.
#
# The following rules are already added by default:
#
#add 01000 allow all from any to any via lo0
#add 01010 deny all from any to 127.0.0.0/8
#add 01020 deny ip from 224.0.0.0/4 to any in
#add 01030 deny tcp from any to 224.0.0.0/4 in
#add 12300 ("allow" rules from the "General" panel)
#...
#add 65534 deny ip from any to any
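Putting Apple's numbering scheme and the default listing above to work, as an added example that is not part of the original post or of Apple's file: a POSIX sh script that names the Server Admin panel that numbered each rule in `ipfw list` output, and reports any rule that is not in the 10.4 default set. The function names are this example's own; where one numbered block ends and the next begins is my reading of Apple's comment (Apple only gives the starting numbers); and the two extra rules in the constructed sample are made up for the demonstration. Note the caveat built into the second check: a rule placed in ipfw.conf by hand can carry any number, so a number in a Server Admin range is only a hint, and /etc/ipfilter/ipfw.conf.apple is the authoritative record of what Server Admin actually exported.

```shell
#!/bin/sh
# Added example, not from the original post or Apple's file. rule_origin maps a
# rule number to the Server Admin block described in ipfw.conf.default; the
# boundaries between blocks are this example's reading of that comment.
rule_origin() {
    n=$(printf '%s\n' "$1" | sed 's/^0*\([0-9]\)/\1/')   # drop leading zeros (01000 -> 1000)
    if   [ "$n" -eq 10 ];    then echo nat-divert           # NAT service divert rule
    elif [ "$n" -lt 1000 ];  then echo custom               # below every Server Admin block: hand-added
    elif [ "$n" -lt 12300 ]; then echo advanced-modifiable  # "Advanced" panel, drag-sortable rules (1000+)
    elif [ "$n" -lt 63200 ]; then echo general              # "General" panel, per-service allow holes (12300+)
    elif [ "$n" -lt 65534 ]; then echo advanced-fixed       # "Advanced" panel, non-modifiable tail (63200+)
    elif [ "$n" -eq 65534 ]; then echo default-deny         # Apple's catch-all deny
    else                          echo ipfw-default         # 65535, the kernel's own default rule
    fi
}

# The 10.4 default rule set exactly as the post's "ipfw list" output shows it.
DEFAULT_RULES='01000 allow ip from any to any via lo0
01010 deny ip from any to 127.0.0.0/8
01020 deny ip from 224.0.0.0/4 to any in
01030 deny tcp from any to 224.0.0.0/4 in
12300 allow tcp from any to any established
12301 allow tcp from any to any out
12302 allow tcp from any to any dst-port 22
12302 allow udp from any to any dst-port 22
12303 allow udp from any to any out keep-state
12304 allow udp from any to any in frag
12305 allow tcp from any to any dst-port 311
12306 allow tcp from any to any dst-port 625
12307 allow udp from any to any dst-port 626
12308 allow icmp from any to any icmptypes 8
12309 allow icmp from any to any icmptypes 0
12310 allow igmp from any to any
65534 deny ip from any to any
65535 allow ip from any to any'

# Read "ipfw list" output on stdin and print "<origin> <rule>" for each line.
classify_rules() {
    while read -r num rest; do
        [ -n "$num" ] || continue
        printf '%-20s %s %s\n' "$(rule_origin "$num")" "$num" "$rest"
    done
}

# Read "ipfw list" output on stdin and print every rule that is not in the
# default set. The comparison is textual, so normalise spacing first if your
# ipfw prints rules differently from the listing above.
extra_rules() {
    while read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$DEFAULT_RULES" | grep -Fxq -- "$line" || printf '%s\n' "$line"
    done
}

# Constructed sample (not real output): the defaults plus two hand-added rules,
# one numbered below the Server Admin blocks, and one that borrowed the General
# panel's range, which only the comparison against the default set catches.
# Zero-padded numbers make a plain sort give ipfw's own ordering.
SAMPLE_LIST=$(printf '%s\n' \
    "00500 allow tcp from 10.0.0.0/8 to any dst-port 548" \
    "$DEFAULT_RULES" \
    "12350 allow tcp from any to any dst-port 3306" | sort)

# On the server (as root):  ipfw list | classify_rules ;  ipfw list | extra_rules
```

Running `extra_rules` against the sample prints both made-up rules, while `classify_rules` files the second one under "general" because 12350 sits in the General panel's range: the number tells you where Server Admin would have put a rule, not whether Server Admin put it there.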



Humm... interesting,
This is a pretty helpful firewall configuration,
Keep up the good work,
Thanks
Posted by: software development | 04 January 2010 at 01:47 PM