This command uses various options to manipulate the firewall application's packet filtering rules. You can change the action or service or both by writing new rules, deleting old rules, and moving rules to the position that you want. Use fw.rule to:
Add a rule with a new action (ALLOW or DENY), a different service, or both. ALLOW means a packet that meets the qualifications in the rule is permitted through. DENY means the packet is rejected. You also add new port numbers with this command.
Delete a rule from the list of rules.
List the ordered rules governing the firewall application or to list the interface that the firewall application is using.
Move a rule from one position to another in the ordered list of rules, thus changing the order in which it will take effect.
The basic firewall application is shipped with a number of predefined network services, such as ftp, telnet, dns, and rsh, as well as predefined service groups.
Besides the basic services, every TCP/IP implementation provides services such as echo, discard, daytime, chargen, and time. Each service uses a state engine, a sort of protocol checker. For example, the FTP state engine checks port numbers when the ftp service is being used.
In addition to the basic services, the basic firewall application is shipped with predefined service groups. One such group, for example, is common services, which consists of tcp traffic on port 0 to 3850 or port 3855 to 65535, udp traffic on all ports, syslog, dns, rpc, nfs, icmp, route, ftp, rsh, real audio, pmap udp all, nis, archie, traceroute, and ping.
Type the following to list the services:
# fw.rule list service
You use this command with the option list service to list the available services and with the option list interface to list the interface that the firewall application is using.
This rule allows you to add a new port from a remote host to a local host. If a service is not specified, tcp is the service used. If the new port is not in the services file, it is added.
For example, if you use this rule to add port 3000 from a-remote-host to ALL, a new tcp service on port 30000 is added to the service table and the i-Planet gateway would accept communication on port 30000 from a named remote host.
The configurations for the basic firewall application are based on sets of ordered rules. The default rules that are installed with the basic firewall establish a security policy that works well with i-Planet. These rules specify the action to be taken for services between two addresses that are on different interfaces of the firewall.
As root, type the following to list the rules:
# fw.rule list rule
The rules (in this case, the default rules) are listed in the order in which they examine incoming packets.
1 ALLOW "ssl" from "le0" to "localhost"
2 ALLOW "common services" from "localhost" to "*"
3 ALLOW "rip" from "*" to "*"
This rule allows you to add a service from a named remote host to a local host. Use the list option to see the new list of rules.
Rule number 4 is deleted. Use the list option to see the new list of rules.
Rules 5 and 4 are reordered. Use the list option to see the new ordering.
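The ordered, first-match behaviour described above (add, delete, move and list) can be modelled to see why moving a rule changes its effect. The following is an added example, not code from the fw.rule command or the i-Planet product; the rule syntax, the default-DENY result when no rule matches, and the telnet rules used in the demonstration are assumptions, and service groups such as "common services" are matched by name only, not expanded.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    action: str   # "ALLOW" or "DENY"
    service: str  # service or group name; "*" matches any
    src: str      # interface or host name; "*" matches any
    dst: str


class RuleSet:
    """Ordered rule list; the first rule that matches a packet decides it."""

    def __init__(self, rules=None):
        self.rules = list(rules or [])

    def add(self, rule, position=None):
        # Append by default, or insert at a 1-based position.
        if position is None:
            self.rules.append(rule)
        else:
            self.rules.insert(position - 1, rule)

    def delete(self, number):
        del self.rules[number - 1]

    def move(self, number, new_number):
        # Take the rule out of its slot and re-insert it at the new slot.
        self.rules.insert(new_number - 1, self.rules.pop(number - 1))

    def list_rules(self):
        return [f'{i} {r.action} "{r.service}" from "{r.src}" to "{r.dst}"'
                for i, r in enumerate(self.rules, 1)]

    def decide(self, service, src, dst):
        for r in self.rules:
            pairs = ((r.service, service), (r.src, src), (r.dst, dst))
            if all(pattern in ("*", value) for pattern, value in pairs):
                return r.action
        return "DENY"  # assumption: no matching rule means the packet is rejected


# The default rules listed on this page.
DEFAULT_RULES = [
    Rule("ALLOW", "ssl", "le0", "localhost"),
    Rule("ALLOW", "common services", "localhost", "*"),
    Rule("ALLOW", "rip", "*", "*"),
]


def demo():
    """Constructed scenario: a broad DENY added before a specific ALLOW, then reordered."""
    fw = RuleSet(DEFAULT_RULES)
    fw.add(Rule("DENY", "telnet", "*", "localhost"))     # becomes rule 4
    fw.add(Rule("ALLOW", "telnet", "le0", "localhost"))  # becomes rule 5
    before = fw.decide("telnet", "le0", "localhost")     # rule 4 matches first
    fw.move(5, 4)                                         # rules 5 and 4 reordered
    after = fw.decide("telnet", "le0", "localhost")      # the specific ALLOW now wins
    return before, after
```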