The ipfwadm command will attempt to translate the port number into a service name using /etc/services if an entry exists there. The default output lacks some important detail for us: in the default listing output, we can't see the effect of the -y argument. The ipfwadm command can produce a more detailed listing if you also specify the -e (extended output) argument. We won't show the whole output here because it is too wide for the page, but it includes an opt (options) column that shows the -y option controlling SYN packets:

    # ipfwadm -F -l -e
    P firewall forward rules, default policy: accept
     pkts bytes type  prot opt tosa tosx ifname ifaddress source        ...
        0     0 deny  tcp  -y- 0xFF 0x00 any    any       anywhere      ...
        0     0 acc   tcp  b-- 0xFF 0x00 any    any       172.16.1.0/24 ...

A More Complex Example

The previous example was a simple one. Not all network services are as simple as the WWW service to configure; in practice, a typical firewall configuration would be much more complex. Let's look at another common example, this time FTP. We want our internal network users to be able to log into FTP servers on the Internet to read and write files. But we don't want people on the Internet to be able to log into our FTP servers. We know that FTP uses two TCP ports: port 20 (ftp-data) and port 21 (ftp), so:

    # ipfwadm -a deny -P tcp -S 0/0 20 -D 172.16.1.0/24 -y
    # ipfwadm -a accept -P tcp -S 172.16.1.0/24 -D 0/0 20 -b
    #
    # ipfwadm -a deny -P tcp -S 0/0 21 -D 172.16.1.0/24 -y
    # ipfwadm -a accept -P tcp -S 172.16.1.0/24 -D 0/0 21 -b

Right? Well, not necessarily. FTP servers can operate in two different modes: passive mode and active mode.[61] In passive mode, the FTP server listens for a connection from the client. In active mode, the server actually makes the connection to the client. Active mode is usually the default. The differences are illustrated in Figure 9.3.
[Figure 9.3: FTP server modes]

Many FTP servers make their data connection from port 20 when operating in active mode, which simplifies things for us a little, but unfortunately not all do.[62]

[61] FTP active mode is somewhat nonintuitively enabled using the PORT command. FTP passive mode is enabled using the PASV command.

[62] The ProFTPd daemon is a good example of an FTP server that doesn't, at least in older versions.
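To make the active/passive problem concrete, here is a small Python model of how the forwarding chain evaluates the four rules above: first match wins, -y matches only TCP connection requests (SYN set, ACK clear), and -b makes a rule match with source and destination swapped as well. This is an added example, not code from the book or from ipfwadm itself; the hosts 172.16.1.10 and 203.0.113.5 and the port numbers are constructed test values, and the model ignores interfaces, TOS and the packet counters that the real listing shows.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True only for a connection-opening segment (SYN set, ACK clear)


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept" or "deny"
    proto: str                  # -P
    src_net: str                # -S network (0/0 written as 0.0.0.0/0)
    src_port: Optional[int]     # -S port, None = any
    dst_net: str                # -D network
    dst_port: Optional[int]     # -D port, None = any
    syn_only: bool = False      # -y: match only TCP connection requests
    bidir: bool = False         # -b: also match with source and destination swapped


def _ends_match(pkt: Packet, a_net: str, a_port: Optional[int],
                b_net: str, b_port: Optional[int]) -> bool:
    """True if pkt's source fits endpoint A and its destination fits endpoint B."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(a_net)
            and (a_port is None or pkt.sport == a_port)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(b_net)
            and (b_port is None or pkt.dport == b_port))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.syn_only and not pkt.syn:
        return False
    if _ends_match(pkt, rule.src_net, rule.src_port, rule.dst_net, rule.dst_port):
        return True
    # -b: the rule also applies to traffic flowing the other way
    return rule.bidir and _ends_match(pkt, rule.dst_net, rule.dst_port,
                                      rule.src_net, rule.src_port)


def verdict(rules: List[Rule], pkt: Packet, default: str = "accept") -> Tuple[str, Optional[int]]:
    """First matching rule wins; otherwise the chain's default policy applies."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return default, None


# The four FTP rules from the text, in the order they were added.
FTP_RULES = [
    Rule("deny",   "tcp", "0.0.0.0/0",     20,   "172.16.1.0/24", None, syn_only=True),
    Rule("accept", "tcp", "172.16.1.0/24", None, "0.0.0.0/0",     20,   bidir=True),
    Rule("deny",   "tcp", "0.0.0.0/0",     21,   "172.16.1.0/24", None, syn_only=True),
    Rule("accept", "tcp", "172.16.1.0/24", None, "0.0.0.0/0",     21,   bidir=True),
]

# Constructed traffic for an internal client (172.16.1.10) talking to an
# Internet FTP server (203.0.113.5).
CONTROL_SYN = Packet("tcp", "172.16.1.10", 1040, "203.0.113.5", 21, syn=True)
CONTROL_REPLY = Packet("tcp", "203.0.113.5", 21, "172.16.1.10", 1040)
# Active mode: the server opens the data connection from port 20 to the client.
ACTIVE_DATA_SYN = Packet("tcp", "203.0.113.5", 20, "172.16.1.10", 1041, syn=True)
# Passive mode: the client opens the data connection to a high server port.
PASSIVE_DATA_SYN = Packet("tcp", "172.16.1.10", 1042, "203.0.113.5", 49152, syn=True)


def trace(default: str = "accept") -> List[Tuple[str, str, Optional[int]]]:
    """Evaluate the sample packets and report (label, action, matching rule index)."""
    samples = [("control SYN", CONTROL_SYN), ("control reply", CONTROL_REPLY),
               ("active data SYN", ACTIVE_DATA_SYN), ("passive data SYN", PASSIVE_DATA_SYN)]
    return [(label, *verdict(FTP_RULES, pkt, default)) for label, pkt in samples]


if __name__ == "__main__":
    for policy in ("accept", "deny"):
        print(f"default policy: {policy}")
        for label, action, index in trace(policy):
            where = f"rule {index}" if index is not None else "default policy"
            print(f"  {label:18s} -> {action:6s} ({where})")
```

Running it shows the problem the text is pointing at: the control connection passes in both directions via the -b rule on port 21, but the active-mode data SYN arriving from port 20 is caught by the very first deny rule, so a default-mode transfer stalls. The passive-mode SYN matches no rule at all and is decided entirely by the chain's default policy, which is why the same four rules behave differently on a chain whose default is deny.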