The (Lion) Server Admin.app has a nice ability to apply firewall rules to IP address groups without having to edit ipfw config files.
But having to enter large and long lists of IP addresses using the Server Admin GUI is a tedious task.
Therefore I am wondering: how can a firewall IP address group be created from the command line?
I know there is a /usr/sbin/serveradmin
which has the ability to output settings, e.g. using $ sudo serveradmin settings ipfilter:ipAddressGroupsWithRules:_array_id:10-net:*
which outputs:
ipfilter:ipAddressGroupsWithRules:_array_id:10-net:rules = _empty_array
ipfilter:ipAddressGroupsWithRules:_array_id:10-net:readOnly = no
ipfilter:ipAddressGroupsWithRules:_array_id:10-net:allowAll = no
ipfilter:ipAddressGroupsWithRules:_array_id:10-net:addresses:_array_index:0 = "10.0.0.0/8"
ipfilter:ipAddressGroupsWithRules:_array_id:10-net:name = "10-net"
which one can dump to a file using $ sudo serveradmin settings ipfilter:ipAddressGroupsWithRules:_array_id:10-net:* > 10-net.txt
But then editing that file to rename it to a new group, like:
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:rules = _empty_array
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:readOnly = no
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:allowAll = no
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:addresses:_array_index:0 = "11.0.0.0/8"
ipfilter:ipAddressGroupsWithRules:_array_id:11-net:name = "11-net"
and loading that into serveradmin using $ sudo serveradmin settings < 10-net.txt
doesn't create a new "ipAddressGroupsWithRules" entry in ipfilter, as verified using $ sudo serveradmin settings ipfilter:ipAddressGroupsWithRules:_array_id:11-net:*
What am I doing wrong?
Best Answer
After 12 hours of searching and not finding any example for ipfilter:ipAddressGroupsWithRules, this https://help.apple.com/advancedserveradmin/mac/10.7/#apdA0111C46-F018-4C2C-B8D1-EDAEF73AC27E brought a helpful insight.
The only thing that needs to be changed to create a new group, rather than update an existing one, is a first line that creates the group. For example:
Now the output of
$ sudo serveradmin settings < 10-net.txt
is no longer:
but:
Which means that entering the new setting succeeded.
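The following is an added example script, not code from the question or the answer above. It generates the serveradmin settings block for a new ipfilter address group from a list of CIDRs, so that long address lists never have to be typed into the GUI or hand-edited in a dump file. The leading "... = create" line is assumed to be the generic serveradmin idiom for creating a new array element, as used elsewhere in the Server Admin help; confirm it against the help page linked in the answer for your release. The group name and addresses used at the bottom are constructed sample data. Because the block is fed to a privileged command via stdin, the script validates every address and the group name before anything is written, otherwise a stray newline or quote in an address list could smuggle additional settings into the stream.

```shell
#!/bin/sh
# Added example (not from the original page): create an ipfilter address group
# on Lion Server from the command line with serveradmin.
# Assumption: "key:_array_id:<name> = create" is the serveradmin idiom that
# creates a new array element; the remaining keys mirror the dump shown above.

valid_cidr() {
    # Reject anything but digits, dots and a slash before the structural check,
    # so embedded newlines or quotes can never reach the settings stream.
    case $1 in *[!0-9./]*|'') return 1;; esac
    # IPv4 dotted quad with octets 0-255 and a /0-32 prefix.
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/([0-9]|[12][0-9]|3[0-2])$'
}

ipgroup_settings() {
    # Usage: ipgroup_settings <group-name> <cidr>...
    # Prints the settings block on stdout; fails without output on bad input.
    name=$1; shift
    case $name in *[!A-Za-z0-9._-]*|'') echo "rejecting group name: $name" >&2; return 1;; esac
    [ $# -gt 0 ] || { echo "no addresses given" >&2; return 1; }
    # Validate everything first so a bad entry aborts before a single line is emitted.
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "rejecting address: $cidr" >&2; return 1; }
    done
    key="ipfilter:ipAddressGroupsWithRules:_array_id:$name"
    printf '%s = create\n' "$key"          # assumed: creates the new group
    printf '%s:name = "%s"\n' "$key" "$name"
    printf '%s:readOnly = no\n' "$key"
    printf '%s:allowAll = no\n' "$key"
    printf '%s:rules = _empty_array\n' "$key"
    i=0
    for cidr in "$@"; do
        printf '%s:addresses:_array_index:%d = "%s"\n' "$key" "$i" "$cidr"
        i=$((i + 1))
    done
}

create_ipgroup() {
    # Usage: create_ipgroup <group-name> <cidr>...
    # Builds the block into a temp file and only then hands it to serveradmin,
    # so a rejected address never results in a half-created group.
    tmp=$(mktemp) || return 1
    if ! ipgroup_settings "$@" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    sudo serveradmin settings < "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Dry run with constructed sample data: print the block that would be applied.
ipgroup_settings 11-net 11.0.0.0/8 192.0.2.0/24
# On the server, apply it and then verify the group exists:
#   create_ipgroup 11-net 11.0.0.0/8 192.0.2.0/24
#   sudo serveradmin settings ipfilter:ipAddressGroupsWithRules:_array_id:11-net:*
```

For a long list, keep the CIDRs one per line in a file and call it as `create_ipgroup 11-net $(cat 11-net.cidrs)`; the validation step means a typo in that file stops the run before serveradmin sees anything.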