Starting the firewall involves activating IP packet filtering. This is done with the CFGFILT utility.
To start the firewall, use the command:
cfgfilt -u -i
(This command is explained in more detail below.)
To have the firewall start automatically at boot, edit the file
x:\TCPIP\BIN\TCPEXIT.CMD
where x is the drive letter of the volume on which TCP/IP is installed,
and add the line
CALL CFGFILT.EXE -u -i
This file will be called automatically by the TCP/IP startup routines when the system boots.
Note: If you wish to enable firewall logging, you should add the '-d' parameter to the CFGFILT command line. See the section 'Enabling logging' for more information.
This is a TCP/IP protocol setting which enables or disables the firewall. It must be enabled before the firewall will function. The '-u' parameter to CFGFILT will automatically enable this flag if it is not already enabled.
Filter rules specify the criteria by which TCP/IP traffic is permitted or denied by the firewall. If no rules are defined, then the firewall's default behaviour is to deny all TCP/IP traffic, both inbound and outbound. The '-u' parameter to CFGFILT loads filter rules from the rule configuration file into the filter driver.
Once the firewall is enabled and filter rules have been loaded, the IP filtering task must be activated. The '-i' parameter to CFGFILT does this.
Each of these actions is explained more fully in a later part of this book.
If you issue the command
cfgfilt |more
you should see, near the top of the output, the heading 'Status of filter support code'. This should display the status 'active'. If it shows 'inactive', then IP filtering is not active (meaning that the firewall is not currently functioning).
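The status check described above can be scripted so that it runs unattended, for example after boot. The following REXX script is an added example, not part of the product or of the original text; the file name CHKFW.CMD is hypothetical, and the layout of the CFGFILT output beyond the heading and the words 'active' and 'inactive' is an assumption.

```rexx
/* CHKFW.CMD (hypothetical name) - added example, not part of the product. */
/* Reports whether IP filtering is active by reading CFGFILT's output.     */
/* Assumption: the status word follows the heading on the same line or on  */
/* the next non-blank line; the exact layout is not given in the text.     */
heading = 'STATUS OF FILTER SUPPORT CODE'
status  = 'UNKNOWN'
armed   = 0                        /* 1 once the heading has been seen */

/* Run CFGFILT and feed its output into the REXX session queue. */
'@cfgfilt 2>&1 | rxqueue'

do while queued() > 0
   parse pull line
   if status \= 'UNKNOWN' then iterate       /* just drain the queue */
   text = translate(line)                     /* upper-case copy */
   p = pos(heading, text)
   if p > 0 then do
      armed = 1
      text = substr(text, p + length(heading))
   end
   if \armed then iterate
   /* Turn punctuation into blanks so that whole words are compared.   */
   /* A plain substring search would find 'active' inside 'inactive'.  */
   text = translate(text, '', ':.,;=()[]-*"' || "'")
   if words(text) = 0 then iterate            /* status is on a later line */
   select
      when wordpos('INACTIVE', text) > 0 then status = 'INACTIVE'
      when wordpos('ACTIVE', text) > 0   then status = 'ACTIVE'
      otherwise status = 'UNRECOGNISED'
   end
end

if status = 'ACTIVE' then do
   say 'IP filtering is active.'
   exit 0
end
/* Anything else is treated as "not protected". */
say 'WARNING: IP filtering is NOT confirmed active (status:' status').'
exit 1
```

The script returns 0 only when the status is read as 'active'; a missing heading, an unreadable status or a failure to run CFGFILT all produce the warning and return code 1.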