Creating an IPF Firewall with Solaris 10

This entry was posted in Solaris Administration on June 17, 2012.

Outline
=======

1.  Background
2.  Configuring IPF
3.  Enabling IPF
4.  Common IPF commands


Background
==========

With the release of Solaris 10, IP Filter (ipf) ships with the operating
system and is the supported packet filter.  Before Solaris 10, SunScreen
(SunScreen EFS or SunScreen Lite) was Sun's firewall.  IP Filter is a
mature packet filter that has traditionally been found in BSD-derived
operating systems.


Configuring IPF
===============

First, you will need an ipf ruleset.  The Solaris default location for
this file is /etc/ipf/ipf.conf.  Below is the ruleset I used for a
Solaris 10 x86 workstation.  Note that the public NIC is called elxl0
(driver elxl, instance 0); substitute the name of your own interface as
shown by ifconfig -a, since a rule written "on" an interface that does
not exist never matches anything.  Copy this ruleset to
/etc/ipf/ipf.conf and edit it to your needs.


--->8---
# 11/18/04 - Newest Firewall for testing.
# Rich Shattuck
# My IP: 172.16.1.100
#
# Block any packets which are too short to be real
block in log quick all with short
#
# drop and log any IP packets with options set in them.
block in log all with ipopts
#
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Public Network.   Block everything not explicitly allowed.
block in  on elxl0 all
block out on elxl0 all
#
# Allow pings out.
pass out quick on elxl0 proto icmp all keep state
#
# for testing, allow pings from ben and jerry
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
#
# Allow outbound state related packets.
pass out quick on elxl0 proto tcp/udp from any to any keep state
#
# allow ssh from 172.16.0.0/16 only.
# pass in log quick on elxl0 from 172.16.0.0/16 to 172.16.1.100/32 port = 22
# Actually, allow ssh only from ben, jerry, MSU 
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
--->8---

Two properties of IPF decide what this file actually does.  IPF is
last-match-wins: each rule that matches a packet overrides the verdict
of the rules before it, and evaluation only stops early at a rule marked
quick.  That is why the catch-all "block in on elxl0 all" and "block out
on elxl0 all" rules sit above the "pass ... quick" rules that punch holes
in them.  The same property cuts the other way: "block in log all with
ipopts" is not marked quick, so an SSH packet from 172.16.1.11 that
carries IP options matches it and is then matched, and passed, by the
later "pass in log quick ... port = 22" rule.  If the intent is to drop
every packet with IP options, give that rule quick, as the short-packet
rule already has.  Note also that the two catch-all block rules carry no
log keyword, so packets they drop never show up in ipmon's output; add
log to them while testing the ruleset, or turn on logging of all blocked
packets with ipf -l block.
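To see which rule actually decides a given packet, here is a small Python evaluator. It is an added example, not part of the original post and not IP Filter's own code: it applies ipf's last-match and quick semantics to the ruleset above (copied without its comments) and to a handful of constructed packets, including an SSH packet with IP options against both the original file and a variant in which the ipopts rule is marked quick. It ignores keep state and understands only the syntax used on this page; port clauses are read as destination ports, which is how the file uses them.

```python
"""Offline model of how ipf evaluates the ruleset above (added example, not
IP Filter's code): last-match-wins, 'quick' ends evaluation, default verdict
is pass.  RULESET is the post's file without comments; packets are
constructed inputs."""
import ipaddress

RULESET = """
block in log quick all with short
block in log all with ipopts
pass in quick on lo0 all
pass out quick on lo0 all
block in  on elxl0 all
block out on elxl0 all
pass out quick on elxl0 proto icmp all keep state
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
pass out quick on elxl0 proto tcp/udp from any to any keep state
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
"""

# Same rules, with 'quick' added to the ipopts rule so nothing can override it.
HARDENED = RULESET.replace("block in log all with ipopts",
                           "block in log quick all with ipopts")


def parse_rule(line):
    """Turn one rule line into a dict of match criteria (None = wildcard)."""
    toks = line.split()
    rule = {"action": toks[0], "dir": toks[1], "quick": "quick" in toks,
            "iface": None, "proto": None, "src": None, "dst": None,
            "dport": None, "with": None}
    for i, t in enumerate(toks):
        if t == "on":
            rule["iface"] = toks[i + 1]
        elif t == "proto":                      # 'tcp/udp' means either one
            rule["proto"] = set(toks[i + 1].split("/"))
        elif t in ("from", "to") and toks[i + 1] != "any":
            rule["src" if t == "from" else "dst"] = ipaddress.ip_network(toks[i + 1])
        elif t == "port" and toks[i + 1] == "=":
            rule["dport"] = int(toks[i + 2])
        elif t == "with":                       # 'short' or 'ipopts'
            rule["with"] = toks[i + 1]
    return rule


def matches(rule, pkt):
    """True if every non-wildcard criterion of the rule fits the packet."""
    if rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and pkt["proto"] not in rule["proto"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["with"] and rule["with"] not in pkt.get("flags", ()):
        return False
    return True


def evaluate(ruleset_text, pkt):
    """Return (verdict, winning rule number); rules are numbered from 1 in
    file order, and the verdict starts as 'pass' (ipf's no-match default)."""
    rules = [parse_rule(l) for l in ruleset_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    verdict, winner = "pass", 0
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            verdict, winner = rule["action"], n
            if rule["quick"]:
                break
    return verdict, winner


def demo():
    """Constructed packets; returns {name: (verdict, rule number)}."""
    me = "172.16.1.100"
    ben_ssh = dict(dir="in", iface="elxl0", proto="tcp",
                   src="172.16.1.11", dst=me, dport=22)
    cases = {
        # catch-all block (rule 5) matches first, but rule 11 is quick
        "ssh_from_ben": (RULESET, ben_ssh),
        # only the catch-all block matches; nothing later fits
        "ssh_from_stranger": (RULESET, dict(ben_ssh, src="10.9.8.7")),
        # IP options: rule 2 matches but is not quick, so rule 11 still wins
        "ssh_from_ben_ipopts": (RULESET, dict(ben_ssh, flags={"ipopts"})),
        # same packet against the hardened file: rule 2 is now quick
        "ssh_from_ben_ipopts_hardened": (HARDENED, dict(ben_ssh, flags={"ipopts"})),
        # too-short packet: rule 1 is quick, nothing else is consulted
        "short_from_ben": (RULESET, dict(ben_ssh, flags={"short"})),
        # outbound ping: rule 6 blocks, then rule 7 (quick) passes it
        "ping_out": (RULESET, dict(dir="out", iface="elxl0", proto="icmp",
                                   src=me, dst="192.0.2.1")),
    }
    return {name: evaluate(text, pkt) for name, (text, pkt) in cases.items()}


if __name__ == "__main__":
    for name, (verdict, n) in demo().items():
        print("%-30s %-5s by rule %d" % (name, verdict, n))
```

Running it prints one line per packet; the interesting pair is ssh_from_ben_ipopts, which the original file passes by rule 11, against ssh_from_ben_ipopts_hardened, which the quick ipopts rule (rule 2) blocks before any pass rule is consulted.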


Enabling IPF
============

Now that you have an ipf ruleset in place, you need to tell the Solaris
packet filter which interfaces to filter.  In the initial Solaris 10
releases, ipf hooks into the network stack through the pfil STREAMS
module, which is autopushed onto a network driver when that driver's
line is uncommented in /etc/ipf/pfil.ap.  The name to uncomment is the
driver name, i.e. the interface name without its instance number (elxl
for elxl0, e1000g for e1000g0); if your driver is not listed, add a line
for it in the same format.  Starting with Solaris 10 8/07, ipf uses
packet filtering hooks instead and pfil.ap is no longer consulted; on
those releases the ruleset alone determines what is filtered.

My pfil.ap file looks like this:

--->8---
# IP Filter pfil autopush setup
#
# See the autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major  minor lastminor modules

#iprb   -1      0       pfil
elxl    -1      0       pfil
#e1000g -1      0       pfil
#bge    -1      0       pfil
#nf     -1      0       pfil
#fa     -1      0       pfil
#ci     -1      0       pfil
#el     -1      0       pfil
#ipdptp -1      0       pfil
#lane   -1      0       pfil
#dnet   -1      0       pfil
#pcelx  -1      0       pfil
#spwr   -1      0       pfil
--->8--- 


That's it!  The pfil module is pushed onto a driver when an interface is
plumbed, so the firewall is enforced on elxl0 after the next reboot (or
after the interface is unplumbed and plumbed again).  Two checks before
that reboot: parse the ruleset without loading it with
ipf -n -f /etc/ipf/ipf.conf, and make sure the SMF service
svc:/network/ipfilter:default is enabled (svcadm enable network/ipfilter),
since that service is what loads the rules and starts ipmon at boot.
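The silent failure in this procedure is a mismatch between the interface names in ipf.conf and the driver lines in pfil.ap: rules for an interface whose driver is still commented out, or whose name is misspelt, never see a packet. The following check is an added example, not part of the original post or of IP Filter; it reads the two files as text (the contents below are constructed copies, including the "elx10" misspelling of elxl0), maps each "on <interface>" clause to its driver, and reports which interfaces are actually hooked. On a real host you would read /etc/ipf/ipf.conf and /etc/ipf/pfil.ap instead of the embedded strings.

```python
"""Cross-check the interfaces named in ipf.conf against pfil.ap (added
example, not from the original post or from IP Filter).  File contents are
constructed; on a real host read /etc/ipf/ipf.conf and /etc/ipf/pfil.ap."""
import re

PFIL_AP = """\
#major  minor lastminor modules
#iprb   -1      0       pfil
elxl    -1      0       pfil
#e1000g -1      0       pfil
#bge    -1      0       pfil
"""

# 'elx10' (digit one) is the misspelling of elxl0 from the post's own prose.
IPF_CONF = """\
pass in quick on lo0 all
block in on elxl0 all
pass in log quick on elx10 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
"""

# One pfil.ap entry: optional '#', driver name, then '-1 0 pfil'.
PFIL_LINE = re.compile(r"^(?P<comment>#?)(?P<driver>[a-z][a-z0-9]*)\s+-1\s+0\s+pfil\s*$")


def driver_of(ifname):
    """Map an interface to its driver: elxl0 -> elxl, e1000g1 -> e1000g."""
    return re.sub(r"\d+$", "", ifname)


def pfil_drivers(text):
    """{driver: True if its pfil line is active, False if commented out}."""
    found = {}
    for line in text.splitlines():
        m = PFIL_LINE.match(line)
        if m:
            found[m.group("driver")] = m.group("comment") == ""
    return found


def ruleset_interfaces(text):
    """Every interface named in an 'on <if>' clause (comments stripped)."""
    ifs = set()
    for line in text.splitlines():
        m = re.search(r"\bon\s+(\S+)", line.split("#", 1)[0])
        if m:
            ifs.add(m.group(1))
    return ifs


def check(ipf_conf_text, pfil_ap_text):
    """{interface: status}; anything but 'ok' means its rules are not enforced."""
    drivers = pfil_drivers(pfil_ap_text)
    report = {}
    for ifname in sorted(ruleset_interfaces(ipf_conf_text)):
        drv = driver_of(ifname)
        if drv == "lo":
            report[ifname] = "skipped (loopback is not an autopush driver)"
        elif drv not in drivers:
            report[ifname] = "ERROR: no pfil.ap line for driver %r (typo?)" % drv
        elif not drivers[drv]:
            report[ifname] = "ERROR: driver %r is still commented out" % drv
        else:
            report[ifname] = "ok"
    return report


def enable_driver(pfil_ap_text, ifname):
    """Return pfil.ap text with the driver line for ifname uncommented."""
    drv, out, hit = driver_of(ifname), [], False
    for line in pfil_ap_text.splitlines():
        m = PFIL_LINE.match(line)
        if m and m.group("driver") == drv:
            line, hit = line.lstrip("#"), True
        out.append(line)
    if not hit:
        raise ValueError("no pfil.ap line for driver %r; add one by hand" % drv)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for ifname, status in check(IPF_CONF, PFIL_AP).items():
        print("%-8s %s" % (ifname, status))
```

With the constructed inputs, elxl0 reports ok, lo0 is skipped, and elx10 is flagged because no driver called "elx" exists in pfil.ap; enable_driver() is the programmatic form of uncommenting a line and refuses to guess when the driver has no template entry.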

Note that the Solaris 10 ipfilter service also starts ipmon, the ipf
utility that reads logged packets from the kernel and writes them out.
By default it runs as a daemon (ipmon -Ds) and sends each record through
syslog with facility local0; where those records land depends on
/etc/syslog.conf, and on this system they appeared in /var/adm/messages.
If they do not show up there, add a local0 line to /etc/syslog.conf that
points at a log file.  Only rules that carry the log keyword produce
ipmon records.
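Once ipmon records are landing in syslog, the useful next step is to read them back. The script below is an added example, not part of the original post or of IP Filter: it parses ipmon's record format (time, interface, @group:rule, action letter, src[,port] -> dst[,port], PR proto, lengths, direction) out of syslog lines and runs two simple detections over them, a source that was blocked on several different ports, and accepted inbound SSH sessions from addresses outside the two admin workstations, which with the ruleset above means connections arriving through the broad 153.90.0.0/16 allowance. The sample lines are constructed and assume the catch-all "block in on elxl0 all" rule had log added to it (as written on this page it logs nothing); the rule numbers and syslog message ID in them are illustrative.

```python
"""Parse ipmon records from syslog and flag what deserves a look (added
example, not from the original post or from IP Filter).  SAMPLE_LOG is a
constructed excerpt in ipmon's record format."""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun 17 10:11:12 ws ipmon[211]: [ID 702911 local0.warning] 10:11:12.100001 elxl0 @0:4 b 10.9.8.7,53122 -> 172.16.1.100,22 PR tcp len 20 60 -S IN
Jun 17 10:11:12 ws ipmon[211]: [ID 702911 local0.warning] 10:11:12.200002 elxl0 @0:4 b 10.9.8.7,53123 -> 172.16.1.100,23 PR tcp len 20 60 -S IN
Jun 17 10:11:12 ws ipmon[211]: [ID 702911 local0.warning] 10:11:12.300003 elxl0 @0:4 b 10.9.8.7,53124 -> 172.16.1.100,80 PR tcp len 20 60 -S IN
Jun 17 10:11:13 ws ipmon[211]: [ID 702911 local0.warning] 10:11:13.400004 elxl0 @0:4 b 10.9.8.7,53125 -> 172.16.1.100,443 PR tcp len 20 60 -S IN
Jun 17 10:11:20 ws ipmon[211]: [ID 702911 local0.notice] 10:11:20.500005 elxl0 @0:7 p 172.16.1.11,40022 -> 172.16.1.100,22 PR tcp len 20 60 -S IN
Jun 17 10:11:25 ws ipmon[211]: [ID 702911 local0.notice] 10:11:25.600006 elxl0 @0:9 p 153.90.4.200,51000 -> 172.16.1.100,22 PR tcp len 20 60 -S IN
Jun 17 10:11:30 ws ipmon[211]: [ID 702911 local0.warning] 10:11:30.700007 elxl0 @0:1 S 10.9.8.7 -> 172.16.1.100 PR tcp len 20 20 IN
Jun 17 10:11:31 ws ipmon[211]: [ID 702911 local0.warning] 10:11:31.800008 elxl0 @0:4 b 192.0.2.44 -> 172.16.1.100 PR icmp len 20 84 icmp 8/0 IN
"""

# One ipmon record.  Action letters: p pass, b block, S short, n nomatch,
# L log-only.  search() skips the syslog prefix in front of the record.
LOG_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[pbSnL])\s+(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+"
    r".*?\s(?P<dir>IN|OUT)\s*$")


def parse_ipmon(lines):
    """Return one dict per recognised ipmon record; other lines are skipped."""
    recs = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("rule", "sport", "dport"):
            d[k] = int(d[k]) if d[k] is not None else None
        recs.append(d)
    return recs


def blocked_ports_by_source(recs):
    """{src: set of destination ports} for inbound packets ipf dropped
    ('b' block and 'S' short).  ICMP has no port and is recorded as None."""
    out = defaultdict(set)
    for r in recs:
        if r["dir"] == "IN" and r["action"] in ("b", "S"):
            out[r["src"]].add(r["dport"])
    return out


def scanners(recs, min_ports=3):
    """Sources dropped on at least min_ports distinct TCP/UDP ports."""
    hits = blocked_ports_by_source(recs)
    return sorted(src for src, ports in hits.items()
                  if len(ports - {None}) >= min_ports)


def ssh_accepts_outside(recs, trusted_nets):
    """Sources of accepted inbound SSH that are not inside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    srcs = set()
    for r in recs:
        if (r["dir"] == "IN" and r["action"] == "p" and r["proto"] == "tcp"
                and r["dport"] == 22
                and not any(ipaddress.ip_address(r["src"]) in n for n in nets)):
            srcs.add(r["src"])
    return sorted(srcs)


if __name__ == "__main__":
    recs = parse_ipmon(SAMPLE_LOG.splitlines())
    print("records parsed:", len(recs))
    print("probable scanners:", scanners(recs))
    print("ssh accepted from outside the admin hosts:",
          ssh_accepts_outside(recs, ["172.16.1.11/32", "172.16.1.12/32"]))
```

On a live system, feed it the output of grep ipmon /var/adm/messages (or whatever file your local0 syslog line points at). The short-packet record (action S) is counted as a drop but carries no port, so it does not inflate the scanner count; the ICMP drop is handled the same way.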


Some Commonly used ipf commands
===============================

ipf -E                          : Enable ipfilter when running
                                : for the first time.
                                : (Needed for ipf on Tru64)

ipf -f /etc/ipf/ipf.conf        : Load rules in /etc/ipf/ipf.conf file
                                : into the active firewall.

ipf -Fa -f /etc/ipf/ipf.conf    : Flush all rules, then load rules in
                                : /etc/ipf/ipf.conf into active firewall.

ipf -Fi                         : Flush all input rules.

ipf -I -f /etc/ipf/ipf.conf     : Load rules in /etc/ipf/ipf.conf file
                                : into inactive firewall.

ipf -V                          : Show version info and active list.

ipf -s                          : Swap active and inactive firewalls.

ipfstat                         : Show summary

ipfstat -i                      : Show input list

ipfstat -o                      : Show output list

ipfstat -hio                    : Show hits against all rules

ipfstat -t -T 5                 : Monitor the state table and refresh every
                                : 5 seconds. Output is similar to
                                : 'top' monitoring the process table.

ipmon -s S                      : Watch state table.

ipmon -sn                       : Write logged entries to syslog, and
                                : convert back to hostnames and servicenames.

ipmon -s [file]                 : Write logged entries to some file.

ipmon -Ds                       : Run ipmon as a daemon, and log to
                                : default location.
                                : (/var/adm/messages for Solaris)
                                : (/var/log/syslog for Tru64)

Copyright 2017 ©Aceadmins. All rights reserved.