Creating an IPF Firewall with Solaris 10

Outline
=======

1. Background
2. Configuring IPF
3. Enabling IPF
4. Common IPF commands

 

Background
==========

With the release of Solaris 10, IPFilter (ipf) is bundled with the OS and supported by Sun.  Before Solaris 10, SunScreen EFS or SunScreen Lite was the firewall Sun shipped.  IPFilter is a mature packet filter that has traditionally been found on the BSD operating systems.

Configuring IPF
===============

First, you will need an ipf ruleset.  The Solaris default location for this file is /etc/ipf/ipf.conf.  Below is the ruleset I used for a Solaris 10 x86 workstation.  Note that the public NIC is called elxl0.  Keep in mind how ipf evaluates a ruleset: the last rule that matches a packet decides its fate, unless a matching rule says "quick", in which case evaluation stops at that rule; a packet that no rule matches is passed.

Simply copy this ruleset to a file called /etc/ipf/ipf.conf, and edit it to your needs.

# My IP: 172.16.1.100
#
# Block and log any packets which are too short to be real.
block in log quick all with short
#
# Drop and log any IP packets with options set in them.
# "quick" is needed here: without it a later matching pass rule
# (for example the ICMP rules below) would override this block.
block in log quick all with ipopts
#
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Public network.  Block everything not explicitly allowed.
block in  on elxl0 all
block out on elxl0 all
#
# Allow pings out.
pass out quick on elxl0 proto icmp all keep state
#
# For testing, allow pings from ben (172.16.1.11) and jerry (172.16.1.12).
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
#
# Allow outbound connections; the state entry lets the replies back in.
pass out quick on elxl0 proto tcp/udp from any to any keep state
#
# Allow ssh from 172.16.0.0/16 only.
# pass in log quick on elxl0 proto tcp from 172.16.0.0/16 to 172.16.1.100/32 port = 22 flags S keep state
#
# Actually, allow ssh only from ben, jerry and MSU.  The destination must be
# this host's own address (172.16.1.100), otherwise the rules never match.
# "flags S keep state" creates the state entry on the SYN, so each connection
# is logged once rather than every packet of it.
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22 flags S keep state
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22 flags S keep state
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22 flags S keep state
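Before loading a ruleset it is worth walking it by hand with ipf's matching semantics: the last matching rule wins unless a matching rule carries "quick", and a packet that nothing matches is passed.  The Python script below is an added example (not code from the original post or from the IPFilter project) that evaluates a constructed excerpt of the ruleset above against sample packets.  It parses only the keywords that ruleset uses and ignores state tracking and logging; 172.16.1.100, 172.16.1.11 and 153.90.0.0/16 are the addresses from the ruleset, while 10.9.8.7, 172.16.1.13 and 198.51.100.10 are made-up outside hosts.

```python
"""Walk an ipf ruleset with ipf's own matching semantics.

Added example; not code from the original post or the IPFilter project.
It parses only the keywords used in the post's ipf.conf and ignores state
tracking and logging.  The last matching rule wins, unless a matching rule
says 'quick' (the walk stops there); an unmatched packet is passed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed excerpt of the post's ruleset (host address 172.16.1.100).
RULESET = """
block in log quick all with short
block in log quick all with ipopts
pass in quick on lo0 all
pass out quick on lo0 all
block in  on elxl0 all
block out on elxl0 all
pass out quick on elxl0 proto icmp all keep state
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass out quick on elxl0 proto tcp/udp from any to any keep state
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22 flags S keep state
"""

@dataclass
class Packet:
    direction: str                   # "in" or "out"
    iface: str                       # "elxl0" or "lo0"
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    attrs: frozenset = frozenset()   # "short", "ipopts"

def parse_rule(line):
    """Parse one rule line; returns None for blank lines and comments."""
    tok = line.split("#", 1)[0].split()
    if not tok:
        return None
    rule = {"action": tok[0], "direction": tok[1], "quick": False, "iface": None,
            "proto": None, "src": "any", "dst": "any", "dport": None,
            "with": None, "text": " ".join(tok)}
    i = 2
    while i < len(tok):
        if tok[i] == "quick":
            rule["quick"] = True
        elif tok[i] == "on":
            i += 1; rule["iface"] = tok[i]
        elif tok[i] == "proto":
            i += 1; rule["proto"] = tok[i].split("/")      # "tcp/udp"
        elif tok[i] in ("from", "to"):
            i += 1; rule["src" if tok[i - 1] == "from" else "dst"] = tok[i]
        elif tok[i] == "port":                             # "port = N"
            i += 2; rule["dport"] = int(tok[i])
        elif tok[i] == "with":
            i += 1; rule["with"] = tok[i]
        # 'log', 'all', 'flags S' and 'keep state' do not affect matching here
        i += 1
    return rule

def load_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]

def _addr_ok(spec, addr):
    return spec == "any" or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    return (rule["direction"] == pkt.direction
            and (rule["iface"] is None or rule["iface"] == pkt.iface)
            and (rule["proto"] is None or pkt.proto in rule["proto"])
            and (rule["with"] is None or rule["with"] in pkt.attrs)
            and (rule["dport"] is None or rule["dport"] == pkt.dport)
            and _addr_ok(rule["src"], pkt.src) and _addr_ok(rule["dst"], pkt.dst))

def evaluate(rules, pkt):
    """Return (verdict, deciding rule text)."""
    decided = None
    for rule in rules:
        if matches(rule, pkt):
            decided = rule
            if rule["quick"]:
                break                 # 'quick' ends the walk at this rule
    if decided is None:
        return "pass", "(no rule matched: ipf default)"
    return decided["action"], decided["text"]

def verdict(pkt, ruleset=RULESET):
    return evaluate(load_rules(ruleset), pkt)[0]

if __name__ == "__main__":
    host = "172.16.1.100"             # 10.9.8.7 and 198.51.100.10 are made-up outsiders
    for name, pkt in {
        "ssh from MSU": Packet("in", "elxl0", "tcp", "153.90.4.2", host, 22),
        "ssh from elsewhere": Packet("in", "elxl0", "tcp", "10.9.8.7", host, 22),
        "ping from ben": Packet("in", "elxl0", "icmp", "172.16.1.11", host),
        "ping from ben with IP options": Packet("in", "elxl0", "icmp", "172.16.1.11", host,
                                               attrs=frozenset({"ipopts"})),
        "outbound https": Packet("out", "elxl0", "tcp", host, "198.51.100.10", 443),
    }.items():
        print(f"{name:30s} -> {'  '.join(evaluate(load_rules(RULESET), pkt))}")
```

Running it shows ssh from 153.90.0.0/16 passing, ssh from anywhere else stopped by the non-quick "block in on elxl0 all" rule (nothing later overrides it), and the ICMP packet with IP options from ben blocked only because the ipopts rule carries "quick": dropping "quick" from that rule lets the later ICMP pass rule win, which is the trap a last-match-wins filter sets for block rules placed at the top.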

Enabling IPF
============

Now that you have an ipf ruleset in place, you need to tell Solaris which interface to filter.  On the original Solaris 10 releases (through 11/06) IPFilter is attached to a NIC by pushing the pfil STREAMS module onto its driver, which you arrange by uncommenting the line for your interface's driver in /etc/ipf/pfil.ap.  The file lists driver names, not interface instances: elxl for elxl0, e1000g for e1000g0, and so on.  Solaris 10 8/07 and later do not use pfil.ap at all; there IPFilter hooks directly into the IP stack and the only step is to enable the ipfilter service.

My pfil.ap file looks like this:

# IP Filter pfil autopush setup
#
# See the autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major  minor lastminor modules

#iprb   -1      0       pfil
elxl    -1      0       pfil
#e1000g -1      0       pfil
#bge    -1      0       pfil
#nf     -1      0       pfil
#fa     -1      0       pfil
#ci     -1      0       pfil
#el     -1      0       pfil
#ipdptp -1      0       pfil
#lane   -1      0       pfil
#dnet   -1      0       pfil
#pcelx  -1      0       pfil
#spwr   -1      0       pfil

That's it.  The pfil module is pushed onto the driver when the interface is plumbed, so either reboot, or run "svcadm restart network/pfil" and then unplumb and re-plumb the interface (ifconfig elxl0 unplumb, then plumb it again with its address).  Make sure the ipfilter service is enabled with "svcadm enable network/ipfilter"; it loads /etc/ipf/ipf.conf at boot.  Then confirm with "ipfstat -io" that the rules are loaded, and test from an address that should be blocked that they actually take effect.

Note that the Solaris 10 ipfilter service also starts ipmon.  ipmon is the ipf utility that reads the log device and records logged packets; by default it sends them to syslog, and on Solaris they end up in /var/adm/messages.
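Once ipmon is writing to /var/adm/messages, the "log" rules above produce one record per logged packet, and the useful follow-up is to summarise them.  The Python script below is an added example (not code from the original post or from the IPFilter project) that parses ipmon records out of syslog lines, counts blocked inbound packets per source and flags sources that probed several destination ports.  The sample lines are constructed in ipmon's record format (time, interface, @group:rule, b/p action, src,port -> dst,port, PR proto, len, flags, IN/OUT) with the Solaris syslog prefix; the hostname, PID, rule numbers and addresses are made up.

```python
"""Summarise ipmon log records from /var/adm/messages.

Added example; not code from the original post or the IPFilter project.
The sample lines are constructed in ipmon's record format with the
Solaris syslog prefix; hostname, PID, rule numbers and addresses are made up.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Jul 12 14:02:13 sol10 ipmon[245]: [ID 702911 local0.warning] 14:02:13.442651 elxl0 @0:5 b 10.9.8.7,40112 -> 172.16.1.100,22 PR tcp len 20 60 -S IN
Jul 12 14:02:14 sol10 ipmon[245]: [ID 702911 local0.warning] 14:02:14.103377 elxl0 @0:5 b 10.9.8.7,40113 -> 172.16.1.100,23 PR tcp len 20 60 -S IN
Jul 12 14:02:14 sol10 ipmon[245]: [ID 702911 local0.warning] 14:02:14.551908 elxl0 @0:5 b 10.9.8.7,40114 -> 172.16.1.100,80 PR tcp len 20 60 -S IN
Jul 12 14:02:15 sol10 ipmon[245]: [ID 702911 local0.warning] 14:02:15.007210 elxl0 @0:5 b 10.9.8.7,40115 -> 172.16.1.100,443 PR tcp len 20 60 -S IN
Jul 12 14:02:20 sol10 ipmon[245]: [ID 702911 local0.warning] 14:02:20.778003 elxl0 @0:5 b 172.16.1.13 -> 172.16.1.100 PR icmp len 20 84 icmp 8/0 IN
Jul 12 14:03:01 sol10 ipmon[245]: [ID 702911 local0.warning] 14:03:01.209934 elxl0 @0:10 p 153.90.4.2,51022 -> 172.16.1.100,22 PR tcp len 20 60 -S IN
Jul 12 14:03:05 sol10 ipmon[245]: [ID 702911 local0.warning] 14:03:05.600120 elxl0 @0:5 b 10.9.8.7,40120 -> 172.16.1.100,22 PR tcp len 20 60 -S IN
"""

# One ipmon record inside a syslog line.  The "[ID nnn facility.level]" part is
# the Solaris syslog message-ID prefix and is optional.
RECORD = re.compile(
    r"ipmon\[\d+\]: (?:\[ID \d+ \S+\] )?"
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bpS]\S*) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?P<extra>.*?) (?P<dir>IN|OUT)\s*$")

def _split_addr(field):
    """'10.9.8.7,40112' -> ('10.9.8.7', 40112); ICMP records carry no port."""
    addr, sep, port = field.rpartition(",")
    return (addr, int(port)) if sep else (field, None)

def parse_ipmon(line):
    """Return a dict for one ipmon record, or None if the line is not one."""
    m = RECORD.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["sport"] = _split_addr(rec["src"])
    rec["dst"], rec["dport"] = _split_addr(rec["dst"])
    rec["blocked"] = rec["action"].startswith("b")   # 'b' blocked, 'p' passed
    return rec

def summarise(log_text, scan_threshold=3):
    """Count blocked inbound packets per source and list sources that hit at
    least `scan_threshold` distinct destination ports (a crude scan detector)."""
    blocked = Counter()
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec is None or rec["dir"] != "IN" or not rec["blocked"]:
            continue
        blocked[rec["src"]] += 1
        if rec["dport"] is not None:
            ports[rec["src"]].add(rec["dport"])
    scanners = sorted(s for s, p in ports.items() if len(p) >= scan_threshold)
    return blocked, scanners

if __name__ == "__main__":
    counts, scanners = summarise(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src:16s} blocked inbound packets: {n}")
    print("possible port scans from:", ", ".join(scanners) or "none")
```

Only records with a "b" action are counted, so the passed ssh connection from 153.90.4.2 (logged because its pass rule carries "log") does not show up as noise, and ICMP records, which carry no port, contribute to the per-source count but not to the port-scan heuristic.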

  

Some Commonly used ipf commands
===============================

ipf -E                          : Enable ipfilter when running for the first time. (Needed for ipf on Tru64)
ipf -f /etc/ipf/ipf.conf        : Load the rules in /etc/ipf/ipf.conf into the active firewall.
ipf -Fa -f /etc/ipf/ipf.conf    : Flush all rules, then load the rules in /etc/ipf/ipf.conf into the active firewall.
ipf -Fi                         : Flush all input rules.
ipf -I -f /etc/ipf/ipf.conf     : Load the rules in /etc/ipf/ipf.conf into the inactive firewall.
ipf -V                          : Show version info and the active list.
ipf -s                          : Swap the active and inactive firewalls.
ipfstat                         : Show summary.
ipfstat -i                      : Show input list.
ipfstat -o                      : Show output list.
ipfstat -hio                    : Show hit counts against all rules.
ipfstat -t -T 5                 : Monitor the state table, refreshing every 5 seconds. Output is similar to 'top' monitoring the process table.
ipmon -s S                      : Watch state table.
ipmon -sn                       : Write logged entries to syslog, resolving addresses and ports back to hostnames and service names.
ipmon -s [file]                 : Write logged entries to some file.
ipmon -Ds                       : Run ipmon as a daemon, and log to the default location. (/var/adm/messages for Solaris; /var/log/syslog for Tru64)

Note that "ipf -f" appends to whatever rules are already loaded, so loading the same file twice duplicates every rule.  To reload a changed ipf.conf either flush first ("ipf -Fa -f"), or load it into the inactive set with "ipf -I -f" and switch with "ipf -s", which avoids a window in which no rules are loaded.

 
