
2. IP Filter

IP Filter is a freely available, stateful firewall and packet filter. It comes with FreeBSD and NetBSD (and until recently OpenBSD, which has switched to PF, though the latter uses almost exactly the same rule syntax); it also runs on many other Unix-like operating systems, including Solaris. For more information see the HOWTO at obfuscation.org or the FAQ at phildev.net.

IPFilter binaries are available for Solaris 7, 8 and 9; IPFilter comes as part of Solaris 10.

2.1. Installation on Solaris 7, 8 and 9

Binaries of IP Filter — Solaris packages — can be downloaded from maraudingpirates.org, for Solaris 7, 8 and 9. These can be installed in the usual way: gunzip the .gz files and then pkgadd -d <filename>, e.g.,

    gunzip ipf-3.4.28-Sol8-sparc-64bit.pkg.gz
    pkgadd -d ipf-3.4.28-Sol8-sparc-64bit.pkg

        1  ipf      IP Filter
                    (sparc) 3.4.23
        2  ipfx     IP Filter (64-bit)
                    (sparc) 3.4.23

        Select package(s) you wish to process (or 'all' to process
        all packages). (default: all) [?,??,q]: 
— the .pkg file actually contains two packages: ipf and ipfx; the latter is the 64bit version.

If a message such as

    Cannot attach to device

is seen during the post-installation phase, remove both packages (use pkgrm) and install ipfx before ipf (i.e., choose 2, then 1).

2.2. Installation on Solaris 10

Old Version

As of around September/October 2007 things have changed. Assuming your Solaris 10 system is patched up to date, skip to the New Version instructions below.

IPFilter comes as part of Solaris 10, but must be activated — a kernel module must be loaded. To do this, edit /etc/ipf/pfil.ap and uncomment the module which matches the network interface on which IPFilter is to be applied (e.g., module bge for interface bge0). Then reboot the machine to load the module/driver — though see the next paragraph to avoid a reboot.

(According to the Solaris 10 documentation, a reboot should not be necessary: to load the module use ifconfig <interface> modinsert pfil@<position>; then confirm with ifconfig <interface> modlist. See the man page for ifconfig for details.)

New Version

The pfil driver is no longer required. Simply ensure that all IPFilter-related services are running, enabling them with svcadm if necessary:

    prompt> svcs -a | grep pfil

    disabled       13:22:46 svc:/system/rmtmpfiles:default
    online         13:23:19 svc:/network/pfil:default
    online         14:07:00 svc:/network/ipfilter:default

    prompt> svcadm enable ipfilter
    prompt> svcs -a | grep pfil

    online       14:26:46 svc:/system/rmtmpfiles:default
    online       13:23:19 svc:/network/pfil:default
    online       14:07:00 svc:/network/ipfilter:default

2.3. Configuration — Firewall Scripts

One or two files are required: the firewall rules are mandatory and are usually kept in /etc/ipf.rules; optionally, network address translation (NAT) rules can be set, usually in /etc/ipnat.rules. (See the corresponding lines in the init script in section 2.5 below in both cases.)

Below is a simple default-deny firewall which can easily be modified. Many more examples, with explanation, can be found in the HOWTO linked to above.

  # ---------------------------------------------------------------------------
  # -- default deny :

  block in on hme0  # -- from any to any (no "quick")

  # ---------------------------------------------------------------------------
  # -- loopback :

  pass out quick on lo0
  pass in  quick on lo0

  # ---------------------------------------------------------------------------
  # -- OUT : 

  pass out quick on hme0 proto tcp  from any to any keep state
  pass out quick on hme0 proto udp  from any to any keep state
  pass out quick on hme0 proto icmp from any to any keep state

  # ---------------------------------------------------------------------------
  # -- allow new tcp connections from trusted hosts and keep-state on them :

  pass in quick on hme0 proto tcp from 192.168.1.7  to any flags S keep state 
  pass in quick on hme0 proto tcp from 192.168.1.8  to any flags S keep state 
  pass in quick on hme0 proto tcp from 192.168.1.15 to any flags S keep state 

  # ---------------------------------------------------------------------------
  # ...allow unprivileged port access --- the simplest way to handle protocols
  #    which IPFilter connection-tracking cannot cope with, e.g., FTP :

  pass in quick on hme0 proto tcp from 130.88.0.0/16 to any port > 1023
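To see why the default block above deliberately carries no "quick" (a later pass quick rule overrides it, while a packet that matches nothing is passed), here is a small evaluator of that rule-matching logic. It is an added example, not code from the page or from IP Filter; RULES is a constructed subset of the script above, and the packet dictionaries (dir, iface, proto, src, sport, dst, dport) are the example's own format.

```python
"""Evaluator for the IP Filter rule-ordering semantics behind the script above
(added example, not the page's or IP Filter's own code). It accepts only what the
script uses: action, direction, quick, on, proto, from/to, 'port = N' / 'port > N'."""
import ipaddress
import re
RULE_RE = re.compile(                                  # 'flags S'/'keep state' accepted, ignored
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?"
    r"\s+on\s+(?P<iface>\S+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sop>[=>])\s+(?P<sport>\d+))?)?"
    r"(?:\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dop>[=>])\s+(?P<dport>\d+))?)?"
    r"(?:\s+flags\s+\S+)?(?:\s+keep\s+state)?$")
# Constructed subset of the page's default-deny script (same shape, fewer hosts).
RULES = """
block in on hme0                 # default deny -- deliberately NOT quick
pass out quick on hme0 proto tcp from any to any keep state
pass in  quick on hme0 proto tcp from 192.168.1.7 to any flags S keep state
pass in  quick on hme0 proto tcp from 130.88.0.0/16 to any port > 1023
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # strip comments and blanks
        if line:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unsupported rule: " + line)
            rules.append(m.groupdict())
    return rules

def _addr_ok(spec, addr):                              # 'any', a host or a CIDR block
    return spec in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(op, want, port):                          # '= N', '> N' or no port clause
    return op is None or (port == int(want) if op == "=" else port > int(want))

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] == p["iface"]
            and r["proto"] in (None, p["proto"])
            and _addr_ok(r["src"], p["src"]) and _port_ok(r["sop"], r["sport"], p["sport"])
            and _addr_ok(r["dst"], p["dst"]) and _port_ok(r["dop"], r["dport"], p["dport"]))

def evaluate(rules, p):
    """LAST matching rule wins unless a match is 'quick' (search stops); no match = pass."""
    decision = "pass"                                  # IP Filter has no implicit default deny
    for r in rules:
        if matches(r, p):
            decision = r["action"]
            if r["quick"]:
                break
    return decision
```

Note the last point: a packet arriving on an interface that no rule names is passed, so a default block rule is needed for every filtered interface.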

A better way to handle FTP is to use a NAT proxy rule instead: omit the last line of the script above and add this to /etc/ipnat.rules:

  # -- handle moronic FTP :  this lets _clients_ on Cosmos get data back in
  #    an Active FTP session (Passive transfers should work already
  #    via TCP state-keeping) :

  map hme0 0/0 -> 0/32 proxy port 21 ftp/tcp

2.4. Starting/Stopping

Finally, load the filter and NAT rules:

    ipf  -Fa -f /etc/ipf.rules
    ipnat -CF -f /etc/ipnat.rules
        #
        # ...specify appropriate path for files containing rules...

2.5. Init Scripts

On Solaris 7, 8 and 9, appropriate init scripts should be in place; on Solaris 10, initialisation is handled by the service infrastructure as service network/ipfilter (see man pages of svcadm and svccfg for details).

The Solaris packages from maraudingpirates.org contain suitable init scripts and these are installed as /etc/init.d/ipfboot and /etc/rc3.d/S65ipfboot (the latter being installed as a copy of the former, in the usual Solaris-oriented way). However, the supplied init script is not compatible with the firewall configuration files given above. The following simple init script can be used instead:

  #!/bin/sh

  case "$1" in
  start)
      ipf   -Fa -f /etc/ipf.rules
      ipnat -CF -f /etc/ipnat.rules
          # ...on Solaris 10, /etc/ipf/ipf.conf...
      ipmon -Ds
          # ...start ipmon as a daemon and send log info via syslogd...
      ;;
  stop)
      ipf   -Fa
      ipnat -CF
      ;;
  *)
      echo "Usage: $0 (start|stop)" >&2
      exit 1
      ;;
  esac
  exit 0

2.6. Related Utilities

To list current filter rules use:

    ipfstat -i    # -- for rules affecting inbound traffic
    ipfstat -o    #                     ...outbound...

2.7. Logging with IPFilter

Packets can be logged using rules like:

  # -- log attempted/unwanted SMTP traffic:
  #
  block in log quick on bge0 proto tcp from any port = 25 to any
  block in log quick on bge0 proto tcp from any           to any port = 25
  #
  block out log quick on bge0 proto tcp from any port = 25 to any
  block out log quick on bge0 proto tcp from any           to any port = 25

  # -- default block/log rule :
  # 
  block in log quick on bge0 proto tcp from any to any

The ipmon daemon must be running; it can log to a named file or via syslogd, cf. ipmon -Ds (as given in the init script above) — see the ipmon man page for details.
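As an added example (not part of the page or of IP Filter), the following parses the syslog lines that ipmon -Ds produces for rules like the SMTP ones above and counts blocked inbound attempts per source and destination port. The sample log lines, hostname and addresses are constructed, and the field layout is assumed to follow ipmon's documented output format.

```python
"""Summarise what ipmon logged for the rules above: blocked inbound TCP/UDP
attempts per source and destination port (added example, not the page's or
IP Filter's own code). Field layout assumed from ipmon's documented output:
<time> <iface> @<group>:<rule> <action> <src>,<sport> -> <dst>,<dport> PR <proto> len <hl> <len> [flags] IN|OUT"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bpSL]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)")

# Constructed sample: syslog lines as written by 'ipmon -Ds' (hostname/addresses made up).
SAMPLE = """\
Jan 12 13:23:09 cosmos ipmon[291]: 13:23:09.623567 bge0 @0:2 b 203.0.113.9,51234 -> 192.0.2.10,25 PR tcp len 20 60 -S IN
Jan 12 13:23:11 cosmos ipmon[291]: 13:23:11.101010 bge0 @0:2 b 203.0.113.9,51235 -> 192.0.2.10,25 PR tcp len 20 60 -S IN
Jan 12 13:23:15 cosmos ipmon[291]: 13:23:15.400400 bge0 @0:5 b 198.51.100.7,4444 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
Jan 12 13:23:20 cosmos ipmon[291]: 13:23:20.777000 bge0 @0:1 b 203.0.113.9,25 -> 192.0.2.10,51000 PR tcp len 20 60 -S IN
Jan 12 13:23:22 cosmos ipmon[291]: 13:23:22.000001 bge0 @0:3 b 192.0.2.10,25 -> 198.51.100.20,40000 PR tcp len 20 60 -S OUT
Jan 12 13:23:30 cosmos ipmon[291]: 13:23:30.500500 bge0 @0:2 b 203.0.113.9,53001 -> 192.0.2.10,25 PR tcp len 20 60 -S IN
Jan 12 13:23:31 cosmos sshd[400]: Accepted publickey for admin from 192.168.1.7 port 50001 ssh2
"""

def parse_line(line):
    """Return the ipmon fields of a syslog line, or None for non-ipmon lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def blocked_inbound(lines):
    """Counter of blocked ('b') inbound packets keyed by (source, destination port)."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] == "b" and rec["dir"] == "IN":
            hits[(rec["src"], int(rec["dport"]))] += 1
    return hits

def repeat_offenders(lines, threshold=2):
    """Sources that hit the same blocked port at least `threshold` times, worst first."""
    hits = blocked_inbound(lines)
    return sorted(((n, src, port) for (src, port), n in hits.items() if n >= threshold), reverse=True)

if __name__ == "__main__":
    for n, src, port in repeat_offenders(SAMPLE.splitlines()):
        print(f"{src} -> port {port}: {n} blocked attempts")
```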

