Solaris IP Filtering

Solaris IP Filter integrates the open source IP Filter software into Solaris 10. IP Filter provides stateful packet filtering and can filter packets by IP address or network, port, protocol, network interface, and traffic direction. It can also perform network address translation (NAT) and port address translation (PAT). IP Filter supports both IPv4 and IPv6 and is configured using a simple firewall rules policy language; information and examples on the syntax of that language can be found in ipf(4).

IP Filter can be enabled using the SMF service svc:/network/ipfilter:default or ipfilter, for short:

# svcs ipfilter
STATE          STIME     FMRI
disabled       Sep_16    svc:/network/ipfilter:default
# svcadm enable -r ipfilter
# svcs ipfilter
STATE          STIME     FMRI
online         14:39:44  svc:/network/ipfilter:default

By default, the IP Filter configuration is stored in /etc/ipf/ipf.conf. The ipfstat(1M) command displays the list of incoming (-i) and outgoing (-o) rules currently being enforced:

# ipfstat -io
pass out quick all keep state keep frags
block in quick from any to any port = 137
block in quick from any to any port = 138
block in quick from any to any port = 139
pass in quick proto udp from any to any port = ike
pass in quick proto udp from any to any port = 4500
pass in quick proto esp from any to any
pass in log quick proto tcp from 192.168.1.0/24 to any port = ssh
block in log all
block in from any to 255.255.255.255/32
block in from any to 127.0.0.1/32

The rule set shown above could be used on a desktop or laptop: it does not restrict outbound communication but blocks nearly everything attempting to communicate with the system, while still admitting IPsec/IKE and incoming Secure Shell from one specific network. The ipfstat(1M) command can also be used to collect valuable information and statistics about how IP Filter is functioning.
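The same policy as it would be written in /etc/ipf/ipf.conf, with comments explaining how IP Filter evaluates it. This is an added, annotated example based on the ipfstat output above, not a file taken from the page or from the IP Filter project; the comments on evaluation order describe standard ipf(4) semantics.

```conf
# /etc/ipf/ipf.conf -- annotated example (added here, derived from the rule set above)
#
# Rules are evaluated top to bottom. A rule marked "quick" ends evaluation
# as soon as it matches; without "quick", evaluation continues and the LAST
# matching rule decides the packet's fate. "keep state" records the
# connection so that replies to outbound traffic are admitted without a
# separate inbound rule; "keep frags" does the same for IP fragments.
pass out quick all keep state keep frags

# Drop NetBIOS/SMB probes (137-139) silently: on a LAN they are constant
# background noise and logging them would flood syslog.
block in quick from any to any port = 137
block in quick from any to any port = 138
block in quick from any to any port = 139

# IPsec: IKE (udp/500), IKE NAT traversal (udp/4500) and ESP itself.
pass in quick proto udp from any to any port = ike
pass in quick proto udp from any to any port = 4500
pass in quick proto esp from any to any

# Administrative Secure Shell only from the management network.
# "log" sends each accepted packet to ipmon, which is useful for auditing
# who reached the SSH service.
pass in log quick proto tcp from 192.168.1.0/24 to any port = ssh

# Everything else inbound is blocked and logged ...
block in log all
# ... except that these two non-quick rules are also matched afterwards, and
# because the last match wins they block broadcast and loopback-addressed
# packets WITHOUT logging them, keeping that noise out of syslog.
block in from any to 255.255.255.255/32
block in from any to 127.0.0.1/32
```

After editing the file, flush the active rules and load the new set with ipf -Fa -f /etc/ipf/ipf.conf, then confirm the result with ipfstat -io as shown above. Because the trailing broadcast and loopback rules depend on last-match semantics, inserting a quick rule between them and "block in log all" would change their effect; keep that ordering intact.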

IP Filter can log information to the syslog facility through the ipmon(1M) daemon. The following example illustrates a blocked telnet connection attempt from 192.168.0.1 to 192.168.0.2:

Sep 18 14:47:50 blackhole ipmon[7237]: [ID 702911 local0.warning]
14:47:50.075431 ip.tun0 @0:12 b 192.168.0.1,52854 -> 192.168.0.2,23 PR tcp
len 20 52 -S IN
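A small parser for ipmon log entries of the form shown above, which turns the raw syslog text into structured records and summarises blocked inbound attempts by source, destination, protocol and port. This is an added example written for this page, not a tool from Solaris or the IP Filter project; the sample log is constructed and consists of the page's own blocked telnet entry (folded over three lines, exactly as syslog and the page present it) plus two made-up entries, and the field layout it parses (time, interface, @group:rule, action code, endpoints, protocol, lengths, TCP flags, direction) is the standard ipmon format.

```python
import re
import sys
from collections import Counter
from typing import Iterator, Optional

# Constructed sample log (not real captured data): the page's blocked telnet
# entry, then a blocked NetBIOS probe and a logged, permitted SSH connection
# from the 192.168.1.0/24 management network, both invented for this example.
SAMPLE_LOG = """\
Sep 18 14:47:50 blackhole ipmon[7237]: [ID 702911 local0.warning]
14:47:50.075431 ip.tun0 @0:12 b 192.168.0.1,52854 -> 192.168.0.2,23 PR tcp
len 20 52 -S IN
Sep 18 14:48:03 blackhole ipmon[7237]: [ID 702911 local0.warning] 14:48:03.112004 ip.tun0 @0:2 b 192.168.0.1,1024 -> 192.168.0.2,137 PR udp len 20 78 IN
Sep 18 14:48:10 blackhole ipmon[7237]: [ID 702911 local0.warning] 14:48:10.500211 ip.tun0 @0:7 p 192.168.1.5,40022 -> 192.168.0.2,22 PR tcp len 20 60 -S IN
"""

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Fields ipmon writes after the syslog prefix:
#   time iface @group:rule action src[,port] -> dst[,port] PR proto len hdr total [flags] [extra] IN|OUT
# action codes: b = blocked, p = passed, n = no rule matched, L = logged, S = short packet.
# Ports are optional so that ICMP entries (no ports, "icmp type/code" before the
# direction) also parse.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: \[ID \d+ \S+\] "
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bpnLS]) "
    r"(?P<src>[^\s,]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[^\s,]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<tlen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))?"
    r".*?\s(?P<dir>IN|OUT)\b"
)

ACTIONS = {"b": "block", "p": "pass", "n": "nomatch", "L": "log", "S": "short"}


def iter_entries(text: str) -> Iterator[str]:
    """Yield one logical syslog entry per item, re-joining continuation lines.

    syslog (and the page) may fold a long ipmon line; only lines that begin with
    a month abbreviation start a new entry, everything else is appended to the
    previous one.
    """
    current = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line[:3] in MONTHS and line[3:4] == " " and current:
            yield " ".join(current)
            current = []
        current.append(line)
    if current:
        yield " ".join(current)


def parse_ipmon(entry: str) -> Optional[dict]:
    """Parse one joined ipmon entry into a dict, or return None if it is not one."""
    match = IPMON_RE.search(entry)
    if not match:
        return None
    rec = match.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "tlen"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    rec["action"] = ACTIONS[rec["action"]]
    return rec


def blocked_inbound(text: str) -> Counter:
    """Count blocked inbound packets keyed by (src, dst, proto, dport)."""
    counts = Counter()
    for entry in iter_entries(text):
        rec = parse_ipmon(entry)
        if rec and rec["action"] == "block" and rec["dir"] == "IN":
            counts[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return counts


def main(argv):
    # Read a log file if one is given, otherwise use the constructed sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    for (src, dst, proto, dport), n in blocked_inbound(text).most_common():
        print(f"{n:5d}  {src:>15} -> {dst}:{dport} ({proto})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against whichever file your syslog.conf directs the local0 facility to (the entry above was logged at local0.warning); the summary makes repeated probes against a blocked port stand out, and the per-record fields (rule number, interface, TCP flags) tell you which rule fired and whether a hit was a connection attempt (the -S flag marks a SYN) or a stray packet.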

Resources

For more information on IP Filter, see: