Solaris IP Filtering
Solaris IP Filter integrates the open source IP Filter software into Solaris 10. IP Filter provides stateful packet filtering and can filter packets by IP address or network, port, protocol, network interface, and traffic direction. In addition, it can perform network address translation (NAT) and port address translation (PAT). IP Filter supports both IPv4 and IPv6, and is configured using a simple firewall rules policy language. Information and examples on the syntax of the policy language can be found in ipf(4).
IP Filter can be enabled using the SMF service svc:/network/ipfilter:default or ipfilter, for short:
# svcs ipfilter
STATE          STIME    FMRI
disabled       Sep_16   svc:/network/ipfilter:default
# svcadm enable -r ipfilter
# svcs ipfilter
STATE          STIME    FMRI
online         14:39:44 svc:/network/ipfilter:default
By default, the IP Filter configuration is stored in /etc/ipf/ipf.conf. Using the ipfstat(1M) command, the list of incoming and outgoing rules being enforced can be displayed:
# ipfstat -io
pass out quick all keep state keep frags
block in quick from any to any port = 137
block in quick from any to any port = 138
block in quick from any to any port = 139
pass in quick proto udp from any to any port = ike
pass in quick proto udp from any to any port = 4500
pass in quick proto esp from any to any
pass in log quick proto tcp from 192.168.1.0/24 to any port = ssh
block in log all
block in from any to 255.255.255.255/32
block in from any to 127.0.0.1/32
The rule set shown above could be used on a desktop or laptop: it does not restrict outbound communication but blocks nearly everything attempting to communicate with the system. It also permits IPsec/IKE traffic and incoming Secure Shell connections (from one specific network only). The ipfstat(1M) command can also be used to collect valuable information and statistics regarding how IP Filter is functioning.
IP Filter can log information to the syslog facility. The following example illustrates a blocked telnet connection attempt from 192.168.0.1 to 192.168.0.2:
Sep 18 14:47:50 blackhole ipmon[7237]: [ID 702911 local0.warning] 14:47:50.075431 ip.tun0 @0:12 b 192.168.0.1,52854 -> 192.168.0.2,23 PR tcp len 20 52 -S IN
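Log lines in this ipmon format are what a defender would feed into a monitoring pipeline to see which sources are hitting the "block in log all" rule and on which ports. The following Python script is an added example, not part of the original page or of the IP Filter project: it parses ipmon syslog lines of the TCP/UDP shape shown above (timestamp, interface, rule group:number, "b" for block or "p" for pass, source and destination address/port pairs, protocol, and IN/OUT direction), counts blocked inbound attempts, and flags sources that probed several distinct ports. The first sample line is the one from the page; the remaining lines are constructed for the example, and the regular expression is an assumption based on that one line (ICMP entries, which carry no ports, are deliberately skipped).

```python
import re
from collections import Counter, defaultdict

# Constructed sample log: line 1 is the page's example, lines 2-4 are made-up
# entries in the same format (one is a passed SSH connection, one is UDP).
SAMPLE_LOG = """\
Sep 18 14:47:50 blackhole ipmon[7237]: [ID 702911 local0.warning] 14:47:50.075431 ip.tun0 @0:12 b 192.168.0.1,52854 -> 192.168.0.2,23 PR tcp len 20 52 -S IN
Sep 18 14:48:01 blackhole ipmon[7237]: [ID 702911 local0.warning] 14:48:01.118220 ip.tun0 @0:12 b 192.168.0.1,52855 -> 192.168.0.2,139 PR tcp len 20 52 -S IN
Sep 18 14:48:03 blackhole ipmon[7237]: [ID 702911 local0.warning] 14:48:03.004511 ip.tun0 @0:7 p 192.168.1.20,41022 -> 192.168.0.2,22 PR tcp len 20 60 -S IN
Sep 18 14:48:09 blackhole ipmon[7237]: [ID 702911 local0.warning] 14:48:09.331900 ip.tun0 @0:12 b 10.0.0.9,5353 -> 192.168.0.2,137 PR udp len 20 78 IN
"""

# Assumed field layout, derived from the single ipmon line on the page.
# Only TCP/UDP records (which carry ",port" after each address) are matched;
# anything else yields None so it can be counted as "unparsed" by the caller.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: .*?"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) .*?"
    r"(?P<dir>IN|OUT)$"
)


def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon syslog line, or None if it does not match."""
    m = IPMON_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["blocked"] = rec["action"] == "b"   # 'b' = blocked, 'p' = passed
    return rec


def summarize_blocked(log_text):
    """Count blocked inbound attempts keyed by (source IP, destination port, protocol)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon_line(line)
        if rec and rec["blocked"] and rec["dir"] == "IN":
            counts[(rec["src"], rec["dport"], rec["proto"])] += 1
    return counts


def noisy_sources(counts, min_ports=2):
    """Sources whose blocked attempts touched at least `min_ports` distinct destination ports."""
    ports_by_src = defaultdict(set)
    for (src, dport, _proto), _n in counts.items():
        ports_by_src[src].add(dport)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    blocked = summarize_blocked(SAMPLE_LOG)
    for (src, dport, proto), n in sorted(blocked.items()):
        print(f"blocked {n:3d}  {src:>15} -> port {dport}/{proto}")
    print("sources probing multiple ports:", noisy_sources(blocked))
```

Run against a real /var/adm/messages (or wherever local0 is routed) the same functions work unchanged; only the regular expression would need extending for ICMP or IPv6 records.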
Resources
For more information on IP Filter, see:
- Solaris 10 Adoption Kit: IP Filter http://partneradvantage.sun.com/protected/solaris10/adoptionkit/general/features/ip_filter.html
- Open Source IP Filter http://coombs.anu.edu.au/~avalon/