Wednesday, July 16, 2008

Solaris 10 ipfilter

Quick guide for ipfilter on Solaris 10

IP Filter home page:
http://coombs.anu.edu.au/~avalon/

Documentation for IPF is also available from:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html


Enable interfaces to be used with packet filtering:

This step is only needed on the original, pfil-based releases of Solaris 10. From Solaris 10 8/07 onwards IP Filter hooks into the IP stack directly, nothing is pushed onto the interfaces, and this section can be skipped.

Edit /etc/ipf/pfil.ap (the pfil autopush file read by the network/pfil service)

Uncomment the entry for the driver, or add one. The first field is the driver name rather than an instance name (hme, not hme0); the -1 minor number means all instances of that driver:

hme -1 0 pfil

For the changes to take effect, either:

1. svcadm restart network/pfil and then unplumb and replumb each interface listed in pfil.ap (the pfil module is only pushed when the interface is plumbed; do this from the console, since the interface is down while unplumbed)
or
2. Reboot

Then enable the ipfilter service:

svcadm enable network/ipfilter

On the pfil-based releases the filter only attaches to interfaces that have been replumbed (or after a reboot) as above.

By default the configuration files in /etc/ipf are read when the network/ipfilter service starts:

ipf.conf - ipv4 filtering rules
ipf6.conf - ipv6 filtering rules (if ipv6 is configured)
ipnat.conf - NAT rules (optional)
ippool.conf - refers to many addresses by a single group name (optional)

A simple ipf.conf that allows all outgoing traffic (stateful), allows ssh in on hme0, and logs and blocks everything else would contain:

pass out quick all keep state
pass in quick on hme0 proto tcp from any to any port = 22 keep state
block in log all

The quick keyword matters: ipf normally applies the last rule that matches a packet, so without quick on the pass rule the final block rule would also match the ssh packets and, being last, would win.


Filtering rules can be loaded from alternative locations:

ipf -f filename

As can NAT rules:

ipnat -f filename


ipf keeps two rule sets, one active and one inactive. Individual rules can be added to the active set (ipf -f with a file or standard input) and removed again with ipf -r -f, which deletes the rules listed in the file instead of adding them, but the cleanest way to replace the whole running set is to load the new rules into the inactive set, check them with ipfstat -I -io, and then swap the two sets.

To switch between the active and inactive rule sets:

ipf -s

To modify packet filtering behaviour:

ipf -Fa (remove both incoming and outgoing rule sets)

ipf -Fo (remove outgoing rules only)

ipf -Fi (remove incoming rules only)

ipf -D (disable all packet filtering)

ipf -E (enable packet filtering)



To view currently loaded rules for the active set:

ipfstat -io

To view currently loaded rules for the inactive set:

ipfstat -I -io


To remove all the running rules and load a new set from a file:

ipf -Fa -f filename

The flush happens before the load, so there is a short window with no rules at all, during which ipf's default is to pass everything. Loading into the inactive set and swapping with ipf -s avoids that gap.

To load rules into the inactive rule set (after a swap the inactive set still holds the previous rules, so flush it first with ipf -I -Fa if you want a clean replacement):

ipf -I -f filename

To append rules to the current active rule set:

echo "block in log on hme0 proto tcp from any to any port = 25" | ipf -f -

Sample rule set for a Solaris 10 host (192.168.93.128) with one zone (192.168.93.132). The interface name is hme0. We allow ssh and icmp echo (ping) only to the host, all else being blocked. All outgoing traffic is allowed and stateful. http is allowed through to the Solaris zone hosted on the server (the rule must say proto tcp; with proto udp it never matches a web connection and the final block rule drops it):

pass out quick all keep state
pass in quick on hme0 proto icmp from any to any icmp-type 8 keep state
pass in quick on hme0 proto tcp from any to 192.168.93.128 port = ssh keep state
pass in quick on hme0 proto tcp from any to 192.168.93.132/32 port = 80 keep state
block in log all
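To see how ipf actually applies these rules, here is an added example, not code from the page or from the IP Filter project: a small Python simulator of ipf's rule matching for the rule forms used on this page. It assumes a tiny constructed services table in place of /etc/services and constructed test packets from an outside host 10.0.0.5, and it models neither state tables nor ipnat. It evaluates the rule set above, a copy with quick removed, and a copy with the zone's http rule on udp, to show that without quick the final block rule is the last match for every inbound packet and wins, and that an http rule on the wrong protocol silently blocks the zone's web traffic.

```python
"""Simulate IP Filter rule evaluation for the ipf.conf subset used on this page.

Added example, not code from the page or the IP Filter project. Two points of
ipf semantics are modelled: the LAST matching rule decides unless a matching
rule is 'quick', which stops evaluation there; and a packet that matches no
rule at all is passed. State tables ('keep state') are not modelled.
"""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

SERVICES = {"ssh": 22, "http": 80, "smtp": 25}  # constructed stand-in for /etc/services

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    text: str                    # the rule as written, for reporting
    quick: bool = False
    iface: Optional[str] = None  # None: any interface
    proto: Optional[str] = None  # None: any protocol
    src: Optional[ipaddress.IPv4Network] = None  # None: 'any'
    dst: Optional[ipaddress.IPv4Network] = None
    port: Optional[int] = None   # destination port
    icmp_type: Optional[int] = None

# A packet as the filter sees it: direction and interface, then header fields.
Packet = namedtuple("Packet", "direction iface proto src dst dport icmp_type", defaults=(None, None))

def _net(tok):
    # 'any' matches everything; a bare address is a /32, as in ipf.
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line: str) -> Rule:
    toks = line.split()
    r, i = Rule(action=toks[0], direction="in", text=line), 1
    if toks[i] in ("in", "out"):
        r.direction, i = toks[i], i + 1
    while i < len(toks):
        t = toks[i]
        if t in ("log", "all"):              # neither affects matching here
            i += 1
        elif t == "keep" and toks[i + 1] == "state":
            i += 2                           # state tracking is not modelled
        elif t == "quick":
            r.quick, i = True, i + 1
        elif t in ("on", "proto"):
            setattr(r, "iface" if t == "on" else "proto", toks[i + 1]); i += 2
        elif t in ("from", "to"):
            setattr(r, "src" if t == "from" else "dst", _net(toks[i + 1])); i += 2
        elif t == "port" and toks[i + 1] == "=":   # only the 'port = X' form is modelled
            v = toks[i + 2]
            r.port, i = (int(v) if v.isdigit() else SERVICES[v]), i + 3
        elif t == "icmp-type":
            r.icmp_type, i = int(toks[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return r

def load(text: str) -> list:
    # Parse an ipf.conf body, skipping blank lines and '#' comments.
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and (r.port is None or r.port == p.dport)
            and (r.icmp_type is None or r.icmp_type == p.icmp_type))

def evaluate(rules: list, p: Packet):
    """Return (verdict, text of the deciding rule, or None if nothing matched)."""
    verdict, hit = "pass", None               # no match at all: ipf passes the packet
    for r in rules:
        if matches(r, p):
            verdict, hit = r.action, r.text   # a later match overrides an earlier one
            if r.quick:
                break                         # unless that match is 'quick'
    return verdict, hit

# The host rule set from this page, plus two broken variants of it.
PAGE_RULES = """
pass out quick all keep state
pass in quick on hme0 proto icmp from any to any icmp-type 8 keep state
pass in quick on hme0 proto tcp from any to 192.168.93.128 port = ssh keep state
pass in quick on hme0 proto tcp from any to 192.168.93.132/32 port = 80 keep state
block in log all
"""
NO_QUICK_RULES = PAGE_RULES.replace(" quick", "")   # 'block in log all' becomes the last match
UDP_HTTP_RULES = PAGE_RULES.replace("proto tcp from any to 192.168.93.132",
                                    "proto udp from any to 192.168.93.132")  # http over udp

def verdicts(text: str) -> dict:
    # Constructed inbound packets from 10.0.0.5: ssh to the host, http to the zone.
    rules = load(text)
    return {"ssh": evaluate(rules, Packet("in", "hme0", "tcp", "10.0.0.5", "192.168.93.128", 22))[0],
            "http": evaluate(rules, Packet("in", "hme0", "tcp", "10.0.0.5", "192.168.93.132", 80))[0]}
```

verdicts(PAGE_RULES) gives pass for both ssh and http; the copy without quick gives block for both, and the udp copy blocks http only. A packet that matches no rule at all comes back as ('pass', None), which is why the closing block in log all line belongs in every rule set.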

PaTcH_MsG 8 Version of is not installed on this system

I had to manually run some of the patches in the Solaris patch cluster recently but got this error:

> ./checkinstall: .: filename argument required
> .: usage: . filename
> PaTcH_MsG 8 Version of is not installed on this system.

To fix this, make sure that every directory on the path down to the patch directory is executable (searchable) by 'nobody', the unprivileged user that the checkinstall script runs as.
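A quick way to find which directory is at fault, as an added example that is not part of the original post: the Python below walks from a top directory down to the patch directory and reports every directory lacking the other-execute (search) bit. The demo builds a constructed patch tree under a temporary directory, with a 10_Recommended directory set to mode 0750 as the mistake; the directory names are illustrative.

```python
"""Find directories that 'nobody' cannot traverse on the way to a patch.

Added example, not part of the original post. The checkinstall script runs
as an unprivileged user, which needs the search (execute) bit on every
directory from the filesystem root down to the patch directory; read
permission on the files alone is not enough.
"""
import os
import stat
import tempfile

def dirs_not_searchable_by_others(path: str, top: str = "/") -> list:
    """Return the directories from `top` down to `path` (both inclusive)
    that lack the other-execute bit, in top-down order."""
    path, top = os.path.abspath(path), os.path.abspath(top)
    if path != top and not path.startswith(top.rstrip(os.sep) + os.sep):
        raise ValueError(f"{path} is not under {top}")
    chain, d = [], path
    while True:                       # walk upwards until `top` is reached
        chain.append(d)
        if d == top:
            break
        d = os.path.dirname(d)
    return [d for d in reversed(chain) if not os.stat(d).st_mode & stat.S_IXOTH]

def demo() -> list:
    """Constructed patch tree in a temporary directory with one intermediate
    directory at mode 0750; returns the offenders relative to the tree root."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)             # mkdtemp creates 0700, which would itself be flagged
    cluster = os.path.join(base, "10_Recommended")
    patch_dir = os.path.join(cluster, "patches", "patchdir")
    os.makedirs(patch_dir)
    for d in (cluster, os.path.dirname(patch_dir), patch_dir):
        os.chmod(d, 0o755)            # make the tree independent of the umask
    os.chmod(cluster, 0o750)          # the mistake: no search bit for others
    return [os.path.relpath(d, base)
            for d in dirs_not_searchable_by_others(patch_dir, top=base)]
```

demo() returns ['10_Recommended']; on a real system call dirs_not_searchable_by_others with the patch directory and the default top of "/" to check the whole chain, then chmod o+x the directories it lists.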