Saturday, November 14, 2009

Securing Solaris 10 Host using ipfilter

Although the “svc:/network/pfil:default” is enabled and online on a default Solaris 10 installation, no device driver has been configured for it. So that to enable IPFilter, you’ll need to configure “pfil” so that it gets autopushed for the network drivers for which you want to enable your firewall. And then the network interfaces will need to be plumbed or replumbed.

The point to note here is that IPFilter is enabled per network device driver (hme, ge, qfe,… ).

# vi /etc/ipf/pfil.ap

and uncomment there the specific drivers you are interested in, man ipf(1M) for more.

You now have 2 choices. One : reboot. At boot time, when the “pfil” service is started, the startup script /lib/svc/method/pfil will run the autopush command on the /etc/ipf/pfil.ap file before the network interfaces are confgured so that everything will work as expected. Note that the same script will also start IPFilter with a very restrictive set of rules to cover the window of vulnerability during the time network is initialized and the “ipfilter” service is started.


svcadm enable ipfilter

autopush -f /etc/ipf/pfil.ap
ifconfig bge0 unplumb
ifconfig bge0 plumb netmask up

Now you are reading to write your firewall rules.

You will find some examples of the ipf.conf configuration file in /usr/share/ipfilter/examples. Just copy one of them over /etc/ipf/ipf.conf to start playing around.

Sample firewall rules.

# ipf.conf
# IP Filter rules to be loaded during startup
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
# block all inbound packets.
block in from any to any
# pass through packets to and from localhost.
pass in from to
# allow a variety of individual hosts to send any type of IP packet to any
# other host.
pass in from to any
pass in from to any
# Allow all ICMP
pass in proto icmp from any to any

# Allow all Radius (the localhost running Radius software for authentication)
pass in proto udp from any to any port = 1812
pass in proto udp from any to any port = 1813
pass in proto tcp from any to any port = 1812
pass in proto tcp from any to any port = 1813

# Allow all from internal LAN
pass in from to any

Enabling/Disabling ipf

ipf -D disable
ipf -E enable

ipf -Fa -f /etc/ipf/ipf.conf read the ipf.conf

man ipf(1M) for more on ipf

1 comment:

  1. I am still struggling with 'keep-state' thing, each time I use it the box become unaccessible/unresponsive after few hours max. 10 hrs.