Although the “svc:/network/pfil:default” is enabled and online on a default Solaris 10 installation, no device driver has been configured for it. So that to enable IPFilter, you’ll need to configure “pfil” so that it gets autopushed for the network drivers for which you want to enable your firewall. And then the network interfaces will need to be plumbed or replumbed.
The point to note here is that IPFilter is enabled per network device driver (hme, ge, qfe,… ).
# vi /etc/ipf/pfil.ap
and uncomment there the specific drivers you are interested in, man ipf(1M) for more.
You now have 2 choices. One : reboot. At boot time, when the “pfil” service is started, the startup script /lib/svc/method/pfil will run the autopush command on the /etc/ipf/pfil.ap file before the network interfaces are confgured so that everything will work as expected. Note that the same script will also start IPFilter with a very restrictive set of rules to cover the window of vulnerability during the time network is initialized and the “ipfilter” service is started.
svcadm enable ipfilter
autopush -f /etc/ipf/pfil.ap
ifconfig bge0 unplumb
ifconfig bge0 plumb xxx.xx.xxx.xxx netmask 255.255.255.0 up
Now you are reading to write your firewall rules.
You will find some examples of the ipf.conf configuration file in /usr/share/ipfilter/examples. Just copy one of them over /etc/ipf/ipf.conf to start playing around.
Sample firewall rules.
# IP Filter rules to be loaded during startup
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
# block all inbound packets.
block in from any to any
# pass through packets to and from localhost.
pass in from 127.0.0.1/32 to 127.0.0.1/32
# allow a variety of individual hosts to send any type of IP packet to any
# other host.
pass in from xxx.xx.xxx.xxx/32 to any
pass in from xxx.xx.xx.xxx/32 to any
# Allow all ICMP
pass in proto icmp from any to any
# Allow all Radius (the localhost running Radius software for authentication)
pass in proto udp from any to any port = 1812
pass in proto udp from any to any port = 1813
pass in proto tcp from any to any port = 1812
pass in proto tcp from any to any port = 1813
# Allow all from internal LAN
pass in from xx.xxx.xxx.0/24 to any
ipf -D disable
ipf -E enable
ipf -Fa -f /etc/ipf/ipf.conf read the ipf.conf
man ipf(1M) for more on ipf
I am still struggling with 'keep-state' thing, each time I use it the box become unaccessible/unresponsive after few hours max. 10 hrs.ReplyDelete