Thursday, 16 October 2008

Solaris 10 firewalling

To make matters easy:

iptables -L == ipfstat -io

The configuration file for the firewall is at /etc/ipf/ipf.conf and the service's FMRI is svc:/network/pfil:default

ipf -E : Enable ipfilter when running for the first time.

ipf -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file into the active firewall.

ipf -Fa -f /etc/ipf/ipf.conf : Flush all rules, then load rules in /etc/ipf/ipf.conf into the active firewall.

ipf -Fi : Flush all input rules.

ipf -I -f /etc/ipf/ipf.conf : Load rules in /etc/ipf/ipf.conf file into inactive firewall.

ipfstat -hio : Show hits against all rules

ipfstat -t -T 5 : Monitor the state table and refresh every 5 seconds. Output is similar to 'top'

And finally an example of an ipf.conf, just for the heck of having one just in case:

# 11/18/04 - Newest Firewall for testing.
# Rich Shattuck
# My IP: 172.16.1.100
#
# Block any packets which are too short to be real
block in log quick all with short
#
# drop and log any IP packets with options set in them.
block in log all with ipopts
#
# Allow all traffic on loopback.
pass in quick on lo0 all
pass out quick on lo0 all
#
# Public Network.   Block everything not explicitly allowed.
block in  on elxl0 all
block out on elxl0 all
#
# Allow pings out.
pass out quick on elxl0 proto icmp all keep state
#
# for testing, allow pings from ben and jerry
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
#
# Allow outbound state-related packets.
pass out quick on elxl0 proto tcp/udp from any to any keep state
#
# allow ssh from 172.16.0.0/16 only.
# pass in log quick on elxl0 from 172.16.0.0/16 to 172.16.1.100/32 port = 22
# Actually, allow ssh only from ben, jerry, MSU
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
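The ruleset above only does what its comments promise because of two ipf matching rules: the last matching rule wins, unless a matching rule carries "quick", which stops evaluation on the spot, and a packet that matches no rule at all is passed. The script below is an added example (my code, not from the post or from IP Filter) that parses the ruleset above and walks packets through it with exactly those semantics. The packet descriptions, the `ssh_in` helper and the name `SAMPLE_CONF` are my own; "keep state" is ignored (the model is stateless) and "with short" / "with ipopts" are modelled as boolean flags on the packet.

```python
"""Toy ipf.conf evaluator: last-match-wins, 'quick' ends the walk, no match = pass."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The post's sample ruleset (comments stripped), embedded so this runs stand-alone.
SAMPLE_CONF = """
block in log quick all with short
block in log all with ipopts
pass in quick on lo0 all
pass out quick on lo0 all
block in  on elxl0 all
block out on elxl0 all
pass out quick on elxl0 proto icmp all keep state
pass in quick on elxl0 proto icmp from 172.16.1.11/32 to 172.16.1.100/32
pass in quick on elxl0 proto icmp from 172.16.1.12/32 to 172.16.1.100/32
pass out quick on elxl0 proto tcp/udp from any to any keep state
pass in log quick on elxl0 proto tcp from 172.16.1.11/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 172.16.1.12/32 to 172.16.1.100/32 port = 22
pass in log quick on elxl0 proto tcp from 153.90.0.0/16 to 172.16.1.100/32 port = 22
"""

@dataclass
class Rule:
    action: str                      # "block" or "pass"
    direction: str                   # "in" or "out"
    quick: bool = False              # a match ends evaluation immediately
    log: bool = False
    iface: Optional[str] = None      # None = any interface
    proto: Optional[str] = None      # "tcp", "icmp", "tcp/udp", ...; None = any
    src: Optional[ipaddress.IPv4Network] = None   # None = any
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    with_flag: Optional[str] = None  # packet attribute the rule needs: "short" or "ipopts"
    text: str = ""

def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rules(conf: str) -> List[Rule]:
    """Parse the subset of ipf.conf syntax the sample uses; rule order is preserved."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        toks = line.split()
        rule, i = Rule(action=toks[0], direction=toks[1], text=line), 2
        while i < len(toks):
            t = toks[i]
            if t in ("quick", "log"):
                setattr(rule, t, True)
            elif t == "on":
                rule.iface, i = toks[i + 1], i + 1
            elif t == "proto":
                rule.proto, i = toks[i + 1], i + 1
            elif t == "from":
                rule.src, i = _net(toks[i + 1]), i + 1
            elif t == "to":
                rule.dst, i = _net(toks[i + 1]), i + 1
            elif t == "port" and toks[i + 1] == "=":   # "port = N"
                rule.dport, i = int(toks[i + 2]), i + 2
            elif t == "with":                          # "with short" / "with ipopts"
                rule.with_flag, i = toks[i + 1], i + 1
            elif t == "keep":                          # "keep state": ignored, stateless model
                i += 1
            elif t != "all":                           # "all" = any src/dst, nothing to record
                raise ValueError(f"unsupported token {t!r} in: {line}")
            i += 1
        rules.append(rule)
    return rules

def matches(rule: Rule, pkt: dict) -> bool:
    """Packet is a dict: dir, iface, proto, src, dst, optional dport, optional short/ipopts flags."""
    return bool(rule.direction == pkt["dir"]
                and (rule.iface is None or rule.iface == pkt["iface"])
                and (rule.with_flag is None or pkt.get(rule.with_flag, False))
                and (rule.proto is None or pkt["proto"] in rule.proto.split("/"))
                and (rule.src is None or ipaddress.ip_address(pkt["src"]) in rule.src)
                and (rule.dst is None or ipaddress.ip_address(pkt["dst"]) in rule.dst)
                and (rule.dport is None or pkt.get("dport") == rule.dport))

def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """Walk rules top to bottom: the LAST match wins unless a matching rule says
    'quick', which stops the walk. No match at all means ipf passes the packet."""
    decision, winner = "pass", "<no rule matched: ipf default is pass>"
    for r in rules:
        if matches(r, pkt):
            decision, winner = r.action, r.text
            if r.quick:
                break
    return decision, winner

def ssh_in(src: str, iface: str = "elxl0", **flags) -> dict:
    """Constructed inbound TCP/22 packet to the post's host (172.16.1.100)."""
    return {"dir": "in", "iface": iface, "proto": "tcp", "src": src,
            "dst": "172.16.1.100", "dport": 22, **flags}

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for pkt in (ssh_in("172.16.1.11"), ssh_in("10.0.0.5"), ssh_in("10.0.0.5", iface="elxl1")):
        print(pkt["src"], pkt["iface"], "->", evaluate(rules, pkt))
```

Two of the cases are worth running against your own ruleset before trusting it. A packet arriving on an interface the rules never name (here `elxl1`) matches nothing and is passed, which is why the per-interface `block in/out on elxl0 all` lines matter and need a copy for every interface. And because `block in log all with ipopts` lacks `quick`, an inbound packet with IP options from an address the later `quick` ssh rules accept is passed, not blocked; adding `quick` to that rule is what makes the comment "drop and log any IP packets with options" true.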


Thanks for playing :)
