Networking

Managing firewalls and the like

ipf

ipf (IP Filter) is a good stateful packet filter, and it is the one bundled with Solaris 10.

!DANGER!

When you enable it, be quite sure you don't disable your own access!

Initialisation

Edit /etc/ipf/pfil.ap and uncomment the line(s) for your NIC(s); this is what gets the pfil module pushed onto an interface so that ipf sees its packets. To work out what your NICs are try:

netstat -ni

Next edit the configuration file. In this case we'll pass everything through but log it all (so we can see that it's all working). Remember ipf's semantics: the last matching rule wins unless a rule says quick, so the two block lines below are only the default, and the pass lines after them are what actually applies:

cd /etc/ipf

cat <<EOF >>ipf.conf
block in log all
block out log all

pass in quick on lo0 all
pass out quick on lo0 all

pass in log all keep state
pass out log all keep state
EOF

Syslog

ipf does its logging through ipmon(1M), which the ipfilter service runs as a daemon writing to syslog on the local0 facility; with log on every rule that comes to tens of Mbytes a week. ipmon logs blocked packets at priority warning, passed packets at notice and packets matched by a plain log rule at info, so a local0.warn selector captures the blocks only: if you want the passed traffic as well use local0.notice (or local0.info). Solaris syslog.conf insists on a tab, not spaces, between the selector and the file name, and syslogd has to be told to reread its configuration:

printf 'local0.warn\t/var/adm/local0.log\n' >>/etc/syslog.conf
touch /var/adm/local0.log
chmod 600 /var/adm/local0.log
svcadm restart system-log

So you will want that log file rotated. logadm -w writes a permanent entry into /etc/logadm.conf for the daily logadm run; -C 8 keeps eight old copies and -a HUPs syslogd so it reopens the new file:

logadm -C 8 -a 'kill -HUP `cat /var/run/syslog.pid`' -w /var/adm/local0.log

Enabling

svcadm enable /network/ipfilter

reboot

Note

Do you have to reboot? For the pfil.ap change, yes, or the equivalent: pfil.ap only takes effect when an interface is plumbed, so after editing it you either reboot or unplumb and re-plumb the NIC with ifconfig, which drops every connection on it, including the one you are logged in over. Later Solaris 10 updates replaced pfil with in-kernel packet-filter hooks and dropped this step along with pfil.ap.

ipf.conf

Subsequent changes to ipf.conf aren't picked up by svcadm refresh here, but a disable then enable of the service reloads them, at the cost of a brief window while the service is down:

svcadm disable -t /network/ipfilter
svcadm enable -t /network/ipfilter

Alternatively reload the rules directly and leave the service alone. ipf -Fa -f /etc/ipf/ipf.conf flushes the loaded rules and reads the file again (the state table is left alone, so established connections carry on), and ipf -I -Fa -f /etc/ipf/ipf.conf followed by ipf -s loads the file into the inactive rule set and swaps it in, so there is no moment with an empty rule set. ipf -n -f /etc/ipf/ipf.conf parses the file without changing anything, which is worth doing first.

See /usr/share/ipfilter/examples/ for further clues

Warning

If your box is remote, always allow SSH!
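A way to reload the rules on a remote box without locking yourself out, as an added example rather than anything from the original page: refuse a ruleset that has no inbound SSH pass rule, parse it with ipf -n, arm a background revert to the currently loaded rules, then load the new file into the inactive set and swap it in with ipf -s. The ipf and ipfstat options are real ones (ipfstat -io prints the live rules in ipf.conf syntax); REVERT_DELAY, the /var/tmp paths, the function names and the two sample rule files used for the self-check are this example's own, constructed inputs.

```sh
#!/bin/sh
# Added example (not from the page): reload ipf rules on a remote host with a safety net.
# Usage: safe_reload /etc/ipf/ipf.conf
# then, once a fresh ssh login has worked:  kill "$(cat /var/tmp/ipf.revert.pid)"

REVERT_DELAY=${REVERT_DELAY:-180}   # seconds before the old rules come back (our choice)

# has_ssh_pass FILE: succeed only if FILE has an uncommented inbound pass rule for port ssh or 22
has_ssh_pass() {
    grep -Eq '^[[:space:]]*pass[[:space:]]+in[[:space:]].*[[:space:]]port[[:space:]]*=[[:space:]]*(ssh|22)([[:space:]]|$)' "$1"
}

# safe_reload FILE: refuse unsafe or unparsable rules, else swap them in with a timed revert armed
safe_reload() {
    rules=$1
    has_ssh_pass "$rules" || { echo "refusing: $rules has no inbound pass rule for ssh" >&2; return 1; }
    # -n parses the file without touching the kernel, so syntax errors surface before anything changes
    ipf -n -f "$rules" || { echo "refusing: $rules does not parse" >&2; return 1; }

    saved="/var/tmp/ipf.rules.saved.$$"
    ipfstat -io > "$saved"          # the live rules, in a form ipf -f can load again
    # the revert also goes via the inactive set, so even the fallback has no empty-ruleset window
    ( sleep "$REVERT_DELAY" && ipf -I -Fa -f "$saved" && ipf -s ) &
    echo $! > /var/tmp/ipf.revert.pid

    # load into the inactive set (-I, flushed first), then swap active/inactive (-s)
    ipf -I -Fa -f "$rules" && ipf -s
    echo "new rules active; $saved comes back in ${REVERT_DELAY}s unless you kill \$(cat /var/tmp/ipf.revert.pid)"
}

# Constructed self-check inputs: one file keeps the SSH rule, the other has it commented out.
GOOD_RULES="${TMPDIR:-/tmp}/ipf.good.$$"
BAD_RULES="${TMPDIR:-/tmp}/ipf.bad.$$"
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT
cat >"$GOOD_RULES" <<'EOF'
block in log all
block out log all
pass in quick on elxl1 proto tcp from any to any port = 80 keep state
pass in quick on elxl1 proto tcp from any to any port = ssh keep state
EOF
cat >"$BAD_RULES" <<'EOF'
block in log all
block out log all
# pass in quick on elxl1 proto tcp from any to any port = ssh keep state
pass in quick on elxl1 proto tcp from any to any port = 80 keep state
EOF

has_ssh_pass "$GOOD_RULES" && echo "good rules: ssh rule present"
has_ssh_pass "$BAD_RULES" || echo "bad rules: ssh rule missing, would refuse to load"
```

The check is deliberately dumb: it only proves an SSH rule is present in the file, not that it is reachable past the rules above it, which is what the timed revert is for. Make the first login after the swap a new ssh session rather than trusting the one you already have open, since that one is kept alive by state.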

Given the range of services we've enabled elsewhere, a working configuration might look like:

# default is to deny access
block in log all
block out log all

# loopback traffic allowed through
pass in quick on lo0 all
pass out quick on lo0 all

# should have a more controlled ICMP ruleset
pass in quick on elxl1 proto icmp all
pass out quick on elxl1 proto icmp all

# standard UDP services
pass in quick on elxl1 proto udp from any to any port = ntp keep state
pass in quick on elxl1 proto udp from any to any port = domain keep state

# standard TCP services (FTP requiring funny port rules).  NB the two FTP
# data-connection rules trust the remote source port, and any client can choose
# its source port: they let anyone connecting from source port 20 or 21 reach
# every local TCP port above 32767.  ipf's FTP proxy (via ipnat) is the tighter option.
pass in quick on elxl1 proto tcp from any to any port = ftp keep state
pass in quick on elxl1 proto tcp from any port = ftp to any port > 32767 keep state
pass in quick on elxl1 proto tcp from any port = ftp-data to any port > 32767 keep state
pass in quick on elxl1 proto tcp from any to any port = domain keep state
pass in quick on elxl1 proto tcp from any to any port = smtp keep state
pass in quick on elxl1 proto tcp from any to any port = 80 keep state
pass in quick on elxl1 proto tcp from any to any port = imap keep state
pass in quick on elxl1 proto tcp from any to any port = 443 keep state
pass in quick on elxl1 proto tcp from any to any port = imaps keep state
pass in quick on elxl1 proto tcp from any to any port = sieve keep state
pass in quick on elxl1 proto tcp from any to any port = cvspserver keep state

# Only allow me direct access to my application server
pass in quick on elxl1 proto tcp from me.myisp.com to any port = 8080 keep state

# let my stuff outbound.  if we were suspicious of our own code we could restrict this!
pass out log all keep state

# do not delete this line under any circumstances!!!
pass in quick on elxl1 proto tcp from any to any port = ssh keep state

Warning

If you use named hosts or named services, those names must be defined when the rules load: ipf(1M) resolves host names through the resolver and service names via /etc/services as it parses the file, once, and a rule whose name it cannot resolve does not load (so check ipfstat -io afterwards). Obvious, but note two consequences. A host rule like the me.myisp.com one above is only as good as what that name resolved to when the rules loaded, and it needs working name resolution at that moment, which at boot may be before the network is fully up. And Sun take the liberty of whittling your /etc/services file down to the known IANA entries when you perform a Live Upgrade, so a service name you added locally can vanish along with the rule that used it; port numbers are safer for anything not in the stock file.

Monitoring

You can keep an eye on what's happening to your firewall in a number of ways.

Current State

If you want to see the inbound ruleset the kernel currently holds, try:

ipfstat -i

use -o for the outbound ruleset, and add -h (ipfstat -hio) for a hit count per rule, which is the quickest way to see whether a rule is matching anything at all.

Current Usage

For idle amusement try the top-like view of the state table, i.e. what is currently talking to (and from) your computer:

ipfstat -t

Historical Usage

You have several weeks' worth of logs in local0.log and its rotations.
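As an added example that is not from the original page: a POSIX shell script that summarises blocked inbound traffic from the ipmon lines that land in local0.log, the kind of pass you would make over those rotated logs to see who has been knocking and on which ports. The sample lines are constructed to follow ipmon(1M)'s layout (time, interface, @group:rule, action, src,port -> dst,port, PR proto, lengths, flags, IN/OUT) behind a Solaris syslog prefix; the hostname, PID, message ID and addresses are made up, and the field positions should be confirmed against a real line from your own log before you trust the output.

```sh
#!/bin/sh
# Added example: summarise blocked inbound traffic from ipmon's syslog output.
# Not part of the original page.  Sample lines below are constructed in the
# ipmon(1M) layout as written through Solaris syslog; the host, PID, message
# ID and addresses are invented.

SAMPLE_LOG="${TMPDIR:-/tmp}/local0.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:01 myhost ipmon[231]: [ID 702911 local0.warning] 10:15:01.104233 elxl1 @0:1 b 203.0.113.7,51234 -> 192.0.2.10,23 PR tcp len 20 60 -S IN
Mar  3 10:15:02 myhost ipmon[231]: [ID 702911 local0.warning] 10:15:02.201010 elxl1 @0:1 b 203.0.113.7,51235 -> 192.0.2.10,3389 PR tcp len 20 60 -S IN
Mar  3 10:15:03 myhost ipmon[231]: [ID 702911 local0.warning] 10:15:03.333331 elxl1 @0:1 b 198.51.100.20,40000 -> 192.0.2.10,23 PR tcp len 20 60 -S IN
Mar  3 10:15:04 myhost ipmon[231]: [ID 702911 local0.notice] 10:15:04.400001 elxl1 @0:11 p 198.51.100.20,40001 -> 192.0.2.10,22 PR tcp len 20 60 -S K-S IN
Mar  3 10:15:05 myhost ipmon[231]: [ID 702911 local0.warning] 10:15:05.500001 elxl1 @0:2 b 192.0.2.10,33000 -> 203.0.113.9,25 PR tcp len 20 60 -S OUT
Mar  3 10:15:06 myhost ipmon[231]: [ID 702911 local0.warning] 10:15:06.600001 elxl1 @0:1 b 203.0.113.7,51236 -> 192.0.2.10,23 PR tcp len 20 60 -S IN
EOF

# blocked_inbound LOGFILE -> lines of "count source_ip dest_port", most frequent first.
# Only packets whose action is b (blocked) and direction IN are counted; passed
# packets and our own blocked outbound traffic are skipped.
blocked_inbound() {
    awk '
        {
            # find the @group:rule token; the syslog prefix in front of it varies in width
            for (i = 1; i <= NF; i++) if ($i ~ /^@[0-9]+:[0-9]+$/) break
            action = $(i + 1); src = $(i + 2); dst = $(i + 4); dir = $NF
            if (action != "b" || dir != "IN") next
            split(src, s, ","); split(dst, d, ",")     # "addr,port" -> addr and port
            count[s[1] " " d[2]]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# top_source LOGFILE -> the single source address with the most blocked inbound packets
top_source() {
    blocked_inbound "$1" |
        awk '{ n[$2] += $1 } END { for (k in n) print n[k], k }' |
        sort -rn | head -n 1 | awk '{ print $2 }'
}

blocked_inbound "$SAMPLE_LOG"
echo "noisiest source: $(top_source "$SAMPLE_LOG")"
```

Run it against a real file with blocked_inbound /var/adm/local0.log (or a rotated copy) instead of the sample. Because it keys on the @group:rule token rather than on fixed column numbers, the same awk works whether the line came through syslog or straight from ipmon's own output.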
