Networking
ipf
ipf is a good packet filter.
!DANGER!
When you enable it you want to be quite sure you don't disable your own access!
Initialisation
Edit pfil.ap and uncomment your NIC(s). To work out what your NICs are, try:
netstat -ni
Next edit the configuration file. In this case we'll pass everything through but log it all (so we can see that it's all working):
cd /etc/ipf
cat <<EOF >>ipf.conf
block in log all
block out log all
pass in quick on lo0 all
pass out quick on lo0 all
pass in log all keep state
pass out log all keep state
EOF
Syslog
ipf spews logging (tens of Mbytes a week) to the local0 facility, so give it a file of its own (the selector and the file name in syslog.conf must be separated by a tab, not spaces):
cat <<EOF >>/etc/syslog.conf
local0.warn	/var/adm/local0.log
EOF
touch /var/adm/local0.log
So you may well want to have that log file rotated:
logadm -C 8 -a 'kill -HUP `cat /var/run/syslog.pid`' -w /var/adm/local0.log
Enabling
svcadm enable /network/ipfilter
reboot
Note
Do you have to reboot? I'm not sure.
ipf.conf
Subsequent changes to ipf.conf seem to require a disable then enable of the service (a refresh doesn't seem to do the right thing):
svcadm disable -t /network/ipfilter
svcadm enable -t /network/ipfilter
See /usr/share/ipfilter/examples/ for further clues.
Warning
If your box is remote, always allow SSH!
Given the range of services we've enabled elsewhere, a working configuration might look like:
# default is to deny access
block in log all
block out log all
# loopback traffic allowed through
pass in quick on lo0 all
pass out quick on lo0 all
# should have a more controlled ICMP ruleset
pass in quick on elxl1 proto icmp all
pass out quick on elxl1 proto icmp all
# standard UDP services
pass in quick on elxl1 proto udp from any to any port = ntp keep state
pass in quick on elxl1 proto udp from any to any port = domain keep state
# standard TCP services (FTP requiring funny port rules)
pass in quick on elxl1 proto tcp from any to any port = ftp keep state
pass in quick on elxl1 proto tcp from any port = ftp to any port > 32767 keep state
pass in quick on elxl1 proto tcp from any port = ftp-data to any port > 32767 keep state
pass in quick on elxl1 proto tcp from any to any port = domain keep state
pass in quick on elxl1 proto tcp from any to any port = smtp keep state
pass in quick on elxl1 proto tcp from any to any port = 80 keep state
pass in quick on elxl1 proto tcp from any to any port = imap keep state
pass in quick on elxl1 proto tcp from any to any port = 443 keep state
pass in quick on elxl1 proto tcp from any to any port = imaps keep state
pass in quick on elxl1 proto tcp from any to any port = sieve keep state
pass in quick on elxl1 proto tcp from any to any port = cvspserver keep state
# Only allow me direct access to my application server
pass in quick on elxl1 proto tcp from me.myisp.com to any port = 8080 keep state
# let my stuff outbound. if we were suspicious of our own code we could restrict this!
pass out log all keep state
# do not delete this line under any circumstances!!!
pass in quick on elxl1 proto tcp from any to any port = ssh keep state
Warning
If you use named hosts or named services then those names must be defined. D'uh! We all know that. Sun, however, takes the liberty of whittling your /etc/services file down to known IANA entries when you perform a Live Upgrade.
Monitoring
You can keep an eye on what's happening to your firewall in a number of ways.
Current State
If you want to see what the current inbound ruleset is, try:
ipfstat -i
Use -o for the outbound ruleset.
Current Usage
For idle amusement, try the top-alike view of what is currently talking to your computer:
ipfstat -t
Historical Usage
You have several weeks' worth of logs in local0.log and its rotations.
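To get something out of that history, here is an added example (not from the original page) that summarises the ipmon entries ipf writes to local0.log: blocked packets by direction, protocol and destination port, and blocked inbound packets by source address. The log lines embedded in it are constructed samples in the standard ipmon syslog layout, not real traffic, and the message-ID tags and flag fields are assumed.

```sh
#!/bin/sh
# Summarise ipmon block entries from local0.log (added example, not from the page).
# Assumed ipmon syslog layout:
#   ... <iface> @group:rule <action> src[,port] -> dst[,port] PR <proto> ... IN|OUT
# where action "b" means blocked and "p" means passed.

# Blocked packets per direction, protocol and destination port (stdin -> stdout).
blocked_by_port() {
  awk '
    {
      r = 0
      for (i = 1; i <= NF; i++) if ($i ~ /^@[0-9]+:[0-9]+$/) { r = i; break }
      if (r == 0 || $(r + 1) != "b") next       # only "b" (blocked) entries
      split($(r + 4), dst, ",")                  # "addr,port"; ICMP has no port
      port = (dst[2] == "") ? "-" : dst[2]
      n[$NF " " $(r + 6) " " port]++             # key: direction proto port
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Blocked inbound packets per source address (stdin -> stdout).
blocked_sources() {
  awk '
    {
      r = 0
      for (i = 1; i <= NF; i++) if ($i ~ /^@[0-9]+:[0-9]+$/) { r = i; break }
      if (r == 0 || $(r + 1) != "b" || $NF != "IN") next
      split($(r + 2), src, ",")
      n[src[1]]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Constructed sample lines (not real traffic) in the layout above.
sample_log() {
  cat <<'EOF'
Mar  3 10:15:02 sol10 ipmon[214]: [ID 702911 local0.warning] 10:15:02.123456 elxl1 @0:1 b 203.0.113.9,40211 -> 192.0.2.20,23 PR tcp len 20 60 -S IN
Mar  3 10:15:05 sol10 ipmon[214]: [ID 702911 local0.warning] 10:15:05.654321 elxl1 @0:1 b 203.0.113.9,40212 -> 192.0.2.20,23 PR tcp len 20 60 -S IN
Mar  3 10:15:09 sol10 ipmon[214]: [ID 702911 local0.notice] 10:15:09.000001 elxl1 @0:3 p 198.51.100.4,51002 -> 192.0.2.20,22 PR tcp len 20 60 -S K-S IN
Mar  3 10:15:11 sol10 ipmon[214]: [ID 702911 local0.warning] 10:15:11.222222 elxl1 @0:1 b 203.0.113.77,1025 -> 192.0.2.20,1434 PR udp len 20 404 IN
Mar  3 10:15:13 sol10 ipmon[214]: [ID 702911 local0.warning] 10:15:13.777777 elxl1 @0:1 b 203.0.113.5 -> 192.0.2.20 PR icmp len 20 84 icmp 8/0 IN
Mar  3 10:15:14 sol10 ipmon[214]: [ID 702911 local0.warning] 10:15:14.333333 elxl1 @0:2 b 192.0.2.20,35000 -> 198.51.100.9,25 PR tcp len 20 60 -S OUT
EOF
}

# Against the live log: blocked_by_port < /var/adm/local0.log
echo "== blocked by direction/proto/port =="; sample_log | blocked_by_port
echo "== blocked inbound by source =="; sample_log | blocked_sources
```

Passed ("p") entries are skipped, so with the "pass ... log all" test ruleset above only the block rules' hits are counted.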