Saturday, June 20, 2009

Setting up a firewall (IP filter) on Opensolaris

One of the first things to set up after putting a server on the Internet is an IP filter. Nobody should be able to connect to any service except the ones you explicitly permit; on a web server those are typically SSH, HTTP and HTTPS. In theory the filter is redundant if every local service (MySQL, FastCGI servers, ...) is bound only to the internal interface or to localhost, but one service that later starts listening on all addresses is enough to undo that, so a host filter with a default-deny rule is the safer baseline.

The IP filter software in Solaris is IP Filter (ipfilter), and loading its rules is handled by the ipfilter SMF service. The service offers several policies, some of which build rules automatically from properties you set in SMF and from which services are running. I don't want any magic, I just want to write my rules by hand, which is what the custom policy is for.

Here is a simple example of a rule file (it goes in /etc/ipf/ipf.conf). Rules are matched top to bottom, and "quick" means the first matching rule decides, so order matters: the final block rule only sees traffic that nothing above it passed, and "keep state" lets the reply packets of a permitted connection through without a rule of their own.

# allow all traffic on loopback device
pass out quick on lo0 all
pass in quick on lo0 all
# allow all outgoing traffic
pass out quick from any to any keep state
# allow incoming TCP connections on a few ports (SSH, HTTP, HTTPS)
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 443 keep state
# allow some types of incoming ICMP packets
pass in quick proto icmp from any to any icmp-type echo keep state
pass in quick proto icmp from any to any icmp-type timest keep state
# default: block all incoming
block in quick all

If you create /etc/ipf/ipf.conf and enable ipfilter (pfexec svcadm enable ipfilter), the service is supposed to detect that you want the custom policy. For some reason that did not work for me, but I found instructions for doing it manually in the svc.ipfd manpage:

1. Set custom policy
svccfg -s ipfilter:default setprop \
firewall_config_default/policy = astring: "custom"

2. Specify custom file
svccfg -s ipfilter:default setprop \
firewall_config_default/custom_policy_file = astring: \
"/etc/ipf/ipf.conf"

3. Refresh configuration
svcadm refresh ipfilter:default

Remember to prefix all of these commands with "pfexec".

You can check the status of the filter with "pfexec ipfstat -io", which lists the active inbound and outbound rules; they should match what you wrote in the config file. If the list is empty, the policy did not take effect: "svcprop -p firewall_config_default ipfilter:default" shows the policy and custom_policy_file values the service actually has, and "svcs -x ipfilter" tells you whether the service dropped into maintenance. "ipf -nf /etc/ipf/ipf.conf" syntax-checks the file without loading anything into the kernel; run it before enabling the service, especially when you are logged in over SSH, because a port 22 rule that is missing or placed after the final block rule takes your own session down with it.
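As an added example (not part of the original post), here is a shell script that lints an ipf.conf for the ordering mistakes that matter with "quick" rules (no final default deny, SSH rule behind the deny, unreachable rules, unrestricted inbound passes off the loopback) and can then drive the same svccfg/svcadm steps shown above. It assumes the rule layout used in this post, stateful pass rules followed by a final "block in quick all"; the script name, the function names and the file paths are illustrative, not anything IPF ships.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an ipf.conf for the
# ordering mistakes that matter with "quick" rules, then apply it with the
# same svccfg/svcadm steps shown above. The checks assume the layout used
# in this post: stateful "pass" rules followed by a final "block in quick all".
# File paths and function names are illustrative, not anything IPF ships.

# Print the rules of FILE with comments, blank lines and extra whitespace removed.
ipf_rules() {
    sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# lint_ipf_rules FILE: print one line per problem, return the number of problems.
lint_ipf_rules() {
    rules=$(ipf_rules "$1")
    problems=0

    # 1. The last inbound rule must be the catch-all deny. IPF passes
    #    anything no rule matches, so without it unknown ports are open.
    last_in=$(printf '%s\n' "$rules" | grep -E '^(pass|block) in ' | tail -n 1)
    case $last_in in
        'block in quick all'|'block in all') ;;
        *) echo "missing final 'block in quick all' (last inbound rule: '$last_in')"
           problems=$((problems + 1)) ;;
    esac

    # 2. "quick" ends rule processing, so the TCP/22 pass must come before
    #    the default deny or enabling the filter over SSH kills your session.
    if ! printf '%s\n' "$rules" | awk '
            /^block in quick all$/ { blocked = 1 }
            /^pass in / && / proto tcp / && / port = 22( |$)/ && !blocked { ok = 1 }
            END { exit ok ? 0 : 1 }'; then
        echo "no inbound pass for TCP port 22 ahead of the default deny: SSH lockout"
        problems=$((problems + 1))
    fi

    # 3. Any "pass in" placed after "block in quick all" can never match.
    dead=$(printf '%s\n' "$rules" | awk '
            /^block in quick all$/ { blocked = 1; next }
            /^pass in / && blocked { print }')
    if [ -n "$dead" ]; then
        printf '%s\n' "$dead" | sed 's/^/unreachable rule after default deny: /'
        problems=$((problems + $(printf '%s\n' "$dead" | wc -l)))
    fi

    # 4. A "pass in ... all" with no protocol or port is only acceptable on lo0.
    wide=$(printf '%s\n' "$rules" \
        | grep -E '^pass in (quick )?(on [^ ]+ )?all$' | grep -v ' on lo0 ' || true)
    if [ -n "$wide" ]; then
        printf '%s\n' "$wide" | sed 's/^/unrestricted inbound pass: /'
        problems=$((problems + $(printf '%s\n' "$wide" | wc -l)))
    fi

    return "$problems"
}

# apply_ipf_rules FILE: lint, syntax-check with "ipf -n" (touches nothing in
# the kernel), then select the custom policy and point the service at FILE,
# exactly the svccfg/svcadm sequence from the post.
apply_ipf_rules() {
    lint_ipf_rules "$1" || return 1
    pfexec ipf -nf "$1" || { echo "ipf rejected $1"; return 1; }
    pfexec svccfg -s ipfilter:default setprop \
        firewall_config_default/policy = astring: custom
    pfexec svccfg -s ipfilter:default setprop \
        firewall_config_default/custom_policy_file = astring: "$1"
    pfexec svcadm refresh ipfilter:default
    pfexec svcadm enable ipfilter:default
    pfexec ipfstat -io      # should echo back the rules from FILE
}

# Usage: sh ipf-check.sh /etc/ipf/ipf.conf         (lint only)
#        sh ipf-check.sh /etc/ipf/ipf.conf apply   (lint, then load)
if [ $# -gt 0 ]; then
    if [ "${2-}" = apply ]; then
        apply_ipf_rules "$1"
    else
        lint_ipf_rules "$1" && echo "$1: no problems found"
    fi
fi
```

The lint runs anywhere with sed, awk and grep, so you can check a rule file on your workstation before copying it to the server; only apply_ipf_rules needs to run on the OpenSolaris host itself. The checks encode the one property that makes "quick" rule sets safe: every pass you rely on sits above the catch-all block, and nothing sits below it.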
