Softpanorama |
May the source be with you, but remember the KISS principle ;-)
The Solaris OS has included firewall protection technology with every copy shipped for years, with the specific goal of protecting individual systems from attack. In the Solaris 10 OS, Sun provides the Solaris IP Filter firewall software, which is based on the popular IP Filter project from the free and open source software community. Completely integrated into the Solaris IP stack, the Solaris IP Filter high-speed firewall allows administrators to restrict access to particular networking services in a stateful manner. Reducing the network services exposed reduces your security risk.
Solaris 10 and configuring ipfilter
I am wondering what everyone is using to configure ipfilter, the new
firewall software included with Solaris 10, which has replaced SunScreen?
So far I have turned up the following in my current research (below):
Is everyone using one of the following to modify ipfilter configs? Is
there something else out there?
Thanks,
Jerry K.
-=-=-=-
Per Sun at the following (2) links
<http://docs.sun.com/app/docs/doc/816-4554/6maoq023d?a=view>
<http://docs.sun.com/app/docs/doc/816-4554/6maoq023m?a=view>
you can create/edit a configuration file with your favorite text editor
(e.g. textedit, dtpad, vi, emacs, etc.)
-=-=-=-
There is a GUI editor written as Perl/TK called Isba here
<http://inc2.com/isba/>
it appears that this is no longer being maintained
-=-=-=-
There is a GUI editor called fwbuilder here
<http://www.fwbuilder.org/>
that will edit configurations for several firewalls, to include a module
for ipfilter
-=-=-=-
Solaris x86 firewall using IP Filter by Thang T. Mai & Hoang Q. Tran
It is really easy to make a Solaris gateway for a private network. When installing, choose to install the Core System Support component.
Setting Up NAT on Solaris Using IP Filter
So, you've got several computers on your home or business network, and you'd like to be able to access the Internet from all of them, probably via a cable (or DSL) modem. Basically you have three options:
- You connect all your machines and your cable modem to a hub, set them all up as DHCP clients (see this page for how to do this on Solaris), and go for it.
- You set up one of your machines to do NAT (Network Address Translation), hiding the rest behind a firewall using RFC 1918 compliant addresses on your network.
- You use one of those Netgear routers, or something similar (e.g., those from Linksys), as your firewall, and let it perform NAT for you.
The last option is very popular, and is better than nothing, but you can't beat having your own dedicated firewall machine. The first method, as well as being insecure, lacks a certain je ne sais quoi, so I'll show you how to set up NAT using Darren Reed's IP Filter. If you want to use the first or last methods, you're on your own!
Hardware
In my experiments, I could only get NAT to work reliably when I had two physical interfaces (i.e., using two virtual interfaces, say le0 and le0:1, didn't work). I used le0 to connect directly to my cable modem, and hme0 as the connection to the rest of my network via a 100 baseT switch. le0 is under DHCP control per these instructions, and hme0 was set up the conventional way, with the hostname in /etc/hostname.hme0, and the corresponding IP address in /etc/hosts.
Installing IP Filter
By far the best way to get IP Filter is to install Solaris 10, which comes with Solaris IP Filter (which is based on IP Filter). For previous versions of Solaris, the best way to get IP Filter is to compile a copy of the latest source code, which can be downloaded from the IP Filter home page. As an alternative, I have a compiled version of the package here. This is IP Filter version 3.3.11, compiled on a Sun SPARCstation 20, running Solaris 2.6. I'm also using it on a SPARCstation 2 running Solaris 7, but it is provided here without any support. You should probably download a more recent binary from Marauding Pirates.
Configuring IP Filter
Once you've successfully installed IP Filter, you need to configure it. First of all, you need to make sure that your NAT box will forward IP packets (it's possible this ability was disabled for security reasons). The forwarding switch is a parameter of the ip driver, so it is read from /dev/ip, not /dev/tcp. As root, run this command:
ndd -get /dev/ip ip_forwarding
If the result is "1", you're all set. Zero means that IP forwarding is not enabled. On Solaris 2.6 through 9 the boot scripts decide this from a few marker files: delete the file /etc/notrouter, and possibly /etc/defaultrouter too, create an empty /etc/gateways file, and IP forwarding will be enabled at the next reboot. On Solaris 10 the supported way is routeadm -u -e ipv4-forwarding, which takes effect immediately and persists across reboots (routeadm with no arguments shows the current state). One caveat applies, though: if you're using NAT and DHCP on the same server (like I do), IP forwarding will not get enabled. So, I install this script as /etc/init.d/ip_forwarding, with a symbolic link to it from /etc/rc2.d/S69ip_forwarding. With this script in place, IP forwarding will be enabled even if you are using a DHCP client.
When you're happy that IP Filter is running, and IP forwarding is enabled, you need to set up your NAT rules. The file /etc/opt/ipf/ipnat.conf contains the rules you want to use (the IP Filter integrated into Solaris 10 reads /etc/ipf/ipnat.conf instead). This is the ipnat.conf file I use, bearing in mind that all of my machines have an IP address in the 192.168.0.1 to 192.168.0.254 range; you should change the addresses between "le0" and the "->" to suit your needs (note also that I've specified le0; put the name of your outbound interface here instead):
map le0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map le0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map le0 192.168.0.0/24 -> 0/32
The 0/32 on the right-hand side tells IP Filter to use whatever address is currently assigned to the interface, rather than an address fixed when the rules were loaded; very useful in DHCP client environments!
The order of the rules is important, because ipnat applies the first rule that matches; don't change them unless you know what you're doing, otherwise things will break! The first rule hands FTP control connections to IP Filter's FTP proxy, which rewrites the addresses carried inside the protocol so that active-mode FTP from your hosts works through NAT. The second rewrites the TCP and UDP source ports of translated connections into a high port range (10000 to 40000 by default), so that two internal hosts using the same source port cannot collide. The third rule maps everything the first two did not catch, such as ICMP, without any port translation.
Use /etc/init.d/ipfboot stop and /etc/init.d/ipfboot start to test your configuration (with the Solaris 10 package, reload the NAT rules with ipnat -CF -f /etc/ipf/ipnat.conf, or restart the service with svcadm restart network/ipfilter), and when you're happy that all is working well, reboot. This will make sure that everything still works as expected, even after a reboot.
That's about it - enjoy! If this page has been useful to you, please consider buying a copy of my book, Solaris Systems Programming.
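The forwarding check and the NAT rules from the procedure above, collected into one script. This is an added example written for this page, not the tutorial's own rc script. It assumes le0 as the outbound interface, 192.168.0.0/24 as the LAN behind it, /usr/sbin/ndd as the ndd path and the Solaris 10 location /etc/ipf/ipnat.conf (the add-on package used /etc/opt/ipf), all overridable from the environment; it also adds the RFC 1918 sanity check the tutorial's second option implies.

```shell
#!/bin/sh
# Added example, not the tutorial's own rc script: enable IP forwarding and
# install the three NAT rules on a Solaris IP Filter gateway.
# Assumptions (override from the environment): le0 is the outbound, DHCP
# assigned interface, 192.168.0.0/24 is the LAN behind it, and ipnat.conf
# lives where Solaris 10 keeps it; the older add-on package used
# /etc/opt/ipf/ipnat.conf.
OUT_IF=${OUT_IF:-le0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
IPNAT_CONF=${IPNAT_CONF:-/etc/ipf/ipnat.conf}
NDD=${NDD:-/usr/sbin/ndd}

# The forwarding flag belongs to the ip driver, so it is read from /dev/ip
# (not /dev/tcp).  Prints 1 when the box forwards, 0 otherwise.
forwarding_state() {
    "$NDD" -get /dev/ip ip_forwarding
}

# Switch forwarding on now.  An ndd setting is lost at reboot, which is why
# the tutorial runs it from an rc script; on Solaris 10 the persistent way
# is "routeadm -u -e ipv4-forwarding".
enable_forwarding() {
    if [ "$(forwarding_state)" = "1" ]; then
        return 0
    fi
    "$NDD" -set /dev/ip ip_forwarding 1
}

# Only RFC 1918 space (10/8, 172.16/12, 192.168/16) should sit behind NAT;
# refuse anything else so a typo cannot translate public addresses.
is_rfc1918() {
    net=${1%%/*}
    o1=${net%%.*}
    rest=${net#*.}
    o2=${rest%%.*}
    case "$o1" in
        10)  return 0 ;;
        192) [ "$o2" = 168 ] && return 0 ;;
        172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
    esac
    return 1
}

# The three map rules, in the order ipnat needs them: it uses the first
# match, so the FTP proxy and the port-mapping rules must precede the
# catch-all that handles everything else (ICMP, for instance).  0/32 means
# "whatever address $OUT_IF has at the moment", which a DHCP client needs.
ipnat_rules() {
    printf 'map %s %s -> 0/32 proxy port ftp ftp/tcp\n' "$OUT_IF" "$LAN_NET"
    printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$OUT_IF" "$LAN_NET"
    printf 'map %s %s -> 0/32\n' "$OUT_IF" "$LAN_NET"
}

# Write the file and load it: -C removes the previously loaded rules,
# -F flushes the active translation table, -f reads the new rules.
install_rules() {
    if ! is_rfc1918 "$LAN_NET"; then
        echo "refusing to NAT non-private network $LAN_NET" >&2
        return 1
    fi
    ipnat_rules > "$IPNAT_CONF"
    ipnat -CF -f "$IPNAT_CONF"
    ipnat -l            # shows the loaded rules and the current mappings
}

if [ $# -gt 0 ]; then
    case "$1" in
        start)  enable_forwarding && install_rules ;;
        status) echo "ip_forwarding=$(forwarding_state)"; ipnat -l ;;
        *)      echo "usage: $0 start|status" >&2; exit 2 ;;
    esac
fi
```

Run it as "start" from an rc script (or by hand after a DHCP lease change) and check the mappings with "status"; ipnat -l is the quickest way to see whether the 0/32 rules picked up the address the DHCP client currently holds.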
IPF Firewall Solaris 10: Creating an IPF Firewall with Solaris 10 (updated 12/10/04) by Rich Shattuck
1. Background
2. Configuring IPF
3. Enabling IPF
4. Common IPF commands
Filtering Network Traffic with Solaris 10 And IP Filter
I use Solaris 10 as my primary desktop, and like to use the Java desktop environment (GNOME w/ enhancements). To allow everything to function correctly, I have to run rpcbind and a font server. To remediate the risks associated with these services, I filter all ingress traffic with IP filter, which has been integrated into the Solaris 10 Operating System.
Since my host doesn't need to accept inbound connections from other networks (other than SSH), I use the following IP Filter rules to allow stateful outbound connectivity and limit ingress traffic to port 22 (SSH).
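The ruleset the paragraph refers to is not reproduced on this page. The following is an added example written for this page, not the author's rules: an ipf.conf that does what the paragraph describes, with stateful outbound traffic, SSH as the only service passed in on the network interface, and rpcbind (111) and the font server (7100) reachable over lo0 only. The interface name bge0 and the Solaris 10 path /etc/ipf/ipf.conf are assumptions; the exposed_ports audit helper is likewise my own addition.

```shell
#!/bin/sh
# Added example, not the author's own ruleset: a host firewall for a
# Solaris 10 desktop that allows stateful outbound traffic and accepts
# only SSH from the network.  Assumptions: the NIC is bge0 and the rules
# file lives at the Solaris 10 location /etc/ipf/ipf.conf.
IFACE=${IFACE:-bge0}
IPF_CONF=${IPF_CONF:-/etc/ipf/ipf.conf}

# Emit the ipf.conf for interface $1.  rpcbind (111) and the font server
# (7100) are never passed in on the NIC, so they stay reachable over lo0 only.
ipf_rules() {
    ifc=$1
    cat <<EOF
# loopback is trusted; local clients of rpcbind and the font server use it
pass in quick on lo0 all
pass out quick on lo0 all
# drop and log short fragments and packets claiming a loopback source
block in log quick on $ifc all with short
block in log quick on $ifc from 127.0.0.0/8 to any
# stateful outbound: replies are matched by the state table, not by a rule
pass out quick on $ifc proto tcp from any to any flags S/SA keep state
pass out quick on $ifc proto udp from any to any keep state
pass out quick on $ifc proto icmp from any to any keep state
# the one exposed service: new SSH connections (SYN without ACK) only
pass in quick on $ifc proto tcp from any to any port = 22 flags S/SA keep state
# everything else inbound is dropped and logged for ipmon
block in log on $ifc all
EOF
}

# Audit helper: the TCP/UDP ports a ruleset passes in on a non-loopback
# interface, one per line (what the network can actually reach).
exposed_ports() {
    awk '/^pass in/ && $0 !~ / on lo0 / && match($0, /port = [0-9]+/) {
            print substr($0, RSTART + 7, RLENGTH - 7)
         }'
}

# Write the file and load it: -Fa flushes every active rule first, -f
# reads the new set; ipfstat -io prints what the kernel now holds.
load_rules() {
    ipf_rules "$IFACE" > "$IPF_CONF"
    ipf -Fa -f "$IPF_CONF"
    ipfstat -io
}

if [ "$1" = "load" ]; then
    load_rules
else
    # default: print the rules and the audit without touching the kernel
    ipf_rules "$IFACE"
    printf 'exposed inbound ports: %s\n' "$(ipf_rules "$IFACE" | exposed_ports | tr '\n' ' ')"
fi
```

Run without arguments to review the rules and the list of exposed ports before loading anything; "load" writes the file and activates it. On Solaris 10, svcadm enable network/ipfilter makes /etc/ipf/ipf.conf load at boot, and on the early Solaris 10 releases that still used the pfil STREAMS module the interface also has to be listed in /etc/ipf/pfil.ap (followed by svcadm restart network/pfil) before ipf sees any of its packets.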
IP Filter - TCP-IP Firewall-NAT Software
The IPFilter FAQ by Phil Dibowitz!
Firewall Approach to Internet Security Table of Contents
Mirrors
docs.sun.com System Administration Guide IP Services Overview
docs.sun.com System Administration Guide IP Services Tasks
fwanalog 0.6.4 by Balázs Bárány - Thursday, March 18th 2004 10:35 PST
About: fwanalog is a shell script that parses and summarizes firewall logfiles. It understands logs from ipf (xBSD, Solaris), OpenBSD 3.x pf, Linux 2.2 ipchains, Linux 2.4 iptables, and a few types of routers and firewalls (Cisco, Checkpoint FW-1, and Watchguard). The excellent log analysis program Analog is used to create the reports.
Changes: This release has further PIX fixes and a better error message if no input files are found.
Categories: Internet :: Log Analysis, Security, System :: Logging
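As an added example of the kind of summary fwanalog produces for ipf logs (this is not fwanalog's code, nor part of the announcement), the following shell/awk script reads ipmon records as syslog writes them, counts blocked inbound packets per source address and flags sources that touched several distinct ports. The log lines are constructed for this example with RFC 5737 test addresses; the hostname, process id and syslog message id are placeholders.

```shell
#!/bin/sh
# Added example (not part of fwanalog or the original page): summarize
# ipmon block records from syslog, grouped by source address, and flag
# sources that probed several distinct ports.  The log lines below are
# constructed for this example (RFC 5737 test addresses), in the format
# ipmon writes via syslog:
#   <syslog prefix> HH:MM:SS.usec iface @group:rule action src,sport -> dst,dport PR proto ... IN|OUT
SAMPLE_LOG='Mar 18 10:35:01 gw ipmon[214]: [ID 702911 local0.warning] 10:35:01.118201 le0 @0:9 b 203.0.113.7,40112 -> 192.0.2.10,23 PR tcp len 20 60 -S IN
Mar 18 10:35:01 gw ipmon[214]: [ID 702911 local0.warning] 10:35:01.532910 le0 @0:9 b 203.0.113.7,40113 -> 192.0.2.10,111 PR tcp len 20 60 -S IN
Mar 18 10:35:02 gw ipmon[214]: [ID 702911 local0.warning] 10:35:02.004417 le0 @0:9 b 203.0.113.7,40114 -> 192.0.2.10,7100 PR tcp len 20 60 -S IN
Mar 18 10:35:05 gw ipmon[214]: [ID 702911 local0.notice] 10:35:05.771003 le0 @0:8 p 198.51.100.4,51022 -> 192.0.2.10,22 PR tcp len 20 60 -S IN
Mar 18 10:35:09 gw ipmon[214]: [ID 702911 local0.warning] 10:35:09.230055 le0 @0:9 b 198.51.100.9,3344 -> 192.0.2.10,137 PR udp len 20 78 IN'

# Print "src blocked_packets distinct_dst_ports" for every source that had
# inbound packets blocked (action "b", direction IN), busiest first.
summarize_blocks() {
    awk '
    /ipmon\[/ {
        # the action column follows the "@group:rule" field, wherever the
        # syslog prefix put it
        for (i = 1; i <= NF; i++) if ($i ~ /^@[0-9]+:[0-9]+$/) break
        action = $(i + 1); src = $(i + 2); dst = $(i + 4); dir = $NF
        if (action != "b" || dir != "IN") next
        sub(/,.*/, "", src)                  # strip the source port
        dport = dst; sub(/.*,/, "", dport)   # keep only the destination port
        blocked[src]++
        if (!((src, dport) in seen)) { seen[src, dport] = 1; ports[src]++ }
    }
    END { for (s in blocked) print s, blocked[s], ports[s] }' | sort -k2,2nr
}

# Sources in a summary that hit at least $1 distinct ports (default 3)
# look like a scan rather than a stray connection.
probable_scans() {
    awk -v min="${1:-3}" '$3 >= min { print $1 }'
}

if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_blocks
else
    summarize_blocks < "$1"
fi
```

Run with no arguments to see the summary of the embedded sample, or pass the syslog file ipmon writes to (for example /var/adm/ipfilter.log if you route local0 there). Only "b" records count, so a rule without the log keyword produces nothing here; the blocked "-S" SYNs to 23, 111 and 7100 from one source are exactly the pattern probable_scans is meant to surface.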
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belongs to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: June 05, 2008